Issue No. 07 - July (2013 vol. 46)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2013.244
Vendors Push Secure Software Development
Major software vendors have expressed support for two efforts designed to make it easier for smaller companies to adopt secure software-development practices.
Microsoft said these efforts emphasize the growing realization that software vendors must design security into their products from the start of the development process and not try to address problems via patches and other approaches after they release applications.
Microsoft recently announced support for International Organization for Standardization (ISO) 27034, which delineates processes and practices that secure development programs should include.
In addition, the Software Assurance Forum for Excellence in Code (SAFECode), an industry association, has released the first modules in a free Web-based secure-coding training program for developers.
ISO 27034 provides guidance to developers about specifying, designing, selecting, and implementing security controls via processes integrated throughout an organization's systems-development life cycle. This is typically more complicated for smaller companies, which have fewer resources.
The standard doesn't say that developers should use specific methods or approaches but instead is written to work with any of them. This is designed to help developers provide security without taking away their flexibility.
Skeptics have said software-development process standards are fine but are not enough to provide adequate application security. They contend that vendors should also extensively test applications—using processes that send feedback to developers—before releasing them.
Recently, SAFECode released the first six modules for its new training website (https://training.safecode.org). The modules address topics such as cross-site request forgery, password security, and Windows access controls.
The organization says the current courses are introductory but that future classes will be more advanced. Adobe Systems sponsors the program.
White House Turns up the Heat on Patent Trolls
US President Barack Obama has announced a set of executive actions and recommendations designed to stop abuses by patent trolls.
Patent trolls are companies that buy patent portfolios not to use the technologies they address but solely to make money by suing firms they accuse of infringement. Frequently, sued companies agree to settlements out of fear that a jury trial could result in huge damages, even if they believe they didn't infringe on any patents.
A Boston University study last year found that patent trolls cost businesses, including many small companies, $29 billion in 2011, up from $7 billion in 2005.
Critics say the practice is unfair and ties up resources that companies could use to design useful new products. They also say that trolls, by using the patents they own only to file lawsuits, keep companies from making good use of the technologies involved.
Boston University law professor Michael J. Meurer, who worked on the school's recent patent-troll study, said, "Parties that are supposed to benefit from the patent system actually suffer because it creates a headache for them. In many cases, it has turned into a system that imposes a tax on innovators instead of stimulating innovation."
The White House has directed the US Patent and Trademark Office to take five new actions that would help reduce the number of patent-related lawsuits.
For example, the USPTO will now require patent-holding companies to say who really stands to gain from a lawsuit and identify the party that actually holds the patents in question. Sometimes, patent holders create shell companies to file lawsuits, thereby hiding their identities and the nature of their activities.
Obama also called for more training for patent examiners and the creation of educational materials to help businesses that patent trolls target.
The Obama administration has prioritized patent reform and, in 2011, passed the first major system overhaul since 1952.
Easier Wi-Fi Access Is on the Way
Wireless carriers are preparing to implement two technologies designed to make it easier for smartphone users to access Wi-Fi systems.
The Wi-Fi Alliance, a trade association, has begun certifying devices that comply with its Hotspot 2.0 technology, which is based on its Passpoint standard. And the Wireless Broadband Alliance, a group of mobile and Wi-Fi operators, recently conducted trials of its Next Generation Hotspot (NGH) standard with major wireless service providers including AT&T, BT, China Mobile, NTT DoCoMo, and Orange.
These two approaches enable a smooth, automatic handoff between affiliated cellular and Wi-Fi networks. This would eliminate the process by which users must first find a hot spot, then sign in with a username and password if it's secured, and finally enter payment information if it's not a free service.
In addition to being cumbersome, this need for manual authentication makes service continuity—in which users could seamlessly roam from a wireless network to a Wi-Fi network in the middle of a conversation—impossible.
Hotspot 2.0 defines the way that a device and a Wi-Fi access point communicate with each other to establish a connection and is based on three technologies. Wi-Fi Protected Access II provides security by ensuring mutual authentication and encryption between a mobile device and a network. The Extensible Authentication Protocol defines how security credentials pass between a wireless device and a security server. IEEE 802.11u lets a mobile device gather information from a Wi-Fi network before association and authentication.
NGH enables devices to connect to a carrier's back-end systems, in essence turning a Wi-Fi access point into another cell on the operator's network. This makes roaming between the two types of networks much easier.
Carriers are expected to start integrating Hotspot 2.0 and NGH into their systems this year and begin large-scale implementation in 2014.
SAP Plans to Hire Hundreds of Autistic IT Workers
German software vendor SAP has announced plans to recruit hundreds of people with autism during the next few years.
SAP said it wants to train 650 people with autism to become IT workers—including programmers, software testers, and data-management specialists—by 2020. They would represent 1 percent of the software giant's multinational workforce, the same percentage of the world's population that has autism.
The company has already begun its project by hiring 11 people with autism in India and Ireland, and plans to implement the program in Canada, Germany, and the US later this year.
People with autism have developmental disorders that often lead to social deficits, communication difficulties, repetitive behaviors, and sometimes cognitive delays.
However, SAP says, the tendencies people with autism often have—such as being highly detail oriented and able to accurately analyze large datasets—are very useful for many IT jobs.
The software company created its new initiative with the Danish company Specialisterne, which helps people with autism gain technology-related work skills.
SAP says it will provide coaches to assist workers with autism by, for example, helping them cope with job stress and the need to communicate effectively with their bosses and colleagues.
About 20 percent of people with milder types of autism work. However, experts in the field estimate that percentage could triple with the right kind of training and different employer attitudes toward the condition.
Germany's largest organization for people with autism, Autismus Deutschland, praised SAP's hiring decision. It said this attitude could help many qualified people who otherwise have trouble finding jobs because their conditions make them appear unsuitable to some companies or hurt them in employment interviews.
The organization expressed hope that SAP's position will spread to other employers and help convince people to think differently about autism.
Cray Releases "Cheap" Supercomputer
Supercomputers typically cost tens of millions of dollars, which puts them out of reach of numerous companies that could benefit from their processing power.
Now, though, Cray is using its next generation of technology to create systems starting at just half a million dollars, thereby making supercomputers more affordable for many smaller businesses.
Cray's XC30-AC systems would offer performance of between 22 and 176 teraflops (a trillion flops) and would cost between $500,000 and $3 million.
These systems would not be nearly as powerful as the world's fastest supercomputers. For example, the world's fastest machine—Cray's $60 million Titan, which the US Oak Ridge National Laboratory uses—performs 17.59 petaflops (one petaflop is a thousand teraflops).
While the XC30-AC is smaller, Cray says, it uses more advanced processor and interconnect technology than Titan.
Titan contains 560,640 processing cores, including AMD Opteron CPUs and Nvidia GPUs, and Cray's proprietary Gemini interconnect.
The XC30-AC systems, on the other hand, ship with Intel Xeon E5-2600 Series processors and Aries, a faster interconnect than Gemini. This helps the machines offer high performance at lower prices.
The new supercomputers use smaller server cabinets and less expensive peripherals that make the system easier to fit into a wide range of datacenters. In addition, they are air cooled, rather than water cooled like Titan.
The XC30-AC products occupy from one to eight cabinets, with each holding 16 blades of eight sockets each. If an eight-core processor is placed in each socket, an eight-cabinet system would offer 8,192 cores.
The system's speed permits memory sharing across processors, which increases efficiency.
According to Cray, oil and gas companies or electronics firms performing complex simulations—as well as biotechnology, engineering, and manufacturing businesses—could benefit from the XC30-AC.
By releasing both high-end and low-end supercomputers, Cray could take advantage of the recent growth that industry-analysis firm IDC has reported in the high-performance computing market.