Web Apps and Outdated Software

A particular problem that developers face when creating web apps is that users are notoriously lax in updating their software. A problem piece of software may make it easy for a hacker to gain access to the system. In some cases, the user will blame your application because it depends on software that could be outdated on the user’s system. A recent InfoWorld article, 10 old, risky applications you should stop using, brings the issue to light. Many of these pieces of software see use in Web apps. You may think that the user will rely on the newest version of the software, but the user may, in fact, have a piece of software that’s several generations old, yet runs your web app just fine.

Most of my web development books at least hint at the issue of dealing with outdated libraries, APIs, and microservices. Security for Web Developers makes the strongest case for verifying that web apps rely on the latest third party products to ensure the web app is less likely to cause a security breach, but both HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies discuss the issue as well. The point is that you need to know that a user is relying on the latest software if at all possible. Otherwise, you may find your web app blamed for a security breach actually caused by another piece of software, such as a web browser.

The fear that many users have is that your web app will stop working if they upgrade to newer software. This fear has a strong foundation in broken applications of all sorts in the past. The problem can become quite severe. Looking at the InfoWorld article, you find several interesting bits of information. For example, many existing applications rely on Microsoft XML Core Services 4.x, despite the fact that the software is no longer supported and represents a huge security hole that hackers are only too happy to exploit. If the user removes this software to keep their systems safe, they may also have to give up on one or more mission critical applications. Testing is the developer’s tool of choice in this case. Make sure you test your web apps with the latest software and then publish the results online. Keep users informed of potential problems and your plan for fixing them so that they can continue making required updates to keep their systems safe.

It may not be entirely possible to fix every security problem immediately. The fact is that software today is so interdependent on every other piece of software that even when your web app has fully supported underpinnings, the software you depend upon may not. The dependencies cascade in convoluted ways that make it entirely possible that a hacker will find a way to breach your application despite your best efforts. Consequently, you need to maintain a firm grasp not only on testing, but also on potential problems with the software used to reduce your development effort and make the application perform better. In short, you need to have a contingency plan in place for those times when a hacker finds a way to break your web app, because a determined hacker will find a way.

Outdated software is the bane of developers everywhere, yet users remain clueless as to how much damage they invite by not making required updates. One of the issues that I’m constantly striving to solve in my books is this whole concept of software dependency and how it affects application reliability, security, and speed. If you find that some of the materials I’ve put together are especially helpful (or possibly not helpful enough), please let me know about them at John@JohnMuellerBooks.com. I want to be sure that the security features of my books really do help you past the whole outdated software issue because users really won’t be much help at all.

 

Web Application Security Breach Commonality

If you follow the trade news for even a few weeks, you begin to see a recurring pattern of security breaches based on web application deficiencies, social engineering attacks, or some other weakness in the security chain. The latest attack that is making the rounds is the IRS security breach. However, I’m not picking on the IRS; you can find security breaches galore in every arena of human endeavor simply by performing the required search. Everyone gets hacked, everyone is embarrassed by it, and everyone lies through their teeth about the methods used for the attack, the severity of the attack, and the likelihood of dire results. The attacks serve to demonstrate a simple principle I’ve written about in HTML5 Programming with JavaScript for Dummies, CSS3 for Dummies, and Security for Web Developers—if someone wants to break your security, they’ll always succeed.

Later analysis of the IRS attack brings out some important issues that you need to consider as part of your development efforts. The first is that you really do need to expend the effort to create the most secure environment possible. Many of the successful attacks use simple methods to obtain the desired result. Training really does help reduce social engineering attacks, updates really do help close security issues that a hacker can use to access your system, and good programming practices keep hackers at bay, make applications easier to use, and reduce errors that result in security issues. All of these methods help you remain secure. However, remaining vigilant is important too. Monitoring your application and the libraries, APIs, and microservices on which it depends is important. Despite protestations to the contrary, the IRS probably could have done more to prevent the breach, or at least mitigate the results of the breach.

A focal point of the analysis for me is that the IRS currently has 363 people working security and a budget of $141.5 million to ensure your data remains safe. The author is a bit harsh and asks whether the IRS Commissioner Koskinen thinks his people are stupid because he keeps making the claim that these hackers are quite skilled. Yet, the hacks used are really quite simple. Breaches happen to every organization at some point, no matter how much money you want to throw at the problem. Organizations get blindsided because hackers attack from a direction that is unexpected in many cases or the organization simply isn’t keeping track of the current threats. Again, I’m not heaping insult on the IRS, simply pointing out a problem that appears common to most of the breaches I read about. What is needed in this case is a frank admission of the facts and a whole lot less in the way of excuses that simply make the organization look weak or stupid anyway.

The IRS, like many organizations, later came back and increased the tally on the number of individuals affected by the breach. This is another common issue. Instead of investigating first and speaking later, many organizations provide numbers at the outset that really aren’t based on solid facts. When an organization has a breach, the public does need to know, but the organization should wait on details until it actually does know what happened.

The application that caused the breach is now dead. It’s a demonstration of a final principle that appears in many of my books. If you really want to keep something secret, then don’t tell anyone about it. Breaches happen when data is made public in some manner. Yes, it’s convenient to access tax information using a web application, but the web application will be breached at some point and then the confidential details will appear in public. Organizations need to weigh convenience against the need to keep data secure. In some cases, security has to win.

The more I read about security breaches, the more convinced I become that they’re unavoidable. The only way to prevent data breaches is to keep the data in a closed system (and even then, a disgruntled employee could still potentially make a copy). Being honest about data breaches, providing the public with solid facts, and ensuring remediation measures are effective are the only ways to control the effects of a data breach. Let me know your thoughts on this issue at John@JohnMuellerBooks.com.

 

Finding and Employing Data Science Tools

Python for Data Science for Dummies introduces you to a number of common libraries used for data science experimentation and discovery. Most of these libraries also figure prominently as part of a data scientist’s toolbox because they provide common functionality needed for every application. However, these libraries are only the tip of the data science toolbox. Because data science is such a new technology, you can find all sorts of tools to perform a wide range of tasks, but there is little standardization and some of these tools are hard to categorize so that you know where they fit within your toolbox. That’s why I was excited to see, The data science ecosystem, the first of a three part series of articles that describe some of the tools available for use in data science projects. You can find the other two parts of the article at:

The problem for people who want to explore data science and machine learning today might not be the lack of tools, but the lack of creativity in using them. In order to explore data science, it’s important to understand that the tools only work when you prepare the data properly, employ the correct algorithm, and define reasonable goals. No matter how hard you try, data science and machine learning can’t provide you with the correct numeric sequences for the next five lottery wins. However, data science can help you locate potential sources of fraud in an organization. The article, Machine learning and the strategic snake oil reserve, sums up what may be the biggest problem with data science today—people expect miracles without putting in the required work. Fortunately, there are new tools on the horizon to make languages, such as Python, and products, such as Hadoop, easier for even the less creative mind to use (see Python and Hadoop project puts data scientists first).

Even with a great imagination, the tools available today may not do the job you want as well as they should because the underlying hardware isn’t capable of performing the required tasks. The process is further hampered by a misuse of the skills that data scientists provide (see You’re hiring the wrong data scientists for details). As a result, you need a large number of specialized tools in order to perform tasks that shouldn’t require them. However, that’s the reason why you need to know about the availability of these tools so that you can produce useful results on today’s hardware with a minimum of fuss. Asking the question, “How would Alan Turing fix A.I.?” helps you understand the complexities of the data science and machine learning environments.

Data science, machine learning, data scientists with even greater skills, and better hardware will keep the momentum going well into the future. As the Internet of Things (IoT) continues to move forward and the problem of what to do with all that data becomes even larger, data science will take on a larger role in everyone’s daily life. Count on reading more articles like, Google a step closer to developing machines with human-like intelligence, that describe the proliferation of new hardware and new tools to make the full potential of data science and machine learning a reality. In the meantime, getting the tools you need and exploring the ways in which you can creatively use data science to solve problems is the best way to go for now. Let me know your thoughts on the future of data science at John@JohnMuellerBooks.com.

 

C++ Switch Statement Using Strings

Readers sometimes ask me the same question often enough that I feel compelled to provide the answer on my blog so that everyone has the benefit of seeing it. C++ does have a switch statement, but you need to use a numeric value with it as described in my book, C++ All-In-One for Dummies, 3rd Edition (see page 233 for details). A number of C# developers who are also learning to use C++ have asked me about using strings in the switch statement, which is clearly impossible without some fancy programming technique.

Fortunately, I have found a method for implementing switches using strings on CodeGuru. As the author states, it’s not a perfect solution and you may not find it works for you, but it is an ingenious coding technique and you should at least look at it. It’s better than saying the goal isn’t achievable using any means. To get a better idea of the methods other coders have used to overcome this problem, check out online discussions, such as Why switch statement cannot be applied on strings?.
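As an added illustration (not the CodeGuru author’s code, nor code from the book), here are two ways to get switch-like dispatch on a string in standard C++: hashing the string to an integral case label with a compile-time hash, and mapping the string to an enum first. The fnv1a helper, the Command enum, and the parse_by_hash/parse_by_table functions are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>

// Example helper: constexpr FNV-1a hash, so string literals become integral
// constants that are legal as case labels (the switch itself never sees a string).
constexpr std::uint64_t fnv1a(const char* s, std::size_t n) {
    std::uint64_t h = 14695981039346656037ull;
    for (std::size_t i = 0; i < n; ++i) {
        h ^= static_cast<unsigned char>(s[i]);
        h *= 1099511628211ull;
    }
    return h;
}

// User-defined literal so case labels read as "start"_h.
constexpr std::uint64_t operator""_h(const char* s, std::size_t n) {
    return fnv1a(s, n);
}

enum class Command { Start, Stop, Status, Unknown };

// Approach 1: switch on the hash of the input. Hashes can collide, so each
// matching case re-compares the original string before trusting the result;
// an unknown or colliding string ends up as Command::Unknown, same as default.
Command parse_by_hash(const std::string& cmd) {
    switch (fnv1a(cmd.data(), cmd.size())) {
        case "start"_h:  return cmd == "start"  ? Command::Start  : Command::Unknown;
        case "stop"_h:   return cmd == "stop"   ? Command::Stop   : Command::Unknown;
        case "status"_h: return cmd == "status" ? Command::Status : Command::Unknown;
        default:         return Command::Unknown;
    }
}

// The compiler rejects duplicate case labels, so a collision between the
// literals above would already fail to compile; this static_assert states it.
static_assert("start"_h != "stop"_h && "start"_h != "status"_h && "stop"_h != "status"_h,
              "case labels must be distinct");

// Approach 2: look the string up in a table to get an enum, then switch on the
// enum. Lookup failure is explicit, which is the form to prefer when the
// string comes from user input.
Command parse_by_table(const std::string& cmd) {
    static const std::unordered_map<std::string, Command> table = {
        {"start", Command::Start},
        {"stop", Command::Stop},
        {"status", Command::Status},
    };
    auto it = table.find(cmd);
    return it == table.end() ? Command::Unknown : it->second;
}

// Dispatch on the enum: an ordinary integral switch.
const char* describe(Command c) {
    switch (c) {
        case Command::Start:  return "starting";
        case Command::Stop:   return "stopping";
        case Command::Status: return "reporting status";
        default:              return "unrecognized command";
    }
}
```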

Of course, I’m always on the lookout for other good solutions to reader problems. If you have a solution to this issue of using strings with the C++ switch statement, please contact me at John@JohnMuellerBooks.com. I always want to keep the door open to even more innovative solutions. In the meantime, keep those e-mails coming!

 

Selecting a Programming Language Version

Because I have worked with so many programming languages and reported on them in my blog, I get a lot of e-mails from people who wish to know which language they should use. It’s a hard question because I don’t really have inside information about the project, their skills, their organization, or the resources at their disposal. Usually I provide some helpful guidelines and hope that the sender has enough information to make a good selection. Of course, I’ve also discussed the benefits of various programming languages in this blog and direct people here as well. The next question people ask is which version of the language to use.

Choosing the right programming language version is important because a mistake could actually cause a project to fail. I was asked the question often enough that I decided to write an article recently entitled, How to Choose the Right Programming Language Version for Your Needs. This article helps you understand the various issues surrounding programming language version selection. As with choosing a programming language, I can’t actually tell you which version to choose and for the same reasons I can’t select a language for you. At issue are things like your own personal preferences. In many cases, the language version you choose depends as much on how you feel about a specific version as what the version has to offer you as a developer.

An interesting outcome of programming language selection requirements is that I have one book, Beginning Programming with Python For Dummies, that uses Python 3.3 and another book, Python for Data Science for Dummies, that uses Python 2.7. Of course, I’ve had books that cover two different versions of a language before, so there is nothing too odd about the version differences until you consider the fact that Python for Data Science for Dummies is the newer of the two books. The reasons for my selections appear in Where is Python 3?. The point is that even book authors need to make version choices at times and they’re almost never easy.

Precisely how do you choose language versions in your organization? Do these criteria differ from the techniques you use for your own choices (if so, how)? Let me know your thoughts on selecting a programming language version at John@JohnMuellerBooks.com.

 

Understanding the Continuing Need for C++

I maintain statistics on all my books, including C++ All-In-One for Dummies, 3rd Edition. These statistics are based on reader e-mail and other sources of input that I get. I even take the comments on Amazon.com into account. One of the most common C++ questions I get (not the most common, but it’s up there) is why someone would want to use the language in the first place. It’s true, C++ isn’t the language to use if you’re creating a database application. However, it is the language to use if you’re writing low-level code that has to run fast. C++ also sees use in a vast number of libraries because library code has to be fast. For example, check out the Python libraries at some point and you’ll find C++ staring back at you. In fact, part of the Python documentation discusses how to use C++ to create extensions.

I decided to look through some of my past notes to see if there was some succinct discussion of just why C++ is a useful language for the average developer to know. That’s when I ran across an InfoWorld article entitled, “Stroustrup: Why the 35-year-old C++ still dominates ‘real’ dev.” Given that the guy being interviewed is Bjarne Stroustrup, the inventor of C++, it’s a great source of information. The interview is revealing because it’s obvious that Bjarne is taking a measured view of C++ and not simply telling everyone to use it for every occasion (quite the contrary, in fact).

The bottom line in C++ development is speed. Along with speed, you also get flexibility and great access to the hardware. As with anything, you pay a price for getting these features. In the case of C++, you’ll experience increased development time, greater complexity, and more difficulty in locating bugs. Some people are taking a new route to C++ speed though and that’s to write their code in one language and move it to C++ from there. For example, some Python developers are now cross-compiling their code into C++ to gain a speed advantage. You can read about it in the InfoWorld article entitled, “Python-to-C++ compiler promises speedier execution.”

A lot of readers will close a message to me asking whether there is a single language they can learn to do everything well. Unfortunately, there isn’t any such language and given the nature of computer languages, I doubt there ever will be. Every language has a niche for which it’s indispensable. The smart developer has a toolbox full of languages suited for every job the developer intends to tackle.

Do you find that you really don’t understand how the languages in my books can help you? Let me know your book-specific language questions at John@JohnMuellerBooks.com. It’s always my goal that you understand how the material you’ve learned while reading one of my books will eventually help you in the long run. After all, what’s the point of reading a book that doesn’t help you in some material way? Thanks, as always, for your staunch support of my writing efforts!

 

Where is Python 3?

A number of readers have been sending me e-mail about Beginning Programming with Python For Dummies and why I chose to use Python 3.3 instead of one of the Python 2.x versions. In general, I believe in using the most up-to-date version of a language product available because that’s the future of programming for that language. So, it wasn’t too surprising to me that I noted in a recent InfoWorld article that Fedora 22 will have Python 3 installed by default. I’ve started noticing that Python 3 will be the default with other products and in other environments too. Choosing Python 3.3 for this particular book looks like a really good choice because anyone reading it will be equipped to work with the latest version as it becomes adopted in a wider range of environments.

I do talk about standard Python in Professional IronPython. Of course, this book is targeted toward IronPython users, not Python users, but talking about standard Python and how you can use both libraries and utilities from it seemed like a good idea when I wrote the book. You need to remember that a solid version of Python 3 wasn’t available at the time I wrote this book and that Python 2 was really popular at the time. If there are readers of this book who would like me to create a series of posts that discuss using Python 3 libraries and tools with IronPython (assuming it’s possible), you need to let me know at John@JohnMuellerBooks.com. I try to accommodate reader needs whenever I can, as long as there is an interest in my doing so. At this point, I haven’t had a single reader request for such support, which is why I’m making a direct request for your input.

This leaves my current book project, Python for Data Science for Dummies. It turns out that the Data Science community is heavily involved with Python 2. My coauthor, Luca, and I have discussed the issue in depth and have decided to use Python 2 for this particular book. The limitation is that the libraries used for Data Science haven’t been moved to Python 3 completely and the entire Data Science community still uses Python 2 exclusively. If it later turns out that things change, I can certainly post some updates for the book here so that it remains as current as possible.

Python is an exception to the rule when it comes to languages. There are currently two viable versions of the language, so I can understand that some readers are completely confused. I encourage you to contact me with your thoughts, ideas, and concerns regarding the use of specific Python versions in my books. I want you to feel comfortable with the decisions that I made in putting the books together. More importantly, your input helps me decide on content for future books, articles, and blog posts. Unless I know what you need, it’s really hard to write good content, so please keep those e-mails coming!

 

Are You Lying? Can I Tell?

I just read an interesting article, “What happens when your friend’s smartphone can tell that you’re lying?” The reason this article is so interesting is that it involves a kind of application development that I would never have thought possible at one time. That’s what is underneath the technology described in the article. The hardware provides sensors that provide input to the application. The application uses the resulting data to determine whether the person in question is lying.

It’s an odd sort of thing to think of, but our society relies on lies to make things work. When someone asks how you feel, do you really think you can be brutally honest? Because lying has such negative connotations, most people would likely say that they’re honest all the time, but in fact, they aren’t. We habitually lie because it’s not only socially acceptable, but socially necessary to do so. Even if we feel terrible, most of us respond that we feel fine when asked how we feel. We know that the other person is simply trying to be nice and probably isn’t interested in how we feel. Asking how someone is doing or how they feel is an ice breaker—a means to start polite communication. The idea that smartphones can possibly detect these little lies will make people feel uncomfortable.

Our society is currently undergoing a massive change and most people aren’t even aware of just how significant the change really is. After all, the change lacks the protests, marching, and other indicators that previous changes have incurred. However, of all the changes I’ve read about, this change is possibly the most significant. We’re now monitoring every aspect of human behavior in ways that our ancestors couldn’t even conceive. Soon, we’ll have the capability of monitoring emotion. The idea that we can literally look into another person’s head and accurately see what they’re thinking and feeling is terrifying in the extreme. At some point we’ll have no privacy of any sort if things continue as they are now. We’ll become Borg-like creatures of the sort described in Star Trek: The Next Generation.

I’ve discussed privacy issues before. In An Unreasonable Expectation of Privacy, I pointed out that humans have never had complete privacy unless they became hermits (and even then, someone probably knew our whereabouts). I’ve also tried to help you counter some of today’s intrusions with posts such as Exercising Personal Privacy. Taking yourself off the grid, ensuring you maintain good privacy techniques online, and so on do help, but this latest article tells me that it may eventually become an issue of not being able to be private, even if you really want privacy. If someone can flash their smartphone at you and determine things like what you’re thinking and how you feel, the act of being private becomes impossible.

We’re on the cusp of a major change that we won’t be able to counteract. Humankind is plunging headlong into a new world where communication takes place more or less instantly and conveys more than just words. It’s going to be interesting to see what sorts of new social rules that we put into place to help with the loss of privacy. For now, users and developers alike need to consider how best to maintain privacy and allow for those times when privacy is no longer possible.

Where do you feel privacy is going? How do you think you’ll react as more and more applications are able to not only accept your input, but also sense your feelings and detect whether you’re engaging in behaviors such as lying? Do developers need to put safeguards in place to keep security issues under control? Let me know your thoughts about the future privacy implications of applications at John@JohnMuellerBooks.com.

 

API Security and the Developer

As our world becomes ever more interconnected, developers rely more and more on code and data sources outside of the environment in which the application runs. Using external code and data sources has a considerable number of advantages, not the least of which is keeping application development on schedule and within budget. However, working with APIs, whether local or on someone else’s system, means performing additional levels of testing. It isn’t enough to know that the application works as planned when used in the way you originally envisioned it being used. That’s why I wrote API Security Testing: Think Like a Bad Guy. This article helps you understand the sorts of attacks you might encounter when working with a third party API or allowing others to use your API.

Knowing the sources and types of potential threats can help you create better debugging processes for your organization. In reality, most security breaches today point to a lack of proper testing and an inability to debug applications because the inner workings of that application are poorly understood by those who maintain them. Blaming the user for interacting with an application incorrectly, hackers for exploiting API weaknesses, or third parties for improperly testing their APIs are simply excuses. Unfortunately, no one is interested in hearing excuses when an application opens a door to user data of various types.

It was serendipity that I was asked to review the recent Snapchat debacle and write an article about it. My editorial appears as Security Lessons Courtesy of Snapchat. The problems with Snapchat are significant and they could have been avoided with proper testing procedures, QA, and debugging techniques. This vendor is doing precisely all the wrong things—I truly couldn’t have asked for a better example to illustrate the issues that can occur when APIs aren’t tested correctly and fully. The results of the security breach are truly devastating from a certain perspective. As far as I know, no one had their identity stolen, but many people have lost their dignity and privacy as a result of the security breach. Certainly, someone will try to extort money from those who have been compromised. After all, you really don’t want your significant other, your boss, or your associates to see that inappropriate picture.

The need to test APIs carefully, fully, and without preconceived notions of how the user will interact with the API is essential. Until APIs become more secure and developers begin to take security seriously, you can expect a continuous stream of security breaches to appear in both the trade press and national media. The disturbing trend is that vendors now tend to blame users, but this really is a dead end. The best advice I can provide to software developers is to assume the user will always attempt to use your application incorrectly, no matter how much training the user receives.

Of course, it isn’t just APIs that require vigorous testing, but applications as a whole. However, errors in APIs tend to be worse because a single API can see use in a number of applications. So, a single error in the API is spread far wider than a similar error in an application. Let me know your thoughts on API security testing at John@JohnMuellerBooks.com.

WebM Replacing the Animated GIF?

There is always some new technology out there trying to replace the reigning king (or queen). The Graphic Interchange Format (GIF) has a colorful history, but is mainly used today for animated GIFs—those short sequences of animation that you see spread throughout the Internet (and many intranets as well). In fact, you can find animated GIF generators, free animated GIF libraries, and tools for working with animated GIFs by the score. It’s hard to believe that anyone has found uses for even a small portion of the resources out there.

Web Media (WebM) is a technology that is designed to work like an animated GIF, but provide significantly more functionality. It’s an open source project that will supposedly replace the aging animated GIF at some point. A recent article entitled, “GIF is Dead; Long Live WebM” explains the technical details of why this file format is so superior and why developers desperately need to embrace it. (Read “What Is WebM, and Can It Dethrone the GIF?” if you want a simpler explanation.) After reviewing everything I can online, I have to agree that WebM does, in fact, have a lot to offer. Most importantly, it can support longer animation sequences. The additional colors it supports are nice to have, but it’s the long animation sequences that will ultimately sell this technology to those who need it.

Unfortunately, WebM also has a lot of hype surrounding it. Advocates would have you believe that wholesale replacement of animated GIFs is imminent. The animated GIF won’t be going anywhere anytime soon. In fact, here are some reasons that animated GIFs will stick around for at least the next several years:

  • Not every browser supports WebM natively. Only newer versions of Mozilla Firefox, Opera, and Google Chrome support it. Even though Chrome is currently the most used browser out there, it doesn’t quite have enough market share to fully control the market (not that market share alone is a good reason to adopt any technology).
  • There is a huge base of sites that already use animated GIFs to good effect and it’s doubtful that the developers of those sites will make a change without a really good reason for doing so.
  • Animated GIFs enjoy a huge support base in free predefined graphics, free tools, and free support. There isn’t a strong monetary need for a new technology.
  • WebM is viewed as more complicated to embed in a Web page.
  • The tools for working with WebM aren’t nearly as easy to use as those that developers can use with animated GIFs.

The question of whether WebM will eventually replace the animated GIF isn’t answerable at this point. The technology is too new, not enough browsers support it, and the tools required to work with it still need a lot of polishing. Until WebM builds enough of a presence online and a backlog of free graphics for developers to use, you can be sure that developers will stick with what they know.

Upgrades really are nice. New technology can provide developers with useful advantages over what has come before. However, without a compelling reason to use WebM, you can be sure adoption will be slow. Without major improvements in support and reduction in complexity, developers will be reticent to make the move and WebM could end up being just one more good idea that didn’t quite make it. Tell me your thoughts about WebM at John@JohnMuellerBooks.com.