Tuesday, November 29, 2011

Security Consultants Needed @ Cigital

Cigital Inc, a company I have been working at for the past 3 and 1/2 years, is rapidly expanding and eager to hire.

So if you have any interest in software security, comment below and I will give you more information about all the opportunities currently available at Cigital. And for all those who love to travel, Cigital has many many opportunities that involve traveling.

Please feel free to forward this announcement to all your fellow software friends and family.

Cigital  has offices at several locations all across the world. A few are listed below:
In USA at Dulles, VA, New York, NY, San Jose, CA,. In Europe at London, UK, Amsterdam, Paris, France and Geneva, Switzerland area.

Tuesday, September 27, 2011

Cigital Announces BSIMM3

Cigital, the company I work for, today announced the third major release of the "Building Security In Maturity Model" (BSIMM) study. BSIMM3 continues to add real-world data defining benchmarks for successfully developing and operating an enterprise software security initiative. The study reveals that firms participating in the BSIMM project show measurable improvement in their software security initiatives over time.

BSIMM3 is a multi-year study of real-world software security initiatives, based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.

The BSIMM3 study provides insight into forty-two of the most successful software security initiatives in the world, identifying activities used by these organizations to effectively plan, structure, and execute the evolution of a software security initiative.

Originally launched in March 2009, the BSIMM is the industry's first software security measurement tool built from real-world data rather than based on philosophy and theory. BSIMM2 was released in May 2010 and tripled the size of the original study from nine organizations to thirty. BSIMM3, released today, covers forty-two firms representing a range of eight overlapping verticals including: financial services (17), independent software vendors (15), technology firms (10), telecommunications (3), insurance (2), energy (2), media (2) and healthcare (1). The current release includes 109 thoroughly updated activity descriptions and a longitudinal study describing the evolution of eleven of the forty-two firms over time.


Some highlights for the third major release of the BSIMM:
• BSIMM3 now includes 42 firms
• BSIMM3 describes 109 activities in 12 practices with 2 or more real examples for each activity
• 11 firms have been measured twice (providing Longitudinal Study data) and the data show measurable improvement
• The BSIMM3 data set has 81 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
• BSIMM3 reveals that leading firms on average employ two full time software security specialists for every 100 developers
• BSIMM3 results show that mature software security initiatives are well rounded, with activities in all twelve practices including: strategy and metrics, compliance and policy, architecture analysis, code review, security testing, penetration testing, and configuration management.


For more information and to access the BSIMM3 study, which is distributed free of charge under the Creative Commons, please visit: http://bsimm.com/

Saturday, September 10, 2011

EJB 3.1 Cookbook - Review

Title: EJB 3.1 Cookbook

Author: Richard.M.Reese

Publisher: Packt

I received this book to review some time in June this year. Just two days after I received the book, we had to travel to India due to the sudden death of my Mother-in-law.
I came back from India, and was swamped with work for several weeks. Finally, this weekend I had some time to sit in front of my laptop and work on the review.

 I usually don't agree to review any books due to my busy schedule. However, took this offer just because it was a book on my favorite technology, EJB's.

The book covers the latest EJB version, 3.1. Like the name suggests it is a cookbook with lots of examples. If you are already familiar with using EJB and want to know new features of 3.1 than I would recommend you to go ahead and buy this book.

However, if this is the first time you are using EJB's, than this book doesn't cover all the technologies in detail. There are a few sections which I thought was not at all relevant to EJB 3.1, like

  • How to support currency
  • Using time with an EJB
  • Efficient manipulation of strings
And a few sections where the Author goes in detail in explaining how to
  • Validating null fields
  • Validating string fields
  • Validating temporal fields
  • Validation using regular expressions
  • Validating Boolean fields
  • Validating Integer fields
  • Using the Validator class
Do we need examples to know how to validate every type of field?
 
In the past few years I have been consulting, I have seen several Developers who need examples and samples for everything. If you are one such Developer, this is the book for you.
If you want more details about this book, take a look at the link below on Packt web site.
 1. EJB 3.1 Cookbook

So, what would be my rating for this book if you ask?

Packt Publishing launches Sixth Annual Open Source Awards


I am a huge fan of technical books. I used to write several reviews for Javalobby earlier. However, due to time constraints and a hectic job, have not been writing reviews lately. Earlier, most books I read were from Manning, Apress and O'Reilly. In recent days, I read several interesting books from Packt Publishing.

 I am also a huge fan of open source technologies. I haven't contributed much to open source technologies. However, when I heard of the latest open source awards announced by Packt Publishing, I thought I should do my share and let the community know the same.


Packt has announced several categories for the awards.
The categories are:
  • Open Source CMS
  • Open Source Mobile Toolkits and Libraries
  • Most Promising Open Source project
  • Open Source Business Applications
  • Open Source JavaScript Libraries
  • Open Source Multimedia Software
If you nominate you will be entered to win a Kindle. I love my Kindle. :)
As per the press release from PACKT:
"The finalists in the voting stage will be announced at the beginning of September; and the Voting stage begins on 19th September 2011. Voting closes on 31st October 2011, with the winners announced throughout the week commencing 7th November 2011."
Read more details on their web site, and keep voting.

Tuesday, August 16, 2011

Job Opportunities at Cigital

I have seen several emails, and a few comments about how people have been losing jobs, and are unable to find one quickly.The economy is getting worse day by day, and trust me I have seen several people I know who are struggling to find job.

Cigital Inc, a company I have been working at for three years, is rapidly expanding and eager to hire. I am working as a Technical Manager and love what I do for my Job.

So if you have any interest in software security, quality, or product development comment below and I will give you more information about all the opportunities currently available at Cigital. And for all those who love to travel, Cigital has many many opportunities that involve traveling.

Please feel free to forward this announcement to all your fellow software friends and family.

My Company has offices at several locations all across the world. A few are listed below:
In USA at Dulles, VA, New York, NY, San Jose, CA,. In Europe at London, UK, Amsterdam, Paris, France and Geneva, Switzerland area.

Monday, April 11, 2011

Continuous Integration in .NET - Book Review

Title: Continuous Integration in .NET

Authors: 
MARCIN KAWALEROWICZ and CRAIG BERNTSON


Publisher: Manning 


Rating:  Five stars all around!
The book is well written. The authors have gathered so much information in this book that it will help those of you who want to use CI. I'd heartily recommend this book for anyone making the transition to Continuous Integration in the .NET world.

It is simple to rate this book: every .NET team not using Continuous Integration should own and read this book!


I have been using CI in my own team, and have also been assisting several clients in setting up CI. Over the past several years, I have seen many teams using CI just to compile their code. If your team is doing just that, than this is the book you need to read and follow. All CI concepts are illustrated with examples. The authors use a large number of diagrams, tables, and code snippets with detailed explanations.

Note: This was also the first technical book which I read on my Kindle, and the rendering of the diagrams, tables, code snippets was just great.

Target Audience:
The target audience for this book is the entire .NET development team. For a beginner trying to understand Continuous Integration, for a Tester who wants the system to be in a working state before and after integration, and the Manager who want to reduce risks, this book will give a solid foundation of CI and its concepts. It is for all kinds of .NET developers: Beginners, Intermediate as well as Experienced CI users.

Tools Covered:
The authors cover several tools required for setting up a successful CI system, and the book has working examples to setup and use each of the tools listed below. The list below itself makes this book an important part of every .NET developer's arsenal.

1.     CI Servers
  • CruiseControl.NET
  • TeamCity
  • Team Foundation Server 2010
2.      Build Automation Tools
  • Nant
  • MSBuild

3.     Unit Testing Frameworks
  • NUnit
  • Microsoft unit testing framework

4.     Test Coverage
  •  PartCover
5.     UI Testing Frameworks
  • White
  • Silverlight
  • Selenium
6.     Acceptance Testing Frameworks
  •  FitNesse
7.     Code Analysis Tools
  •  FxCop
  • StyleCop
  • NDepend

Thursday, March 10, 2011

ZIP Files - Ant and Maven

How hard it might be to ZIP a bunch of files you think right? Judge for yourself. Like in my previous post of getting the timestamp, I needed to ZIP all the source artifacts to upload to a server.

I could do this in one line in Ant. Yes, literally one line.


Now comes the fun part. Doing the same with Maven. Started browsing the Maven site to see what needs to be done to achieve the same. Sounds easy though, but the XML configured for such a fairly trivial task was not a 1 liner. Several lines to get this to work.


Not sure how many more things I will uncover using Maven. I would have written everything in Ant and asked the client to use the Ant plug-in for Maven, but that is not an option I have.

I am glad I am learning so many things about Maven. By the time I finish writing all the plug-ins for Maven, I am quite confident I will be able to say I am a Maven GURU. Hope that day comes soon.

Wednesday, March 9, 2011

Hudson or Jenkins

I have been using Hudson( now called Jenkins) from early 2008, i.e. almost 3 years. Also, if you have been reading my blogs, you already know I am a huge fan of Hudson.

I had been following what's happening with Hudson and Jenkins closely. Every time I do a presentation at client sites, I get frequently asked about which way I am going. Like "Have you switched to Jenkins, why are you still using Hudson"? What are your thoughts about both of them?

Most of our clients which are big financial institutions are still using Hudson. So, we will have to support Hudson as long as our clients are using. Most of them had no inclination to switch to Jenkins either. They didn't have any opinion when I asked about the switch.

So, for the time being we are using Hudson. However, I did download Jenkins, renamed it to hudson.war and everything worked like a charm. As expected.

So, what are you using? Have you made the switch yet to Jenkins? If yes, may I ask why?

Tuesday, March 8, 2011

Getting Timestamp in Ant (trivial) and Maven (nontrivial)

I have been working on custom plug-ins for Ant and Maven to upload artifacts to a server. These are source files, the binaries and anything required for scanning using a static code analysis tool for security. Having used Ant for more than a decade now getting the time stamp to keep track of the uploads and also the log files was done in a few minutes.

So, it is trivial getting a timestamp from within my build.xml file. Attached is the sample for doing the same.


No surprises, and everything works like a charm.

Now comes the tough part. Getting the timestamp in Maven. After writing several plug-ins for Hudson and Sonar, I was thinking I have some good knowledge about Maven. I was completely wrong. I have been struggling getting the time stamp plug-in to work with Maven.

So, here are the steps I followed when I saw there was a "Build Number Maven Plug-in".

I added the plugin details to my pom.xml file. Attached are the details:

As soon as I ran this, I got an exception as shown below:

artifact org.codehaus.mojo:buildnumber-maven-plugin: checking for updates from central
[WARNING] repository metadata for: 'artifact org.codehaus.mojo:buildnumber-maven-plugin' could not be retrieved from repository: central due to an error: Error transferring file: Connection timed out: connect
Repository 'central' will be blacklisted
------------------------------------------------------------------------
[ERROR]BUILD ERROR
------------------------------------------------------------------------
The plugin 'org.codehaus.mojo:buildnumber-maven-plugin' does not exist or no valid version could be found

Next, I decided to install the plug-in manually on my local repository. So, here I followed the following steps:

1. Downloaded the jar from http://mirrors.ibiblio.org/pub/mirrors/maven2/org/codehaus/mojo/buildnumber-maven-plugin/1.0-beta-4/buildnumber-maven-plugin-1.0-beta-4.jar

2. Installed it locally in my Maven repository as such:
mvn install:install-file -Dfile=buildnumber-maven-plugin-1.0-beta-4.jar \
-DgroupId=org.codehaus.mojo \
-DartifactId=buildnumber-maven-plugin \
-Dversion=1.0-beta-4 \
-Dpackaging=jar

The timestamp was created at this point, and now the plugin complains about the scm url being null.


------------------------------------------------------------------------
[buildnumber:create]
Storing buildNumber: 20110308095006 at timestamp: 1299595806804
------------------------------------------------------------------------
[ERROR]FATAL ERROR
------------------------------------------------------------------------
The scm url cannot be null.
------------------------------------------------------------------------
Trace
java.lang.NullPointerException: The scm url cannot be null.
at org.apache.maven.scm.manager.AbstractScmManager.makeScmRepository(AbstractScmManager.java:181)
at org.codehaus.mojo.build.CreateMojo.getScmRepository(CreateMojo.java:722)
at org.codehaus.mojo.build.CreateMojo.getScmBranch(CreateMojo.java:593)
at org.codehaus.mojo.build.CreateMojo.execute(CreateMojo.java:452)
at org.apache.maven.plugin.DefaultPluginManager.executeMojo(DefaultPluginManager.java:490)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoals(DefaultLifecycleExecutor.java:694)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalWithLifecycle(DefaultLifecycleExecutor.java:556)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycleExecutor.java:535)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures(DefaultLifecycleExecutor.java:387)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultLifecycleExecutor.java:348)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExecutor.java:180)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:328)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:138)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:362)
at org.apache.maven.cli.compat.CompatibleMain.main(CompatibleMain.java:60)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
at org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)
at org.codehaus.classworlds.Launcher.main(Launcher.java:375)
------------------------------------------------------------------------
Total time: 2 seconds
Finished at: Tue Mar 08 09:50:07 EST 2011
Final Memory: 24M/224M
------------------------------------------------------------------------

I searched the FAQ section of this plugin at http://mojo.codehaus.org/buildnumber-maven-plugin/faq.html and it says to include the
revisionOnScmFailure 
which like you can see I have included.

At this point, I just gave up using this plug-in.

Have you used this plug-in and have a work around for this problem? Please share your thoughts. Is there anything else easier I can use to get the time stamp?

Update: After several tries using many other plug-ins including the one for Groovy, I found a workaround for some other bug at the following location http://jira.codehaus.org/browse/MRESOURCES-99, and I was able to successfully get the time stamp I need. Huh, I need my 3 hours back Maven......

Wednesday, March 2, 2011

RESTEasy - Connection Release Problems

If you are using RESTEasy client framework, and returning a Response from your service method, you will explicitly need to release the connection.

Here is the stack trace you will see, if the connection isn't released.

Exception in thread "main" java.lang.RuntimeException: java.lang.IllegalStateException: Invalid use of SingleClientConnManager: connection still allocated.
Make sure to release the connection before allocating another one.
at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:101)
at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:72)
at $Proxy25.updateSubmission(Unknown Source)
at meera.rest.main.MYRestWorkflow.main(MYRestWorkflow.java:61)
Caused by: java.lang.IllegalStateException: Invalid use of SingleClientConnManager: connection still allocated.
Make sure to release the connection before allocating another one.
at org.apache.http.impl.conn.SingleClientConnManager.getConnection(SingleClientConnManager.java:199)
at org.apache.http.impl.conn.SingleClientConnManager$1.getConnection(SingleClientConnManager.java:173)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:390)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:86)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:449)
at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:679)
at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:97)
... 3 more
------------------------------------------------------------------------
[ERROR]BUILD ERROR
------------------------------------------------------------------------

So, in order to fix this issue, RESTEasy has a method for releasing the connections which can be done using the following code:
MyResource resource = MyProxyFactory.create(MyResource.class, "resourcePath");
ClientResponse response = (ClientResponse) resource.create();
//Any REST Resource which returns a ClientResponse, has to call releaseConnection to release all the connections back
//to the connection pool
response.releaseConnection();

Saturday, February 26, 2011

Technical Books and Kindle

I very much enjoy my new Kindle. I had no idea that I would get addicted to this new toy. From the time I got the Kindle, I have already read 4 books.

I uploaded several of my technical PDF books. These books were from Manning, Apress, O'Reilly. However, none of these render properly on the Kindle.

It is hard to flip the pages, the pages don't display correctly, the diagrams also don't show up properly, and code samples are even bad.

So, was wondering how you all use your Kindle to read technical books? Any tips or tricks would really be help.

Wednesday, January 26, 2011

Amazon Kindle

Just yesterday I received the Amazon Kindle as a gift from my company for my hard work. Isn't it a great feeling to know your company recognizes your hard work, and appreciates the same? I always wanted to buy a Kindle, but wasn't sure if it is even going to help me.

It has been less than 24 hours, and I am hooked to this new electronic gadget. It has WI-FI, I can check my email, listen to music, read books. Of course, if you have a Twitter or Facebook account, you can connect to those accounts as well directly from the Kindle. I don't have either one of them, and am not sure will have one soon.

I was able to copy all my technical ebooks to the Kindle. There is however one problem I am unable to solve. The Kindle connects fine to my Mac, I am unable to connect it to my Work Computer which is Windows 7 64 bit. So, had to copy some of my books to the Mac, and from there to the Kindle.

Anyone facing the same problem with Windows 7? Any suggestions?

Time to start reviewing books like I did earlier, right?