Archive for the 'Programming' Category
Software developers to get a standardized security test
Software developers, sharpen those No. 2 pencils. A standardized test on your knowledge of secure programming may soon be coming your way.
The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers’ knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about wrapping security into software applications.
The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .NET, PHP, and Perl.
The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.
Some of the proposed areas of testing include data handling, authentication, session management, and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, and then disseminate it. The programmers would also need to be familiar with malicious-attack scenarios such as cross-site scripting and SQL injection.
The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.
More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.
“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”
SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe.
The tests, which don’t actually require a No. 2 pencil, cost between $50 and $450, for participants ranging from students to employees of large corporations.
Is ECMAScript 4 the future of web scripting?
The process of creating ECMAScript 4—the next-generation JavaScript dialect—has become increasingly acrimonious as major stakeholders argue about the future of web scripting. The latest feud is between JavaScript creator Brendan Eich and Microsoft representative Chris Wilson, who have differing views about the long-term viability of the ECMAScript standard.
The vast majority of web developers acknowledge that JavaScript in its current form is anachronistic compared to modern dynamic scripting languages. The ECMAScript 4 draft process hopes to resolve weaknesses in the language by adding new syntax elements, many of which are heavily influenced by Java and Python. ECMAScript 4 is largely backwards compatible with conventional JavaScript, which means that it provides a clean glidepath for updating legacy code.
Critics like Microsoft and Yahoo argue that certain characteristics of the language (particularly the prototype-oriented object model) make it impossible to add modern language features to ECMAScript without dramatically increasing the complexity of the language, breaking existing code, and creating new interoperability problems. Such critics believe that the focus should be on improving interoperability between existing ECMAScript 3 implementations and that modern scripting capabilities would be best provided by using a completely different scripting language.
Although this approach could provide a cleaner language for web scripting, it would mean that all existing JavaScript code would be trapped forever in the ECMAScript 3 standard and would have to be completely rewritten in order to benefit from much-needed modern language features. There are also serious concerns that new alternative languages would be less standards-oriented than ECMAScript.
“[T]he ES4 proposal introduces a lot of new language functionality that essentially changes the character of the language,” wrote Wilson in a recent blog entry. “I don’t personally have a problem with that language as a language—but I think grafting that different-in-character-language together with a compatible-and-performant implementation of the Javascript of today is both super-hard (if even possible) to get right, and is ignoring the bigger problems of language-for-web, namely interoperating with all the script that is out there.”
The accusations fly
Wilson and other critics have complained that their concerns are being suppressed and ignored by Brendan Eich and others. Several participants in the ES4-discuss mailing list claim that Adobe and Mozilla are authoring the spec in a manner that best suits their interests without consensus and that other parties are simply shouted down or ignored.
“I think it’s a shame that dissenting opinion has been hidden from view, and not publicized,” said Wilson. “I also think it’s a shame that the response to any dissent has equated to shouting the dissenters down. The string of blog posts over the last week, and the immediate and somewhat incendiary comments from ES4 proponents, has been a good example of that.”
Eich and those who are satisfied with the current process and direction regard those allegations as FUD—baseless nontechnical criticisms that add nothing of value to the ECMAScript 4 process. In an open letter to Chris Wilson, Eich criticizes Wilson and accuses him of dishonesty.
“You seem to be repeating falsehoods in blogs since the Proposed ECMAScript 4th Edition Language Overview was published, claiming dissenters including Microsoft were ignored by me, or ‘shouted down’ by the majority, in the ECMAScript standardization group. Assuming you didn’t know better, and someone was misinforming you, you (along with everyone reading this letter) know better now. So I’ll expect to see no more of these lies spread by you,” wrote Eich in his open letter to Wilson. “At best, we have a fundamental conflict of visions and technical values between the majority and the minority… There certainly was no shouting down of the dissenters—that’s a bold lie in view of the well-attended and friendly dinners sponsored by the face-to-face meeting hosts.”
A way forward?
Although Microsoft representatives haven’t stated outright what they would propose for a new web scripting solution, the writing is pretty much on the wall. Microsoft’s Silverlight rich Internet application framework uses .NET and the Dynamic Language Runtime, which brings support for IronPython and IronRuby to web scripting. Using languages based on Python and Ruby for next-generation client-side scripting solutions makes a lot of sense on many different levels. A growing number of developers already have experience with those languages and many tools already exist to ease development with them. A single multilanguage runtime could be used in the browser to support JavaScript as well as more modern scripting languages.
Mozilla has already tacitly endorsed this approach with its own (prodigiously cool) IronMonkey project, which aims to build a bridge between Microsoft’s open-source Dynamic Language Runtime and Mozilla’s Tamarin virtual machine, which will be used to run ECMAScript 4 code. When we reported on IronMonkey back in July, more than a few Ars readers posted comments expressing a desire for a future in which client-side web scripting could be done entirely with Python and Ruby rather than with JavaScript.
As a developer with experience in Python, Ruby, and JavaScript myself, I know that I would definitely prefer Python and Ruby to a new dialect of JavaScript that liberally incorporates features of those languages. That said, it is worth noting that advancing JavaScript with the ECMAScript 4 standard as envisioned by Mozilla and Adobe doesn’t preclude the possibility of adopting multilanguage web scripting platforms.
The real question is whether or not it still makes sense to extend ECMAScript regardless of whether or not alternate languages are made available as well. Eich argues that ECMAScript 4 is important for furthering standards-based web scripting, but critics are still concerned that extending ECMAScript in the manner proposed by Eich will fail to address critical security and interoperability issues while putting backwards compatibility at risk. Eich still doesn’t believe that anybody has adequately articulated these problems in a way that shows real concern about the technical merits of ECMAScript 4.
Meanwhile, parties on both sides of the debate are becoming increasingly accusatory and have taken to publicly criticizing each other’s motives. Web scripting needs to move forward, and it’s unfortunate that the process has become mired in controversy.
Eclipse offers AJAX server
The Eclipse Foundation will make available Monday Eclipse RAP (Rich Ajax Platform) 1.0, an AJAX (Asynchronous JavaScript and XML) server for building and deploying rich Internet applications.
Leveraging the Eclipse component model, which is based on the OSGi (Open Services Gateway initiative) standard, RAP 1.0 is suited for enterprises and enables development of component-based applications that can integrate with existing systems. RAP 1.0 is freely downloadable.
With RAP, developers can build AJAX applications “completely in Java,” said Jochen Krause, project leader for RAP at Innoopract.
“The benefit is many developers know [how] to write Java code,” he said. “If you look at enterprise IT, you find very few people that are seasoned in JavaScript.”
“Our key strength is we can use the Eclipse component model,” deploying plug-ins to extend applications, said Krause.
Featured in RAP 1.0 is the ability to build RIA or Eclipse RCP (Rich Client Platform) applications from the same Java code base. Also included are Java development tools and frameworks for building AJAX applications that support user interfaces, complex widgets, and data-binding.
RAP’s ease of use was cited by one early user.
“RAP is very easy if you have skills in Eclipse/RCP technology. Even if you have developed Java desktop applications, RAP has a lot of similar concepts,” said Roberto Sanchez Custodio, CEO of Autonomind, which has used RAP for developing a public Web application.
Using RAP, though, has had its trials. With Milestone 2, there were typical issues such as API changes, bugs, and poor documentation, but most of these problems have been solved now, Custodio said. Some features that other Java Web frameworks have, such as a visual graphical editor for windows, have also been missing, he said.
Custodio also said he thinks RAP is too oriented to Eclipse/RCP developers instead of Java Web developers.
RAP differs from another AJAX project at Eclipse, the AJAX Toolkit Framework (ATF), in that ATF features an IDE for tooling while RAP is a server-based runtime for AJAX applications, Krause said.
China to map ‘every inch’ of moon surface
China aims to chart every inch of the moon’s surface, the chief scientist of the country’s first lunar exploration program said in comments published on Friday.
China, which plans to launch a lunar orbiter called “Chang’e One” in the second half of 2007 to take 3D images, would aim to land an unmanned vehicle on its surface by 2010, official news portal Chinanews.com quoted Ouyang Ziyuan as saying.
“Currently, our country’s lunar exploration program is divided into three phases — orbiting the moon, landing on the moon and returning back to Earth,” Ouyang said.
The second phase would see an unmanned craft land on the moon to “meticulously” survey a certain area, and the third phase would aim to “bring samples back to earth”, he added.
China’s space exploration program has come far since late leader Mao Zedong lamented that China could not even launch a potato into space.
In 2003, it became only the third country after the former Soviet Union and the United States to launch a man into space aboard its own rocket. In October 2005, it sent two men into orbit and plans a space walk by 2008.
But China’s space plans have faced increasing international scrutiny amid fears about a potential space arms race with the United States and other powers since it blew up one of its own weather satellites using a ground-based missile in January.
Facebook source code leaked
TechCrunch just received a tip that the source code for the Facebook main index page has been leaked and published on a blog called Facebook Secrets. There are at least two possible ways that the source code got out: either a Facebook developer sent it out, or, more likely, a security hole or some other method was used against one of the Facebook servers or their source code repository to reveal the code. The blog that published the code has only a single post on it, so it was created exclusively to publish this code, meaning that whoever is behind this is neither taking credit for the hole nor wants to be associated with it. While there is no certain way to verify whether the code is actually from Facebook, by taking a quick look through the code and by double-checking some paths that are referenced, we can say with some certainty that this seems to be both real and a recent version of the main Facebook page.
There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purpose of finding further security holes or bugs that could be exploited. Since Facebook is a closed-source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party probes the application in an attempt to work out how it behaves and to try to find potential race conditions. In closed-source applications it is common for developers to rely on the closed nature of the application to obscure poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open-source software is more secure than closed-source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.
The second implication of this leak is that the source code reveals a lot about the structure of the application and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object-oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).
This leak is not good news for Facebook, as it raises the question of how secure a Facebook user’s private data really is. If the main source code for a site can be leaked, then it can be said that almost anything is possible. Facebook has become such a success and has such a high profile that it has become a magnet for attacks against its systems. Most large-scale applications suffer a breach at some point or another, since the odds are always stacked in favor of attackers, but companies can respond in a number of ways, and the hope here is that Facebook will handle this situation gracefully. I don’t doubt that Facebook will pursue this case with a lot of energy, both to find the cause of the leak and to find who was responsible. They will also need to take some very quick short-term measures to mitigate the risk to users, since you can bet that right this minute there are hundreds of potential attackers poring over the leaked code and probing their systems. At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.
Brandee Barker from Facebook left a comment on the TechCrunch post:
I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.