Saturday, June 06, 2009

Does your code really work until it's Secure?

So as you may have noticed from my earlier posts, to me it is hard to be a software engineer without being a bit of a web designer these days. Well, in this day and age (and quite frankly for quite a long time) it has been impossible to be a good developer without coding with security in mind. Yes, yet another thing that we have to learn and keep up to date with.

The plethora of security minded folks that are friends of mine helps - but so do the various security groups that I belong to. I'm a member of CapSecDC - The Capital Area Security Group that meets once a month here in the nation's capital. It's generally wings and beer, some security talk - but basically a group of people hanging out that also keep in touch online throughout the month.

And then there is OWASP - which I believe most developers need to become familiar with. OWASP is an international organization that is dedicated to Web Application Security. It's right there in its name - Open Web Application Security Project - yet the wonderful meetings that are held all over the DC area are usually attended by security people and network people, and unfortunately not very many software people.

I hazard to guess that in the room of 80+ people at the DC/Virginia chapter meeting on April 9, 2009 on Penetration Testing, I was one of 2 or 3 who wrote software for a living. It was a presentation of a top 10 list of web hacks. Something that you would think would be of interest to Software Developers - yet most everyone in the room had more of a systems or network bent to them.

And the White Hat Security List is even different than the OWASP Top 10, which sadly I fear most developers aren't familiar with either. Those are things that I hope will change over time - because I get tired of defending developers when I hear "Software People aren't THAT concerned about Security".

The OWASP organization, its various tools such as WebGoat, and the Enterprise Security API deserve their own post, so I will give them one, but my call out for developers to "Code Securely" could wait no longer. If you aren't familiar with OWASP, or one of the CitySec groups, I urge you to seek them out.

As for The White Hat Security Top 10 list, the website/blog of Jeremiah Grossman, the CTO of White Hat Security, is probably the best reference for that:

Jeremiah Grossman
Twitter: jeremiahg
jeremiah@whitehatsec.com

But expect this to be the first of many posts on Web Application Security, OWASP's Enterprise Security API (ESAPI), the OWASP Top 10 and the WebGoat application for teaching engineers how to protect against these well known vulnerabilities, and AppSecDC - the OWASP National Conference that is going to be held here in the nation's capital later in the year. And in case you were wondering if this stuff is relevant to you, consider the toolkits that exist for ESAPI now:
ESAPI Toolkits
1. Java EE
2. .NET
3. Classic ASP
4. PHP
5. ColdFusion
6. Python
7. Haskell
And to whet your appetite, here is the OWASP Top 10 list....
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

See...you did know those. We'll talk more in a later post on how to protect your software against them.
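As an added example (not code from this post, and not ESAPI's own code), here are the first two items on that list, Cross Site Scripting and Injection Flaws, with the unsafe Java pattern next to the safe one. It assumes plain JDBC and a hand-written HTML encoder; the class name SafeOutputAndQuery, the users table and the method names are hypothetical. In real code ESAPI's Encoder.encodeForHTML and a PreparedStatement do the same two jobs.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example: defenses for OWASP Top 10 items 1 (XSS) and 2 (Injection). Hypothetical names. */
public final class SafeOutputAndQuery {

    // --- Injection Flaws: bind user input as a parameter, never splice it into the SQL text ---

    /** Unsafe form, kept only for contrast: whatever the user typed becomes part of the SQL. */
    static String unsafeSql(String username) {
        return "SELECT email FROM users WHERE name = '" + username + "'";
    }

    /** Safe form: the SQL text is fixed at compile time; the driver sends the value separately. */
    static String findEmail(Connection con, String username) throws SQLException {
        PreparedStatement ps = con.prepareStatement("SELECT email FROM users WHERE name = ?");
        try {
            ps.setString(1, username);          // bound as data, never parsed as SQL
            ResultSet rs = ps.executeQuery();
            try {
                return rs.next() ? rs.getString("email") : null;
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
    }

    // --- Cross Site Scripting: encode untrusted data for the context you write it into ---

    /** Minimal encoder for HTML element content (ESAPI's encodeForHTML covers more cases). */
    static String encodeForHtml(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe form: the name is echoed into the page exactly as received. */
    static String unsafeGreeting(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    /** Safe form: the same output, with the untrusted part encoded first. */
    static String greeting(String name) {
        return "<p>Hello, " + encodeForHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed input containing HTML metacharacters, as a user could submit in a form.
        String name = "Bob <admin> & co";
        System.out.println(unsafeGreeting(name));
        System.out.println(greeting(name));
    }
}
```

The point of the pairing is that the fix is never "filter out bad characters": the query stays the same string for every input because the value travels as a bound parameter, and the page stays well-formed for every input because every metacharacter is encoded for the HTML context it lands in. An attribute or a JavaScript context needs its own encoder, which is why ESAPI ships one per context.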

Sunday, May 03, 2009

Web Typography

I have a blog called translucent-development that focuses on my day-to-day thoughts and discoveries with the world of development, and I have a blog called translucent-design that deals with the fact that most developers are also part designer in this day and age of the web. I keep most of the posts on these blogs separate, but I thought this might be of interest to both.



Even though I'm an engineer, I'm surrounded by designers all the time - and I love their creative energy. I often rely on them to help me with various design tasks, but I also like to keep my own creative juices flowing. It is one of the reasons that I'm an active member of the RefreshDC group. We have regular meetings where various aspects of design are discussed. On November 20, 2008 Jason Cranford Teague came and presented at Viget Labs on Typography - more specifically, on Web Typography.



I'm sure that for most designers these are things that they know by heart, but there were quite a few things that I learned.


There are 11 core web fonts


We also discussed the Microsoft TrueType core fonts for the web, which are apparently no longer available for download.


So if there are only 11 core web fonts, why do you see so many fonts out there? While there are only 11 core web fonts, depending on what OS your target audience is running and what software they have installed, you can use fonts that are already on their machine....but is that wise?


Web Safe Fonts


Windows XP - 9 fonts
Vista - 7 fonts in addition
Mac - 30 additional fonts
iLife - 13 additional fonts
Office 2007 - 121 additional fonts
Office 2008 Mac - 68 fonts
Office - 62 overlapping fonts between the OSes
73 fonts that are websafe for mac and pc
200 Fonts that you can consider from his list - Western Fonts only
View them here and see where they are available. Pay special attention to their rank to see which ones you should consider using in your web projects.



In your CSS, you should list your default fonts PLUS fallbacks so that you control what your content looks like.


CSS can download fonts as well
* issue is file format (.ttf, .otf)
* EULA (many don't allow use of the font on the web outside of an image)
* Embedded Open Type (.eot), but it has DRM

Open Type Fonts - but are they being used?


  • There are too many barriers to entry so nobody makes them, and they are available on IE only.
  • Safari is opening up what fonts can be used/downloaded
  • Firefox and Opera are working on it
  • There are security issues with downloading a font, because a font file can carry malicious code and is parsed by the client's font engine

    Downloading Fonts


    Can't render text until it is downloaded and you have to download the ENTIRE font file

    4 sources for fonts on the web


  • download
  • websafe
  • core web
  • generic web fonts


    And if you are interested in mobile development, there are various applications available on the iPhone to show you the fonts that are available there...and of course our friends over at nclud have some nifty fonts of their own for the iPhone that you should check out!



    If you find this interesting, I encourage you to check out Jason's website at www.speaking-in-styles.com/web-typography

    The "How" of GeoCoding

    Last night I went to the RefreshDC presentation on GeoCoding. This I believe was my third presentation on GeoCoding - the first being at one of the No Fluff conferences, and the second being a presentation at BarCampDC II. The presentation was excellent, but may not have been of as much interest to the designers that make up the typical Refresh meeting. But for me, I loved it. I have done a very little bit of Geocoding, but I am about to try using Mapstraction as my dependency injection framework of sorts for a project I am working on. The slides are available as a link off of Andrew's blog, so I have just included my own notes from the meeting below, which are a launching-off point for my own research. The Notes...


    The "How" of Geo


    Andrew Turner


    FortiusOne - GeoCommons




    andrew@fortiusone.com
    Andrew's blog

    A typical unplanned geo database probably starts off with these fields. This isn't enough....
    id, name, rating, lat, lon (lat and lon alone are bad in case there are multiple sites on top of each other)

    Software


    Get PostGIS
    SpatiaLite - lightweight
    SQLite + Spatial Types
    GeoHash

    Where to get the data?


    free of terms and licensing restrictions
    GeoNames - has local and foreign (exonym) names for a place/location
    Implicit GeoData - correlated with Flickr for pictures of places
    geocodr "Happiness in New York"

    OpenStreetMap - opensource data
    - yahoo is using it for flickr (olympics)

    Flickr photos has images of maps - shows "human" boundaries too
    OpenAerialMap - free, opensource
    ESRI data - check out dc.gov data

    Sharing Data


    GeoRSS
    GeoFeedExplorer GeoNames GeoRss
    KML - Google Earth; keyhole - object format; open
    KML Extended Data
    GeoJSON - really nice
    GeoWeb
    OpenSearch - search.org
    OpenSearch-Geo

    Why should I share my data?


    GeoStack
    Create, Publish, Aggregate, Consume

    Visualization


    Mapstraction - map provider abstraction; API; dependency injection
    filters, markers, overlays, time and space
    OpenLayers - hardcore tile imaging and overlays
    Easy CSS styling for map control panels
    ModestMaps - Flash
    hurricanewiki.org - Microsoft Basemaps
    GeoCommons Maker - maker.geocommons.com

    Analysis


    WalkScore - using mapserver for heatmaps
    My Society House Price versus Travel Time
    Open Source Routing - pgRouting
    ridethecity.com
    Fuel Efficiency Routing

    Cartography


    MapWarper - tile hand drawn maps to look more natural
    burningmanearth.org

    ColorBrewer

    Books


    making maps
    designing better maps
    mapnik

    GeoClue - talk to mobile devices (GPS, Sun, etc)
    Core Location - iPhone

    Geotagging pacers


    what if the device doesn't have GPS
    fireeagle,
    BBC Bangladesh Boat Journey

    Mobile Devices


    Mobline Placemarkings
    Socialight
    Android - wertago, life360, cab4me
    Ambient Location - Omnifocus: getting things done
    Urban Spoon

    Java 6 and EJB 3.1

    I'm a regular member of the NovaJUG in the DC area, but I wasn't sure I wanted to go to the Java EE6/EJB 3.1 session. We had a similar session a month or two before, but I had heard Reza Rahman speak before, and I thought it was worth the few hours. And I have to say that I am excited about Web Beans and to see Java start to shed the bloat and boilerplate code and follow down the path that Spring and others paved years ago. This means that you no longer have to fight people who claim "but we need the stability and performance of J2EE". Web Beans helps show that it doesn't need to be hard to be robust, and proves that Sun (and Microsoft with their bloated COM/DCOM) had it wrong. Web Beans will help the rest get back to business, and hopefully reduce the repository size and number of lines of code that have to be maintained in the future. After all, do you really need a SessionHome, a SessionRemote, and another file filled with boilerplate code to get your business logic done?

    Okay, off of the soap box. I'm really behind in my blog entries, so I'm basically going to share with you the notes that I took at that meeting. I'm sure that Reza's presentation is online, and I'll track it down and update this entry with its location.

    Java EE 6/EJB 3.1
    Presenter: Reza Rahman
    He has a series of EJB 3.1 articles on theserverside.com

    Pruning, Profiles, Innovation
  • WebBeans
  • JSF 2.0
  • EJB 3.1
  • JPA 2.0
  • Servlet 3.0
  • JAX-RS 1.1
  • deprecating JAX-RPC (in favor of JAX-WS)
  • JAXR being deprecated
  • Deployment (including EAR versus WAR)

    Profiles
    Web Profile planned as only profile for now
    Will use EJB 3.1 Lite
    Issues of whether or not Web Beans is going to be included. Some issues of cross-cutting concerns,
    and IBM has stepped up and said that there are issues with JSR-299 not sticking to its spec.

    Web Beans 1.0
    stateful, conversations, type-safe DI, enhancements to model, decorators, annotations meta-programming

    Interceptors -
    An @Audited annotation can represent an interceptor that is used for logging.
    The interceptor class is annotated with the @Audited binding and as an interceptor:

    @Audited @Interceptor
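To make the @Audited idea concrete, here is an added example (not from the talk or from the Web Beans project) of an interceptor binding and the audit interceptor bound to it, written against the final JSR-299 (CDI 1.0) annotation names in javax.interceptor. The class names Audited, AuditInterceptor and AccountService are hypothetical, and the caller identity comes from the Principal bean the Java EE container provides for injection.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;

/** Interceptor binding (hypothetical): marks a bean class or method as audited. */
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Audited {}

/** The interceptor bound to @Audited: one audit record per call, success or failure. */
@Audited
@Interceptor
class AuditInterceptor {
    private static final Logger AUDIT = Logger.getLogger("audit");

    // Built-in CDI bean for the current caller (assumption: running inside a Java EE 6 container).
    @Inject
    Principal caller;

    @AroundInvoke
    public Object audit(InvocationContext ctx) throws Exception {
        String who = (caller == null) ? "anonymous" : caller.getName();
        String what = ctx.getMethod().getDeclaringClass().getSimpleName()
                + "." + ctx.getMethod().getName();
        // Record who called what, but not the argument values: they may carry passwords or PII.
        AUDIT.info("call " + what + " by " + who);
        try {
            Object result = ctx.proceed();       // run the real method (or the next interceptor)
            AUDIT.info("ok   " + what + " by " + who);
            return result;
        } catch (Exception e) {
            // Failures are audited too; a burst of them from one principal is worth alerting on.
            AUDIT.log(Level.WARNING, "fail " + what + " by " + who
                    + ": " + e.getClass().getSimpleName());
            throw e;                             // never swallow the exception in an audit hook
        }
    }
}

/** A bean with one sensitive operation; placing @Audited on the method is all it takes. */
class AccountService {
    @Audited
    public void closeAccount(long accountId) {
        // business logic omitted (hypothetical)
    }
}
```

Under CDI 1.0 the interceptor is inactive until it is listed in the module's beans.xml under interceptors, and interceptors only fire on calls made through the container proxy, so a method calling another @Audited method on the same instance is not audited; both are easy to miss when checking that an audit trail is actually complete.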


    JSF 2.0
  • RAILS_ENV style development stage (dev, test, prod)
  • pub/sub
  • All of faces-config.xml can be done in annotations now.

    Managing of other resources (including versioning): CSS, Internationalization

    [META-INF]/resources
    [localePrefix]/[libraryName/][libraryVersion/]resourceName[/resourceVersion]

    // programmatic lookup (libraryName may be null); FacesContext is per-request, so fetch the current one
    Resource resource = FacesContext.getCurrentInstance().getApplication()
            .getResourceHandler().createResource(resourceName, libraryName);

    // or declare the dependency on the component and let JSF add it to the page head
    @ResourceDependency(name = "style.css", library = "actionbazaar")
    public class HeaderTabs extends UIComponentBase {
        @Override
        public String getFamily() { return "actionbazaar.HeaderTabs"; }
    }

    EJB 3.1
    Session Bean interfaces optional
    Singleton Beans

    cron-style timers (still issues with the software being down when the action is supposed to take place)
    @Schedule annotation with cron-style attributes (second, minute, hour, dayOfMonth, month, year)
    can deal with pausing/canceling of tasks

    async bean invocation
    WAR packaging of EJBs, where an EAR was required in the past; easier for dynamic language packaging
    Java SE support
    Standardized the Global JNDI naming across app servers
    EJB Lite

    Asynchronous
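The EJB 3.1 points above (no interface, singleton beans, @Schedule timers, asynchronous invocation) fit in one small bean, so here is an added example of my own rather than anything from Reza's slides. The bean name SessionHousekeepingBean and its in-memory session table are hypothetical; the annotations are the real javax.ejb ones.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.Future;
import javax.ejb.AsyncResult;
import javax.ejb.Asynchronous;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Schedule;
import javax.ejb.Singleton;
import javax.ejb.Startup;

/** One instance per application, created at deployment, no business interface required (EJB 3.1). */
@Singleton
@Startup
public class SessionHousekeepingBean {

    private static final long IDLE_LIMIT_MS = 30L * 60 * 1000;      // 30 minutes, constructed value

    // Hypothetical session table: session id -> last activity. Guarded by the singleton's container lock.
    private final Map<String, Date> lastSeen = new HashMap<String, Date>();
    private int expiredSoFar;

    @Lock(LockType.WRITE)
    public void touch(String sessionId) {
        lastSeen.put(sessionId, new Date());
    }

    /**
     * Cron-style timer: second 0 of every 15th minute, every hour. persistent=true (the default)
     * makes the container record the timer so that an expiration missed while the server was
     * down is delivered after restart, which is the "software down" concern from the talk.
     */
    @Schedule(second = "0", minute = "*/15", hour = "*", persistent = true, info = "expire-sessions")
    @Lock(LockType.WRITE)
    public void expireStaleSessions() {
        expiredSoFar += expireOlderThan(System.currentTimeMillis() - IDLE_LIMIT_MS);
    }

    /** Asynchronous invocation: the caller gets the Future back at once; the body runs on a container thread. */
    @Asynchronous
    @Lock(LockType.WRITE)
    public Future<Integer> expireStaleSessionsNow() {
        int expired = expireOlderThan(System.currentTimeMillis() - IDLE_LIMIT_MS);
        expiredSoFar += expired;
        return new AsyncResult<Integer>(expired);
    }

    /** Readers may run concurrently; only the timer and the explicit sweep take the write lock. */
    @Lock(LockType.READ)
    public int getExpiredSoFar() {
        return expiredSoFar;
    }

    @Lock(LockType.READ)
    public int getActiveCount() {
        return lastSeen.size();
    }

    // Drops every session idle since before the cutoff and returns how many were dropped.
    private int expireOlderThan(long cutoffMillis) {
        int expired = 0;
        for (Iterator<Map.Entry<String, Date>> it = lastSeen.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue().getTime() < cutoffMillis) {
                it.remove();
                expired++;
            }
        }
        return expired;
    }
}
```

Two details matter for a sweep like this: the singleton's container-managed locking is what makes the timer and the asynchronous sweep safe to overlap without hand-written synchronization, and an asynchronous method's exceptions surface only when someone calls get() on the Future, so a fire-and-forget caller that never does so will also never see a failure.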

    JPA 2.0
    Enhanced mapping
    Collections, maps, and ordered lists,
  • lookup tables handled in the class instead of an embedded Entity
    Unidirectional one-to-many and many-to-many mappings
  • JoinColumn must be defined on the "many" side now, but the @OneToMany annotation can be added now.
    join tables
    first result, max result, unwrapping
    CASE, NULLIF, COALESCE
    Locking, JDBC
    Criteria API
    Second Level Caching
    Pessimistic locking


    Servlet 3.0
    annotations from ground up
    optional web.xml
    intelligent defaults (convention over configuration)
    Modular web.xml fragments in framework library jars (many web.xmls in various jar files)
  • allows better reuse
    Programmatic addition of Servlets, Filters, and Listeners through the ServletContext
    Async processing support in Servlets

    Isn't it all just pretty colored paints anyways?

    [http://raibledesigns.com/rd/entry/david_sachdev_on_web_framework]

    The number of web frameworks out there is just astonishing, and in a lot of ways I think that there is need for some consolidation in some way, shape or form. If you work in the Java world there is a sense of consolidation in the ORM space these days with JPA (the Java Persistence API). Sure, if you are working strictly with JPA it is a bit more limiting than working directly with Hibernate, iBatis, or TopLink - but you no longer worry that you have made a critical misstep in your architecture by tying yourself to a particular ORM implementation. Similarly Spring gives you that same "loosely coupled" feel, so that if Google's Guice becomes appealing to you, you don't feel like you've wasted all your framework foo on Spring. But web frameworks....that's another story.

    I think if you had asked me a few months ago, I would have told you that the industry is promoting JSF (Java Server Faces). Everything from support in the IDEs to the availability of AJAX frameworks...and of course a flexible life cycle that allows for alternate implementations and various code to plug or be weaved in to the life cycle. And that while JSF on its own left quite a bit to be desired, the JBoss Seam project really has filled in the gaps in JSF, and in fact brought Java web development closer in agility to the Rails and Grails of the world that tout quickly built and deployed web applications.

    But the thing that you continue to hear is that programming in JSF is painful. And you hear that EVERYONE used to use Struts. And that it is time to move past Struts. And given that, you have to consider Webwork and the merger of Struts2 into that framework - and their claims of rapid development. But you also have to consider Spring WebFlow and how that may help solve your JSF ills given that everyone is building off of the Spring Framework and they have been so good about keeping the framework updated and integrating the best of what is out there while innovating themselves. And then if you are looking at Spring WebFlow, you kinda have to go "Wait, but what about Spring MVC?"

    Given its age, you might quickly dismiss Spring MVC until you realize that Grails is built upon it. Grails, that web platform that every java developer is either working with, or intends to work with soon. (Come on, you all have made the Ruby/Rails, Groovy/Grails, JRuby decision in favor of G2, right? I mean all the flexibility of what is out there in the Java world on top of the JVM, with a language that doesn't suck the life outta you....) And then you have to wonder that if you build upon Spring MVC as well as using Groovy and Grails where appropriate, might you be able to make that killer app in half the time.

    But wait, you didn't think your choices were nearly that simple did you? There is this wonderful software company out in Mountain View that we need to pay attention to. In Google We Trust, right? And even if you don't worship at the Temple of the G (TOTG) like Sprout, you don't want to ignore them. And, if you've looked at the Google Web Toolkit (GWT) and weren't at least slightly impressed, I would be surprised. And if you are looking at the GWT, you can't totally ignore Yahoo's YUI - maybe with some of what Prototype, Scriptaculous, or DoJo offer you. And then someone will come over and point out Echo2 to you, and well, you have to admit, their demo looks nice. And well, there is Adobe Flex, and OpenLaszlo - I mean after all, isn't Web 2.0 all about Rich Internet Applications? And surely you've heard that the performance of Swing is so much better these days and the "power of the modern Java applet".

    So at the end of it all, you've got yourself a lot of R&D to do, and just as you think you've got a good grasp of the offerings out there, new and improved versions are out. And don't worry, someone else is also busy working on a new and greater web framework that you have to consider.

    There are so many different aspects of software development and technology that it isn't always appropriate to post them into a single blog. To aggregate or not....

    Well, here on this blog you will get a chance to see a melding of posts that are on translucent development, which is very software and secure coding focused, with the Web 2.0/Content Management/Design posts that are hosted on translucent design.

    I hope you enjoy and look forward to your feedback.

    Friday, October 14, 2005

    on blogging

    So I have had a livejournal account for quite a while now - but I don't feel that I have a journal at all. I allow myself to write freely from time to time, but how do you remove the audience? And is the goal even to remove the audience. After all, if I were just writing for myself, then obviously a blog isn't the appropriate place. Sharing, feedback, and divergent ideas are all aspects of blogging. But somewhere in the last few years livejournal seemed to have become a requirement in the circle of people I know. And instead of a place for interesting and intriguing writing, it has become instead a daily account of when and where people do anything and everything. Don't get me wrong, I'm interested in what is going on in some of these people's lives - but quite frankly I don't want to know what the majority of you had for breakfast, or at what time it exited your body.

    And when almost anyone and everyone that you come in contact with in any social way are all connected via one network - no longer for an appreciation for one's writings, but rather an extension of socializing - there will be drama. And sometimes it feels that to avoid drama is to avoid writing. And that wasn't the intent of blogging when I first started.

    So I've considered for a while actually starting another blog and not really mentioning it to many people (or possibly nobody at all) and instead just write - and if people drift in that's great. If not, that will be great too. The plan can come later, but for now I just want to be able to get some thoughts out.