MyEclipse Also Turns 10

The Eclipse open source community is celebrating a birthday this month, as we reported last week. So is one of the founding members of the Eclipse Foundation: Genuitec announced the availability of version 10.0 of its MyEclipse Java EE IDE.

Flower Mound, Texas-based Genuitec's MyEclipse is both a Java EE IDE and a Web development tool suite for the Eclipse platform. The company promotes the tool for developers using UML, JSP, XML, Struts, JSF and EJBs. It supports Ajax, Web Services development, Java Persistence, extended database support and application server integration.

MyEclipse Workbench Enterprise Edition 10.0 is built on Eclipse Indigo (v3.7, released in June), and it continues the company's support for the Apache Maven build automation and software comprehension technology.

The production release supports HTML5 and Java EE 6, and comes with new support for JPA 2.0, JSF 2.0, EclipseLink 2.1 and Apache's OpenJPA 2.0 release. The company overhauled the MyEclipse in-workspace deployment in this release, making it easier for team members to collaborate and to share workspace settings or user profiles. MyEclipse Blue Edition supports the latest build of WebSphere Portal Server 7.0 and WebSphere 8, as well as WebSphere 6.1 and 7. IBM's DB2 series is supported with database integration connectors on both Windows and Linux operating systems. MyEclipse for Spring incorporates a suite of Spring-specific add-ons for Eclipse, including bean wizards, bean editors, Spring configuration editors, Spring Web Flow editors, content assist, refactoring support, project validation, Spring DSL and bean dependency graphs.

I've had the pleasure of interviewing MyEclipse CEO Maher Masri several times, and I've found him to be a keen observer of the Eclipse ecosystem. In the press release for this product announcement, he said, "Genuitec was born in 2001 out of sheer frustration that the tools market did not do a better job supporting developers, so in 2003 -- with the founding of the Eclipse Foundation -- we introduced MyEclipse... The mission of Genuitec has remained the same over these 10 years: to give developers an enterprise technology driven by their demands at a price they can pay out of their own pocket if necessary...."

When I talked with Masri in 2008 about the MyEclipse 7.0 release, he said, "Most people think of Eclipse as a platform for development tools. We subscribe to the idea that Eclipse can be a framework for any kind of application."

In 2007, when I talked with Masri about the then-new Eclipse Pulse, an online social network and product catalog combo for Eclipse users, he observed, "The Eclipse Foundation walks a fine line between providing a platform and consuming its own ecosystem. It relies on companies like us to take that work forward -- to provide tooling and technologies on top of the platform, and to consume that platform. And that enlarges the overall ecosystem."

When I talked with Masri back in 2005 about MyEclipse 5.0, he said, "The tooling is just a stepping stone into what is becoming a very exciting market."


Posted by John K. Waters on November 9, 2011


JetBrains Offers a New IDE for Objective-C

I keep thinking of JetBrains as a Java tool maker because of the enduring power of its IntelliJ IDEA code-centric Java IDE. But that's a mistake. The Prague-based company makes tools for software developers, some of whom are Java jocks. That fact was brought home to me this week by Eugenia Dubova, JetBrains' indefatigable marketing manager, who let me know that her company has added another dev tool to its ever-growing product catalog.

The new one is an IDE for Objective-C developers, dubbed AppCode. The company is billing its new offering as "a perfect choice for developing iOS and Mac OS Apps," because of its integration with Xcode (the suite of tools for creating apps for Mac OS X). The Xcode interoperability is seamless -- you just open or create Xcode projects from within the AppCode IDE.

But the tool set comes with a bunch of features and capabilities, including the ability to run and debug iOS apps on a device or in a simulator; a visual unit test runner for OCUnit; automatic memory leak detection with a quick-fix option; support for such iOS 5 features as Automatic Reference Counting; and Version Control Systems integration with a unified UI for most popular VCSs (Git, SVN, Mercurial, Perforce, CVS). Look also for intelligent code completion (a JetBrains trademark), refactorings, auto-import, one-click code navigation, automatic code formatting and an integrated graphical debugger over GDB or LLDB.

Maxim Shafirov, the AppCode project lead at JetBrains, says his company's goal with the new IDE is to help developers maintain the high quality of their code "so it equals the high standards for UI and user experience that iOS and Mac OS platforms apply."

In a statement, he added: "After 11+ years of successful IDE development, we have formed a set of development best practices and code quality standards that we think will benefit the fast-evolving community of Objective-C developers. Thanks to tight integration with the existing set of tools provided by Apple, we can see AppCode quickly becoming a key tool in the arsenal of professional Objective-C developers."

Canned but cool.

JetBrains was among the first dev tool makers to support Rails 3.0, which it did via its RubyMine IDE. The company also makes a Python tool (PyCharm); a PHP tool (PhpStorm); a slew of .NET tools; performance tools; CI and build management tools; a bug and issue tracker; and a tool for JavaScript, HTML and CSS (WebStorm), among others.

There's a free 30-day trial version of AppCode available now for download on the JetBrains Web site.

Hodně štěstí. (Hoping that's Czech for good luck.)

Posted by John K. Waters on October 28, 2011


Zend's Gutmans: 'Step-Function Improvement' Coming to Development Thanks to Cloud

Zend Technologies CEO Andi Gutmans isn't one of Silicon Valley's most dynamic executive conference keynoters, but he's still one of my favorites. Benioff and Ellison are true showmen and fun to watch, but nobody cuts to the chase like Gutmans. He just walks onstage and tells you what his company is doing, clearly and in context. No yacht race videos. No musical tributes to our 50th state. No chats with celebs or digs at competitors. It's truly a beautiful thing.

But Gutmans slipped his Zen-like reserve yesterday during a post-ZendCon-keynote sit-down with a handful of industry reporters when the topic turned to the long-term implications of the cloud for developers.

"Everyone is always talking about how developers are important, but in my opinion very few are actually doing anything about it," he said. "They're focused on their production environments and prettying them up to attract developers. We think that there really can be a step function improvement in how developers develop."

"Step function" is math geek for a big, sudden change, and it's a fair description of Zend's new phpcloud.com. Gutmans introduced his company's new platform and partner ecosystem for the development and delivery of PHP-based Web applications to attendees of the annual ZendCon PHP conference gathered in the Santa Clara, Calif., Convention Center. A key component of the new platform is the Zend Developer Cloud, a toolset designed to exploit the inherently collaborative nature of the cloud.

"I really think that companies have to think very differently about how people develop and engage in the cloud," Gutmans said. "The cloud actually gives you the opportunity to foster engagement and collaboration. It's not that it's impossible to do it on-premise, but it's very hard... Think about the Web frameworks -- Zend Framework (PHP), Rails (Ruby), Django (Python) -- they emerged about five years ago. I think there's another step function that we can add, and it's around enabling developers to better collaborate to make the life cycle smoother. Even Zend now is just scratching the surface of what is possible."

"The sheer fact that you have all these developers now in a centralized location," he added, "where you have proximity of storage and proximity of communications, and so on -- our ability to build on top of that and make it easy for them to communicate is going to make many things possible. We've been thinking about how we get these developers actually engaged in best practices, how we get them communicating. Maybe something like Twitter, where they say, 'Hey I've got a question. I've got this function that isn't working for me.' And then one of 10,000 developers online at that moment gives you an immediate answer. That's really for me the biggest piece that I'm excited about."

Forrester Research analyst Jeffrey S. Hammond was also at that meeting, and he observed that one of the most powerful current drivers of cloud adoption is mobile application development.

"The data are showing us a rapid ramp up the S curve in terms of technology adoption and the number of developers that are writing mobile apps, either web based or native," Hammond said. "When we dig into those mobile applications and look at how they're constructed, I think what we're seeing is mobile driving demand for cloud adoption. Because essentially the cloud-based scale-out services are great ways to back those mobile apps when you have no idea how quickly they're going to take off, and to do that very economically."

"It's almost like this Reese's Peanut Butter Cup thing," he added, "where the cloud makes mobile better and mobile makes the cloud better."

Hammond also compared the results of a 2010 Forrester survey of the Eclipse community, which showed that around 19 percent of respondents intended to deploy on private clouds, with a 2011 survey, which showed that about 25 percent of respondents were cloud bound.

"There's really only one reason developers are going to the cloud," Hammond said. "It's fast. They get much quicker feedback on what they're doing in a realistic environment. And they're saying, If the ops guys can't give that to me on my private cloud, I'm just going to the public space."

Gutmans said that the Zend Developer Cloud will continue to be one of his company's top initiatives. "What we showcased today is a big step up," he said, "but it's just the beginning."

Posted by John K. Waters on October 19, 2011


Chair Says Java Community Process 'Definitely Unstuck'

During the Tuesday morning keynote at last week's JavaOne conference, Rob Benson, director of runtime systems at Twitter, took the stage to announce that his company would be joining both the OpenJDK community and the Java Community Process (JCP). Twitter wants to work with members of the JCP and the OpenJDK Community, Benson said, to help evolve the Java platform.

In a blog post on the Twitter Developers site, Twitter's open source manager Chris Aniszczyk wrote, "The JVM and its rich ecosystem are critical to our infrastructure and have helped us scale up as a business. Additionally, the polyglot nature of the JVM allows programming languages such as Java, Scala, Ruby, Javascript and Clojure to coexist seamlessly and, thus, lets Twitter choose the optimal language for the task at hand."

Twitter was also among five new candidates for seats on the JCP's Executive Committee (EC). During a JavaOne press panel, JCP chair Patrick Curran reminded reporters about the current election, which, according to the JCP Web site, will be in its "ballot open for voting" phase until October 31. The other candidates include Azul Systems, CloudBees, The Central Ohio Java Users Group and Software AG.

The EC currently counts two other Java user groups among its members: the Brazilian group SouJava and the London Java Community. "Both are working really well to bring the regular Java developers into the process," Curran said, "as a way of focusing their energies and helping them to understand how the process works."

"This is much more competition than we've seen in recent elections," Curran added, "and I see that as a very positive sign."

When Curran took over as chair of the JCP in 2007, he said, the organization didn't have the best reputation.

"People called us commissars," he said. "We were accused of being authoritarian and secretive, and just not community oriented. From the beginning I said that, should I have the opportunity, I'd like to open up the process and turn this into a real community organization, to allow the millions of Java developers out there who wanted to, to actively participate. I think now we've made some significant steps in that direction."

The committee took a big first step in the form of Java Specification Request (JSR) 348, proposed in May and led by Oracle and the combined Executive Committees as the Expert Group, which aims to "update and revitalize" the JCP itself.

"We're revising the process through the process," Curran said.

JSR 348 ("Towards a new version of the Java Community Process") tackles four areas, including Transparency, Participation, Agility, and Governance. The longest list of proposed changes comes under the "Transparency" heading. The JSR calls for greater transparency into Expert Group (EG) operations of the JCP with a mandate that certain recommended practices become requirements. The example listed: "requiring all EG business to be carried out on public mailing lists, requiring issues and comments to be tracked through a publicly viewable issue-tracking mechanism, and requiring EGs to respond publicly to all comments."

The JSR also seeks greater transparency into the operations of the EC itself, the election process and the licensing process.

"We wanted to work on things that were important, but relatively non-controversial, and so, easy to do in a short period of time," Curran said. "We picked the low-hanging fruit... primarily focusing on transparency [of the process]. In the future we are going to mandate that all expert groups do their work out in the open, basically with public mailing lists and public issue trackers, making it very easy for members of the developer community to participate."

Next on the committee's to-do list: the merger of the two JCP ECs: the SE/EE EC and the ME EC.

"It seems like the right thing to do," Curran said, "that we should have a single executive committee which will deal with all of the three platforms -- because it is one platform with three flavors."

Down the road, Curran expects the EC to take on tougher intra-organizational changes, including issues around intellectual property rights, the Java Specification Participation Agreement (JSPA) and the Technology Compatibility Kit (TCK).

"We decided to put off tackling some of the more difficult issues so that we would actually achieve something this year," Curran said, "including revising the JSPA and looking at the whole question of licensing."

Although things were "kind of quiet" during the last year or two of Sun's stewardship of Java, Curran said, since Oracle assumed that role, things have "heated up" at the JCP. He estimated that since the JSRs for Java SE 7 were approved in December, about 17 JSRs have been submitted. That's compared with a handful submitted in the previous few years.

"The JCP is definitely unstuck," Curran said.

Posted by John K. Waters on October 12, 2011


Oracle Embraces JavaFX, Plans To Open Source It

JavaFX was something of a darling of JavaOne this week. Oracle not only came through on its promised update of the Java user interface (UI) platform, it delivered additional features, such as a new HTML editor and the new WYSIWYG GUI design tool, Scene Builder, with this release. And JavaFX Script (which still exists as the open source Visage) has been replaced by Java APIs, so Java jocks can use their favorite IDEs to develop, compile and debug JavaFX 2.0 applications.

JavaFX 2.0 also adds support for Flash XML (FXML), an XML-based declarative markup language for defining the user interface in a JavaFX application. Scene Builder is essentially an FXML editor.

Oracle explains why FXML is a good thing on its JavaFX 2.0 documentation page:

"One of the advantages of FXML is that it is based on XML and is familiar to most developers, especially web developers and developers using other RIA platforms. Another advantage is that FXML is not a compiled language; you do not need to recompile the code to see the changes you make. A third advantage is that FXML makes it easy to see the structure of your application's scene graph. This, in turn, makes it easier to collaborate on user interfaces among the members of your development team."
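As an added illustration (not from the post or from Oracle's documentation), here is what that "scene graph in markup" looks like in practice: a small JavaFX 2.0 UI declared in FXML and loaded at run time with FXMLLoader, with the nesting of the XML elements mirroring the VBox-to-Label-and-Button tree. The FXML text, the FxmlDemo class name and its nested Controller are constructed for this example; in a real project the markup would live in a separate .fxml file edited by hand or in Scene Builder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javafx.application.Application;
import javafx.fxml.FXML;
import javafx.fxml.FXMLLoader;
import javafx.scene.Parent;
import javafx.scene.Scene;
import javafx.scene.control.Label;
import javafx.stage.Stage;

public class FxmlDemo extends Application {

    // Constructed FXML document. The element nesting IS the scene graph:
    // VBox -> { Label, Button }. Nothing here is compiled; editing the text
    // and reloading changes the UI without recompiling the Java code.
    private static final String FXML = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
        "<?import javafx.scene.control.*?>",
        "<?import javafx.scene.layout.*?>",
        "<VBox xmlns:fx=\"http://javafx.com/fxml\"",
        "      fx:controller=\"FxmlDemo$Controller\" spacing=\"8\">",
        "    <children>",
        "        <Label fx:id=\"status\" text=\"Not clicked yet\"/>",
        "        <Button text=\"Click me\" onAction=\"#onClick\"/>",
        "    </children>",
        "</VBox>");

    // Controller class named by fx:controller. FXMLLoader instantiates it,
    // injects the Label whose fx:id matches the field name, and wires the
    // Button's onAction="#onClick" to the method of the same name.
    public static class Controller {
        @FXML private Label status;          // injected from fx:id="status"

        @FXML private void onClick() {       // bound via onAction="#onClick"
            status.setText("Clicked");
        }
    }

    @Override
    public void start(Stage stage) throws Exception {
        // Load the markup from an InputStream; a file-based project would
        // pass a URL to the .fxml resource instead.
        FXMLLoader loader = new FXMLLoader();
        Parent root = loader.load(
            new ByteArrayInputStream(FXML.getBytes(StandardCharsets.UTF_8)));

        // The loaded Parent is the root of the scene graph declared above.
        stage.setScene(new Scene(root, 240, 100));
        stage.setTitle("FXML demo");
        stage.show();
    }

    public static void main(String[] args) {
        launch(args);
    }
}
```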

JavaFX Script was created by Sun Microsystems engineer Chris Oliver back in 2006 as something called F3 ("Form Follows Function"), which, as he wrote in his blog back then, was created "to explore making GUI programming easier in general."

Oracle threw a spotlight on JavaFX 1.3 last year when it announced the Composer plug-in for NetBeans 6.9, which provided a visual layout tool for building JavaFX GUI apps along the lines of the Swing GUI builder for Java SE applications.

During Tuesday's keynote presentation, Nandini Ramani, vice president of development for Client Java at Oracle, and Adam Messinger, Oracle's VP of development for Fusion Middleware, demo'd JavaFX running on both an Apple iPad and a Google Android-based Samsung Galaxy tablet. "We want to hear from the community," Ramani said. "If this is something you want to see, we're happy to make it a priority." The next release of JavaFX (version 3.0) will be bundled with Java SE 8, Ramani told reporters yesterday.

She also disclosed Oracle's plans to open source JavaFX. Oracle will submit a proposal to open source the JavaFX platform as a new project within the OpenJDK Community, she said, "ASAP." The company plans to start by contributing the JavaFX UI controls and related libraries, and will contribute other JavaFX components in multiple phases.

"I think [open sourcing JavaFX] is the right decision," Ramani said. "Now that we've reverted back to Java APIs, it's part of Java and makes sense there. And we believe that clients on the UI side need an updated, state-of-the-art set of APIs, and JavaFX is the right solution for that. It just makes sense for it to be in the community."

One of the many sessions at this year's conference that I regret not being able to attend is Gorilla Logic senior software developer Eric Bruno's Monday presentation, "JavaFX on Wall Street." This session looked at a project Bruno has been engaged in for "a leading national bank" in New York City, and his work with teams to build and deploy JavaFX components in an existing Java Swing application used by companies globally. Bruno deployed JavaFX 1.3.1 successfully, and is now moving to JavaFX 2.0.

With two conferences to navigate, it's not surprising that I was unable to connect with IDC analyst Al Hilwa, who was also onsite this week. But I managed to get his views on Oracle's JavaFX announcements via e-mail.

"Overall I like what I am seeing in the way JavaFX is moving," Hilwa said. "Turning it into a framework to be used from within Java is definitely a better approach... I would love to see it [turn] Java back into a tool for cross-platform mobile development."


Posted by John K. Waters on October 6, 2011


User Group President Looking Out for Oracle Developers

I spent Tuesday morning at the Hilton on JavaOne duty, but I made the long trip back to the Moscone Center after lunch to chat with some Oracle customers. My favorite of the day was Mike Riley, president of the Oracle Development Tools User Group (ODTUG). Riley is a big, affable guy with more than 20 years of experience in the field and what you might call a self-conscious passion for Oracle tools and the community that uses them.

"That's just another way of saying I'm an old fart," he said.

The ODTUG was founded about 18 years ago "by developers, for developers," Riley told me. It's an independent, not-for-profit, global organization that aims to provide education, support, advocacy and networking opportunities for developers working on Oracle Databases. Members, who number close to 25,000, Riley said, design applications, model data, write code, manage app systems, maintain legacy code and, as the Web site puts it, "are key to the middle-tier technology in Oracle Fusion."

The group started with a focus on Designer, and evolved into several different technologies, Riley said. Today, it supports virtually any tool that can be used to develop applications against an Oracle DB, whether that's Oracle's own tools (JDeveloper, Application Express, Forms and Reports, SQL Developer) or tools from a third party.

Riley was happy about many of Oracle's announcements at this year's show, including the new Exalytics Intelligence Machine, a hardware-plus-software business intelligence management appliance designed to handle relational, unstructured, and multidimensional data. He said it would be very good for the business intelligence and Hyperion users. But he was particularly excited about one of the quieter announcements at this year's conference: the release of 11g R2 Forms.

"We're thrilled with that news," he said. "It shows that Oracle is extending their commitment to Forms even further down the line, which is important for a lot of our users."

Oracle Forms, of course, is software for developing screens that interact with an Oracle database. It's a component of Oracle's Fusion Middleware stack, and it's widely used to design and build enterprise applications. On its website, Oracle pledges to continue supporting Forms. The company "remains committed to the development of this technology, and to the ongoing release as a component of the Oracle platform."

Many of the organizations in which ODTUG's core membership work are heavily invested in Forms, Riley said, including his own employer. Riley's day job is project manager and development DBA for Hortica, a company that specializes in providing insurance and employee benefits for the horticulture industry (garden centers, nurseries, florists, landscape contractors, etc.). The company was founded in the 1800s by a group of florists who wanted to protect their greenhouses from the ravages of hail.

"Oracle Forms is what we do," Riley said. "We've developed a lot of custom Forms that we're hoping that we don't have to get out of."

When Riley started with Hortica, the company had just purchased Oracle 6, and Forms was in the 2.3 release, so he's seen a lot of changes in the technology.

"Most of them have been good," he said. "It's nice to have an integrated solution that's optimized for the entire stack. You have no questions about the parts you get not being optimal for your software or the database behind it."

Riley is also one of 25 user-group leaders promoting a new tool developed by the International Oracle Users Group Community (IOUC) at this year's conference. Dubbed the "Your Path to Understanding Fusion Applications" tool, it's designed to help users... well... understand Fusion applications. The tool reportedly takes the form of an online map that resembles a London Tube map. It was drawn by Sten Vesterli from the Danish Oracle User Group. I say "reportedly" because it won't be live for another two months.

"Because we do the Fusion development tools, we feel that we are a critical component of the Fusion application ecosystem," he said. "So it makes sense for us to participate in this project."

Riley was quick to plug his organization's upcoming Kscope 12 Conference in San Antonio, Texas, June 24-28 at the JW Marriott. Formerly called ODTUG Kaleidoscope, the event features sessions and presentations on a pretty wide range of technologies, including Hyperion and Essbase, not to mention Forms and Reports.

"If you use Java, PHP, ColdFusion, Toad, Visual Basic, or Visual C++, among others, ODTUG is the forum for talking about your approach and learning what other developers are doing," the website declares.

"We have a lot of good resources for the community," Riley says. "But we're not the only user group out there. My message to the customers of Oracle is definitely to get involved in a user group. They're that extra layer of support, and influence, that users really need."


Posted by John K. Waters on October 5, 2011


Oracle Embraces NoSQL with its Big Data Appliance

The annual Oracle OpenWorld conference got underway this week, and I was among thousands of attendees swarming into San Francisco's Moscone Center to hear Larry Ellison's keynote opener on Sunday night, and then again this morning for the early a.m. presentations.

So far, it's been kind of a pitchfest on the keynote stage, with Oracle execs flogging existing product lines, announcing some new ones and pounding on its conference theme: "Hardware and Software: Engineered to Work together."

But one announcement -- the company's planned Big Data Appliance -- was generating rumor-buzz a couple of weeks ago, largely from the NoSQL community. The BD Appliance is an "engineered system" that combines Apache Hadoop, the framework for working with data-intensive distributed applications that's based on Google's MapReduce; the R software environment for statistical computing and graphics; and Oracle's version of the NoSQL database.

It's the NoSQL news that generated the buzz.

NoSQL databases, the non-relational, distributed, schema-free, open-source, horizontally scalable DBs that emerged around 2009, have been getting attention as the most effective DBs for the Web, the cloud, and mobile computing. There are quite a few of them out there: Google, Amazon, Facebook, and LinkedIn all have NoSQL databases.

Oracle was short on details about its NoSQL database. A company Web page offers only a couple of paragraphs, in which it's described as "a commercial grade, general-purpose NoSQL database using a key/value paradigm," which "allows you to manage massive quantities of data, cope with changing data formats, and submit simple queries." There was no indication that it would be open source, and Oracle has not commented about that.

I heard from two NoSQL vendors before the show when the rumors were circulating about Oracle's plans. The first, Couchbase, a Mountain View, CA-based provider of DBMSs built with the Apache CouchDB document-oriented database that can be queried and indexed in a MapReduce fashion using JavaScript, sent me an e-mail. In the message, the company's CEO, Bob Wiederhold, offered an opinion that slaps Big O on the back with one hand, and (gently) in the face with the other.

"To date, Oracle has told their customers that NoSQL is useless or, at best, should be used only for a very limited set of use cases," Phillips wrote. "Despite this, over the past two years, we are unaware of a single, Internet application for which Oracle was picked as the database. If Oracle is now ready to join the party on the scalability, performance and data-model-flexibility advantages of NoSQL, we welcome them. We know firsthand that NoSQL is a huge market opportunity, and Oracle would be missing the boat on a major disruptive force in the database market were they to ignore it."

Couchbase co-founder and SVP of products James Phillips noted that Oracle has been, historically, cautious about touting new technologies "that could be viewed as disruptive to their core business model."

"The unveiling of their NoSQL and Big Data technology next week indicates that Oracle is now validating what we at Couchbase have long accepted as the new market reality," he wrote, "[that] there is a fundamental shift in how modern applications are being built, and what those applications need from a data management system. Customers are investing time and money across the 'big three' themes in data management: Big Data, NoSQL, and mobile. And Oracle clearly doesn't want to miss yet another market shift."

I also talked on the phone with Max Schireson, president of 10gen (and a former Oracle employee). 10gen is the creator and chief commercial sponsor of MongoDB, another open source, document-oriented database, written in C++, and first released in 2009.

"I think the interesting question is around the distribution model," Schireson said. "Is it going to be open source? If it's traditional expensive enterprise software, my guess is there won't be a ton of interest. But open source is a disruptive business model that's challenging for a company like Oracle. I can't imagine it would be very attractive to them. But the database space is growing rapidly, and the question becomes, how much of that growth is going to be syphoned off by new players."

Schireson says that his company -- a relatively new player -- is seeing customers moving off Oracle and onto alternative databases. He points to photo-sharing site Shutterfly's recent move from Oracle to MongoDB for the storage of that site's considerable photo metadata. "They did it for the flexibility primarily," he said. "But they got great benefits in terms of scalability and price performance. When that happens often enough, it makes you want to play in that new space."

Schireson blogged about Oracle's then-rumored NoSQL announcement last month. It's worth a look.

Stay tuned for ongoing Oracle OpenWorld/JavaOne rants in this space.

Posted by John K. Waters on October 3, 2011


BSIMM3 Continues To Add Real-World Data to Security Maturity Model

The intrepid trio of app security mavens who decided back in 2009 that it was about time the world had a set of best practices for developing and growing an enterprise-wide software security program based on actual data has unveiled the third version of their innovative Building Security In Maturity Model (BSIMM).

A "maturity model" describes the capability of an organization's processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known example from software engineering. The BSIMM (pronounced "bee-simm") is the first maturity model for security initiatives created entirely from real-world data.

BSIMM3, which is distributed free under a Creative Commons license, provides insight into 42 of the most successful software security initiatives in the world. The list of companies studied for BSIMM3 includes Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo and Zynga.

Dr. Gary McGraw, CTO of Cigital; Sammy Migues, director of knowledge management at Cigital; and Dr. Brian Chess, chief scientist at Fortify Software (acquired by HP last year), are the co-authors of this on-going, multi-year study. The purpose of the project, McGraw told me, is to build a "measuring stick," so that companies can compare themselves to companies in their industries who have managed successful software security initiatives. Using the BSIMM measuring stick, McGraw, Migues, and Chess conducted a series of in-person interviews with executives in charge of software security initiatives.

McGraw emphasized that the model is fact-based. "We wanted to turn from the early days of evangelism and advocacy in software security and science," he said. "And this is how to do it."

The project has grown considerably since BSIMM1, which looked at only nine companies. BSIMM3 describes the work of 786 software security professionals working with a satellite of 1,750 affiliated professionals to secure the software developed by 185,316 developers. The participating organizations represent eight overlapping industry verticals: financial services, independent software vendors, technology firms, telecommunications, insurance, energy, media, and healthcare. The current release includes 109 updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.

BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity. Eleven of the participating firms were measured twice, providing longitudinal study data; those data showed measurable improvement, McGraw said.

The BSIMM3 data set has 81 distinct measurements; some firms were measured twice, while some had multiple divisions measured separately. Among the revelations in this version of the study is the fact that the leading firms on average employ two full-time software security specialists for every 100 developers.

"It's exciting to see something that started out as kind of a backyard science experiment bust out of its test tube and take on a life of its own," McGraw said.

BSIMM3 results conclude that "mature" software security initiatives are "well rounded," with activities in all twelve practices, which include strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing and configuration management.

"One of the coolest side effects of the project is the community that's growing up around it," McGraw said. "We held a conference last year in Annapolis, and 22 of the 30 firms [attending] sent the executive in charge of software security. We all got together and talked hardcore software security. There's this feeling now of a community of professionals trying to solve the same problems in software security."

For more information and to access the BSIMM3 study, click here.


Posted by John K. Waters on September 30, 2011


Dart: Google Won't Comment, Analysts Weigh in on Possible JavaScript Replacement

Google is keeping mum on its plans to unveil another new programming language at its upcoming GoTo Conference in Denmark next month, but the buzz is already starting to hurt my ears. The language is called "Dart" (formerly "Dash"), and the conference Web site describes it as "a new programming language for structured web programming." Google's PR rep, Lily Lin, gave me a polite brush-off in an e-mail, referring me to the opening keynote presentation at GoTo, during which Google engineers Lars Bak and Gilad Bracha will host Dart's debut.

The closest I'll be getting to anything Danish in the near future is the very-bad-for-me pastries at Le Boulanger in downtown Mountain View. Meanwhile, others are weighing in on Big G's latest language.

Gartner's Ray Valdes told me in an e-mail interview that the internally spawned Dart appears to be intended as a replacement for JavaScript, and that it's likely to be implemented as a translation layer above JavaScript to support compatibility with older browsers. This translation-layer approach is a recent trend in programming language implementations, Valdes explained. He points to Scala, Clojure, JRuby and Jython, all of which compile to Java or to Java bytecode. Likewise, IronPython and IronRuby run on the .NET language platform (CLR). Another example is Google's GWT user interface library, in which developers write in Java that is then translated to JavaScript to be deployed to the browser.

The drive behind Dart's development appears to be mostly internal, Valdes suggested. "There are developers at Google that have built complex JavaScript applications and have decided that some of the challenges in these large projects were due to design flaws in JavaScript," he said. "Some of them built tools and frameworks to work with JavaScript (GWT, Closure) but apparently they feel the need to go further and replace JavaScript entirely."

Google was similarly motivated when it created the Go programming language in 2009 for its own internal use. The language was developed as an alternative to existing system implementation languages (C++, Java, Python), which Google found were either overly complex, slow to compile, or slow in production, Valdes said. Google hasn't evangelized Go, and Valdes doesn't believe the company will evangelize Dart.

It's clear that Google has "fix JavaScript" on its to-do list. A draft of an internal memo accidentally leaked last year expresses Google's position succinctly: "JavaScript has fundamental flaws that cannot be fixed merely by evolving the language." The memo goes on to mention Dart (then Dash) as part of a "strategy for the future of JavaScript." It would be "a new language that aims to maintain the dynamic nature of JavaScript, but have a better performance profile and be amenable to tooling for large projects."

However, there are others inside the Googleplex who are committed to JavaScript, even with its flaws, Valdes pointed out. "This has led to some internal tension, it seems," he said. "Every large company has people pulling in different directions. It reminds me of the Silverlight versus HTML5 tension at Microsoft."

Google software engineer Alex Russell, who serves as one of the company's representatives to TC39 (the JavaScript standards committee), expressed what you might call the pro-JavaScript position on his Infrequently Noted blog. "So what's the deal with Google and JavaScript? Simply stated, Google is absolutely committed to making JavaScript better, and we're pushing hard to make it happen."

"As committed and enthusiastic as I am about the prospects for JavaScript," he added, "others are just as enthused about Dart. Google is big, can do many things at once, and often isn't of one mind. What we do agree on is that we're trying to make things better the best we know how. Anyone who watches Google long enough should anticipate that we often have different ideas about what that means. For my part, then, consider me and my team to be committed JS partisans for as long as we think we can make a difference."

And by some measures, the JavaScript community is actually on the rise, said IDC analyst Al Hilwa in an e-mail he sent from the Build conference, underway this week in Anaheim, Calif.

"The most important attribute of a programming language is the size of the programmer population that uses it," he said, "and here JavaScript is well represented, and has, in fact, seen a resurgence as the companion technology to HTML5's canvas tag. JavaScript is also beginning to be used on the server as powerful frameworks such as Node.js have emerged. JavaScript has just become a first-class language inside of the Windows 8 operating system, as we learned today at the BUILD conference. It will be a big challenge to topple JavaScript, but if Google is keen on that, it should start by supporting it in its Chrome browser along with JavaScript and let it duke it out for developer mindshare."

Redmonk's James Governor wasn't especially worried about the advent of Dart. "I'd be worried about Google if it wasn't driving core language innovation," he said in an e-mail. "Question though: Did JavaScript succeed because, or in spite of, its initial sloppiness and not being 'fit for purpose' as a general purpose dev environment? More central planning doesn't always mean better innovation."

Governor's colleague at Redmonk, Stephen O'Grady, was equally sanguine. "[T]he worrisome thing isn't Dart itself; companies try to improve and/or reinvent runtimes fairly regularly. A few months back, for example, Red Hat irritated the Scala community with Ceylon. It is entirely plausible that Google is both committed to improving JavaScript and simultaneously replacing it."

"The larger concern for many," O'Grady added, "is the language in the leaked e-mail that talks about 'sweet talking' browser manufacturers and encouraging developers to target Chrome first. This is indicative of the kind of company-first-Web-second mandate that used to characterize Microsoft's efforts around [Internet Explorer]. That's what's got people genuinely worried."

Posted by John K. Waters on September 15, 2011