Issue No. 01 - January/February (2006 vol. 23)
ISSN: 0740-7459
pp: 116-118
Software Theory Complete
Todd Schultz
Software Paradigms by Stephen H. Kaisler, John Wiley & Sons, 2005, ISBN 0-471-48347-8, 440 pp., US$89.50.
In the essay Nature, Ralph Waldo Emerson said, "Whenever a true theory appears, it will be its own evidence. Its test is that it will explain all phenomena." As I read Software Paradigms, this quote kept coming to mind. The book arose from a graduate computer science course that tied together all the concepts of software development models that students had learned about in other courses. By Emerson's yardstick, Software Paradigms is a true theory; there's hardly a software development element that's not described somewhere in Stephen Kaisler's collection of design patterns, components, software architectures, and frameworks. Use design patterns or software architectures as keywords in a search, and you'll be overwhelmed with hits. Although they're broad and somewhat vague, these terms resonate strongly in the software engineering and information technology industries. With only two generations (or so) as an object of study, software and its development still seem to be seeking core principles. Kaisler tries to abstract the software development objects themselves as distinct from the problems being solved or the code being generated. It's not easy to describe precisely what this means, so I'll give an example (chosen randomly and, of necessity, a little out of context): "A component model defines the basic architecture of a component and specifies the structure of its interfaces and the mechanisms by which it interacts with its environment and with other components." As part of a prelude to discussing the CORBA component model, it makes great theory, but be warned—much of the book deals with getting to the meaning of statements like this quote. Software Paradigms isn't about modeling user processes or data requirements as part of a software design, and it doesn't outline or illuminate a software development method (although these topics do appear).
The book is redolent with object-oriented programming ideas, but teaching OO approaches isn't the goal. Instead, Kaisler arranged a large, varied set of software development elements in a hierarchy from design patterns to components to software architectures to frameworks, providing a single reference for software development's interdisciplinary activities. A primary goal of the text is to explicate a context from which students can dive deeper into particular topics. The book is good theory in the sense that theory follows practice and provides consolidation and perspective, and the book's bibliography, figures, and tables survey state-of-practice technologies and processes. Very little about software development escapes description, and Kaisler's hierarchy includes hooks for everything from graph traversal as a generic problem type to domain scoping in developing frameworks. However, descriptive breadth doesn't equate with prescriptive illumination (which isn't the book's goal). For example, readers will learn that programming-language selection significantly affects development, but they won't find guidance on choosing the right language for a given problem. Software Paradigms is an excellent course reference for someone with significant but varied (and perhaps shallow) software development ideas that need structuring into a more complete understanding. It makes a handy reference for identifying the similarities between, for example, Microsoft's Component Object Model and JavaBeans (as software development elements, not technologies). It would also be useful reading for academically minded high-level executives who are responsible for setting enterprise software architecture goals. Folks in the trenches—developers, team leaders, and designers—won't find much they can directly apply to their work, and without a good course instructor or experience reading academic prose, many will find the text challenging. 
Todd Schultz is a professor of management information systems at Augusta State University. Contact him at tschultz@aug.edu.
Database Security Essentials
Radu State
The Database Hacker's Handbook, by David Litchfield, Chris Anley, John Heasman, and Bill Grindlay, John Wiley & Sons, 2005, ISBN 0-7645-7801-4, 500 pp., US$50.00.
Database systems are the main building block for our modern e-commerce and Internet-driven society. Although they're hidden behind Web applications, services, and portals, database systems store the essential customer data and business-logic-related data. As such, database system security is highly important to online businesses and to systems handling sensitive data. The software industry needs and should welcome a book dedicated to database system security.
Written from an attacker's point of view, The Database Hacker's Handbook is the first database-related book that I could read from cover to cover without losing my initial curiosity. I was thrilled by the 500-page book and wondered whether there would be enough content to fill a book entirely dedicated to securing databases without repetition.
Contents
The authors are well-known security experts David Litchfield, Chris Anley, John Heasman, and Bill Grindlay. The book covers the seven major database servers: Oracle, DB2, Informix, Sybase, MySQL, SQL Server, and PostgreSQL. For each server, the authors follow a three-phase approach: briefly introduce server specifics, discuss server discovery and attack techniques, and describe best-practice solutions for defending the server's architecture.
The writing style is highly technical and precise, and the authors present the attacks in a clear, pedagogical manner. They describe the general vulnerability that makes the attack possible, illustrating their points with operational code.
The vulnerabilities have different causes:
• implementation-specific problems, allowing classical buffer overflow attacks;
• weak authentication protocols;
• Structured Query Language (SQL) injection causing code execution on the compromised system via stored procedures; and
• missing or misconfigured access control mechanisms.
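As an added illustration of the SQL injection class in this list (example code, not from the book or its authors): a login check built by string concatenation beside the parameterized form, run against the same attacker inputs. It uses Python's sqlite3 with a constructed in-memory users table standing in for the servers the book covers; the stored-procedure route from injection to operating-system command execution is server-specific and is not shown here.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the book): two users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret!", "dba"), ("alice", "wonderland", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: quotes and comment markers in the
    input are parsed as SQL, so the caller's text rewrites the WHERE clause."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Keeps the SQL text fixed and binds the values; the driver never lets the
    input change the statement's structure, so quotes in it remain data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Runs the same inputs through both forms; returns {case: (vulnerable, parameterized)}."""
    conn = make_db()
    results = {}
    # Comment marker cuts off the password check:
    #   WHERE username = 'admin' --' AND password = 'anything'
    results["comment_bypass"] = (
        login_vulnerable(conn, "admin' --", "anything"),
        login_parameterized(conn, "admin' --", "anything"),
    )
    # Tautology makes the clause true for every row:
    #   WHERE username = 'nobody' AND password = '' OR '1'='1'
    results["tautology"] = (
        login_vulnerable(conn, "nobody", "' OR '1'='1"),
        login_parameterized(conn, "nobody", "' OR '1'='1"),
    )
    # Honest credentials behave identically in both forms
    results["honest_login"] = (
        login_vulnerable(conn, "alice", "wonderland"),
        login_parameterized(conn, "alice", "wonderland"),
    )
    return results


if __name__ == "__main__":
    for case, (vuln, safe) in demo().items():
        print(f"{case:15} concatenated={vuln}  parameterized={safe}")
```

The concatenated form returns the admin row for both attacker inputs; the parameterized form returns nothing for them and only succeeds for the real credentials. Parameter binding closes this one class; the other three causes in the list (overflows in the server, weak authentication, missing grants) are not touched by it and need patching, strong authentication, and least-privilege account configuration on the server side.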

The result can be devastating and can go beyond simple data disclosure to cause system-level compromise, which lets hackers penetrate the internal network more deeply.
Although The Database Hacker's Handbook has an excellent logical flow and presentation, I wish the authors had included more graphical illustrations. I also would have liked a generic chapter on the database security blueprint; this could have presented the most common vulnerabilities in a server-independent manner, letting the authors cover their server-specific exploitation in individual chapters. However, as it is, you can read sections independently depending on your priorities and the database server you administer.
Audience
Database developers and programmers will appreciate the sections on injecting and triggering executable code in different operating systems. Readers with a general interest in network security will grasp database security essentials and learn that running even a simple unsecured database server on a system can be the last thing they do before being compromised. Penetration testers and network assessment professionals will benefit from the in-depth and comprehensive treatment of database security. I warmly recommend The Database Hacker's Handbook to such readers.
Two years ago, Litchfield cowrote The Shellcoder's Handbook (John Wiley & Sons, 2004), the de facto reference book on advanced software vulnerability detection. The Database Hacker's Handbook is an excellent text and will probably become the reference book on database security for the next few years.
Radu State is a senior researcher at Inria. He also teaches a graduate-level computer security class at the Henri Poincaré University. Contact him at radu.state@loria.fr.
An Indispensable Guide to Knowledge Management Systems
Art Sedighi
Enterprise Knowledge Infrastructures, by Ronald Maier, Thomas Hädrich, and René Peinl, Springer, 2005, ISBN 3-540-23915-4, 385 pp., US$99.00.
How do you determine the value of intellectual capital floating around your enterprise? Managing information can be the difference between a successful organization and a failed one. A secondary challenge these days is the ability to find proper knowledge (that is, relevant information).
In Enterprise Knowledge Infrastructures, Ronald Maier, Thomas Hädrich, and René Peinl take a bottom-up approach to knowledge infrastructures, covering the reasoning behind knowledge management systems and their role in the enterprise. Over the past two decades, enterprises have become more data-driven (and, essentially, knowledge-driven)—a concept that the authors call intellectual capital. What sets organizations apart today is their intellectual capital, which comprises numerous attributes (such as being scarce, multipurposeful, not substitutional, or not imitable). The authors argue that for an enterprise to be successful and long-lasting, it needs to join knowledge with these attributes. Furthermore, the authors reason that managing this knowledge becomes the organization's key strategy—that is, one of knowledge management.
The authors demonstrate various methods and technologies that you can use to develop and maintain a knowledge management system. Unlike other methodologies introduced, Enterprise Knowledge Infrastructures claims that knowledge management systems are the end-to-end, top-to-bottom infrastructures at the heart of every organization. From the physical network layer to business process management and workflow, knowledge management systems must integrate all of an organization's parts with its intellectual capital. This raises the notion of services, which are deployed across an organization to give users proper knowledge.
The authors further explore the concept of proper knowledge throughout the book. Various services support it, including discovery, search, learning, publication, and real-time determination of user needs, a concept that has emerged in recent years with the Semantic Web and ontology engineering to determine the "properness" of knowledge.
Before you can access knowledge, you need to integrate the data and use it to build knowledge bases. You might be familiar with integration practices such as data, process, and functional integration; however, in the book, semantic integration takes center stage because it's the basis of knowledge management systems. In each section, the authors explore the latest protocol and research effort, making the book a useful all-in-one text for software architects and business planners. The book covers protocols and standards such as OWL (Web Ontology Language), RDF (Resource Description Framework), and RDF Schema in detail, including numerous examples and case studies. Using semantic protocols lets you build and use knowledge services. A service's users require a method to discover that service semantically. Furthermore, services must collaborate with each other and fulfill each other's requests.
The authors build the data infrastructure stack and add layer upon layer to demonstrate the end-to-end architecture. The next step is for the users to access the services. The authors depict client-server, distributed, and mobile methods as the means of enterprise knowledge enablement.
Enterprise Knowledge Infrastructures is filled to the brim with information about building knowledge management systems for enterprise. As the authors mention repeatedly, knowledge management systems will prove to be the most integral part of an enterprise. Protecting intellectual capital while at the same time dispersing it to appropriate users on demand will challenge knowledge management systems, and Enterprise Knowledge Infrastructures aims to solve this problem.
Art Sedighi is a senior consulting engineer at DataSynapse and a freelance writer. Contact him at sediga@alum.rpi.edu; www.artsedighi.com.