Daily Tech Digest by Kannan Subbiah

February 05, 2014

Software [in]security and scaling automated code review
As the tools have matured to cover a broad range of vulnerabilities, they have in general evolved for integration into a build process on a big build server. That means in some cases they may not be feasible for use at the developer desktop. Simply put, the industrial-strength tech eats a workstation alive. ... If a developer has to tie up her development workstation for two to three hours to run a scan on a single build component, the result is that her productivity diminishes as she waits around for results.

Interview: The Need for Big Data Governance
There are three main ways bad data gets into systems, and they’re all essentially technology-agnostic. The first is during data migration. Before you go live on a new system, you will normally bulk load some information. If your initial data load contains poor quality data, it can be really expensive to fix. If you’re talking about an ERP system, it can break essential business processes like being able to bill customers. A big data project could lose credibility with the users if they see a lot of data issues. It’s simpler and cheaper to prevent bad data getting in in the first place.

British intelligence used DDoS tactics against Anonymous, Snowden documents show
The British spy agency GCHQ secretly waged war against the hacker collective Anonymous a few years ago, according to documents taken from the NSA by Edward Snowden and revealed late Tuesday by NBC. At the time, certain members of Anonymous were themselves waging war against British government institutions and various companies.

Audit committees increasingly uncomfortable about cyber threats
“Given the rapidly growing public, political and media profile of the cyber threat, it is very worrying that audit committee members feel more concerned now about the issue than they did a year ago,” said Stephen Bonner, partner at KPMG. “It shows that either companies are losing the battle against cyber criminals, or they are still not yet fully engaging with the threat. It is a difficult issue that takes many executives and non-executives out of their comfort zone. However, it is simply too big and fast-growing a risk for companies to tackle half-heartedly.”

Those many faces of fraud
The past few years have seen several headline-grabbing incidents of corporate fraud in India. These have not just tested the Indian ‘trust-based’ business framework, but also sent ripples across the business community and stock markets. In many ways, India woke up to the reality of fraud in the past few years. It realised that it was not a Western phenomenon, but a universal one. Greed is, after all, a human failing. Predicting a fraud before it occurs is, at least for now, the subject of science fiction.

Strategies and Code for Creating Fluent APIs
There are numerous ways to implement a fluent API, depending on the degree of control you want to maintain over the API, how many classes you want to be able to use it with, and how you want to extend your API. Here are your options. In an earlier column, "Implementing a Fluent Interface," I showed how to create a fluent API for a single class. However, there are other strategies that offer more flexible solutions.

When No One Is Just a Face in the Crowd
“Just load existing photos of your known shoplifters, members of organized retail crime syndicates, persons of interest and your best customers into FaceFirst,” a marketing pitch on the company’s site explains. “Instantly, when a person in your FaceFirst database steps into one of your stores, you are sent an email, text or SMS alert that includes their picture and all biographical information of the known individual so you can take immediate and appropriate action.”

Senate cybersecurity report finds agencies often fail to take basic preventive measures
“Almost every agency faces a cybersecurity challenge,” said Michael Daniel, special assistant to the president on cybersecurity policy. “Some are farther along than others in driving awareness of it. It often depends on whether they’ve been in the crosshairs of a major cyber incident.” ... The report concluded that the department had failed even to update essential software — “the basic security measure just about any American with a computer has performed.”

SHA-1 to SHA-2: The future of SSL and enterprise application security
Organizations should push ahead with the upgrade to SHA-2 now and not hope for a last-minute reprieve despite the fact that no SHA-1 collisions have yet been found. The areas that will require the most work are legacy systems that make SSL connections, and software and hardware such as game consoles, phones and embedded devices that rely on hard-coded certificates. These certificates will all need to be replaced and have the software updated if they are unable to currently support SHA-2 encryption.

12 predictions for the future of programming
To help you prepare for -- or at least start contemplating -- a future that's screaming across the sky faster than we can see, we've compiled a dozen predictions about how the next five years of programming will shake out. Our crystal ball is very subjective, and some of the following conjectures might not prove universal. Some won't be fully realized in five years. Others are already true, but the extent of their truth is not as well-established or widely known as it will be fairly soon.

Quote for the day:

"Concentration comes out of a combination of confidence and hunger."-- Arnold Palmer

February 04, 2014

A Cost Analysis of Media Consumption using System Dynamics Modeling
Compare the heavily discounted cost of $3/GB for disk to the average price of 10¢ to 13¢ per GB for tape. Or in the case of our simulation and model, $102.9M for a disk architecture and $3.4M for a tape architecture. With a difference of more than 30x the cost for disk than tape, one needs to step back and consider if they really want to jump into the world of disk based backup without considering ways to lower the total cost of ownership. The fundamental cost in the average enterprise is the retention of data that is backed up. With altering the retention level of data backed up, we can effect an impact on the TCO.

Satya Nadella's to-do list: Here are the first 10 battles Microsoft's new CEO will have to fight
And now finally Microsoft has finally ended the wait by confirming that Satya Nadella is to be its new CEO. Nadella needs to get moving as soon as possible; after months of Microsoft's staff effectively treading water while waiting for a new chief to be appointed, he'll have an overflowing inbox and many decisions to make about the future direction of the company and its products. Here are some of the knotty interrelated issues Microsoft's new chief executive will have to struggle with sooner rather than later.

Top 10 Ways to Improve Your Cloud Career and IT Skill Set
New data center demands are creating a wide array of new types of specialists. Engineers become architects, programmers become cloud designers, and database administrators become data scientists! There are a lot of new and interesting options out there to help you push your career to the next level. To be successful in the IT and cloud arena you’ll have to optimizeyour existing skill set. With that, let’s take a look at 10 great ways you can accomplish this.

Predictive Analytics: Finding the Future in Big Data
Using PA to properly assess risks based on actuarial data and proven hypotheses can mean the difference between new product ROIs and catastrophic liability. Weather models forecasting everything from hurricanes to sea-ice melt allow scientists to measure the effects of climate change and illustrate future scenarios. Crime prevention, genomics, human and knowledge performance indicators, natural resource exploration, project management, and other disciplines have stakes in PA.

The Persistent Imbalance Between Supply and Demand for Software Development Labor
We're currently in the midst of another structural increase in the demand for software development labor, this time being driven by analytics and smart devices (the alleged "internet of things", from cars to coffee pots), with the odd halo application (e.g., wearable tech) thrown in for good measure. Every indication is that for the foreseeable future, demand for software developers will continue to increase at a rate faster than the supply of software developers available to develop it. What does this mean to the business of software?

Healthcare among most opportunistic use cases for boundaryless information flow improvement
In the healthcare landscape, and in other industries, there are a lot of players coming to the table and need to interact, especially if you are talking about a complex episode of care. You may have two, three, or four different organizations in play. You have labs, the doctors, specialized centers, and such, and all that requires information flow. Coming back to the methodology, I think it’s bringing to bear an architecture methodology like provided in TOGAF.

The Enterprise IT Infrastructure Agenda for 2014
Procurement of hardware, software, and services required to operate an enterprise environment is becoming more challenging for senior infrastructure managers. Even as more procurement spending is devoted to software, many infrastructure organizations continue to use techniques developed for hardware procurement. These techniques are not entirely effective given software’s product fragmentation and relatively high switching costs.

Despite Target data breach, PCI security standard remains solid, chief says
"Any time there's a breach it sheds a spotlight on what we do," Russo said. But instead of pointing fingers at PCI, there should be more focus on working collaboratively to address security issues in the payment card industry, he said. "Everybody is looking for a silver bullet," in the wake of the recent breaches, said Russo, who is scheduled to testify before Congress pn Wednesday on the issue. "As far as I know, no silver bullet exists. It's a combination of people, process and technology."

Debug / Inspect WebSocket traffic with Fiddler
This is my first time writing code project article. Thanks for your supports. I have recently written a project using SignalR, which supports HTML 5 WebSocket. However I cannot find good tools to debug or inspect WebSocket traffic. I know that both Chrome and Fiddler support inspecting the WebSocket traffic, but they are very basic. If you have very high volume of traffic or each frame is very large, it becomes very difficult to use them for debugging. I am going to show you how to use Fiddler (and FiddlerScript) to inspect WebSocket traffic in the same way you inspect HTTP traffic.

Mobile device management vs. mobile application management
Mobile device management and mobile application management are two of the more popular technologies for enabling secure smartphone and tablet use in the enterprise. They have different use cases, but some of their features overlap, and more vendors are combining the two technologies into single products. That means mobile device management vs. mobile application management isn't necessarily the discussion you should be having in your IT department.

Quote for the day:

"If you define your company by how you differ from the competition, you're probably in trouble." -- Omar Hamoui

February 03, 2014

The risks of Agile software development: Overcoming feature creep
It is important not to confuse scope creep with intentional technical debt. In Agile projects, some teams will purposely incur debt because delivering to the market can trump the quality or completeness of the solution. Developers have to get something out there because the competition has some functionality that their product lacks. That said, developers must plan to prevent scope creep even when they incur intentional technical debt.

OpenStack creates innovation for private clouds + competition
Giving large enterprises the power of a large cloud platform isn’t in Kemp’s opinion just about technology. Technology is important in order to make things possible, but “you are dealing with a cultural transformation.” “You are dealing with a different way of thinking about building software and with a lot of existing applications that are not going to run very well in the ideal cloud architecture that we see the Amazon-style cloud companies leveraging,” said Chris Kemp.

Oracle's cloud growth: Will it measure up?
What Goldmacher is trying to solve for with Oracle's cloud growth is going to be a common problem for the industry. Mixed revenue models---licensing, support and cloud subscriptions---ultimately mean less transparency by product line. While Workday, Salesforce and NetSuite are easier to understand regarding cloud growth, tech giants can talk growth with a lot of footnotes and other assumptions. Simply put, cloud washing is an epidemic.

Data classification for cloud readiness
Several types of processes exist for classifying data, including manual processes, location-based processes that classify data based on a user’s or system’s location, application-based processes such as database-specific classification, and automated processes used by various technologies, some of which are described in the ”Protecting confidential data” section later in this paper. This paper introduces two generalized terminology models that are based on well-used and industry-respected models. These terminology models, both of which provide three levels of classification sensitivity, are shown in the following table.

Big Data Goes Legal
Attorneys are fighting back against the seemingly insurmountable onslaught of big data as it relates to their litigation practice. Legal analytics, a term often made interchangeable with technology assisted review or predictive coding, attempts to help an attorney be a “copilot” in the matrix of litigation, with big data guiding the focus and prioritization of data review and categorization. Leaders and innovators in the legal technology space are now in an arms race to create the most defensible, statistically validating tools to sift through data and locate the “smoking gun” as quickly as possible.

New CIOs need at least two years to take charge, research finds
Ninety days is often quoted by management books, such as Michael Watkins’ ‘The First 90 Days: Proven Strategies for Getting Up to Speed Faster and Smarter’, as the critical amount of time an executive needs to succeed in their role. However, Peppard believes that there is a process of learning that all CIOs have to go through until they have mastered the assignment of a new role, which takes much longer.

Hackers use '.enc' trick to deliver Zeus banking malware
Gary Warner, Malcovery's chief technologist, posted on his blog an assortment of spam messages, which spoofed brands and organizations such as the payment processor ADP, the Better Business Bureau and the British tax authority HMRC. The spam messages contain a ".zip" file, which, if opened, contains a small application called UPATRE. That executable file downloads a ".enc" file, which it then decrypts. The decrypted file is GameOver Zeus, a variant of the notorious Zeus malware.

Dell offers bare-metal switches through Cumulus partnership
With the right skills in place, an IT organization can greatly reduce the cost of network operations by exploiting the programmability of these bare-metal Dell switches, he said. The capital costs will also be lower. Dell isn't disclosing how much it will charge for bare-metal switches, but Joshipura said the price will be around 20% lower than switches running Dell's proprietary software, depending on volume and type of customer.

Malicious intent can turn Chrome speech recognition into spying device
Ater first reported his findings privately to Google in September 2013. Ater said Google engineers had a fix within weeks. Then a week ago, with no evidence of Google removing the bug from Chrome, Ater decided to go public: “As of today, almost four months after learning about this issue, Google is still waiting for the standards group to agree on the best course of action, and your browser is still vulnerable.”

Data-driven policy and commerce requires algorithmic transparency
Part of the trouble is that big data has long since become a big buzzword, enabling marketers, vendors, media, academics, and politicians to project whatever they like upon it. That bubble is hard to puncture with criticism, real or otherwise. That reality has been acknowledged by close observers of the phenomenon, like Ken Cukier, The Economist's data editor, who suggests thinking about it in terms of its features:

Quote for the day:

"The key to successful leadership today is influence, not authority." -- Ken Blanchard

February 02, 2014

How ISO 31000 standardises risk management
Any organisation’s risk management should be capable of review and evaluation by any risk manager or auditor. ISO 31000 sets a framework for ‘components that provide the foundation and organisational arrangement for designing, implementing, monitoring, reviewing and continually improving risk management processes’. The framework of ISO 31000 follows the Plan, Do, Check, Act model, like other global management system standards.

Enterprise software marketing: Sell the value, not the box
The drive to perfect features before achieving a profound understanding of customer needs, pains, and business context comes from the mistaken assumption that technology, like idealized love, can overcome any obstacle. This mindset pushes many startups to believe their core mission is creating a great product. In a blog post and video, entrepreneur and Stanford professor, Steve Blank, challenges startups to rethink the fundamental nature of their challenge and goal. Instead of pushing for better product and technology alone

Holacracy 101: Could This Nontraditional Business Structure Work for You?
Holacracy is a self-governing, purpose-driven business structure that reassigns authority and responsibility based on the task at hand. The model recently made headlines for sparking the interest of Zappos CEO Tony Hsieh. His company reportedly will become a holacracy by the end of 2014. Here’s a brief explanation of how holacracy works and why it could benefit a small business.

2014 Enterprise Architecture: Increasing Business Architecture ROI
BAs need to focus on creating value to drive value realization as the outcome for our annual work plan for the organization. ... This model is comprehensive, fits with the BA role, and is well-accepted type of concept as it covers the value planning, value creation, and value realization process illustrated below. Simply put, BAs must align and drive the business strategy from the C-suite for realization of the expected business goals and mission outcomes.

4 things I learned from a career in tech startups
Umang Gupta is the former CEO of Keynote, which was recently acquired by Thoma Bravo LLC.Nothing in my childhood would have suggested that I’d grow up to be a Silicon Valley entrepreneur. In fact, the opposite was more likely. ... "With Keynote, I made sure from the beginning to recognize that my job, like any parent, was to give the company its roots and wings, and like any parent when the job was done, I would have to separate my own life from the company’s life. Today, Keynote is a solid, stable company that is a leader in its space, but still has a long way to go before it will have fulfilled its potential."

Building Applications With Hadoop
When building applications using Hadoop, it is common to have input data from various sources coming in various formats. In his presentation, “New Tools for Building Applications on Apache Hadoop”, Eli Collins, tech lead for Cloudera’s Platform Team overviews how to build better products with Hadoop and various tools that can help, such as Apache Avro, Apache Crunch, Cloudera ML and the Cloudera Development Kit.

What Dropbox for Business has to offer admins and users
Administrators with security concerns about Dropbox (and its well-publicized security breaches of the past) can sleep a little easier knowing that Dropbox has also taken some steps to secure data. It now encrypts all stored files using 256-bit Advanced Encryption Standard protection and uses the Secure Sockets Layer protocol to provide a secure tunnel for transferring data. Administrators can take advantage of third-party tools to provide additional encryption, and Dropbox continues to support a two-step verification process beyond just passwords.

How to Hire a Data Scientist
Given the relative newness of the role, many experienced data scientists and value architects come from an experience-based rather than trained background. Because their skills will be aligned to their experience, it is important to plan for targeted training and development. Someone who is a great culture fit, analytical capabilities, and value measurement knowledge but lacks certain programming skills may need to get skilled up in-house. Being prepared to accept someone that doesn’t have every skill needed (supported by an appropriate training program) is a pragmatic approach.

An Integrated Implementation of ISO 31000
ISO 31000 has left open the problem of implementations. That is, ISO 31000 is in large normative in nature. For instances, ISO 31000 describes a generic process to manage risks, but it does not describe how to establish the organizational devices so that the process can be executed; it describes a risk management framework, but it does not explain the dynamics between the risk management process and the framework; it lists several principles reflected in effective risk management, but it does not describe how to realize the principles in implementations

How to use Workshops to Boost Creativity, Team Commitment and Motivation
To be creative, participants have to feel comfortable both with themselves and with the group. They need to know that their ideas will be accepted in the group, and that everyone's opinions count equally. They need to feel welcome in the group and comfortable with the facilitator. Experienced workshop facilitators make a conscious effort to help the participants feel safe, and set the tone that maximizes motivation and creativity in the group.

Quote for the day:

"Regardless of the changes in technology, the market for well-crafted messages will always have an audience." -- Steve Burnett

February 01, 2014

Development teams at risk for making privacy agreement violations

With regard to protecting your own end-user privacy agreements, the first question to ask is: "Have my developers read our privacy policy and do they even know it exists?" Legal counsel, in consultation with marketing and other business functions, typically drafts privacy agreements. The contents of the agreements are often not explicitly communicated to the teams building the systems that handle data with privacy implications.

Insights and Trends: Current Project Portfolio Management Adoption Practices
Another interesting fact that came from the survey was that 76 percent of the respondents still use homegrown spreadsheets internally to manage projects in some capacity. Since 55 percent of respondents have more than 1,000 employees, this can easily lead to PPM data integrity issues and ponderously slow feedback loops. Definitely not a path that enables firms to pivot with rapidly changing business conditions. Moreover, from our experience this manual approach significantly impacts project performance.

Getting Real Value from BI Investments
Now things are different. Database technologies, “big data” storage, in-memory analytics, and the ability to leverage multiple types of data expand the value proposition of what business intelligence has to offer. The challenge becomes understanding the options that are available and making sure that the right choices are made within organizations that not only reflect current needs, but that can also support future needs.

After NSA Backdoors, Security Experts Leave RSA for a Conference They Can Trust
The allegation of the $10 million RSA/NSA deal compounded with leaks earlier in the year about NSA’s efforts to sabotage global cryptography has lead some speakers to withdraw from the 2014 RSA Conference in San Francisco, which attracts some 25,000 attendees each year. Nine speakers have canceled their coveted slots and many have chosen to speak instead at TrustyCon, an alternative conference started this year to provide a platform for speakers who protest RSA and NSA's long-standing collaboration.

Transact-SQL Named 'Programming Language of the Year' for 2013
This "award" further emphasizes the importance of competency in SQL. I earlier wrote about how SQL gurus and other database-related programmers enjoyed excellent job security and how SQL Server developers were in high demand. That's the good news. The bad news, according to TIOBE, "It is a bit strange that Transact-SQL wins the award because its major application field, Microsoft's database engine SQL Server, is losing popularity. The general conclusion is that Transact-SQL won because actually not much happened in 2013."

2014 Developer Opportunities and Challenges, Part II: UX Skills Gap, Crowdsourcing
It's an old problem, he said, but a new opportunity. "UX is one of the big things to get your arms around in 2014," he said. "It presents a great opportunity to outpace your competitors if you do, especially if you recognize that it isn't just important for consumers using your mobile app, it's also important to the productivity and satisfaction of your internal employees." Another opportunity Knipp sees ahead for developers comes from what might for many be an unexpected place: crowdsourcing and hackathons.

How developers could have avoided HealthCare.gov technical problems
As we all know, fixing hundreds of bugs right before a release can have a crippling effect on software and is guaranteed to create additional bugs that will not be caught in the final testing phases. That is, unless you have seasoned testers who know how to expand upon the documented test cases during the final integration testing. Unfortunately, the testers for the October release involved 200-300 government and insurance employees who tested only a few days before launch.

Taking Advantage of the Kinder, Gentler Takeover
This Darwinian scenario benefits both rivals and shareholders. In contrast to the widely held argument—which has been cited frequently in opposition to the rumored Sprint–T-Mobile deal—that mergers have collusive, anti-competitive effects on an industry, most of the evidence suggests that competing firms “learn from the productive efficiency driving the merger, possibly putting some rivals in play for a later date,” the author writes.

Tor-enabled malware stole credit card data from dozens of retailers
Most of the affected retailers are based in the U.S., but PoS infections with this malware were also detected in 10 other countries, including Russia, Canada and Australia, the RSA researchers said Thursday in a blog post. "At this time our research indicates that 119 PoS terminals within 45 unique retailers show evidence of being infected with the ChewBacca malware," said Uri Fleyder, manager of the Cybercrime Research Lab at RSA, via email. Thirty-two of the affected retailers are based in the U.S., he said.

What is the Board’s Role in Strategy and Strategy Execution? Post 1 of 3
It’s a pretty simple two-part argument: What’s the spend on Strategy Execution? What if it’s $5M or $55M? Given that failure rates on strategic initiatives range from 44-70% (see “Time to kill the 70% phantom failure rate”), there is $2.2M - $38.5M directly at risk; and Perhaps even more importantly, does realization of those strategies materially affect the future of the organization? In combination, surely these are equivalent to any of the board’s other responsibilities.

Quote for the day:

"I have been up against tough competition all my life. I wouldn't know how to get along without it." -- Walt Disney