Archive for November, 2007
Software developers to get a standardized security test
Software developers, sharpen those No. 2 pencils. A standardized test on your knowledge of secure programming may soon be coming your way.
The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers’ knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about wrapping security into software applications.
The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .Net, PHP, and Perl.
The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.
Some of the proposed areas of testing will include data handling, authentication, and session management and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, then disseminate it. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injections.
The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.
More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.
“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”
SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe.
The tests, which don’t actually require a No. 2 pencil, cost between $50 and $450, for participants ranging from students to employees of large corporations.
Super Mario is back!
One can say it many times and in many ways, but the truth remains the same: you should own Super Mario Galaxy.
This game sets the standard for presentation values on Wii. After playing Galaxy, it will quickly become apparent how little effort many developers have put into tapping the power of the console. This is a game that simply could not be pulled off on GameCube; any excuses that the Wii can’t handle ‘next-gen graphics’ should be disregarded entirely. At the same time, Galaxy proves that graphics alone cannot make a beautiful game; only through the seamless mixture of visuals, music and interactivity can a game become truly memorable. Mario’s latest adventure succeeds in all of these ways, and thereby earns The Wiire’s Eye Candy and Audio awards.
This game sets the standard for platformers and game variety. Exploring the game’s 30 galaxies is just as magical, if not more so, than traversing Princess Peach’s castle for the first time in Super Mario 64. Transforming a whole universe into one’s virtual playground is a significant step forward for the genre, one that Mario pulls off elegantly. Just when you think the game couldn’t output more awe-inducing moments, it proves you terribly mistaken. Running, jumping, swinging, collecting, surfing, balancing, spinning, flying, floating - if you can think it, chances are this game has it. Even more impressive is how the developers combined these elements so sensibly; all of the actions feel perfectly integrated with the world. For this, the game earns The Wiire’s Innovative Design award.
This game sets the standard for family interaction. Allowing a second player to control the star pointer as a means of easing them into the gameplay, or just to allow another person to share in the experience, works brilliantly. It would have been nice if players could switch back and forth in their roles without having to physically exchange controllers, but it’s still a fun mechanic that brings people together. For this, the game earns The Wiire’s Family Fun award.
The most dedicated players will still see nearly 20-30 hours of their lives lost if they pursue every star and secret. Other gamers may take weeks, playing in small bursts and cherishing every moment. The game easily accommodates any schedule and play style. When it’s done, many find themselves starting over - the game is that alluring. For this, Super Mario Galaxy earns The Wiire’s Infinite Replay award.
Super Mario Galaxy earns The Wiire’s Editor’s Choice award because it is why you bought a Wii; if you don’t own the console, this game is one of the best reasons to board the bandwagon. Do service to yourself, and to the extremely talented developers at Nintendo’s Tokyo studio, by letting Mario take you on a trip you won’t soon forget.
Software-licensing costs predicted to fall
Software-licensing costs are set to fall over the next decade, as IT industry trends converge to give buyers more bargaining power.
Research firm Gartner predicts that vendors will find themselves increasingly challenged as IT departments look to reduce software costs, as they have done with hardware and services.
“Up until now, the unique nature of the software market has meant that buyers had very little negotiating power after the initial purchase of a software license,” Gartner Vice President William Snyder said in a research note. “We expect those dynamics to change considerably over the next 5 to 10 years, giving CIOs and software procurement officers more bargaining power while potentially reducing software vendor profit margins.”
Gartner has identified seven major trends converging to change software delivery models, reduce dependence on the giant application vendors, and force prices down.
These include business process outsourcing; software as a service; low-cost development environments, such as China and India, combined with modular architectures and service-oriented architectures; the emergence of third-party software maintenance and support; growing interest in open source; the rise of Chinese software companies; and the expansion of the Brazilian, Chinese, and Indian markets.
Although Gartner says open source won’t topple the likes of IBM and Microsoft, the firm believes that it will put pressure on traditional software margin structures, particularly in areas such as servers, operating systems, development tools, and database technologies.
Gartner also predicts that a fourth of all new business software will be delivered by software as a service by 2011.
Snyder said buyers need to realize that the pendulum is beginning to swing in their favor, with an increasing number of alternatives in the software market.
“We would advise IT organizations to use BPO (business process outsourcing) and open-source alternatives to improve their negotiating power with software suppliers, as well as employing the emergence of third-party vendors as a means to reduce higher maintenance fees on older versions of software,” he said. “(Pricing) out the possibility of using offshore skills to build application functionality as Web services will also help negotiations with vendors.”
Gmail 2.0 gets thumbs down from users
A major upgrade to Gmail is getting the thumbs down from users who complain that the new version is extremely slow, often fails to load pages and even crashes their browsers.
People have flooded discussion forums with complaints since Google began “upgrading” users about two weeks ago to the new version, popularly referred to in the blogosphere as Gmail 2.0.
Ironically, Gmail 2.0, which features an upgraded contacts manager, is designed to be faster and more stable. Gmail 2.0 is based on what a Google spokesman calls “a major structural code change” upon which new features will be launched in coming months.
“Most users should see a marked improvement in performance. We recommend using IE7 and Firefox 2 to take full advantage of Gmail’s speedier interface,” said spokesman Jason Freidenfelds via e-mail.
Asked about the problems users are reporting, Freidenfelds didn’t address the complaints specifically but said that Google appreciates the feedback it’s getting. “The new code underlying Gmail should allow us to roll out performance improvements more frequently,” he said.
Users interviewed via e-mail for this article report a variety of performance problems with Gmail 2.0.
The most common complaint is that it is generally very slow, with delays of a minute or more when attempting to display the inbox upon logging on, to record keystrokes when typing text and to respond to mouse clicks. Often the tasks time out. Others report that Gmail 2.0 repeatedly crashes or freezes their browsers, in particular Firefox.
If these users switch to the “old” Gmail version, the problems go away. However, these users say they have to switch manually every time they log on, because Gmail 2.0 automatically became their default version once they got upgraded to it.
When Google upgraded his account last week, Jim Sellers, a software programmer based in Ottawa, Canada, was eager to try Gmail 2.0’s improved contacts manager, but his Firefox 2.0 browser kept crashing both on Windows 2000 and Mac OS X 10.4.
“These problems were very disruptive. I spend at least 25 percent of my day using my browser as one of my main working tools. To have it crash like that made the new version of Gmail a non-option,” said Sellers, an otherwise satisfied Gmail user since June 2004.
As a workaround, Sellers has bookmarked the URL for the “old” Gmail version. However, others expressed worry that Google at some point will phase out access to the “old” Gmail without having fully resolved problems.
Some users interviewed also complained that Google didn’t notify them that they would be moved to Gmail 2.0, or give them an option to decline the upgrade.
Others, on the other hand, trust Google will soon solve the issues. That’s the case of Jack Freeman, a retiree in Oklahoma who, for lack of broadband options in his area, has learned to live with, and make the best of, his relatively slow dial-up connection.
For example, he enjoys posting answers in Google discussion forums, and in recent days has been addressing a lot of questions about the slowness of Gmail 2.0. Freeman’s solution to the delays has been to toggle between the two versions of the service. “It is still my favorite e-mail program,” Freeman said.
Google is moving people progressively to Gmail 2.0, so some users have it and others don’t.
Google didn’t immediately reply to a series of follow-up questions, so it’s not clear what percentage of people have access to the new version and how many are experiencing problems with it. It’s also unclear when Google expects to have everyone on the new version and when the performance problems will be solved.
What’s clear is that the problems have unleashed a storm of complaints. A search, sorted by date, for “Gmail slow” in the Gmail Help Discussion forum returns about 35 pages of results related to problems with Gmail 2.0.
Firefox 3.0 may ship with a slew of “blocking” bugs intact
Whatever happened to open-source projects being released according to development readiness, rather than an arbitrary release schedule? Mozilla seems to have forgotten this, with the New York Times reporting that the upcoming Firefox 3.0 is set to ship with only 20% of its remaining 700 “blocker” bugs (bugs serious enough to justify postponing a release) resolved.
Of course, Mozilla has already fixed over 11,000 bugs, according to Mozilla developer Asa Dotzler. Even so, that doesn’t change the apparent fact that the Firefox development community is planning to ship a product before a wide range of known blocker bugs are resolved. (Firefox 3 meeting notes can be perused here.)
For now, the mountain to climb appears quite high, as the New York Times notes:
As Mozilla pushes to post Beta 1 of Firefox 3.0, it has asked developers to prioritize already-identified bugs so that the most important can be fixed. But according to notes of yesterday’s Firefox 3.0 status meeting, that will leave about eight in 10 [remaining] bugs untouched.
“We have 700 bugs currently marked as blockers,” the notes read. “That’s too many. We’re asking [requiring] component owners to set priorities on blockers, as a first pass of what bugs should be Beta 2 blockers. You want it to be about 10% of blockers, or what you can get done in four weeks.”
On the positive side (and I mean that sincerely), Firefox 3.0 continues to miss its stated deadlines. I think this is good. It means that, in fact, Mozilla is prepared to put quality of code before an arbitrary release schedule. My life will go on if I continue using Firefox 2.0. In fact, Firefox 2.0 works exceptionally well.
What I don’t want is to transition to a presumably “ready” Firefox 3.0 only to have it routinely die on me. Fix the bugs first, Mozilla. There’s just no need to hurry the release.