Software developers to get a standardized security test

Software developers, sharpen those No. 2 pencils. A standardized test on your knowledge of secure programming may soon be coming your way.

The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers’ knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about wrapping security into software applications.

The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .NET, PHP, and Perl.

The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.

Some of the proposed areas of testing will include data handling, authentication, session management, and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, and then pass it on safely. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injection.
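To make the data-handling task concrete, the following is an added illustration written for this page, not material from the council's standard or its test. It shows the two halves of the skill the standard describes: allow-list validation of input read from an interface, and safe hand-off of that input to a SQL query and to an HTML page. The `users` table, the `name` and `id` columns, and the attack strings in `main` are constructed for the example; `lookupUserId` needs a live JDBC `Connection` and is therefore not called from `main`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class InputHandling {
    // Allow-list: a username is 1-32 characters of ASCII letters, digits or underscore.
    // Anything else is rejected before it reaches a query or a page.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    public static String validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    // Vulnerable form: string concatenation lets the input rewrite the SQL itself.
    // Kept here only to show what the test expects candidates to recognise.
    public static String vulnerableQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // Hardened form: the value is bound as a parameter, so the database never
    // parses it as SQL text, and the allow-list runs first as defence in depth.
    // (Assumes a hypothetical users(id, name) table reachable through conn.)
    public static Integer lookupUserId(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, validateUsername(username));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Integer.valueOf(rs.getInt("id")) : null;
            }
        }
    }

    // Output encoding for an HTML text context, the cross-site-scripting counterpart
    // of parameterised SQL: the five characters that can change HTML structure are
    // replaced by entities so user data is displayed, not interpreted.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a classic SQL injection payload and a script tag.
        String sqlAttack = "' OR '1'='1";
        String xssAttack = "<script>alert(1)</script>";

        System.out.println("concatenated query: " + vulnerableQuery(sqlAttack));
        try {
            validateUsername(sqlAttack);
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list result: " + e.getMessage());
        }
        System.out.println("encoded for HTML: " + htmlEncode(xssAttack));
    }
}
```

The point a reviewer would look for is that neither defence relies on spotting known-bad strings: the allow-list states what valid data looks like, and the parameter binding and output encoding keep data out of the code channel regardless of its content. Output encoding is context-specific; the `htmlEncode` above is correct for element text and quoted attribute values, but a value placed inside a JavaScript block or a URL needs a different encoder.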

The skill testing is designed to ask developers not only whether they know what encryption is but whether they understand the differences between public-key encryption, as used in a PKI, and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.

More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.

“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”

SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe.

The tests, which don’t actually require a No. 2 pencil, cost between $50 and $450, for participants ranging from students to employees of large corporations.


Is ECMAScript 4 the future of web scripting?

The process of creating ECMAScript 4—the next-generation JavaScript dialect—has become increasingly acrimonious as major stakeholders argue about the future of web scripting. The latest feud is between JavaScript creator Brendan Eich and Microsoft representative Chris Wilson, who have differing views about the long-term viability of the ECMAScript standard.

The vast majority of web developers acknowledge that JavaScript in its current form is anachronistic compared to modern dynamic scripting languages. The ECMAScript 4 draft process hopes to resolve weaknesses with the language by adding additional syntax elements, many of which are heavily influenced by Java and Python. ECMAScript 4 is largely backwards compatible with conventional JavaScript, which means that it provides a clean glidepath for updating legacy code.

Critics like Microsoft and Yahoo argue that certain characteristics of the language (particularly the prototype-oriented object model) make it impossible to add modern language features to ECMAScript without dramatically increasing the complexity of the language, breaking existing code, and creating new interoperability problems. Such critics believe that the focus should be on improving interoperability between existing ECMAScript 3 implementations and that modern scripting capabilities would be best provided by using a completely different scripting language.

Although this approach could provide a cleaner language for web scripting, it would mean that all existing JavaScript code would be trapped forever in the ECMAScript 3 standard and would have to be completely rewritten in order to benefit from much-needed modern language features. There are also serious concerns that new alternative languages would be less standards-oriented than ECMAScript.

“[T]he ES4 proposal introduces a lot of new language functionality that essentially changes the character of the language,” wrote Wilson in a recent blog entry. “I don’t personally have a problem with that language as a language—but I think grafting that different-in-character-language together with a compatible-and-performant implementation of the Javascript of today is both super-hard (if even possible) to get right, and is ignoring the bigger problems of language-for-web, namely interoperating with all the script that is out there.”

The accusations fly
Wilson and other critics have complained that their concerns are being suppressed and ignored by Brendan Eich and others. Several participants in the ES4-discuss mailing list claim that Adobe and Mozilla are authoring the spec in a manner that best suits their interests without consensus and that other parties are simply shouted down or ignored.

“I think it’s a shame that dissenting opinion has been hidden from view, and not publicized,” said Wilson. “I also think it’s a shame that the response to any dissent has equated to shouting the dissenters down. The string of blog posts over the last week, and the immediate and somewhat incendiary comments from ES4 proponents, has been a good example of that.”

Eich and those who are satisfied with the current process and direction regard those allegations as FUD—baseless nontechnical criticisms that add nothing of value to the ECMAScript 4 process. In an open letter to Chris Wilson, Eich criticizes Wilson and accuses him of dishonesty.

“You seem to be repeating falsehoods in blogs since the Proposed ECMAScript 4th Edition Language Overview was published, claiming dissenters including Microsoft were ignored by me, or ‘shouted down’ by the majority, in the ECMAScript standardization group. Assuming you didn’t know better, and someone was misinforming you, you (along with everyone reading this letter) know better now. So I’ll expect to see no more of these lies spread by you,” wrote Eich in his open letter to Wilson. “At best, we have a fundamental conflict of visions and technical values between the majority and the minority… There certainly was no shouting down of the dissenters—that’s a bold lie in view of the well-attended and friendly dinners sponsored by the face-to-face meeting hosts.”

A way forward?
Although Microsoft representatives haven’t stated outright what they would propose for a new web scripting solution, the writing is pretty much on the wall. Microsoft’s Silverlight rich Internet application framework uses .NET and the Dynamic Language Runtime, which brings support for IronPython and IronRuby to web scripting. Using languages based on Python and Ruby for next-generation client-side scripting solutions makes a lot of sense on many different levels. A growing number of developers already have experience with those languages and many tools already exist to ease development with them. A single multilanguage runtime could be used in the browser to support JavaScript as well as more modern scripting languages.

Mozilla has already tacitly endorsed this approach with its own (prodigiously cool) IronMonkey project, which aims to build a bridge between Microsoft’s open-source Dynamic Language Runtime and Mozilla’s Tamarin virtual machine, which will be used to run ECMAScript 4 code. When we reported on IronMonkey back in July, more than a few Ars readers posted comments expressing a desire for a future in which client-side web scripting could be done entirely with Python and Ruby rather than with JavaScript.

As a developer with experience in Python, Ruby, and JavaScript myself, I know that I would definitely prefer Python and Ruby to a new dialect of JavaScript that liberally incorporates features of those languages. That said, it is worth noting that advancing JavaScript with the ECMAScript 4 standard as envisioned by Mozilla and Adobe doesn’t preclude the possibility of adopting multilanguage web scripting platforms.

The real question is whether or not it still makes sense to extend ECMAScript regardless of whether or not alternate languages are made available as well. Eich argues that ECMAScript 4 is important for furthering standards-based web scripting, but critics are still concerned that extending ECMAScript in the manner proposed by Eich will fail to address critical security and interoperability issues while putting backwards compatibility at risk. Eich still doesn’t believe that anybody has adequately articulated these problems in a way that shows real concern about the technical merits of ECMAScript 4.

Meanwhile, parties on both sides of the debate are becoming increasingly accusatory and have taken to publicly criticizing each other’s motives. Web scripting needs to move forward, and it’s unfortunate that the process has become mired in controversy.


Eclipse offers AJAX server

The Eclipse Foundation will release Eclipse RAP (Rich Ajax Platform) 1.0 on Monday, an AJAX (Asynchronous JavaScript and XML) server for building and deploying rich Internet applications.

Leveraging the Eclipse component model, which is based on the OSGi (Open Services Gateway initiative) standard, RAP 1.0 is suited to enterprises and enables development of component-based applications that can integrate with existing systems. RAP 1.0 is freely downloadable.

With RAP, developers can build AJAX applications “completely in Java,” said Jochen Krause, project leader for RAP at Innoopract.

“The benefit is many developers know [how] to write Java code,” he said. “If you look at enterprise IT, you find very few people that are seasoned in JavaScript.”

“Our key strength is we can use the Eclipse component model,” deploying plug-ins to extend applications, said Krause.

Featured in RAP 1.0 is the ability to build RIA or Eclipse RCP (Rich Client Platform) applications from the same Java code base. Also included are Java development tools and frameworks for building AJAX applications that support user interfaces, complex widgets, and data-binding.

RAP’s ease of use was cited by one early user.

“RAP is very easy if you have skills in Eclipse/RCP technology. Even if you have developed Java desktop applications, RAP has a lot of similar concepts,” said Roberto Sanchez Custodio, CEO of Autonomind, which has used RAP for developing a public Web application.

Using RAP, though, has had its trials. With Milestone 2 there were typical early-release issues such as API changes, bugs, and poor documentation, but most of these problems have been solved now, Custodio said. Some features that other Java Web frameworks have are also missing, such as a visual graphical editor for windows, he said.

Custodio also said he thinks RAP is too oriented to Eclipse/RCP developers instead of Java Web developers.

RAP differs from another AJAX project at Eclipse, the AJAX Toolkit Framework (ATF), in that ATF features an IDE for tooling while RAP is a server-based runtime for AJAX applications, Krause said.



Copyright © 2009 Red Canyon Ltd. All rights reserved.

Company Registration No. 6688868



