Sunday, June 17, 2007
Thursday, June 14, 2007
My view on THE Web-OS
Many people are talking about a Web-OS. Just do a quick search via Google (one of the key players in this WebOS area). The results will be very different: some kind of decent information and ideas, some kind of rumors, all this stuff… I do believe in the idea of a Web Operating System, which will be one of the top technology trends for 2008 or later. But I really miss a cool approach to bridge an existing gap. This is not about putting a web server on each client. This is about the technologies running in the browser, which is still the one-and-only client for web applications. HTML is a markup language for documents, period. JavaScript is a scripting language, easy. Any combination of both technologies might lead to more functionality and even to new trends like Web 2.0. But this comes with high complexity, security issues and huge problems to maintain code (and I’m not talking about debugging). My point is, HTML, JavaScript and AJAX are not the robust and durable building blocks to create a new operating system. This kind of homework must be done before establishing a new operating system; even if it is “just” web. Disappointed?
Tuesday, June 12, 2007
Convergence of SOA and Software as a Service
People might argue that SOA is just another hype in software development. That is definitely true for many applications with the SOA sticker on the box. There is also some kind of misconception about the underlying implementation techniques. For many “experts”, web service technology is the one and only choice (I can’t agree on this!). But the concept of SOA is especially helpful in the phase of mapping use cases (and workflows) to implemented functionalities in scenarios where the interaction (between the functionalities) is changing constantly. This flexibility is one reason to make SOA happen (but, please, not for all types of software applications). In addition, I do see a great opportunity to match the business scenario of Software as a Service with the idea of a Service Oriented Architecture. I’m pretty sure that such companies already have this on the agenda. Me too.
Sunday, June 10, 2007
IT Security in the Software Engineering Process
We don’t need to discuss the significance of security in today’s world. Globalization and worldwide networking come with a lot of opportunities and might lead to more prosperity. But risks and issues must be addressed. We do see many threat vectors increasing. Many attacks are more sophisticated, very focused on a specific target and driven by high criminal energy. This is a big challenge for serious software development. It is a misconception to understand IT security as a compilation of appliances and components like firewalls, IDS or anti-malware. This is not enough! Security must be addressed very early in the development process, at the latest in the requirements engineering phase. As a result, a security architecture that is professionally designed, implemented, put in place, enforced, and maintained must be expected. This process comprises a lot of activities: coding principles, security features, threat assessments, testing (and testing and testing) and many more. And, teams should strive for less complexity. I know, it’s easier said than done. But it is nearly impossible to “make a complex system secure”. Upcoming posts will cover this topic in more detail.
Tuesday, May 29, 2007
Will conventional virus scanners still work in the future?
Most of today’s virus scanners are signature based. This means that they need a footprint of the malware in order to detect and remove the malicious code. There is nothing new about it. It is also a matter of fact that the zoo of malicious code is growing each and every day. Unfortunately, there are no endangered species to be found (unfortunately just in this case, talking about computer worms and viruses). This day-by-day increase has an impact on the signature repository and on the time and load a virus scanner needs to check a computer. You can check this at home. It takes longer and longer to run a complete scan. What’s the way out? Do we need a separate processor core just for scanning the system? This is probably not the best solution. Anti-malware must be reworked; a new approach is needed. This will lead to a merge of different product types: conventional virus scanners and systems that check for anomalies, flaws and vulnerabilities.
Saturday, May 26, 2007
Why do we need a Software Architecture?
Why do we need a Software Architecture? Pretty old question, right? I have compiled an answer by using a simple example. Here we go, in German again:
Why do we need software architecture?
The answer, as so often, is found in real (not virtualized IT) life. Anyone who wants to build a house first turns to an architect. The architect is, next to the site manager, often the most important person over the whole construction period. Why is that? Because houses and software are complex structures. Because know-how and experience are needed to assemble a house from countless components. Because the client does not just want a functional house, but also has aesthetic requirements and many other wishes that he may not state explicitly but nevertheless takes for granted. At handover he expects a house that is functional, safe, robust, durable, maintainable and efficient, for example with respect to energy. That requires an architecture, just as in real IT life. :-)
Tuesday, May 15, 2007
Software Companies in the Media
There was an article about Google and Microsoft in the German newspaper Welt last week. I have sent a comment which was not published. Here we go (I will translate later):
Letter to the editor on “Changing of the Guard for Microsoft”
Unfortunately, the portrayal of the companies Microsoft and Google in the media is often very one-sided and biased. Both corporations are presented as threatening and are sometimes downright demonized. This completely ignores the contribution both companies have made to a modern and networked world. Microsoft has made it possible for millions of people to exchange documents on the basis of a standard. Google, in turn, allows access to information within seconds. This has without doubt accelerated human progress and opened up new opportunities for global growth, quite apart from the many new jobs. The EU in particular should bear this in mind when it keeps bringing new proceedings against Microsoft (and certainly soon against Google too), which often lack any foundation.
Sunday, May 06, 2007
CISSP, Finally ...
... I made it. I passed the exam for CISSP (Certified Information Systems Security Professional) last month. The test has a scope of 250 multiple choice questions (in 6 hours). The title is good for one year.
Sunday, April 22, 2007
Friday Night Television
There was a film on ARTE in Germany, "Wer hat Angst vor Google?" (Who is afraid of Google?), Friday night. It was pretty decent stuff. It is amazing how fast this company is growing. It was also fascinating how Google defines CREATIVITY. No wonder that these guys are as successful as they are. It was also interesting how the Google guys were fighting to keep their homepage as it is, without any ads.
Sunday, February 11, 2007
AJAX and Security
This is bad news. AJAX makes web applications more vulnerable by adding and widening attack vectors. This is because of the extensive use of client-side scripting. Typical attack scenarios are imaginable:
- Method Discovery
- Parameter Tampering
- XSS (Cross-Site Scripting)
- XSRF (Cross-Site Request Forgery)
This is not just true for poor coding. Existing frameworks are prone to such security leaks too. And, such attacks don’t demand extensive geek-knowledge. A couple of reasons can be identified. The fact that JavaScript has no inherent security model might be the most important one. The asynchronous model increases the chance to guess and tamper with parameters. Requests that return JavaScript are especially vulnerable. In general, the increased complexity of client-side scripting makes it harder to avoid un-secure
Distributed Computing
I'm looking for people interested in distributed computing, especially with experience in MPI / OpenMP. I do see a lack of solutions / tools / frameworks to leverage the power of multi-core CPUs and multi-processor architectures. More is about to come ...
Monday, November 27, 2006
My critical view on today’s web client utilization
Using web clients (aka thin clients) comes with a lot of advantages. It’s cool, it’s deployable, it just depends on the web browser, not on the underlying operating system, and and and… There are a couple of other reasons why web applications are state of the art for many stakeholders in today’s user interface development. I do support this; but not for all use cases. For sure, e-commerce web sites have no other choice, and this is cool and okay. But I would like to remind all the excited folks that web applications use a simple paradigm: web browser, DHTML (HTML, JavaScript) via HTTP and web server. The bottleneck from the technical perspective is HTML. HTML is basically a markup language for text, not for interaction and gimmicks. As a result, today’s web applications use frameworks based on script languages to recreate user interface behavior. The results are complex, hard to maintain and often not stable. And, I do believe that the big players in this game are doing research for new concepts; especially regarding the logic on the client (which is basically JavaScript these days).
Sunday, November 26, 2006
AJAX and Security
AJAX is everywhere. No AJAX, no cool website. Well, interactive behaviour is mandatory; I do agree. But is anybody investigating what AJAX means for web application security? I did some research. More on this later this week.
The beginning is the beginning ...
Hey, this blog is about software; software architecture in general. My objective is to post information (based on some experience) on current topics. And, I don't wanna stress buzzwords. Everybody is excited about SOA, not me. I'm interested in good software. I know. It sounds simple. But it is hard work to develop decent code, not talking about big projects and a crystal clear architecture. Well, let's go.