Archive for the ‘standards’ Category

2009 CWE/SANS Top 25 Most Dangerous Programming Errors

Monday, January 12th, 2009

This is a handy list to have. It is the top 25 most dangerous programming errors relating to the web and keeping websites (and user data) safe. When you are building or using frameworks, be sure to test for these types of behaviors and to expect them.

The Top 25 is organized into three high-level categories that contain multiple CWE entries.

Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

  • CWE-20: Improper Input Validation
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
  • CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
  • CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-362: Race Condition
  • CWE-209: Error Message Information Leak

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642: External Control of Critical State Data
  • CWE-73: External Control of File Name or Path
  • CWE-426: Untrusted Search Path
  • CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
  • CWE-494: Download of Code Without Integrity Check
  • CWE-404: Improper Resource Shutdown or Release
  • CWE-665: Improper Initialization
  • CWE-682: Incorrect Calculation

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

  • CWE-285: Improper Access Control (Authorization)
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259: Hard-Coded Password
  • CWE-732: Insecure Permission Assignment for Critical Resource
  • CWE-330: Use of Insufficiently Random Values
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-602: Client-Side Enforcement of Server-Side Security
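Two of the listed weaknesses side by side with their fixes, as an added example that is not part of the original post: CWE-89 (a query whose text is built from untrusted input versus a parameterized one) and CWE-79/CWE-116 (output written raw versus escaped for its HTML context). The in-memory SQLite table and the probe input are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of users and roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # CWE-89: the untrusted value is spliced into the SQL text, so a quote in
    # the input changes the structure of the query, not just its data.
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterized query: the driver passes the value separately from the
    # statement, so the query structure is fixed whatever the input contains.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_unsafe(name):
    # CWE-79 / CWE-116: user-controlled text is written straight into HTML,
    # so markup in the input becomes part of the page structure.
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    # Escaping for the output context (HTML element body) preserves the
    # page structure: markup in the input is displayed as text.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input that breaks the query structure
    print("unsafe:", lookup_unsafe(db, probe))   # every role in the table
    print("safe:  ", lookup_safe(db, probe))     # no such user: []
    print(render_unsafe("<b>bob</b>"))
    print(render_safe("<b>bob</b>"))
```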

Mono 2.0 Officially Released

Monday, October 6th, 2008

Mono 2.0, the open source .NET framework, has been released. Mono has made its way into many great systems by now, from websites to even 3D engines such as Unity3D. It is great to have a toolkit that is powerful, has a great language set from C# to Boo, and is available on multiple platforms. From Windows to *nix to, of course, Mac OS X built on Unix, it all just works.

Having 2.0 solid and complete is a great step toward making production apps run off of it.

Microsoft Compatible APIs

  • ADO.NET 2.0 API for accessing databases.
  • ASP.NET 2.0 API for developing Web-based applications.
  • Windows.Forms 2.0 API to create desktop applications.
  • System.XML 2.0: An API to manipulate XML documents.
  • System.Core: Provides support for the Language Integrated Query (LINQ).
  • System.Xml.Linq: Provides a LINQ provider for XML.
  • System.Drawing 2.0 API: A portable graphics rendering API.

Mono APIs

  • Gtk# 2.12: A binding to the Gtk+ 2.12 and GNOME libraries for creating desktop applications on Linux, Windows and MacOS X.
  • Mono.Cecil: A library to manipulate ECMA CLI files (the native format used for executables and libraries).
  • Mono.Cairo: A binding to the Cairo Graphics library to produce 2D graphics and render them into a variety of forms (images, windows, postscript and PDF).
  • Mono’s SQLite support: a library to create and consume databases created with SQLite.
  • Mono.Posix: a library to access Linux and Unix specific functionality from your managed application. With both a low-level interface as well as higher level interfaces.

Third Party APIs bundled with Mono

  • Extensive support for databases: PostgreSQL, DB2, Oracle, Sybase, SQL Server, SQLite and Firebird.
  • C5 Generics Library: we are bundling the C5 generics collection class library as part of Mono.

Compilers

These compilers are part of the Mono 2.0 release:

  • C# 3.0 compiler implementation, with full support for LINQ.
  • Visual Basic 8 compiler.
  • IL assembler and disassembler and the development toolchain required to create libraries and applications.

Mono Now Has .NET 3.0 Support and 3.5 Features like LINQ and Expression Trees

Friday, July 25th, 2008

Great news! Mono has made it to .NET 3.0 support, and this includes some of the latest stuff like LINQ expressions.

I am pleased to announce that the Mono C# compiler (gmcs) now has full C# 3.0 support. Most of the features have been available since the Mono 1.2.6 release. However, with the upcoming Mono 2.0 release we will also support complex LINQ expressions and, mainly, expression trees, which is a fairly overlooked new feature with a lot of potential.

For anyone interested in compiling and running LukeH’s slightly extreme LINQ example, I have good news. It compiles on Mono and it runs as fast as on .NET.

REST Pattern

Monday, June 30th, 2008

UNIVERSITY OF CALIFORNIA, IRVINE

Architectural Styles and
the Design of Network-based Software Architectures

DISSERTATION

submitted in partial satisfaction of the requirements for the degree of

DOCTOR OF PHILOSOPHY

in Information and Computer Science

by

Roy Thomas Fielding

2000

Dissertation Committee:
Professor Richard N. Taylor, Chair
Professor Mark S. Ackerman
Professor David S. Rosenblum

PDF Editions

1-column for viewing online
2-column for printing

Table of Contents

Dedication
Acknowledgments
Curriculum Vitae
Abstract of the Dissertation
Introduction
CHAPTER 1: Software Architecture
1.1 Run-time Abstraction
1.2 Elements
1.3 Configurations
1.4 Properties
1.5 Styles
1.6 Patterns and Pattern Languages
1.7 Views
1.8 Related Work
1.9 Summary
CHAPTER 2: Network-based Application Architectures
2.1 Scope
2.2 Evaluating the Design of Application Architectures
2.3 Architectural Properties of Key Interest
2.4 Summary
CHAPTER 3: Network-based Architectural Styles
3.1 Classification Methodology
3.2 Data-flow Styles
3.3 Replication Styles
3.4 Hierarchical Styles
3.5 Mobile Code Styles
3.6 Peer-to-Peer Styles
3.7 Limitations
3.8 Related Work
3.9 Summary
CHAPTER 4: Designing the Web Architecture: Problems and Insights
4.1 WWW Application Domain Requirements
4.2 Problem
4.3 Approach
4.4 Summary
CHAPTER 5: Representational State Transfer (REST)
5.1 Deriving REST
5.2 REST Architectural Elements
5.3 REST Architectural Views
5.4 Related Work
5.5 Summary
CHAPTER 6: Experience and Evaluation
6.1 Standardizing the Web
6.2 REST Applied to URI
6.3 REST Applied to HTTP
6.4 Technology Transfer
6.5 Architectural Lessons
6.6 Summary
Conclusions
References

List of Figures

Figure 5-1. Null Style
Figure 5-2. Client-Server
Figure 5-3. Client-Stateless-Server
Figure 5-4. Client-Cache-Stateless-Server
Figure 5-5. Early WWW Architecture Diagram
Figure 5-6. Uniform-Client-Cache-Stateless-Server
Figure 5-7. Uniform-Layered-Client-Cache-Stateless-Server
Figure 5-8. REST
Figure 5-9. REST Derivation by Style Constraints
Figure 5-10. Process View of a REST-based Architecture

List of Tables

Table 3-1. Evaluation of Data-flow Styles for Network-based Hypermedia
Table 3-2. Evaluation of Replication Styles for Network-based Hypermedia
Table 3-3. Evaluation of Hierarchical Styles for Network-based Hypermedia
Table 3-4. Evaluation of Mobile Code Styles for Network-based Hypermedia
Table 3-5. Evaluation of Peer-to-Peer Styles for Network-based Hypermedia
Table 3-6. Evaluation Summary
Table 5-1. REST Data Elements
Table 5-2. REST Connectors
Table 5-3. REST Components

© Roy Thomas Fielding, 2000. All rights reserved. How to reference this work.

Restlet RESTful Lightweight Kit for Java

Friday, June 20th, 2008

Finally, rest for all that boilerplate in Java. At every turn of many Java frameworks you are bombarded with layers. I felt this long ago and see it in the eyes of the developers who work with Java. Java can be easy, it can be RESTful, and it will make you look sharp.

Lightweight REST framework for Java

Do you want to embrace the architecture of the Web and benefit from its simplicity and scalability? Leverage our innovative REST engine and start blending your Web Sites and Web Services into uniform Web Applications!

Java is becoming more lightweight now, with lots of emerging kits that compete with other web-ready platforms like Python, Ruby, .NET, PHP, etc. After this many years things get bloated and need to be simplified. I think this will start winning people over in this direction.

The Common Baseplane Method to Caching — memcached

Tuesday, May 27th, 2008

If you have ever worked on a massively high-traffic website, you know that cache is very important to keeping the server count down and being a superhero to your database servers. Cache can be bad and over-optimized, but when you hit a certain threshold, relational databases, databases that are dimensionally modelled for a data warehouse, and even server resources get exhausted. At that point you have two options: buy more servers or, more likely, cache read data.

Each platform has its own way to do this, but there is a common baseplane way to do caching, yes, even in .NET. That is with memcached. Memcached is a very common and useful tool that makes caching data and cache layers in an application something that can be the same on every platform. The benefit of using memcached is that it is open, common, and has APIs for nearly every popular web development platform (and can be wired in easily to platforms that don’t have their own cache mechanism). Why write your caching layer specific to a certain platform when you can memcache?

If you write high-performance web apps and don’t memcache, I feel bad for your server budget and your late nights when that ad buy hits or something popular on your site becomes all the rage.

Perl API

An object-oriented Perl module can be found on CPAN as Cache::Memcached or in Subversion (ChangeLog). (GPL/Artistic)

The Perl API takes advantage of the server’s opaque flag support and sets its “complex” flag whenever the object being stored or retrieved isn’t a plain scalar. In that case, the Storable module is used to freeze and thaw the value automatically going in and out of the memcached.

There is also Cache::Memcached::Fast, another Perl client written in C, largely compatible with the original Cache::Memcached. Available on CPAN at http://search.cpan.org/dist/Cache-Memcached-Fast/.

PHP API

There are tons of PHP libraries available, in different conditions. But it now seems there’s an official one:

Python API

The Python client we’d previously released was just a prototype, and we don’t have regular Python programmers on hand. The folks at Tummy.com have taken over maintenance. See ftp://ftp.tummy.com/pub/python-memcached/ for the latest versions.

Ruby API

Java API

A Java API is maintained by Greg Whalin from Meetup.com. You can find that library here:

An improved Java API maintained by Dustin Sallings is also available. Aggressively optimised, ability to run async, supports binary protocol, etc. See site for details:

C# API

There are multiple C# APIs:

C API

Multiple C libraries for memcached exist:

  • apr_memcache by Paul Querna; Apache Software License version 2.0
  • libmemcached by Brian Aker; BSD license. This is a new library, under heavy development.
  • libmemcache by Sean Chittenden; BSD license. This is the original C library. It is no longer under active development. You should try libmemcached instead.

Postgres API

The pgmemcache project allows you to access memcache servers from Postgresql Stored Procedures and Triggers. More details and downloads are available at:

Chicken Scheme

Lua

MySQL API

The memcache_engine allows memcache to work as a storage engine for MySQL. This means that you can SELECT/UPDATE/INSERT/DELETE from it as though it were a table in MySQL.

A set of MySQL UDFs (user defined functions) to work with memcached using libmemcached.

Protocol

To write a new client, check out the protocol docs. Be aware that the most important part of the client is the hashing across multiple servers, based on the key, or an optional caller-provided hashing value. Feel free to join the mailing list (or mail me directly) for help, inclusion in Subversion, and/or a link to your client from this site.

The best part, they support all good platforms and even Lua, and wisely they left out VB.NET, no worries, VB.NET’ers will never know. Only kidding…

Finally, memcached is distributed; most cache layers included with the platforms listed above are in-process and per machine. If you are running your code on a web farm, memcached is the only way to go.
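The server-selection step that the Protocol paragraph above calls the most important part of a client, as an added example that is not the memcached project's own code: the classic CRC32-modulo scheme beside a consistent-hash ring, plus a measure of how many keys move to a different server when one is added to the pool. Server addresses and keys are constructed; the md5 here is only a distribution function, not a security primitive.

```python
import bisect
import hashlib
import zlib

# Constructed server list; real clients take this from configuration.
SERVERS = ["10.0.0.1:11211", "10.0.0.2:11211", "10.0.0.3:11211"]


def modulo_server(key, servers):
    """Classic scheme: hash the key and take it modulo the server count."""
    return servers[zlib.crc32(key.encode("utf-8")) % len(servers)]


class HashRing:
    """Consistent hashing: every server owns many points on a ring, and a
    key belongs to the first server point found clockwise from its hash."""

    def __init__(self, servers, replicas=160):
        self.ring = {}
        for server in servers:
            for i in range(replicas):
                point = self._hash("%s-%d" % (server, i))
                self.ring[point] = server
        self.points = sorted(self.ring)

    @staticmethod
    def _hash(value):
        # Distribution hash only (ketama-style clients use md5 the same way).
        digest = hashlib.md5(value.encode("utf-8")).digest()
        return int.from_bytes(digest[:4], "little")

    def server_for(self, key):
        idx = bisect.bisect(self.points, self._hash(key))
        if idx == len(self.points):   # wrap around the end of the ring
            idx = 0
        return self.ring[self.points[idx]]


def remapped_fraction(keys, pick_before, pick_after):
    """Share of keys that land on a different server after a topology change."""
    moved = sum(1 for k in keys if pick_before(k) != pick_after(k))
    return moved / len(keys)


def compare_schemes(keys, servers, new_server):
    """Fraction of keys remapped by each scheme when new_server joins the pool.
    Modulo remaps roughly 3/4 of the keys going from 3 to 4 servers; the ring
    remaps only the roughly 1/4 that the new server takes over."""
    grown = servers + [new_server]
    modulo = remapped_fraction(keys,
                               lambda k: modulo_server(k, servers),
                               lambda k: modulo_server(k, grown))
    ring = remapped_fraction(keys, HashRing(servers).server_for,
                             HashRing(grown).server_for)
    return {"modulo": modulo, "ring": ring}


if __name__ == "__main__":
    sample_keys = ["user:%d:session" % i for i in range(2000)]  # constructed
    print(compare_schemes(sample_keys, SERVERS, "10.0.0.4:11211"))
```

Which scheme a client uses matters operationally, because the ring lets a pool grow without invalidating most of the cache. The memcached protocol of this era carries no authentication, so the servers in the pool must be reachable only from the application tier.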

Is Your .NET Application/Assembly Mono Ready? Find Out With MoMa

Saturday, May 17th, 2008

Well, Mono has finally reached 2.0. This is great news! .NET skills can now span *nix, OS X, and Windows platforms. But is your app or assembly capable of running on Mono? Find out with MoMA.

Of course this is just a heuristic check, and it only finds out whether your application has issues on the surface with running on the Mono platform, such as P/Invoke calls to Windows APIs or unsafe code that uses native calls, but it is a great place to start.

The Mono Migration Analyzer (MoMA) tool helps you identify issues you may have when porting your .Net application to Mono. It helps pinpoint platform specific calls (P/Invoke) and areas that are not yet supported by the Mono project.

While MoMA can help show potential issues, there are many complex factors that cannot be covered by a simple tool. MoMA may fail to point out areas that will cause problems, and may point out areas which will not actually be an issue.

Use the results provided as a guide to get you started on porting your application, but remember the true test is actually running your application on Mono.

For a description of the errors that MoMA detects and how to deal with them, see MoMA – Issue Descriptions.

I have recently been really interested in making platforms and applications that aren’t limited by the OS they run on. Thus Mono is a very interesting platform now that it supports 2.0 fully, with all the generics goodness to limit boxing/unboxing, common code between .NET 2.0 apps (which are pretty much mainstream now), and developing for more of a standard that ensures your apps are portable.

Granted, there are .NET 3.0 and 3.5 (pretty much the same version really, with the addition of new frameworks such as WCF, LINQ, which is very cool and functional, and Silverlight), but in most places the deployed code is still .NET 2.0, and there are the poor souls working on the very constricting .NET 1.0 and 1.1.

Also, Moonlight, the Mono version of Silverlight, has recently been released as an alpha.

Baseplane Tool: Is PureMVC the Cross Platform MVC Toolkit You Have Been Looking For?

Saturday, March 29th, 2008

PureMVC is quite a versatile MVC kit. With implementations for AS3, .NET (C#), Python, PHP, Silverlight and other platforms, it is quite a system and domain to spread that far and still have consistency. There are small changes, but for the most part the MVC is the same structure across the platforms. This can be very beneficial for a service firm or for a product base that needs to support many different platforms.

PureMVC is a lightweight framework for creating applications based upon the classic Model-View-Controller design meta-pattern. This free, open-source framework is implemented in ActionScript 2 and 3, Java, C# and a number of other popular programming languages. This allows development on a wide variety of platforms including:

  • Mobile Environments: FlashLite, .NET Compact Framework, J2ME
  • Server Environments: ColdFusion, J2EE, PHP, Python
  • Browser Environments: Flash/Flex, JavaFX, Silverlight
  • Desktop Environments: .NET, AIR, FLASH, J2SE

For Flex, PureMVC happens to be my favorite MVC kit. I only use one if absolutely necessary, but PureMVC keeps it clean. The great thing is that it works with or without Flex, unlike Cairngorm, and it is always up to date. It is just an added bonus that it spans so many other platforms. There are a few things I don’t like about it on other platforms, like the URL naming, but it is much better than the kits out there now, and Microsoft’s ASP.NET MVC most likely won’t be cross-platform *wink*.

Some info on the PureMVC framework (caution PDF):

PureMVC Manifold

Ports

Big O Notation in Design Theory

Saturday, March 22nd, 2008

Big O Notation is based on complexity theory and is something engineers and architects should know about to determine complexity and orders of magnitude in their data and scalability formal blueprints. Whenever you use any algorithm or port a formal function into code, math and reducing the orders of magnitude is what separates the fast from the really fast.

Optimization can be evil, but solid starting points are desirable. Many times formal knowledge can be as necessary as logical or physical separation, and as understanding service and standards format layering in your applications, for the best evolution and versioning as well as performance. Formal engineering is what separates companies like Google from the pack. Do you do formal?

Orders of common functions

Here is a list of classes of functions that are commonly encountered when analyzing algorithms. All of these are as n increases to infinity. The slower-growing functions are listed first; c is an arbitrary constant.

| Notation | Name | Example |
| --- | --- | --- |
| O(1) | constant | Determining if a number is even or odd |
| O(α(n)) | inverse Ackermann | Amortized time per operation when using a disjoint-set (union-find) data structure |
| O(log* n) | iterated logarithmic | The find algorithm of Hopcroft and Ullman on a disjoint set |
| O(log n) | logarithmic | Finding an item in a sorted list with the binary search algorithm |
| O((log n)^c) | polylogarithmic | Deciding if n is prime with the AKS primality test |
| O(n^c), 0 < c < 1 | fractional power | Searching in a kd-tree |
| O(n) | linear | Finding an item in an unsorted list |
| O(n log n) | linearithmic, loglinear, or quasilinear | Sorting a list with heapsort, computing an FFT |
| O(n^2) | quadratic | Sorting a list with insertion sort, computing a DFT |
| O(n^c), c > 1 | polynomial, sometimes called algebraic | Finding the shortest path on a weighted digraph with the Floyd-Warshall algorithm |
| O(c^n) | exponential, sometimes called geometric | Finding the (exact) solution to the traveling salesman problem (under the assumption that P ≠ NP) |
| O(n!) | factorial, sometimes called combinatorial | Determining if two logical statements are equivalent [1], traveling salesman problem or any other NP-complete problem via brute-force search, finding the determinant of a matrix with expansion by minors |
| O(n^n) | n to the n | |
| O(c1^(c2^n)) | double exponential | Finding a complete set of associative-commutative unifiers [2] |

Not as common, but even larger growth is possible, such as the single-valued version of the Ackermann function, A(n,n). Conversely, extremely slowly-growing functions such as the inverse of this function, often denoted α(n), are possible. Although unbounded, these functions are often regarded as being constant factors for all practical purposes.
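The three examples the table cites for O(n), O(log n) and O(n^2), instrumented to count comparisons, as an added example that is not part of the original post: on worst-case inputs the counts come out to exactly n, about log2 n, and n(n-1)/2, so doubling n doubles, adds one to, and quadruples them respectively. The inputs are constructed inside the block.

```python
def linear_search(items, target):
    """O(n): scan until found. Returns (index or -1, comparisons made)."""
    comparisons = 0
    for i, x in enumerate(items):
        comparisons += 1
        if x == target:
            return i, comparisons
    return -1, comparisons


def binary_search(items, target):
    """O(log n): halve the sorted range on every step."""
    lo, hi, comparisons = 0, len(items) - 1, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        comparisons += 1
        if items[mid] == target:
            return mid, comparisons
        if items[mid] < target:
            lo = mid + 1
        else:
            hi = mid - 1
    return -1, comparisons


def insertion_sort(items):
    """O(n^2): each element is shifted left past every larger neighbour.
    Returns (sorted copy, comparisons made)."""
    a = list(items)
    comparisons = 0
    for i in range(1, len(a)):
        j = i
        while j > 0:
            comparisons += 1
            if a[j - 1] <= a[j]:
                break
            a[j - 1], a[j] = a[j], a[j - 1]
            j -= 1
    return a, comparisons


def worst_case_counts(n):
    """Comparison counts on constructed worst-case inputs of size n."""
    data = list(range(n))
    _, lin = linear_search(data, n)       # absent target: exactly n comparisons
    _, log = binary_search(data, n)       # absent target: floor(log2 n) + 1
    _, quad = insertion_sort(data[::-1])  # reverse order: n(n-1)/2 comparisons
    return {"linear": lin, "binary": log, "insertion": quad}


if __name__ == "__main__":
    for n in (1024, 2048, 4096):
        print(n, worst_case_counts(n))
```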

baseplane – technology platforms is proudly powered by WordPress

Unless otherwise specified, the content on this site is licensed under a Creative Commons License.