Secure those passwords!

Stories about hacked or stolen password files keep coming. One of the most recent is a breach at IEEE.org, where roughly 100,000 plaintext passwords were exposed a few weeks ago. The IEEE confirmed it a couple of days ago:

IEEE Statement on Security Incident

25 September 2012 -- IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected.

IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.

There are two underlying problems. One we can address. One we can’t.

The problem we need to address is that programmers are sloppy. The application calls for some sort of login with user names and passwords. So what do programmers do? They store the usernames and passwords as plain text in some sort of lookup table. They store the password lookup table on a volume where it can be accessed over the Internet.

The fixes are simple.

1. No plain-text storage systems, ever! And don't just encrypt, either: anything that can be decrypted can be leaked with the key. Salt each password and run it through a slow, iterated password hash (bcrypt, scrypt or PBKDF2), and store only that.

2. Don’t store the lookup table anywhere where it can be accessed remotely.

3. Don’t record passwords in log files.

4. Forget rules 1, 2 and 3. Instead, don’t let your programmers roll their own identity management system. If one needs to be built, make it a separate project and subject it to serious design work, security auditing and penetration testing.

No matter how trivial the “at risk” data, don’t create a lame login system. Ever. If a login/password system is required, take it seriously from a design perspective. It’s an attack surface!
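Here is what rules 1 and 3 look like in code. This is an added example, not code from the original post or from the IEEE: it uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, compares digests in constant time, and writes a login log line that never carries the submitted password. The record format, the iteration count and the sample user table are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# The pattern the post complains about, shown only for contrast (do not do this):
#   USERS_PLAINTEXT = {"chuck@bobobomail.com": "DontGuessMe123"}
#   log.info("login %s/%s", username, password)   # password lands in the log file

# Assumption: iteration count chosen for roughly 0.1-0.5 s per hash on current
# hardware; raise it as machines get faster.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is fresh random bytes per call, so two users with the same
    password get different records and a stolen table cannot be attacked
    with one precomputed lookup.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: refuse rather than guess
    if algorithm != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest takes the same time whether the digests differ in byte 0 or byte 31
    return hmac.compare_digest(actual, expected)


# Used when the username is unknown, so a login attempt costs the same time
# whether or not the account exists (no username enumeration via timing).
DUMMY_RECORD = hash_password("not-a-real-password")

# Constructed user table. The stored column is the hash record, never the password.
USERS = {
    "chuck@bobobomail.com": hash_password("DontGuessMe123"),
}


def login(username: str, password: str):
    """Check credentials; return (success, log_line).

    The log line records who tried and whether it worked. It deliberately
    omits the submitted password (rule 3), which is exactly what ended up
    in the exposed IEEE log files.
    """
    record = USERS.get(username)
    matched = verify_password(password, record if record is not None else DUMMY_RECORD)
    ok = matched and record is not None
    return ok, "login user=%s result=%s" % (username, "ok" if ok else "failed")


if __name__ == "__main__":
    print(USERS["chuck@bobobomail.com"])          # a record, not a password
    print(login("chuck@bobobomail.com", "DontGuessMe123"))
    print(login("chuck@bobobomail.com", "wrong-guess"))
```

Two things worth noticing when you read the output: the stored record changes every time the table is rebuilt (fresh salt), and a failed login produces a log line you could hand to anyone without leaking the guess that was made.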

That brings us to the second problem, the one we can’t address. Humans tend to reuse their passwords. They might have the same username and password on every e-commerce site. You’ve cracked one, you’ve cracked them all. And you know, that same login/password might also be their email access code, their remote network admin login/password, and their corporate portal login/password.

If your system uses an email address as the login, perhaps you’ve made life easier for your end users. You’ve also made it much easier for hackers to target your system, and for them to exploit a stolen login/password list from another site. If chuck@bobobomail.com uses a password of DontGuessMe123 on one site, he’s probably using it on your site too.

Practically speaking, there’s nothing we can do about password reuse. But we can, we must, make sure that our own identity management systems are secure. If the IEEE can fail, we can too.


Reimagining the taxonomy of computing

Interactive whiteboards! Ambient intelligence! A lot can change in 14 years! That’s the conclusion you have to reach after reading the latest iteration of the Computing Classification System, maintained and published by the Association for Computing Machinery.

The ACM’s CCS has defined the computing field since 1964, and was last updated in 1998. This latest update, completed in March 2012 but unveiled this month, can be considered a full list of terms. According to the ACM,

The 2012 ACM Computing Classification System has been developed as a poly-hierarchical ontology that can be utilized in semantic web applications… It relies on a semantic vocabulary as the single source of categories and concepts that reflect the state of the art of the computing discipline and is receptive to structural change as it evolves in the future. 

You can see the entire CCS as a Word document, HTML page or as an XML file.

What’s new in the 2012 classification? Lots, both in terms of organization and in content.

Previously, the CCS was divided into 11 top-level hierarchies: General literature, Hardware, Computer systems organization, Software, Data, Theory of computation, Mathematics of computing, Information systems, Computing methodologies, Computer applications, and Computing milieux (my favorite).

The new 2012 system has 14 top-level hierarchies which better reflect today's world: General and reference, Hardware, Computer systems organization, Networks, Software and its engineering, Theory of computation, Mathematics of computing, Information systems, Security and privacy, Human-centered computing, Computing methodologies, Applied computing, Social and professional topics, and Proper nouns: People, technologies and companies.

Alas, Computing milieux has been renamed to the clearer, but less romantic, Social and professional topics.

Here’s an entire section that didn’t exist before:

Ubiquitous and mobile computing
.Ubiquitous and mobile computing theory, concepts and paradigms
..Ubiquitous computing
..Mobile computing
..Ambient intelligence
.Ubiquitous and mobile computing systems and tools
.Ubiquitous and mobile devices
..Interactive whiteboards
..Mobile phones
..Mobile devices
..Portable media players
..Personal digital assistants
..Handheld game consoles
..E-book readers
..Tablet computers
.Ubiquitous and mobile computing design and evaluation methods
.Empirical studies in ubiquitous and mobile computing

Think of the CCS taxonomy as a giant table of contents or index for our industry. When you look through 2012 CCS, you can see just how big computing is – and how fast it is changing.


Learn how to cope with Big Data

The tangible benefits of Big Data analytics are well known. You can read about them in the IT press – and also in business journals and the daily newspaper. Many books have been published about the "why" of Big Data. Conferences devoted to exploring the trends are happening everywhere.

But what about the “how” of Big Data – how to store, search, share and analyze those gigantic data sets? That’s what you don’t hear about, and it’s hard to learn. That’s why I’m excited to chair the new Big Data TechCon, coming to Boston Apr. 8-10, 2013.

Big Data TechCon isn't another "why" conference. It's the HOW-TO conference for Big Data. Practical workshops. Technical classes. Thorough examinations of the real-world choices in storage, processing, analysis and reporting of Big Data information. Strategies for rolling out Big Data projects in your organization.

Come to Big Data TechCon to learn HOW-TO accommodate the terabytes and petabytes of data from your Web logs, social media interactions, scientific research, transactions, sensors and financial records. Learn how to index, search and summarize the Big Data. Learn how to empower employees, inform managers, reach out to customers.

Big Data TechCon is technology-agnostic. The workshops and classes apply to Big Data in your data center or in the cloud, from hosted environments to your own servers. The sessions apply to relational databases, NoSQL databases, unstructured data, flat files and data feeds.

The faculty have real-world experience that you can tap into, whether you use Java, C++, .NET or JavaScript; whether you like MySQL, SQL Server, DB2 or Oracle; whether you love or hate Hadoop; and whether you are looking at dozens of terabytes or hundreds of petabytes.

Learn from the smartest, hardest-working faculty in the Big Data universe in a way you never could by reading a book or watching a webinar. Mingle with fellow attendees. Talk shop during meals and receptions. Be inspired by keynotes, be informed by general sessions, be impressed by the hottest Big Data tools in the Expo Hall. It's all waiting for you.

The Call for Speakers is open for Big Data TechCon through Sept. 26. Stay tuned to learn more in the weeks ahead.


Software quality assurance by the numbers

What do enterprise software developers think about software quality within their organizations? We asked SD Times subscribers and the results may surprise you.

The research project was conducted in July 2012 by BZ Research (like SD Times, a division of BZ Media). Here’s what we learned:

Does your organization have separate development and test teams?

Some development and test/QA teams are separate, some are integrated 34.6%
All test and development teams are integrated 30.2%
All development teams and test/QA teams are separate 32.7%
Don’t know 2.4%

The net result was that 64.8% of respondents said that some or all of the test and development teams are integrated.

How many testers or test/QA professionals do you have at your company (or the largest company to whom you consult)?

5,000 or more 2.9%
1,000-4,999 3.9%
500-999 2.5%
100-499 5.9%
50-99 7.8%
20-49 11.3%
10-19 9.3%
5-9 15.2%
4 or fewer 41.2%

We found that 34.3% said that they have more than 20 testers or QA professionals at their company.

What background do your test/QA managers and directors typically have?

Both development and test/QA 53.9%
General IT background 38.2%
Test/QA only 23.5%
Development only 21.6%
General management background 21.1%
No particular background - we train them from scratch 14.7%

Who is responsible for internally-developed application performance testing and monitoring in your company? 

Prior to Deployment

Software/Application Developers 60.8%
Software/Application Development Management 52.8%
Testers 50.3%
Testing Management 48.7%
IT top management (development) (VP or above) 36.7%
Systems administrators 24.1%
Networking personnel 21.5%
Line-of-business management 21.1%
IT top management (non-development) (VP or above) 19.6%
Consultants 19.3%
Networking management 18.6%
Service providers 16.1%

After Deployment

Software/Application Development Management 53.8%
Software/Application Developers 47.7%
Systems administrators 45.4%
Testers 41.5%
Testing Management 38.5%
IT top management (development) (VP or above) 34.6%
Networking personnel 31.5%
IT top management (non-development) (VP or above) 30.8%
Line-of-business management 30.8%
Networking management 27.7%
Service providers 23.8%
Consultants 20.8%

Does your company outsource any of its software quality assurance or testing? 

Yes, all of it 4.4%
Yes, some of it 26.6%
No, none of it 65.0%
Don’t know 3.9%

This tabulated as 31.0% outsource some or all software testing.

Is your company developing and testing apps for mobile devices?

No, not developing/testing for mobile application development 42.1%
Yes, mobile software for iPhone/iPad 36.6%
Yes, mobile software for Android devices 33.2%
Yes, mobile software in HTML5 30.2%
Yes, mobile software for Windows Phone 22.8%
Yes, mobile software for Blackberry devices 16.3%
Don’t know 5.4%
Yes, for other devices 3.5%

This tabulated as 57.9% were developing or testing mobile applications.

At what stage is your company, or companies that you consult, using the cloud for software testing?

We are using the cloud for software testing on a routine basis 7.9%
We are experimenting with using the cloud for software testing 17.3%
We are studying the technology but have not started yet 26.7%
No plans to use the cloud for software testing 39.6%
Don’t know 8.4%

What is the state of software security testing at your company?

Software security is checked by the developers 48.0%
Software security is checked by the test/QA team 35.8%
Software security is checked by the IT/networking department 29.9%
Software security testing is done for Web applications 27.9%
Software security is tested by a separate security team 25.5%
Software security testing is done for public-facing applications 24.5%
Software security testing is done for in-house applications 22.1%
We don’t have a specific security testing process 18.6%
Software security is checked by contractors 12.7%
Software security testing is not our responsibility 3.4%

Those are the results. Do they match what you’ve seen at your company or within the industry?

About Me

Co-founder and editorial director of BZ Media, which publishes SD Times, the leading magazine for the software development industry. Founder of SPTechCon: The SharePoint Technology Conference, AnDevCon: The Android Developer Conference, and Big Data TechCon. Also president and principal analyst of Camden Associates, an IT consulting and analyst firm.