Email	Print Reprint
	add to:
	Del.icio.us Digg Google Furl	Slashdot Y! MyWeb Blink

Software Development

We don't cover much outright fiction in New and Noteworthy (even if some of those press releases do get a little fervent from time to time). But I'm making an exception for Stealing the Network: How to Own a Continent (Syngress, 2004). It's a work of fiction, true, but with a "ripped from tomorrow's headlines twist: The authors—real-life crackers, terrorism experts and security consultants—have spun a fictional story of how bad guys (and gals) could take down a continent's infrastructure—but the technology and techniques are purportedly the real thing. With Kevin Mitnick as a technical reviewer, I'm inclined to believe them. The idea is to inform while entertaining—if the book succeeds, you'll put it down and rush to your digital ramparts, knowing how the bad guys plan to breach them.

In another interesting twist, the nine authors set up a Yahoo mailing list to facilitate its creation, and excerpts from the discussions are included as a "The Making Of ... appendix.

Stealing the Network: How to Own a Continent will set you back $49.95, which has got to be the cheapest deal for a continent since Ug and Moog picked up North America for two hand axes and a saber-tooth skin. —Rick Wayne

Speaking of Security

[click for larger image] SmartRisk Analyzer performs a static analysis on your C, C++ and Java applications.

There's a lot to be said for tradition. When it comes to application security, however, I'm fed up with the tried-and-true method of waiting for crackers to break in and wreck the place; for some reason, clients seem to get all soggy and hard to light when their accounting department's PCs transmogrify into an army of zombies and their website gets a porn-o-mat makeover.

Fighting bad voodoo with good voodoo, @stake's SmartRisk Analyzer performs a static analysis on your C, C++ and Java applications that goes way deeper than your source code—it works on the binaries (even into the libraries you link against), referencing your source where possible. (How? Beats me.) The software maps the flow of control and data in your application, and uses that model to run risk analyses for many different vulnerabilities, such as the classic buffer overflow depicted in the screen shot. (Repeat after me: "strcpy ... Bad! strncpy ... Good! Redoing in a modern language ... Very, very good!)

The software provides a full set of reports to help developers and managers get a handle on what's going on under the hood, and, of course, it's extensible with new rules as needed. SmartRisk Analyzer runs on Windows; pricing starts at $40,000, supporting a development group of 20 people.

@stake, 196 Broadway, Cambridge, MA 02139, Tel: (617) 621-3500, Fax: (617) 621-1738, www.atstake.com —RW

Agile Development Road Rally

[click for larger image] Rally lets participants instantly assess how the project is facing its risks and schedules.

NASCAR racing places a premium on sheer speed, aggressive tactics and hair-trigger reflexes. I've often thought that road rallies would be more fun: Carefully considered timing, in-the-saddle navigation, constantly adapting in a tight evaluate/ decide loop as you pit your wits against an unknown course. You see where I'm going: The analogy to agile software development couldn't be clearer, and the folks at Rally Software Development make the most of it in presenting their new process-support tool.

The Web-based Rally application is a hosted service. Translation: Rally spends the time on infrastructure, installation and updates—you just use the product. Said product offers dashboards, an idea drawn from portfolio management packages, to let participants instantly assess how the project is facing its risks and schedules. Each person can also have his own home page to narrow the focus to his own issues. Other pages address release and product management, project requirements, defect tracking and testing. It's aimed at process-light, low-overhead teams facing the intersecting pressures of schedules, costs and changing requirements. The price is pretty agile, too: Rally costs $65 per user per month.

Rally Software Development, 1655 Walnut St., Ste. 200, Boulder, CO 80302, Tel: (303) 226-1180, Fax: (303) 226-1179, www.rallydev.com —RW

Doff Those Bad Idea Jeans

One of Saturday Night Live's great fake commercials was for Bad Idea designer jeans, featuring folks wearing the eponymous slacks and facing the question "I can ... but should I?

Likewise, you can certainly run PHP on Windows, as an Apache or Internet Information Server (IIS) module or via CGI. But do you really want to? PHP's own documentation has some cautionary notes about these setups, and admins looking for rock-solid stability most often choose to run PHP on Linux.

Now Zend has come out with WinEnabler (no 12-step jokes, please), a product that continuously runs PHP in a process outside the Web server. Previously, the only way to run PHP outside the server process was CGI, whose inherent performance issues are too well known to belabor here. Zend's documentation points out that under the multiprocess Web server architecture common on Unix-like systems, problems in a module like PHP never smack back at the Web server itself. But Windows-based Web servers are multithreaded, demanding thread-safe design of their modules, as well as the possibility of taking down the server itself if something breaks.

Zend WinEnabler starts at $195 and runs on Windows 2000 or later; it's happiest with Apache 1.3, Apache 2.0 or IIS 5.0 or better.

Zend Technologies Inc., 19200 Stevens Creek Blvd. Ste. 100, Cupertino, CA 95014, Tel: (888) 747-9363, Fax: (408) 253-8801, www.zend.com —RW

RELATED ARTICLES Secure Software Needs Careful Testing -- And Lots Of It Securing the Java Core Nozzle: Counteracting Memory Exploits Welcome To the World of Cryptographic Voting Klocwork Targets Productivity With Dev Tool Suite		TOP 5 ARTICLES No Top Articles.