Michael Olivero
The official blog of Michael Olivero, Software Architect & Humble Entrepreneur

The Need for Improved Software Quality

Thursday, 12 March 2015 14:30 by Michael Olivero

For this particular post, I would like to share a white paper I recently came across summarizing a major research study on the security of various types of software, from off-the-shelf to custom-built applications developed either in house or by 3rd party developers.

As a software architect, looking back on my own experience over 20 years, I can easily agree with the results in this paper.  While it's foolish to think any software is 100% secure, it's undeniably true that, aside from the financial sector, business software is many times built with minimal focus on security.  In fact, I would go as far as to add that the level of security obtained in the software is many times directly related to the level of experience of the developer or team involved.

In a room of 3 developers, with 1, 5, and 10 years of experience, each would claim to have developed good and secure software based on the scope of their knowledge at the time.  All three can develop a sound solution meeting the functional requirements from the perspective of the business or product owner.  However, as with any practiced discipline, the developer with 10 years of experience will usually build some additional safeguards for security, or at a minimum is aware of certain advanced topics such as code signing, etc., where such is unbeknownst to the less experienced developers.  Consequently, the level of security in each is starkly different and is not easily measurable without explicit validation.

How do we apply metrics and quantify the level of security?  A business owner, unaware of programming details, is not able to measure this. A manager, similarly, would be primarily concerned about timely delivery of functional aspects over any security needs which may delay the actual deliverable. Furthermore, as the paper mentions, less than 20% "of organizations surveyed view security as the most important criterion when developing custom applications internally or when having customer software developed by third parties".

As a result, a concerted effort must ensue for education on secure development. Similarly a concerted effort must ensue to adopt patterns for security validation much like we have validation for functional requirements.  Some can be automated while some require human validation similar to automated unit tests and manual human tests of functional aspects in software.

In this day and age, it's abundantly clear the software we write for the web is directly exposed to thousands, and even local software running on computers or devices is indirectly accessible by just as many -- security should be at the forefront moving forward.

Here is the white paper. Although shocking, I vouch for its factual findings, and it is a worthwhile read for anyone in the business of delivering quality secure software.

ISC_The Need for Improved Software Quality_0.pdf (1.90 mb)

How to Add Apple Physical Gift Card to Passbook

Saturday, 10 January 2015 22:19 by Michael Olivero

 

 

Quick Start

Details of how this works

I had a few Apple gift cards lying around and, now using Apple's Touch ID more often, I wanted to place these into Passbook for safe keeping and easier access. So how do we go about adding Apple gift cards to Passbook?

First, the simplest way to add a gift card to Passbook is tapping the "Add to Passbook" button when receiving a gift card over email.  It looks something like this.

 

However, what if you already have a physical gift card and want to add this one to Passbook?  It turns out it's not too easy or straightforward.  Some people recommend downloading the Gyft iPhone app, which allows you to import many gift cards from many merchants; however, I'm a little skeptical of adding them to an app from a 3rd party other than Apple.  This app, and others similar to it, require you to enter all the confidential information from the gift card into the app and transmit it over the internet to their servers.  Although I'm pretty sure these are legit applications, I still had concerns over the security of my information.  Are the connections from the app to their cloud servers secure?  How secure are the servers themselves, etc.

So I then started to investigate the URL Apple generates for the "Add to Passbook" button.  Part of the URL includes the card number, but the remainder of the URL seems to be some unrecognizable encoded string.  Not relenting, after some research over the web, I discovered Apple has a specific URL they use to add Apple store gift cards to Passbook.  Since this URL is hosted by Apple over a secure SSL connection, I feel quite comfortable using it to add my gift cards to Passbook.  The URL is:

https://storepass.apple.com/pc/v1/card/9999999999999/AAAAAAAAAAAA

where 9999... represents the card number and AAAA... represents the PIN of the card.

When I enter this URL into Safari on the iPhone, Safari reports it as an invalid card even for a valid one. The Passbook app, however, expects to scan a QR code to add cards, so I then searched online for a free QR code generator and came across this open source JavaScript project on GitHub (1) which generates a QR code in the client's browser with JavaScript.  After reviewing the code to make sure there was no transfer of information, I used it to generate a QR code for the URL above, replacing the 9999... and AAAA... with the numbers on the back of one of the Apple gift cards.  Once the QR code was generated, I then used the Passbook app to scan this code, successfully adding my gift cards to Passbook as shown.

I added all of my remaining cards without issue.

I'm now embedding the generator for anyone to use as they wish here. This is pure JavaScript running in your browser and no information is delivered from your browser elsewhere.  In fact, the QR code changes in real time as you enter digits or letters. Simply enter your gift card number and PIN, then scan the generated QR code with Passbook to add it to your Passbook.

 

 

 

1.  http://davidshimjs.github.io/qrcodejs/
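
The URL and QR steps described in this post, as an added example (not the post's embedded generator and not code from the qrcodejs project): it validates the two fields, builds the storepass URL, and redraws the code locally with the qrcodejs `QRCode` object. The input character rules and the element ids are assumptions.

```javascript
// Added example, not code from the post or from qrcodejs.
const STOREPASS_BASE = "https://storepass.apple.com/pc/v1/card/";

// Strip the spaces and dashes people tend to type when copying from a card.
function normalize(value) {
  return String(value).replace(/[\s-]+/g, "");
}

// Build the URL given in the post. The character rules are assumptions
// (digits for the number, letters/digits for the PIN), not Apple's spec.
// Rejecting everything else keeps "/", "?" and "#" out of the path.
function buildStorePassUrl(cardNumber, pin) {
  const number = normalize(cardNumber);
  const code = normalize(pin);
  if (!/^[0-9]+$/.test(number)) {
    throw new Error("card number must contain digits only");
  }
  if (!/^[A-Za-z0-9]+$/.test(code)) {
    throw new Error("PIN must contain letters and digits only");
  }
  return STOREPASS_BASE + number + "/" + code;
}

let qr = null; // single qrcodejs instance, reused on every keystroke

// Redraw the QR code in `container`. Returns the encoded URL, or null when
// the input is incomplete or invalid; in that case the previous code is
// cleared so a stale card is never left on screen.
function renderQr(container, cardNumber, pin) {
  let url;
  try {
    url = buildStorePassUrl(cardNumber, pin);
  } catch (err) {
    if (qr) qr.clear();
    return null;
  }
  if (qr) {
    qr.makeCode(url);
  } else {
    // QRCode is the global provided by qrcodejs (footnote 1).
    qr = new QRCode(container, { text: url, width: 256, height: 256 });
  }
  return url;
}

// Browser wiring; the element ids are hypothetical. Nothing here issues a
// network request: the card number and PIN are only drawn into the page.
if (typeof document !== "undefined") {
  const number = document.getElementById("card-number");
  const pin = document.getElementById("card-pin");
  const box = document.getElementById("qrcode");
  if (number && pin && box) {
    const update = () => renderQr(box, number.value, pin.value);
    number.addEventListener("input", update);
    pin.addEventListener("input", update);
  }
}
```
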

Bank Failures App 1.0

Friday, 28 December 2012 17:44 by Michael Olivero

Over the fall quarter of 2012, we created the Bank Failures app for iOS.  I thank a colleague of mine for the detailed graphics and CSV parsing library we ended up using extensively for this and other apps. The idea is very simple -- banks have been failing at a very fast pace since 2008 and there is no easy way to access this information in an organized way to search or simply filter this data by year or by state.

Since we were applying techniques in iOS development, we decided to leverage this need while at the same time applying advanced UI techniques in iOS such as UITableView among others. A recent blog post covers some interesting details about UITableViews.

The following are some screenshots of the app as submitted to the Apple App Store.  In a future blog update, I will decompose the entire application, from the nightly process which pulls bank data from US government web sites to the filtering, tab views, etc.

Cross Multiply Mental Calculation iPhone App

Friday, 27 April 2012 19:42 by Michael Olivero

Update 5/9/2012:

 

-------------------------------------------------

Yusnier Viera, a former co-worker and current world record holder in calendar mental calculation, brought to my attention the concept of cross multiplying.  After learning the basics and practicing over time, I have been able to successfully multiply up to four digit by four digit computations in my head.  Since the exercise is stimulating and to a certain extent entertaining, I decided to build an iPhone application to easily practice.

Unlike paper and pencil, using an iPhone app allows for immediate feedback while entering the answer.  I've been learning how to develop iOS apps for both iPhone & iPad and I am on the verge of releasing this application.  Since I'm anxious to get it out to the world, I have deferred creating the tutorial, the statistics page, as well as Game Center integration, until future updates.

I decided to give the app a representative iconic person, so Einstein fit the bill.

 

Once loaded, you are presented with the home screen where you can link out to a video tutorial or simply start the app.

 

 

Once started, you can interactively create up to 4x4 multiplications to test your mental calculating abilities.  In a future update, I'll hook it up to game center and keep track of best times for each type as well as increase the scale up to 8x8.

 

Categories:   iPhone / iPad

Thunderbolt and MiniDisplay Mac Compatibility 101

Thursday, 21 July 2011 19:05 by Michael Olivero

I have a MacBook Air 2010 model with the mini display port.  At the office we recently ordered an iMac with the thunderbolt port.  On occasion, I want to use my MacBook Air at the office so I was exploring the option of using the iMac 27 as an external monitor via the thunderbolt port.

The latest Macs, both the 2009-2010 models using mini display ports as well as the 2011 models using the Thunderbolt ports, support a feature referred to as "Target Display Mode".  In essence, when properly cabled with either of the two cables, hitting Command/F2 will enable it.

The main question is, what are all the possible combinations?  Meaning, here I am with a mini display port MacBook Air and a Thunderbolt iMac 27", do they communicate?  Turns out no, a mini display port cannot target a Thunderbolt machine (or monitor) as a target display.   So, a little frustrated, I went to the Apple store to sort things out, and the Apple employee was super friendly in testing all the combinations with a new Thunderbolt MacBook Air and cables I had just bought.  Here are the results:

| Source | Destination | Cable Used | Result | Destination iSight Camera works |
|---|---|---|---|---|
| MBA Mini Display | Cinema Display (Mini Display) | Integrated Mini Display Cable | Worked Fine | Yes |
| MBA Thunderbolt | Cinema Display (Mini Display) | Integrated Mini Display Cable | Worked Fine | Yes |
| MBA Mini Display | iMac 27" Mini Display | Mini Display Cable | Worked Fine | No, MBA prevails |
| MBA Mini Display | iMac 27" Mini Display | Thunderbolt Cable | Did Not Work | NA |
| MBA Mini Display | iMac 27" Thunderbolt | Mini Display Cable | Did Not Work | NA |
| MBA Mini Display | iMac 27" Thunderbolt | Thunderbolt Cable | Did Not Work | NA |
| MBA Thunderbolt | iMac 27" Mini Display | Mini Display Cable | Worked Fine | MBA prevails |
| MBA Thunderbolt | iMac 27" Mini Display | Thunderbolt Cable | Did Not Work | NA |
| MBA Thunderbolt | iMac 27" Thunderbolt | Mini Display Cable | Did Not Work | NA |
| MBA Thunderbolt | iMac 27" Thunderbolt | Thunderbolt Cable | Worked Fine | No, MBA prevails |

One thing to note: when using target display mode and mirroring, the resolution will default to that of the lowest resolution device. In my case, I had a MacBook Air resolution displayed on the iMac 27, which didn't look great for extended reading. There are two ways to achieve the target display's native resolution. One way is to close the MacBook Air and tap on the mouse to wake it up. When it wakes up, it will adjust to the target display resolution. With the Thunderbolt MBA, you will need to have the MagSafe power plugged in. I am not sure if this is also required for the Mini Display MBA.

The second way entails setting up a second monitor side by side (uncheck mirroring). The problem here is, if you want to ignore the MBA's monitor and solely use the target display, the dock and menu bar are annoyingly on the MBA monitor, making it very cumbersome to work. We accidentally came across a nifty solution by trying out various options. We discovered that, just like you can move the orientation of the second monitor, you can move around the menu strip too. So while viewing the monitor orientation window, click the little white strip above one of the monitors and drag it to the other. This in essence moves the dock and menu over to the target display monitor. At this point, you can dim the brightness of the MBA and you are all set to go.  Thanks!

 

Unfortunately WordPress didn't make it convenient for migrating blogs out of their system.  As a consequence, I'm linking to the original posting for this topic so others can have access to the comment history.  Moving forward I will be updating this blog.

http://mike952.wordpress.com/2011/07/21/thunderbold-and-minidisplay-mac-compatibility-101/

 

Transporting and Sharing Files Reinvented

Wednesday, 1 June 2011 16:54 by Michael Olivero

Wouldn't it be great if you could edit a document at work, seamlessly continue editing it on your laptop while waiting for your flight home, and finally finish proofing it on your home desktop computer without copying it or transferring it from one computer to the next?  And once completed, regardless of size, deliver it with the same ease as an email?  If so, the next few minutes will be worth your time.

Sharing has been around since the dawn of time. As we evolve in this digital world, how does one share documents with ever increasing efficiency? In the old times, one would make a Xerox copy and deliver it by mail, while today one may simply email a copy they already have on their computer. Notice there are two important concepts here: (a) making a copy (xerox or copying a file) and (b) transporting the copy (mail or email). The focus of this post is on the latter and how transporting has been completely reinvented, and why one needs to break from the past and leverage the changes time brings to be effective in everyday work. Briefly looking at history, you can easily see how disadvantaged one would be if they hadn't adopted and changed from the means of the previous era.

PRE-COMPUTER ERA: courier, postal mail, FedEx, UPS, briefcase **
COMPUTER ERA: courier, postal mail, FedEx, UPS, floppy disk or CD media **
EARLY INTERNET ERA: FTP, POP EMAIL (minimal attachments), USB flash drive **
MODERN INTERNET ERA: FTP, IMAP EMAIL (attachments), larger USB flash & portable drives **

** how people transport large files for themselves, typically to/from work

In the past, one would have to carry a briefcase, a floppy or CD, or in more modern times a USB drive.

Well, the next era is here, and one of the first successful incarnations of this era's transportation concept is a company called DropBox. DropBox is quite simply a folder on your computer which is automatically and seamlessly available on all of your computers -- including your mobile devices.  Unlike having the files reside in the cloud like Google Docs, requiring connectivity to the internet for accessing them, they reside locally on your machine and are transparently replicated to your other machines in real time as modifications are made. Oh yeah, forgot to mention, when you are finished editing the document and are ready to share it with someone, simply right click the file to get the public URL to the file and send this link to whomever you would like to share the file with -- the era of attachments which are too large to email is also over.

The product and concept speaks for itself, to see a tour of drop box and download it, use this link:  Drop Box Download

Categories:   Software

iOS 4.2 and iPad with Camera coming soon...

Wednesday, 1 September 2010 13:26 by Michael Olivero
During Apple's recent press conference showcasing all their new hardware and software toys, Jobs introduced a new feature called High Dynamic Range photos (HDR), where the iPhone combines an underexposed picture with an overexposed picture, making a strikingly beautiful combined picture. Well, as part of his presentation he also previewed iOS 4.2, to be released in November. As he introduced it, he mentioned all the various features coming to the iPad... including multitasking, folders, new printing feature, etc. and HDR photos. How can HDR photos exist if the iPad doesn't have a camera?... Well, that's the new guessing game... I say we have a 7" iPad coming to town in November. If it were the same size iPad, this may alienate some existing iPad customers, but if they introduce a newer model with slightly new hardware features, they are set for the holiday season smash!
Categories:   iPhone / iPad | Software

Windows 7 GodMode

Thursday, 7 January 2010 19:10 by Michael Olivero
This is a nifty little feature I just came across and verified with my Windows 7 installation. With Microsoft's recent updates, they are hiding more and more of the nitty gritty details, making you either search for them or, in futility, simply switch back to classic view from within Control Panel. To the rescue is the recently discovered GodMode setting, which works with any Windows 7 version. Simply create a folder anywhere on your hard drive and rename it to the following GUID: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} Once you do this, you'll see the folder's icon change to an icon similar to the Control Panel's, and once you double click it you have quick access to a plethora of Windows customization options.
Categories:   Software

Domain Name Metastasis

Friday, 30 October 2009 23:45 by Michael Olivero
I haven't blogged in a while, but today is another inflection point along the expansion of the internet as we know it, and it was certainly worth blogging about.

As many know, ICANN, short for Internet Corporation for Assigned Names and Numbers, is in charge of managing top level domain names and corresponding root servers.  In short, all domain names, while individually managed by the respective ISPs through delegation, are ultimately registered and referenced by one of ICANN's root servers.

Today, Oct 30, 2009, ICANN voted for allowing non-Latin characters.  This simply means domains, which now must have characters from A to Z and numbers from 0-9 and some basic symbols, can now have characters from any foreign language.  So pizza.com in theory can be πίτσα.com in Greek, or 薄饼.com in Chinese.

While this move is great for the world at large from a freedom perspective, allowing countries to interact and express themselves with native URLs, one must question what impact this will have with regard to information availability.  Today, if it were not for translators, languages present a natural barrier to communication and information flow.  Internet names would logically have the same barrier, as a Latin-based keyboard would have an extremely difficult time typing in a Chinese or Greek based URL -- let alone the natural barrier itself.

How many languages are there in the world?  How many times would a company now have to seek out and preregister in other languages to keep the trademark safe?  I see this as simply a metastasis of domain names in the making. Is this really a good move?
Categories:   Software

Digital Readers - another music CD replay?

Wednesday, 5 August 2009 21:26 by Michael Olivero

Continuing with the inertia of the all-things-digital movement, we are now approaching the official transition of electronic books into the mainstream.  Yes, we have had ebooks and ebook readers, but there were always obstructions preventing them from reaching critical mass. Digital rights & copyright surely have their fair share of objections; however, technology has also been an inhibitor.  Take for example low resolution screens.  The human eye, when compared to traditional measurements of resolution, can process the equivalent of a "324 megapixels" (1) camera.  So transitioning from reading magazines, with a relatively high print resolution, to a low resolution screen would be a painful experience for long periods of reading.

On the flip side, the benefits of digital reading are profound.  The ability to select a word and obtain its definition on the spot without much effort or interruption is a dream to any high school student -- at least that was my biggest complaint back then.  How about searching for a specific section of a novel to extract an excerpt? How about simply accessibility -- who would want to lug around 4 or 5 books? Now with technology all caught up -- extremely high resolution screens, awesome processing power with advanced CPUs, and great battery technology and the connectivity of the cloud thrown in to boot -- the time has come!

Let me break away for a sec to compare this to CDs.  When compared to music CDs, there was a time when we would pack our CD boxes on our weekend trip -- not all, but your favorite set for sure.  Today, you surely carry hundreds of albums on your iPhone (yes, I'm biased) as a second thought.  Well, books are on their merry way too -- and with a vengeance IMHO. Music took a while to take a foothold in digitization, primarily because the world was simply adjusting to the digitization shock.  I recall first hearing about MP3 around the middle of my BS degree, around the 1995 to 1996 time period -- yet the first mover risk syndrome still took a heavyweight like Apple an additional 5 years to release the first iPod. Now, roughly 14 years after mere MP3 awareness, we have a proliferation of digital music to the point whereby the music titans are forced to rethink the concept of the album and the CD album insert, etc. from a digital perspective and make it a reality by collaborating with the new digital music titan -- Apple and iTunes (2).

So, I feel we are just at the beginning of a similar digital turning point with books.   Amazon, naturally and without much turbulence, took the first step with their Kindle in late 2007 early 2008.  Their reader suffered from what I would call the newcomer syndrome.  Amazon is not known for building hardware nor software, yet here they are with a device on center stage.  With sufficient top down support (Bezos practically reserved Kindle as his next child's name) adoption is certain.  The level of endorsement has parallels with Bill and his digital ink / tablet initiatives.

In short, what struck a chord to write this blog is Sony's entry into the market.  Sony is known for building hardware -- particularly for consumers, with their Walkman of the 80's and other electronic devices having a sliver of software with them, such as their modern Handycams.  Sony just yesterday announced an economically priced eReader for just $199.  Price attracts, and with a brand like Sony, surely it will sell and will be a prominent second footing (3).

My bets however are with my good old trusted expert in hardware/software combos with a keen focus on the consumer -- yes, Apple.  Apple has been on the rumor mill now for years with a tablet -- even having a patent exposed for a tablet with touch screen.  My guess is they have no choice but to introduce a tablet or some type of reading / entertainment device leveraging their touch experience with the iPhone.  Perhaps even by the holiday season, if rumors have their way this season unlike previous failed attempts to resurrect it.  As a shareholder, I would almost be disappointed if they don't, given the feverish rush in this arena.

(1) http://www.clarkvision.com/imagedetail/eye-resolution.html

(2) http://tech.yahoo.com/blogs/patterson/55013/report-apple-music-labels-hope-to-revive-the-record-album/

(3) http://www.dailytech.com/Sony+Announces+199+Pocket+Reader/article15887c.htm

Categories:   Software