February 05, 2014

Software [in]security and scaling automated code review
As the tools have matured to cover a broad range of vulnerabilities, they have in general evolved for integration into a build process on a big build server. That means in some cases they may not be feasible for use at the developer desktop. Simply put, the industrial-strength tech eats a workstation alive. ...  If a developer has to tie up her development workstation for two to three hours to run a scan on a single build component, the result is that her productivity diminishes as she waits around for results.

Interview: The Need for Big Data Governance
There are three main ways bad data gets into systems, and they’re all essentially technology-agnostic. The first is during data migration. Before you go live on a new system, you will normally bulk load some information. If your initial data load contains poor quality data, it can be really expensive to fix. If you’re talking about an ERP system, it can break essential business processes like being able to bill customers. A big data project could lose credibility with the users if they see a lot of data issues. It’s simpler and cheaper to prevent bad data getting in in the first place.

British intelligence used DDoS tactics against Anonymous, Snowden documents show
The British spy agency GCHQ secretly waged war against the hacker collective Anonymous a few years ago, according to documents taken from the NSA by Edward Snowden and revealed late Tuesday by NBC. At the time, certain members of Anonymous were themselves waging war against British government institutions and various companies.

Audit committees increasingly uncomfortable about cyber threats
“Given the rapidly growing public, political and media profile of the cyber threat, it is very worrying that audit committee members feel more concerned now about the issue than they did a year ago,” said Stephen Bonner, partner at KPMG. “It shows that either companies are losing the battle against cyber criminals, or they are still not yet fully engaging with the threat. It is a difficult issue that takes many executives and non-executives out of their comfort zone. However, it is simply too big and fast-growing a risk for companies to tackle half-heartedly.”

Those many faces of fraud
The past few years have seen several headline-grabbing incidents of corporate fraud in India. These have not just tested the Indian ‘trust-based’ business framework, but also sent ripples across the business community and stock markets. In many ways, India woke up to the reality of fraud in the past few years. It realised that it was not a Western phenomenon, but a universal one. Greed is, after all, a human failing. Predicting a fraud before it occurs is, at least for now, the subject of science fiction.

Strategies and Code for Creating Fluent APIs
There are numerous ways to implement a fluent API, depending on the degree of control you want to maintain over the API, how many classes you want to be able to use it with, and how you want to extend your API. Here are your options. In an earlier column, "Implementing a Fluent Interface," I showed how to create a fluent API for a single class. However, there are other strategies that offer more flexible solutions.

When No One Is Just a Face in the Crowd
“Just load existing photos of your known shoplifters, members of organized retail crime syndicates, persons of interest and your best customers into FaceFirst,” a marketing pitch on the company’s site explains. “Instantly, when a person in your FaceFirst database steps into one of your stores, you are sent an email, text or SMS alert that includes their picture and all biographical information of the known individual so you can take immediate and appropriate action.”

Senate cybersecurity report finds agencies often fail to take basic preventive measures
“Almost every agency faces a cybersecurity challenge,” said Michael Daniel, special assistant to the president on cybersecurity policy. “Some are farther along than others in driving awareness of it. It often depends on whether they’ve been in the crosshairs of a major cyber incident.” ... The report concluded that the department had failed even to update essential software — “the basic security measure just about any American with a computer has performed.”

SHA-1 to SHA-2: The future of SSL and enterprise application security
Organizations should push ahead with the upgrade to SHA-2 now and not hope for a last-minute reprieve despite the fact that no SHA-1 collisions have yet been found. The areas that will require the most work are legacy systems that make SSL connections, and software and hardware such as game consoles, phones and embedded devices that rely on hard-coded certificates. These certificates will all need to be replaced and have the software updated if they are unable to currently support SHA-2 encryption.

12 predictions for the future of programming
To help you prepare for -- or at least start contemplating -- a future that's screaming across the sky faster than we can see, we've compiled a dozen predictions about how the next five years of programming will shake out. Our crystal ball is very subjective, and some of the following conjectures might not prove universal. Some won't be fully realized in five years. Others are already true, but the extent of their truth is not as well-established or widely known as it will be fairly soon.

Quote for the day:

"Concentration comes out of a combination of confidence and hunger."-- Arnold Palmer