Java

Over the past week, there have been several articles, blog posts and security institutes discussing the latest release of the OWASP Top 10, and now I think the time's right to join the discussion. All this chatter doesn't come as a surprise to me (and likely others) who have been actively involved in the application security business for the past decade. I would argue that the relatively constant nature of the Top 10 (or at least the top 5) can be interpreted two ways. It can be as much an indicator of poor secure development practices as it can be interpreted that we've gotten better at finding the top 5 security issues in the first place. Depending on which day you ask me, I can fall on either side of the line. For me, one of the more interesting aspects of the latest Top 10 is what's changed. In this case, one of the biggest (and, depending on your involvement with the Top 10, the most controversial) changes is the introduction of A9, using components with known vulnerabilities. On the surface, this seems to be a no-brainer; some may argue whether something so basic even belongs on this list since it seems so obvious. But the reality is most people simply don't even know they are using components with known vulnerabilities. This basic security blocking and tackling is missing from many secure development initiatives (trust me, I've seen my fair share and this has never been a focus). All of this discussion surrounding basic security blocking and tackling reminds me of some guidance my son's teacher gave him and his classmates on graduation day. As you can imagine (and maybe you have heard the same), my youngest child just recently moved from grade school to middle school, and his grade school teacher spoke to all the parents on graduation day and reminded the kids (then mostly 10- and 11-year-olds) how important good hygiene is when children are maturing. He reminded us of the obvious, yet a thought that can be so easily forgotten.
He reminded us that peers and teachers appreciate a diligent approach to hygiene basics. This approach is like OWASP adding A9 to a security threat list. It's easy to take these basic principles for granted, but sometimes we just need to be reminded. Much like you don't want to start your day without the basic elements of hygiene, you shouldn't start your application's journey on a bad foundation, which is why I'm happy to see that something that on the surface seems so basic is getting the needed attention. Recognizing not to use components with known vulnerabilities starts the right security discussion. I am glad OWASP recognizes the need for basic hygiene. It may seem ironic that arguably one of the most well-known security lists for web-based vulnerabilities in the world includes language to not use components that are vulnerable. I would argue (and I welcome the argument) this is one of the most important points on the list and one everyone should be aware of. I consider this one of the foundational elements of any secure application development initiative. Having spent the last decade focused on application security, I can share many lessons learned, but one of the biggest lessons I've learned is how security professionals can have the greatest influence on development. It's not as difficult as one may think. It starts by delivering solutions that fit the "practice of the practitioner". What does this mean? It means not only delivering tools that work within the existing developer ecosystem (almost all would argue they do), but it also means delivering the functionality most useful to that group, scaled by their capacity to effectively use it in the first place. I would argue most do not fill this last piece. One of the benefits of working with Sonatype now, an organization that understands modern software development, is that we aren't just another security company building security tools for security people. We are an organization with a passion for both s
about 2 hours ago
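The A9 point above, that most teams do not even know which components they ship, comes down to two mechanical steps: build an inventory of what you depend on, then match it against advisories by version range. The following is an added example written for this page, not code from the post's author or from Sonatype's tooling. The pom.xml and the advisory list are constructed with hypothetical artifacts (nothing here refers to a real library or a real CVE), the advisory tuple format (first affected version, first fixed version, id) is an assumption for illustration, and the function names are illustrative. It only reads direct dependencies from one POM; a real check must run over the resolved tree (for Maven, the output of `mvn dependency:tree`), since most vulnerable components arrive transitively.

```python
"""Inventory Maven dependencies and match them against advisories by version range.

Added example, not the post author's or Sonatype's tooling. The pom.xml and the
advisory list are constructed with hypothetical artifacts; the advisory format
(first affected version, first fixed version) is an assumption for illustration.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml: hypothetical coordinates, not real libraries.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>widget-lib</artifactId><version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>json-mapper</artifactId><version>2.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>http-client</artifactId><version>3.1.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisories: (groupId, artifactId, first_affected, first_fixed, advisory_id).
SAMPLE_ADVISORIES = [
    ("com.example", "widget-lib", "1.0.0", "1.5.0", "EXAMPLE-ADV-1"),
    ("org.example", "http-client", "3.0.0", "3.0.4", "EXAMPLE-ADV-2"),
]


def version_key(version, width=4):
    """Numeric comparison key: '1.10.0' must sort after '1.4.2', which plain
    string comparison gets wrong. Non-numeric parts (qualifiers) count as 0."""
    nums = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    return tuple((nums + [0] * width)[:width])


def list_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each declared dependency.

    Version is None when it is managed by a parent POM or BOM; such entries
    still need resolving before they can be checked."""
    root = ET.fromstring(pom_xml)
    return [
        (dep.findtext("m:groupId", namespaces=POM_NS),
         dep.findtext("m:artifactId", namespaces=POM_NS),
         dep.findtext("m:version", namespaces=POM_NS))
        for dep in root.findall(".//m:dependency", POM_NS)
    ]


def find_known_vulnerable(deps, advisories):
    """Match each dependency against advisories where first_affected <= v < first_fixed.

    Returns (hits, unresolved): hits are (coordinate, advisory id, remediation),
    unresolved are coordinates whose version could not be determined from the POM."""
    hits, unresolved = [], []
    for group, artifact, version in deps:
        if version is None:
            unresolved.append(f"{group}:{artifact}")
            continue
        for adv_group, adv_artifact, first_affected, first_fixed, adv_id in advisories:
            if (group, artifact) != (adv_group, adv_artifact):
                continue
            if version_key(first_affected) <= version_key(version) < version_key(first_fixed):
                hits.append((f"{group}:{artifact}:{version}", adv_id,
                             f"upgrade to >= {first_fixed}"))
    return hits, unresolved


if __name__ == "__main__":
    hits, unresolved = find_known_vulnerable(list_dependencies(SAMPLE_POM), SAMPLE_ADVISORIES)
    for coordinate, adv_id, fix in hits:
        print(f"KNOWN VULNERABLE {coordinate} ({adv_id}): {fix}")
    for coordinate in unresolved:
        print(f"UNRESOLVED VERSION {coordinate}: resolve via parent/BOM before checking")
```

The version comparison is the part teams get wrong when they hand-roll this: comparing "1.4.2" and "1.10.0" as strings puts 1.4.2 after 1.10.0, so a range check silently misses affected versions. Dependencies whose version is inherited are reported separately rather than skipped, because a silently skipped entry is exactly the "don't know what we're using" failure the post describes.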
Precautions to safeguard client data and infrastructure are an MSP's responsibility; this extends beyond the client's sphere of access to MSP employees and consultants. MSPs must employ some degree of security to cover their own access, not just that of their clients. A man walks into the doctor's office. He hasn't been feeling well. A virus has been floating around the office and the man feels he's caught it. The doctor walks in, smiles and picks up the chart. He starts examining the man and, as he writes a prescription, advises him to keep sanitary and wash his hands several times a day. Do you trust this doctor? Especially after he prescribes vigorous hand-washing but forgot to wash his own before poking and prodding during the exam. Obviously this doctor loses credibility. This moral is a lesson that MSPs (managed service providers) must heed. MSPs frequently tell their clients to treat data in a secure fashion lest it be compromised, by hack, by carelessness or by lax standards. It is only natural to expect your MSP to abide by certain security practices to prevent client data from becoming exposed.
about 5 hours ago
By working with IT across the software development lifecycle via cloud-based DevOps, development teams can decrease software bottlenecks, increase code output and be seen as drivers of the business. I have a confession. I am Shadow IT. I am the guilty party operations and security love to hate because I expense tens of thousands of dollars in cloud services... every month. Truth be told, my team and I couldn't afford to wait in line for IT to provision the resources we needed to begin work. We had goals to meet and objectives to achieve, all of which didn't include waiting in line for IT to give us virtual machines, development platforms or set up sandboxes so we could begin work. With a lengthy approval process and cost justifications, there was no way I would have been able to secure either the physical infrastructure or cloud vendor approvals I needed to achieve the business unit's goals. And, honestly, the risk of choosing a vendor that would leak our data, or otherwise put the business at risk, seemed a lot lower than the risk of not getting my job done. So, even though my monthly cloud bill continued to rise, it didn't surprise me too much that I was never questioned about the expense because my team was delivering. And that is exactly what everyone from the business side of things cares about: is development creating new applications and/or services that can be brought to market before the competition? Can we secure 'first-mover' status or market leadership because development is firing on all cylinders? These are the questions marketing, business development, and other teams ask. Not, did central IT get you those VMs you needed?
about 5 hours ago
In a previous post we showed how we hooked up our blog's WordPress application with the new Compuware APMaaS offering. Since WordPress is a PHP application we use PurePath for PHP to monitor it. We highlighted that we got an alert about a response time violation on some of our blog posts. In this follow-up article I want to show you how we get to the root cause of this problem, which turns out to be a third-party WordPress PHP plugin that detects bad requests, including requests from bots that try to put spam messages in blog comments.
about 5 hours ago
In the course of IT history, many schemes have been devised and deployed to protect data against storage system failure, especially disk drive hardware. These protection mechanisms have nearly always been variants on two themes: duplication of files or objects (backup, archiving, synchronization, remote replication come to mind); or parity-based schemes at disk level (RAID) or at object level (erasure coding, often also referred to as Reed-Solomon coding). Regardless of implementation details, the latter always consists of the computation and storage of "parity" information over a number of data entities (whether disks, blocks or objects). Many different parity schemes exist, offering a wide range of protection trade-offs between capacity overhead and protection level - hence their interest.
about 6 hours ago
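The parity idea in the post above, worked through as an added example that is not code from the post's author: a single XOR parity block computed over a stripe of equal-length data blocks, the scheme behind RAID-5 and the simplest one-parity erasure code. The stripe contents are constructed and the function names are illustrative, not any library's API. It shows the trade-off the post refers to in concrete terms: one extra block (capacity overhead 1/n) lets you rebuild exactly one lost block, while losing two blocks defeats single parity, which is where multi-parity Reed-Solomon codes take over.

```python
"""Single XOR parity over a stripe of data blocks: compute, verify, rebuild.

Added example; the stripe and its payloads are constructed for illustration.
"""

# Constructed stripe of four equal-length data blocks (hypothetical contents).
SAMPLE_BLOCKS = [b"alpha-00", b"bravo-01", b"charl-02", b"delta-03"]


def xor_blocks(blocks):
    """XOR any number of equal-length byte strings together, byte by byte."""
    if not blocks:
        raise ValueError("need at least one block")
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same length")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def compute_parity(data_blocks):
    """The parity block is the XOR of all data blocks in the stripe."""
    return xor_blocks(list(data_blocks))


def verify_stripe(data_blocks, parity):
    """Consistency check: XOR of all data blocks and the parity must be all zero.

    A non-zero result says something changed, but single parity cannot say
    which block changed; that needs per-block checksums or a stronger code."""
    return not any(xor_blocks(list(data_blocks) + [parity]))


def rebuild_missing(blocks, parity):
    """Rebuild the one block marked None; return (index, rebuilt_bytes).

    XOR is its own inverse, so XOR-ing the surviving blocks with the parity
    yields the lost block. Two or more None entries cannot be recovered."""
    missing = [i for i, b in enumerate(blocks) if b is None]
    if len(missing) != 1:
        raise ValueError(
            f"single parity rebuilds exactly one lost block, {len(missing)} are missing")
    survivors = [b for b in blocks if b is not None]
    return missing[0], xor_blocks(survivors + [parity])


def capacity_overhead(n_data, n_parity=1):
    """Extra storage as a fraction of user data: n_parity / n_data."""
    return n_parity / n_data


if __name__ == "__main__":
    parity = compute_parity(SAMPLE_BLOCKS)
    print("parity:", parity.hex(), "consistent:", verify_stripe(SAMPLE_BLOCKS, parity))
    damaged = list(SAMPLE_BLOCKS)
    damaged[2] = None                      # simulate losing one disk or object
    idx, rebuilt = rebuild_missing(damaged, parity)
    print(f"rebuilt block {idx}: {rebuilt!r}")
    print("overhead for a 4+1 stripe:", capacity_overhead(4))
```

The rebuild works because XOR-ing a value with itself cancels it out: the parity contains every block once, so XOR-ing it with all the survivors leaves only the missing one. That same property is why the scheme stops at one failure; with two unknowns in a single equation there is nothing to solve for.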
Big Data as we know it today is more aligned with the analytical processing of large quantities of data. All the predominant use cases identified by the big data product vendors are more aligned with analytical processing. For example, one of the major use cases of Big Data is utilizing social media data for advertisement targeting. Naturally, this kind of processing analyzes a lot of unstructured data and comes up with predictions on customer preferences, and this use case is aligned with analytical processing. To support these kinds of analytical processing, columnar databases have emerged as a natural extension to Big Data processing. Columnar databases only read the columns involved in the query and not the entire row, making them a perfect fit for analytical processing.
about 7 hours ago
Cloud computing is the game changer for the life sciences industry, according to an article on PharmaBiz.com. Globally, pharma majors are deploying cloud technology because it provides data security, compliance and transparency, according to Vikram Anand, associate vice president, cloud-based technology & product delivery services, ArisGlobal. "Cloud is changing the way we deploy technology. Eli Lilly uses cloud services for research and development efforts. GSK has chosen to replace its existing Lotus Notes, Domino, and Postini services for its 96,500 employees worldwide, with everything being hosted on the cloud. Roche uses a pre-clinical SaaS solution to consolidate several key application areas and harmonize all its sites worldwide," he said. The benefit of moving to cloud computing is the on-demand delivery of IT resources via the Internet with "pay-as-you-go" pricing. It allows enhanced collaboration, lower upfront investment, increased return on investment, greater flexibility and faster scale-up of operations. Cloud computing drastically lowers the total cost of ownership, improves collaboration and operational efficiency, and speeds up the R&D processes. Security of data on the cloud is better than in-house systems. Data on the cloud is secure and compliant, Anand added.
about 8 hours ago
Eclipse Day China will take place on June 29, 2013 in Beijing, China. View the full agenda and register here.
about 8 hours ago
Eclipse-IntelliJ Shortcuts Mapping:

Eclipse                                     | IntelliJ                     | Description
Control-1                                   | Alt-Enter                    | Quick Fix
Click the "sync" button on Navigator panel  | Alt-F1 -> "1. Project view"  | Navigate to opened file in Navigator
Ctrl-Shift-F                                | Ctrl-Alt-L or Ctrl-Alt-I     | Format code / Indentation
about 14 hours ago
This post comes from Vladimir Šor at the Plumbr blog. Some of you have been there. You have added the -Xmx option to your startup scripts and sat back relaxed, knowing that there is no way your Java process is going to eat up more memory than your fine-tuned option had permitted. And then you were up for a nasty surprise. ...
about 15 hours ago