    Jazoon ‘09: Addressing security in the agile process

    June 25th, 2009


    Session title: Agile and Secure; Can we do Both?
    Speakers: Jason Li & Jerry Hoff, Aspect Security

    Jerry Hoff and Jason Li of Aspect Security

    Goal: To try to get developers to think about security early on in the development process.

    Jason begins with a brief description of a common security flaw (in AJAX apps at least), XSS, which typically involves replacing regular text with a malicious piece of JavaScript. Example attack: the JS steals the end-user’s cookie by querying the DOM. A cross-site request forgery might subsequently be mounted by using the stolen cookie from within a new application context, such as mail, in order to delete all the user’s mail.

    Another example – SQL injection – is when part of a SQL statement is replaced with a semi-colon followed by another statement, e.g. DROP TABLE…, which is obviously bad news.

    With that whirlwind tour of web security… how to fix the process which results in such errors?

    The speakers refer to the waterfall model and explain how each of its chunky phases includes (or should include) security activities: security requirements, security design, etc.

    Speakers then argue that embellishing the highly iterative agile process in the same way as was done for waterfall is not practical. Blogger agrees… the granularity of the activities is too fine to permit the kinds of security analyses which are required. So what’s the solution?

    They recommend…

    Leveraging user stories

    Prerequisite step: Ensure that all developers have received adequate security training

    Another prerequisite step: Get management to fund this (gets a laugh!)
    Alternatively: OWASP (the Open Web Application Security Project) is an organization providing resources with heaps of information on attack points and solutions for them.

    Leverage unit testing… and include security tests in the unit tests. This is obviously particularly effective in a continuous integration environment.

    To speed up this process, use common security components such as those at Open Enterprise Security. Organizationally, this needs to be communicated across the development team(s).

    Leverage and consolidate sprints… and ensure that all security stories are included in each sprint. For dealing with security stories which don’t fit into any particular sprint, run sprints that are focussed solely on security.

    Great line (paraphrased): Web apps are a kind of “perfect storm” comprising a complex mixture of technologies, which results both in a large attack surface area as well as numerous subtle edge cases which make us more vulnerable.

    Couldn’t agree more!!!

    I found this talk excellent both stylistically and, more importantly, in terms of content. There are still voices out there which claim that agile is in some way incompatible with quality. Talks like this should go some way to quell those remaining voices. Although the pair used AJAX’s inherent security vulnerabilities to highlight the necessity for a systematic approach to security in agile environments, much of what they recommend applies to any agile environment, whether it is creating AJAX applications or not.


    Jazoon ‘09: Securing AJAX Applications

    June 24th, 2009

    Session title: Securing AJAX Applications
    Speakers: Moritz Kuhn, Philipp Färber – AdNovum Informatik AG

    The subtitle of this talk is: “New threats and defenses?” Does the question mark imply that they will question the existence of new threats?

    Speaker Moritz begins by citing some interesting attacks which took place recently, one of which took down MySpace for a period of time – apparently using a simple JavaScript payload.

    Proceeds to explain the “Same Origin” policy, which is designed to prevent a JS script in one frame from accessing the DOM in another frame. Note that this is enforced at the window’s border. However, the rules are very complex and apply to cookies, XHR… and several other areas.

    XMLHttpRequest has a stricter security model, which is often a pain for developers because it is inflexible, yet it is too loose for engineers because it is ambiguous.

    Cross-Site Scripting (XSS) is an attack which exploits ambiguity in Same Origin rules.

    Cross-Site Request Forgery (CSRF) occurs when the victim is logged into an authenticated web application and his browser stores a session cookie for the app. The attacker’s web page makes the victim’s browser send a request to the vulnerable web app, and the victim’s browser appends the cookie to that request.

    Speaker demos these attacks by showing how an attacking app can insert JavaScript code into a calendar; points out that the code could contain anything… reading email for example. Scary stuff!

    How to combat these threats? Philipp takes to the stage…

    Begins by contrasting classic and AJAX architectures, which increases awareness of the technical interactions involved between the parties.

    Looking from the server side, one needs to consider that the attack surface is increased in an AJAX architecture, e.g. via exposed services, protocols, sessions and domains. Also: the client code contains call parameters and service URLs. Finally, there are concurrency issues.

    From the client side, new attacks are around, like JSON hijacking and DOM-based XSS via URL fragments.

    A final observation from the speaker is that one of the consequences of all this is that testing is getting harder. Exhaustive testing is obviously out of the question.

    Counter-measures:

    Input validation, output encoding, service hardening. Retain awareness of the technologies you are using. Defensive design involves avoiding mashup-like services, KISS and using separate domains for public and private data. Points out the fact that the Google domain strategy is open to XSS attacks.

    Some AJAX-specific counter-measures: Know the output’s insertion context (don’t allow angled brackets in the output, for example!); Ensure no sensitive data is sent to the client (be aware what your frameworks are sending!); Prefix all JSON replies, e.g. while(1); {"x":"y"}; Add a random number to a response and match it up when the next request comes in. This can’t be predicted in advance by an attacker (I like this!); Validate service responses – also in the client; Understand and use a secure framework, e.g. GWT, Prototype, jQuery…
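    As an added example (not code from the talk or from AdNovum), here is a small client-side module implementing three of the counter-measures just listed: the while(1); prefix check on JSON replies, output encoding for the HTML text insertion context, and the per-response random token that the client echoes on its next request. The function and class names, the X-Request-Token header and the sample calendar reply are assumptions constructed for the example.

```javascript
// Added example, not code from the talk or from AdNovum. Assumed protocol:
// every JSON reply starts with "while(1);" and carries a "token" field that
// the client must echo in the X-Request-Token header of its next request.

const JSON_PREFIX = 'while(1);';

// Counter-measure 1: prefixed JSON. A cross-site <script src="..."> include
// that pulls the reply in as JavaScript hangs in the loop instead of handing
// the array/object literal to foreign code; the legitimate client strips the
// prefix before parsing and refuses any reply that lacks it.
function parseGuardedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(JSON_PREFIX)) {
    throw new Error('reply lacks the anti-hijacking prefix; not parsing it');
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Counter-measure 2: encoding for the HTML text insertion context, so that
// angle brackets, quotes and ampersands in data never become markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Counter-measure 3: the server puts a fresh random token into each reply and
// the client sends it back with its next request. A forged cross-site request
// cannot know the value, so the server can reject it.
class TokenClient {
  constructor(initialToken) {
    this.token = initialToken; // token issued with the page or the last reply
  }
  // Accept a reply: verify the prefix, parse, and rotate to the new token.
  accept(rawBody) {
    const data = parseGuardedJson(rawBody);
    if (typeof data.token !== 'string' || data.token.length === 0) {
      throw new Error('reply carries no token; refusing to continue');
    }
    this.token = data.token;
    return data;
  }
  // Build the next request; the token travels in a custom header, which a
  // plain form or image request made from another origin cannot set.
  nextRequest(path, payload) {
    return { path, headers: { 'X-Request-Token': this.token }, body: payload };
  }
}

// The matching server-side check (in-memory stand-in, constructed for the
// example): only the token issued with the previous reply is accepted.
function serverAccepts(expectedToken, request) {
  const sent = request.headers && request.headers['X-Request-Token'];
  return typeof sent === 'string' && sent === expectedToken;
}

// Constructed exchange: a calendar reply whose entry text contains markup.
function demo() {
  const client = new TokenClient('initial');
  const reply = 'while(1); {"token":"a1b2","entries":["Lunch <script>x()</script>"]}';
  const data = client.accept(reply);
  const safeEntries = data.entries.map(encodeForHtml); // safe as HTML text content
  const request = client.nextRequest('/calendar/add', { title: 'Lunch' });
  return {
    token: client.token,
    safeEntries,
    genuineAccepted: serverAccepts('a1b2', request),
    forgedRejected: !serverAccepts('a1b2', { path: '/calendar/add', headers: {} }),
  };
}
```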

    Rigorous testing is obviously a must; Designing for security/testing upfront is a must; Test individual AJAX features individually; Simulate malicious requests…

    Conclusion: AJAX means: Old threats + new threats + higher complexity = bad news.

    Summary: I never cease to be shocked by the degree of detail and complexity which the developer has to be acquainted with in order to make an AJAX-based app secure. The reality of AJAX development is that in most projects the developer will be focussed on delivering the core business requirements and getting the look and feel right. With this focus, security holes are virtually inevitable.

    A very worthwhile presentation!


    Jazoon ’09: Wednesday Keynote from Danny Coward, Sun

    June 24th, 2009

    Title: Java SE and JavaFX RoadMap
    Speaker: Danny Coward, Chief Architect, Client Software

    Danny begins by showing the JavaFX roadmap…

    Towards the end of the timeline: “JavaFX.next”
    What on Earth could that mean?
    In any case: JDK 7 release due early 2010.

    Top 5 JDK SE 7 features

    1: Modularity
    Long overdue, the current JRE is around 14MB and contains a wide range of APIs. The average app only requires a small proportion of these. It also increases startup time.
    Danny points out a number of weaknesses in the CLASSPATH concept. This will apparently be addressed by a low-level modularity system entitled Jigsaw.
    http://openjdk.java.net/projects/jigsaw/
    http://jcp.org/en/jsr/detail?id=294
    The concept externalizes the package dependencies to a module file… which reminds me of Eiffel’s solution to this issue, which is donkey’s years old.

    2: Broadening the JVM to accelerate runtimes
    DaVinci Project should result in a new bytecode model, which enables dynamic invocation, lightweight method handles and a variety of other optimizations.
    http://openjdk.java.net/projects/mlvm

    3: Java Language Additions
    Project Coin will result in a few small language enhancements:
    http://openjdk.java.net/projects/coin
    The switch statement will work with Strings.
    Multiple exception handling (multi-catch):
    catch (final IOException | ServletException e)

    Improved type inference will remove the need to double-declare generics (the type arguments below were lost in the original post; String is used as an illustrative type), so:
    List<String> l = new ArrayList<String>();
    Becomes:
    List<String> l = new ArrayList<>();

    Elvis operator eliminates a significant cause of Java’s verbosity:
    String s = mayBeNull?.toString() ?: "nothing";

    Integer ival = …
    int i = ival ?: -1; // will be set if currently null

    Must confess, this is not what I understand by the Elvis operator, but it looks useful nevertheless.

    4: Four new I/O APIs
    These include: New filesystem API, File notifications, Directory operations, Asynchronous I/O. The latter permits an IO task to be defined using a Future, the Future delivering the result at a later point in time.

    5: New GC
    New garbage collector “Garbage First” should result in predictably low pauses, few full GCs and good throughput. Can be accessed in Java SE 6 update 14 using:
    -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC

    This will be switched on by default in JDK 7.

    Danny notes at this point that numerous other (small) features are also part of JDK 7.

    JavaFX 1.2 Top 5
    Danny begins by stating that Sun is trying to make up for lost time with JavaFX (as I have blogged in the past).

    More platforms
    JavaFX 1.2 runs on more platforms, i.e. Linux and Solaris in addition to Windows and Mac. The LG TV (purchasable in South Korea) incorporates JavaFX 1.2. Finally, the HTC developer phone is also mentioned. Danny states that he hopes that phones will be available to consumers in the coming months. Don’t we all!?

    New features
    New widgets, charts, plus a new look and feel. L&F is possible via CSS, which is obviously a whole load easier than creating an L&F for Swing.
    Improved layout management
    Layout management: There are three new layout managers, but I know from experience these don’t yet cut it for non-trivial B2B apps.
    There follow a series of nice looking demos, which highlight that JavaFX is scenegraph based.

    Improved performance
    Performance up: Realtime streaming for media is now supported, which improves media startup significantly. Various optimizations in generated code and scenegraph. Bytecode footprint is down 30%.

    Improved data handling
    More and better ways to use data. RSS and Atom feed support. A simple asynchronous framework is also included, plus a simple data storage API.

    One final demo is really impressive: Using the bubblemark demo, Danny demos that JavaFX 1.2 performance is significantly better than Silverlight. Now that I would not have expected!


    Jazoon ‘09: Java Server Faces at Credit Suisse

    June 23rd, 2009

    Session: Jsf and Ajax in the Credit Suisse
    From: Benjamin Bratkus, Credit Suisse; Micha Kiener, Mimacom AG

    It will be interesting to see what CS has been up to with JSF. My last JSF project finished early in 2008. I look back to it with pleasure not primarily because we used JSF but because we really got to use all of the key JEE features under Glassfish – which worked sweetly. JSF (which included facelets), on the other hand…

    CS began with JSF in 2004. Corporations being what they are, this resulted in a pilot (2005). Release 1 of their app took place in 2007. Since then CS claims to have one of the biggest JSF-based component libraries around.

    Framework must support:

    • Realtime data
    • Handle huge data sets
    • AJAX and JavaScript due to security aspects

    …and must achieve acceptance by various architects.

    The speakers also used ICEFaces to achieve the required level of interactivity and security. Specifically: Direct-to-DOM rendering (D2D), page level AJAX on existing components, AJAX Push capabilities.

    Key to achieving efficient push: Asynchronous server push, which will apparently become standardised in the next version of ICEFaces. This approach frees up threads on the server-side, which is obviously essential for scalability.

    Summary: Good talk, competent speakers. I still feel sorry for the average AJAX developer, who despite frameworks like ICEFaces is confronted with myriad non-trivial technical details. Plus, I imagine CS is not confronted with the other big pain for browser-based RIA: Multiple browsers.


    Jazoon ‘09: Experience with Rules Engines

    June 23rd, 2009

    Session title: Java Rule Engines (JBoss’ Drools, IBM’s iLog)
    From: Raed Haltam, WEGA Informatik

    Claim: Rules engines can reduce development time.

    Raed makes the valuable clarification that a usable Rules Engine needs to address storage, versions, security etc. and is therefore best described as a Business Rules Management System (BRMS). He also takes care to distinguish the Business Object Model (BOM) from the Execution Object model (XOM).

    Both iLog and Drools use the Rete algorithm. All rules follow the format:
    when X then Y

    Rules can be grouped into packages.

    Both iLog and Drools allow higher level business language descriptions of rules.

    Business rules can be made secure on various levels, down to the statement level. In other words, different editing privileges can be assigned to different roles, which control the parts of a rule which can be edited under a given role.

    Both tools support Complex Event Processing, which amounts to responding to patterns of conditions in a predefined way.

    Raed presents a convincing-sounding car financing case study from JPMorgan Chase. Rules are deployed at 8pm and executed from 8am the following day.

    Conclusion: Quite a nice, objective short summary (it was a short talk after all) on business rules for those unfamiliar with the technology.


    Jazoon ‘09: iPhone development and Java

    June 23rd, 2009

    Title of this session: Development for the iPhone from a Java Perspective
    From: Software Architect Ognen Ivanski, Netcetera

    Note: Netcetera developed the wemlin app for the iPhone – a useful tool for navigating public transport in the Zürich area.

    Ah… it’s become apparent to me that Ognen will tell us about his personal experience with becoming an iPhone developer, having previously been a Java developer. I have gone through this process myself and so it will be interesting to compare notes…

    Ognen states that the first realisation was that performance, startup-time and UI were kind of new priorities for him. Not really the case for me, I must say. Canoo is known for its RIA experience and therefore these are issues we’ve been dealing with for some time. For the record: The issues which I found most difficult when switching to the iPhone SDK and XCode were:

    - No garbage collection: Clearly I’ve been spoiled by Java
    - XCode: Powerful but nowhere near as comfortable as a typical Java IDE
    - SCM support: We managed to get Subversion working, but kept running into trouble with things getting out of sync anyway. Best to use the command line

    I certainly agree with Ognen’s observations on XCode: Like me, he missed features such as refactoring and the countless options for viewing, navigating and outlining code.

    Ognen notes that XCode’s visual builder is difficult to get used to but delivers in the end. Possibly like many Java/would-be iPhone developers, I shied away from the visual designer, opting to code from hand instead. Perhaps for my next iPhone app I’ll take a look at it again.

    I agree with Ognen’s observations on Objective C syntax. It’s got a “familiar and yet somewhat strange” feel to it. The behaviour around “nil” seems odd at first, but one quickly learns to appreciate that it pays not to have to check for null values all the time, as in Java code.

    There follows a lot of examples of Objective C Syntax.

    Patterns of note in the iPhone world: Delegate pattern, Target/Action pattern, MVC – which is perhaps truer to the original Smalltalk concept than what we typically see in Java Swing, say.

    In summary: A good presentation, but no new insights for someone who’s gone through the process of switching from Java to iPhone development already.


    Jazoon ‘09 gets underway with James Gosling

    June 23rd, 2009

    Hi everyone and welcome to Jazoon ’09!

    At Sihlcity just a few tram-minutes away from Zurich’s city center, Jazoon ‘09 begins in the biggest auditorium (now full) with some very loud video sequences. Chris – from I don’t know where – tries his best to wake up a clearly very sleepy audience. He fails. More coffee for the audience please!

    Next up a rerun of the Monty Python-esque “Brief History of Java” featuring JG… who now takes to the stage!

    We’ve already seen James “the man thanks to whom I could purchase my first house” Gosling hanging around the exhibition center this morning. Title of his keynote: “Where we’re heading”.

    JG puts the network at the center of things; emphasises the ubiquity of Java (nice observation: more Java devices than humans on the planet!) Other rough estimates: 6M Java developers (most of them rubbish, I should note – OK I suppose that was a bit harsh) and 15M JRE downloads per week on average – not including the PCs that are rolled out with a JRE!

    Some impressive examples of major Java apps: Brazilian healthcare, Large Hadron Collider (at the physics research institute CERN near Geneva) etc. etc. This is indeed true: Java is everywhere. I don’t know how many JavaCards I have in my wallet.

    JG now emphasises the VM, giving it more importance than the Java language. I naturally think of Google’s Android and the completely re-architected VM called Dalvik.

    Next up: JG demos Glassfish V3 and in particular talks about the simplifications that have taken place since V2. Annotations and injections are basically the key to this. I’m reminded of a project I did on V2 a little while back. Other than the integration with MQ Series (which proved a little tricky) Glassfish turned out to be one of the most satisfying App Server experiences I’d ever had. Glassfish succeeds in combining the characteristics of being super-easy to install and configure, and yet it is clearly highly scalable; IBM please take note. I’m not on Sun’s payroll, I promise!

    JG now demos the Hudson integration server as well as Kenai, which he describes as a cloud service for development. Amongst other things, this allows development for hardware which one may not actually own or have access to.

    Next up: Java Real Time. The challenge: How to garbage collect (GC) deterministically. JG talks about the balance GC designers need to find between performance and determinism. Rightly notes that there are even stock exchange apps which require this level of control.

    Talking of “control”, JG describes Neil Young’s LincVolt car and the degree of control that Real Time Java has and how this leads to superior efficiency.
    And on the subject of efficiency, JG compares Java performance with C++ and is happy to note that in most everyday situations Java is way ahead.

    A subject close to my heart: JSR 248, the Mobile Services Architecture, which is designed to unify a bunch of individual JSRs. The motivation for this is that to date mobile hardware vendors have consistently delivered different combinations of JSRs, which basically makes a joke of write-once-run-everywhere. The bad news from JG: MSA still has a way to go. Good news for Android?

    Changing direction, JG notes that the Web is now the face of the organisation. JavaFX will (apparently) deliver a Flash-like (to use JG’s expression) experience to address the expectations of the next generation of end-users.

    JG describes some of the basic JavaFX features and talks about the graphical design tool that was demo’d at JavaOne – but stresses that it’s a long way from GA. Back to what can be done today: Using Photoshop and Illustrator to create a static UI design, which can be subsequently programmed out by the JavaFX developer. This is precisely what I talked about at J1 a few weeks ago.

    Exit JG stage left to applause.

    Well, it’s now off to the sessions. Tune in later for some more live session blogging!!!


    Jazoon 2009

    June 12th, 2009

    At Jazoon, the international conference on Java technology (Zurich, June 23-25), James Gosling, the father of the Java programming language, will deliver the opening Keynote. So if you missed JavaOne this year, just attend Jazoon’09 and benefit from inside information and updates, but also get the latest news about the future of Java.

    Besides James Gosling, Jazoon’09 features many other interesting speakers from the Java world including Neal Ford, Ivar Jacobson, Adrian Colyer and Danny Coward. As a special guest we are pleased to announce Linda Cureton, CIO of the National Aeronautics and Space Administration (NASA) Goddard Space Flight Center in the USA. She will deliver the Jazoon’09 closing Keynote.

    Moreover, as the first developer conference in Europe, Jazoon’09 launched a competition for young speakers aged 26 and under. Out of the several dozen submissions, an expert jury has selected the three most promising. The finalists of the Canoo-sponsored “Jazoon Rookie 2009” are:

    João Arthur Brunet Monteiro - Brazil
    Bettina Polasek - Hungary
    Deni Lukmanul Hakim - Indonesia

    On 24 June 2009, the conference audience and the jury will vote on the winner. Canoo is very excited to be involved in such an event, as the contest is an opportunity for creative minds under the age of 26 to present their ideas to a broad public of experts. Facing the present shortage of skilled IT specialists, it was an obvious decision for Canoo to actively support the advancement of young professionals and new ideas.



    Canoo @ Jazoon

    June 13th, 2008

    Here’s an overview of the technical sessions that Canoo will be presenting at this year’s Jazoon from 23rd to 26th June, 2008 in Zürich.

    Sibylle Peter and Dieter Holz are presenting “Why RIA is not only about technology”. See also my recent write-up.

    Canoo CTO Bruno Schaeffer is presenting “Against all odds – efficient Rich GUI development in Java” together with Christoph Henrici and Daniel Buffet.

    Dierk Koenig is presenting two talks:
    “Grails: all you need for Java Enterprise webapps”
    and “Automated functional testing of web applications”.

    Andreas Hoelzl and Christian Stettler are presenting a talk on RIA for mobile devices, “Google Android and developer expectations: a ‘real world’ report”.