Security

Vol. 5 No. 1 – February 2007

Articles

Open vs. Closed: Which Source is More Secure?

There is no better way to start an argument among a group of developers than proclaiming Operating System A to be "more secure" than Operating System B. I know this from first-hand experience, as previous papers I have published on this topic have led to reams of heated e-mails directed at me, including some that were, quite literally, physically threatening. Despite the heat (not light!) generated from attempting to investigate the relative security of different software projects, investigate we must.

Open vs. Closed

Which source is more secure?

Richard Ford, Florida Institute Of Technology

Understanding why products are (and are not) secure is a critical stepping stone toward building better software.

by Richard Ford

Kode Vicious

A License to Kode

Dear KV, I'm in the QA group for a medium-size startup in Silicon Valley, and one of our VPs sits on the board of a company that makes code-scanning software--you know, the stuff that spits out warnings about all the bad things you can do in C and C++. We've definitely found our share of buffer overflows and other problems in our code, but this stuff is expensive, more than $5,000 a seat, and I'm just not sure it's worth it. What do you think of these tools?

A koder with attitude, KV answers your questions. Miss Manners he ain’t.

While it’s sometimes tempting to blame the coders, the seeds of many problems are sown well before any lines of code (dodgy as they may be) have been written. Everything from the choice of tools to the choice of a software license can affect the quality, usability, and commercial potential of a product. This month Kode Vicious takes a step away from coding technique and addresses some of these tough decisions with which developers must grapple. Have something you’d like to ask KV? Please send your missives to kv@acmqueue.com.

by George Neville-Neil

Interviews

Custom Processing

Today general-purpose processors from Intel and AMD dominate the landscape, but advances in processor design, such as the Cell processor architecture overseen by IBM chief scientist Peter Hofstee, promise to bring the costs of specialized system-on-a-chip platforms in line with the costs associated with general-purpose computing platforms, and that just may change the art of system design forever.

Custom Processing - Transcript

Transcript of interview with IBM chief scientist Peter Hofstee

MICHAEL VIZARD: Hello, and welcome to this edition of the ACM Queuecast with your host, Mike Vizard. That's me. Today we're going to talk about system on a chip and some of the design issues that go with that, and more importantly, some of the newer trends, such as the work that IBM is doing around the cell processor to advance the whole system on a chip processor. To that end, we've invited Peter Hofstee, Chief Scientist for the cell processor project that is being funded by IBM, Toshiba, and Sony, to talk to us today about how the whole system on a chip marketplace might change in the advent of the invention of the cell processor, and what technology is driving that. Welcome, Peter.

PETER HOFSTEE: Hi, Mike. Good talking to you.

Curmudgeon

DOA with SOA

Adopting this architectural style is no cure-all.

Alex Bell, The Boeing Company

It looks like today is finally the day that we all knew was coming—it was only a matter of time. An ambulance has just pulled up to haul away Marty the Software Manager after his boss pummeled him for failing to deliver on promises of money savings, improved software reuse, and reduced time to market that had been virtually guaranteed merely by adopting SOA (service-oriented architecture). Everything could have been so different for Marty. If only there had been a red-hot market for a software application that fetched the price of London gold, converted the price from pounds to dollars, calculated the shipping costs for the desired quantity, and then returned a random verse from the King James Bible. As opposed to the currently unfolding scenario involving an ambulance, Marty’s mental vision was one of a Brinks truck speeding to the scene to empty coffers buckling under the strain of overflowing cash.

Should anyone really be surprised? After all, Marty is probably still sporting a hook in his mouth from having been reeled in by Victor the Vendor’s SOA fishing pole. The hype and propaganda sprinkled onto the bait that Marty swallowed must have caused a mind-numbing sense of euphoria that resulted in business and technical justification for his decisions being sloughed off as mere annoyances. Despite his headlong charge into the SOA arena, Marty would have had a difficult time describing SOA the same way to three different people.

by Alex Bell

Interviews

Five Steps to a Better Vista Installation - Transcript

Unravel the mysteries and learn the best practices associated with mastering the new application installation routines for Vista applications. In this Premium Queuecast hosted by Michael Vizard, Bob Corrigan, senior manager for global product marketing at Macrovision, and Robert Dickau, principal trainer, reveal the five most crucial things you need to know about Vista application installations.

Transcript of interview with Bob Corrigan, senior manager for global product marketing at Macrovision, and Robert Dickau, principal trainer

MIKE VIZARD: Hello, and welcome to the premium edition of the ACM Queuecast, sponsored by Macrovision, the leading provider of content protection, software licensing and installation, and digital rights management technologies. I'm your host, Mike Vizard, and joining me today is Bob Corrigan, Senior Manager for Global Product Marketing at Macrovision; and Robert Dickau, Principal Trainer for Macrovision. Today's topic is Vista, and the installation routines around Vista and the opportunities that bring developers.

Guys, welcome to the show. It's great to have you here.

Articles

Intellectual Property and Software Piracy: The Power of IP Protection and Software Licensing, an interview with Aladdin vice president Gregg Gronowski

Intellectual Property (IP) - which ranges from ideas, inventions, technologies, and patented, trademarked or copyrighted work and products - can account for as much as 80% of a software company's total market value. Since IP is considered a financial asset in today's business climate, the threats to IP create a real concern. In an interview with ACM Queuecast host Michael Vizard, Aladdin vice president Gregg Gronowski explains how Software Digital Rights Management solutions are the de-facto standard today for protecting software IP, preventing software piracy, and enabling software licensing and compliance.

Intellectual Property and Software Piracy

The Power of IP Protection and Software Licensing, an interview with Aladdin vice president Gregg Gronowski

Queue: Hello, and welcome to another premium edition of the ACM QUEUECAST, with your host, Mike Vizard. This edition is sponsored by Aladdin. We're here today to talk about intellectual property and the whole issue of software piracy and our friends at Aladdin are considered one of the de facto standards today for protecting software IP, preventing software piracy, and enabling software licensing and compliance. So joining us today to discuss that topic is Aladdin Vice President, Greg Gronowski. Greg, welcome to the show.

Gronowski: Thank you. I'm welcomed.

One Step Ahead

Every day IT departments are involved in an ongoing struggle against hackers trying to break into corporate networks. A break-in can carry a hefty price: loss of valuable information, tarnishing of the corporate image and brand, service interruption, and hundreds of resource hours of recovery time. Unlike other aspects of information technology, security is adversarial; it pits IT departments against hackers.

Security vulnerabilities abound, but a few simple steps can minimize your risk.

VLAD GORELIK, SANA SECURITY

To explain why one wins in an adversarial situation, the military has a tool called the OODA loop, created by Col. John Boyd, USAF (Ret). As shown in figure 1, OODA is a circular sequence of steps—observe, orient, decide, and act—that describes the decision-action process of each adversary. The idea is that if you can get inside the decision loop of your opponent, you will win the battle. Speed is a key criterion for victory, but other underlying factors also contribute to winning. These factors include quality and completeness of the information gathered during the observe and orient phases, as well as how well the decisions can be carried out. The same concept applies to cybersecurity—those who can make the right decisions faster based on the best information available, and act on them, will win.

by Vlad Gorelik

Realtime Garbage Collection

Traditional computer science deals with the computation of correct results. Realtime systems interact with the physical world, so they have a second correctness criterion: they have to compute the correct result within a bounded amount of time. Simply building functionally correct software is hard enough. When timing is added to the requirements, the cost and complexity of building the software increase enormously.

It’s now possible to develop realtime systems using Java.

DAVID F. BACON, IBM RESEARCH

In the past, realtime systems have made up a relatively small portion of the total amount of software being produced, so these problems were largely ignored by the mainstream computer science community. The trend in computer technology, however, is toward an ever-increasing fraction of software having some kind of timing requirement.

by David F. Bacon

Interviews

Reporting for Duty

All too often the reporting tools that developers select for their applications are little more than an afterthought. In this Premium ACM Queuecast, Paul Clenahan, Vice President of Product Management for Actuate, explains why it is in the interest of developers to select richer sets of reporting tools, and how these tools are made more readily accessible through the Eclipse Foundation's BIRT project, spearheaded by Actuate.

Reporting for Duty - Transcript

Transcript of interview with the VP of Product Management at Actuate, Paul Clenahan

MIKE VIZARD: Hello, and welcome to a premium edition of ACM Queuecast, sponsored by Actuate, a leader in business intelligence and enterprise reporting solutions that has made a significant contribution to the Eclipse community in the form of a Business Intelligence and Reporting Tools project, otherwise known as BIRT. I'm your host, Mike Vizard, and joining me today is Paul Clenahan, Vice President of Product Management at Actuate, and a member of the BIRT Project Management Committee, who's here to discuss future trends in reporting tools. Welcome to the show. How are you?

PAUL CLENAHAN: Good, thank you, very good.

Software Operations' Profit Potential

Today's software producer faces many challenges in building and keeping a satisfied customer base. In this ACM Premium Queuecast, Macrovision FLEXnet Publisher Product Manager Mitesh Pancholy discusses how companies can solve their license management challenges and turn their software operations into a profit center.

Software Operations' Profit Potential - Transcript

Transcript of interview with Macrovision FLEXnet Publisher Product Manager Mitesh Pancholy and Abby Domini

MIKE VIZARD: Hello, and welcome to another edition of the Premium Queuecast. This is your host, Mike Vizard, and this edition is sponsored by Macrovision, the global leader in software license management. Joining me today is Mitesh Pancholy, Product Manager for Macrovision, and Abby Domini, also with Macrovision. We're going to talk about license management today. Welcome to the show, folks.

MITESH PANCHOLY: Hey, Mike.

A Conversation with Jamie Butler

Rootkitting out all evil

Rootkit technology hit center stage in 2005 when analysts discovered that Sony BMG surreptitiously installed a rootkit as part of its DRM (digital rights management) solution. Although that debacle increased general awareness of rootkits, the technology remains the scourge of the software industry through its ability to hide processes and files from detection by system analysis and anti-malware tools.

The Silent Security Epidemic

Although the industry is generally getting better at dealing with routine types of security attacks, developers are today being challenged by more complex attacks that not only fly below the radar but also specifically target certain types of applications. In this Queuecast edition, Ryan Sherstobitoff, CTO of Panda Software, describes what new types of sophisticated attacks are being created and what proactive steps developers need to take to protect their applications.

A Behavioral Approach to Security

The CTO of Finjan, Yuval Ben-Itzhak, makes a strong case for a new approach to security that relies more on analyzing the behavior of suspicious code than on signatures that have to be developed after the attacks have already started.
