Community Update 2014-04-01 – April Fool’s special, getting ready for #durandaljs and some #elasticsearch
Deep Dive: Improving Performance in Your ASP.NET App (channel9.msdn.com) – Available April 4th-5th.
.NET
Nest - Quick Start (nest.azurewebsites.net) – .NET Connector for ElasticSearch
In case of a connection loss, this type of slave has been designed to automatically attempt to reconnect to the master. This makes sense because you want these slaves to remain online all the time, even if your janitor trips over the ethernet cable. Unfortunately, it also means that over time, these slaves accumulate gunk, such as mutated static state, left-over threads, memory leaks, or native libraries that are loaded into the JVM.
To prevent that, a better approach is to restart the slave JVM (JENKINS-19055) and have the new JVM reconnect, instead of having the same JVM reconnect. That ensures that the slave always stays clean. I've planned to make this change for a while now, and I'm happy to report that it is finally landing in the upcoming 1.559.
Restarting the JVM is easy on Unix, where I could just have it exec(3) itself. We've been doing this for ages on masters, for example when you update a plugin and tell Jenkins to restart.
The hard part was doing this for Windows, which is where most of the time was spent. I had to improve the Windows service wrapper to support self-restarting services, which turned out to be tricky because the Windows service control manager doesn't provide "restart" as an atomic operation. It also kills not just the service process itself but all the processes in the group. So I had to double-fork the service wrapper into a separate process group just to restart a service from within itself.
In any case, the end result is that if you have installed a service through the GUI, be it on Windows, Unix, or OS X, slaves will restart themselves every time they get disconnected from the master.
I've also taken the opportunity to make jenkins-slave.exe on the slave self-updating. Every time it connects to the master, it gets the latest version from the master.
If you have installed Web Start slaves as services, make sure to update the local copy of slave.jar on these slaves to 2.37 or later. This "restart on reconnect" feature only kicks in when you are running this very recent version of slave.jar. And yes, we realize it'd be nice for slave.jar to update itself, which is tracked as JENKINS-22454. But that's work for another day.
Thanks to all of you who attended our last webinar, Selenium Bootcamp, with expert Dave Haeffner! Click here to listen to the recording, and check out the slide deck below from his presentation if you haven’t already done so.
How to Use Selenium, Successfully from Sauce Labs
Want to share your thoughts or expertise with our community? We want to hear it! Submit your blog post or webinar topic here.
A design flaw in popular photo messaging application Snapchat could allow a malicious user to send thousands of messages to an account simultaneously, effectively performing a denial-of-service attack, according to security researcher Jaime Sanchez. The flaw is the latest in a series of software security tussles that have arisen around the company in recent months.
Sanchez, a consultant for Spanish telecom company Telefonica, discovered the flaw along with another researcher on his own time, the Los Angeles Times reported. He found that Snapchat uses security tokens for authentication whenever a request is made to the service's servers. In other words, a request token is created any time users add a friend, update their contact list or send a message. The problem is that these tokens aren't set to expire, which means an attacker can reuse an old token to send new messages.
"The original idea of using request tokens is to force users to create one, and then discard it for next time," Sanchez wrote in a blog post. "So, if you're an authenticated user, you'll be able to create another time and then make another request. The problem is that tokens doesn't [sic] expire."
With a simple script run on a computer, an attacker could easily use the same token to spam thousands of accounts or send thousands of messages to a single account. Sanchez demonstrated the latter scenario to an LA Times reporter, flooding the reporter's iPhone with 1,000 messages in five seconds. This caused the phone to freeze and restart itself. According to Sanchez, this is likely because the attack also overloads iOS's Push Notification service. While a denial-of-service attack on an Android device would not cause the phone to crash, it would begin to run extremely slowly, and the app becomes unusable for the duration of the attack.
Sanchez told the LA Times that he did not report the issue to Snapchat because of the lack of respect the company has shown toward the software security community in other recent incidents. For instance, at the end of last year, researchers at Gibson Security published an exploit that would allow mass theft of Snapchat user info after reportedly receiving no response from the company. Hackers quickly used the exploit to pull account data for 4.6 million users.
Snapchat, which also has recently turned down acquisition offers worth billions, could suffer in the public eye if such software security incidents continue to occur. According to Sanchez, the company has still not addressed his flaw, although it did disable the accounts he used to generate his proof of concept attack.
As other companies look to emulate Snapchat's success in attracting industry attention and investment, using tools like source code analysis software during the development process can be a cheap, effective way to catch simple but potentially damaging flaws such as security tokens that are not set to expire. With a rigorous security mindset during development, companies can minimize their risk.
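An added example, not code from the article or from Snapchat: a minimal server-side check that gives request tokens the two properties described above as missing, a limited lifetime and single use. The token layout, the 30-second lifetime and every name in it are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 30  # assumed lifetime; a real service tunes this to its clients


class RequestTokenVerifier:
    """Issues and verifies short-lived, single-use request tokens (constructed scheme)."""

    def __init__(self, key, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._key = key
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._seen = {}          # nonce -> time after which it can be forgotten

    def _sign(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, user):
        payload = {
            "user": user,
            "iat": int(self._clock()),         # issued-at, checked against the TTL
            "nonce": secrets.token_hex(16),    # makes every token unique
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        return body.decode() + "." + self._sign(body)

    def verify(self, token, user):
        """Return "ok", or the reason the token was rejected."""
        body_text, sep, mac = token.partition(".")
        if not sep:
            return "malformed"
        body = body_text.encode()
        # Constant-time comparison; nothing in the body is trusted before this passes.
        if not hmac.compare_digest(self._sign(body).encode(), mac.encode()):
            return "bad-signature"
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
            token_user = payload["user"]
            iat = int(payload["iat"])
            nonce = payload["nonce"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if token_user != user:
            return "wrong-user"

        now = self._clock()
        # Expiry: the property the article says the tokens lacked.
        if not (0 <= now - iat <= self._ttl):
            return "expired"

        # Single use: remember each accepted nonce until its token would have
        # expired anyway, so the replay cache stays bounded by the TTL.
        # (Linear pruning is fine for a demo; a real service would use a
        # shared store with per-key expiry.)
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return "replayed"
        self._seen[nonce] = iat + self._ttl
        return "ok"


def count_accepted(verifier, token, user, attempts):
    """Present the same token repeatedly and count how many requests pass."""
    return sum(verifier.verify(token, user) == "ok" for _ in range(attempts))


if __name__ == "__main__":
    fake_now = [1_000_000.0]  # constructed clock value
    verifier = RequestTokenVerifier(secrets.token_bytes(32), clock=lambda: fake_now[0])

    token = verifier.issue("alice")
    print("accepted out of 1000 replays:", count_accepted(verifier, token, "alice", 1000))

    stale = verifier.issue("alice")
    fake_now[0] += TOKEN_TTL_SECONDS + 1
    print("token presented after its lifetime:", verifier.verify(stale, "alice"))
```

With both checks in place, a captured token is worth one request inside a short window, so per-account rate limiting only has to cover freshly issued tokens.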
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.
HP LoadRunner consists of a number of different components, including the Controller, Load Generators, MI Listeners, etc. Previous releases of LoadRunner have provided enough security to ensure that the data being transferred between components is secure, but were not able to prevent unauthorized computers from accessing the components. LoadRunner 12.00 introduces a new set of SSL-based security features that can protect your LoadRunner components from being used by an unauthorized computer.
Continue reading to learn how you can secure your LoadRunner 12.00 environment with the new SSL features.
(This post was written by Yan-Jun Yu (Tedy), from the LoadRunner R&D Team)
The agile community is full of stuff on generalists. Ideally, you should be able to juggle coffees for your developers while riding a one-wheeler, and playing the guitar to “Master of Puppets” from Metallica at the same time. Oh, and you really should have found that bug while doing all that.
That’s a task close to impossible. Let’s take a step back, and take a look into another field of work: cooking. How do you react to generalists there? Let’s see.
Caution: Before reading on, make sure you had enough to eat. (Or didn’t, depending on how fast you can get weak.) This blog post includes references to lots of yummy meals, and itself contains 2000 kcal.
Cooking specialists?
Before we can define generalization successfully in the cooking field, we need to be able to identify possible directions of specialism. Generalizing is a relationship that cannot exist without specialization. In order to generalize, you have to define the opposite specialities first. Generalization then becomes the movement away from one particular speciality towards at first two, then maybe three, and on the other extreme all the specialities that you can identify in the according field of work.
For cooking, there are several ways you can think about specialization. You may specialize in green, or veggie foods. You may specialize as meat-only cook, or even become a beef master. You can specialize in cooking just with the oven, or focus on grilling activities (my favorite). Consider a cook that is proficient with the barbecue grill to properly prepare a cake with it besides serving you the steak first. Awesome! A meaty cake. I would love that one.
But let’s consider some alternatives. There are cooks in the high pricing segment, like five-star cooks. There are fast food chains that provide you meals with fewer turn-over costs (and other different qualities).
But there’s more. There are cooks that focus on local specialities. There are cooks for the German kitchen, serving bratwurst, haxen, and sauerkraut. Then there are Italian cooks that can serve pizza, pasta, and other specialities from the South-European country. Oh, and don’t forget about the Japanese food. If you’ve ever been to a Japanese steakhouse, you know what I mean. (I should certainly find one in Germany.)
Oh, and then there are cooks that specialize on a particular piece of the whole course. For example there are specialists at creating dessert, like an ice-cake (yummy!). And there are specialists for soup, for salad, and main dishes.
As you can see, there is a whole bunch of stuff that you may focus on. Now, let’s take the counter-position, and see where generalization would lead us to.
Generalizing cooks
How could a cook generalize? When considering the five-star cook, she is probably already generalizing. She knows a couple of dishes well enough to receive the five-star certification. For the certifier it does not matter where these dishes come from. They only need to be yummy, well prepared, well served.
Or should a cook generalize in the sense of the dishes he serves? A cook that’s only good at meat probably won’t win many prizes in the long run. To prepare a proper meal, he also needs to serve the openers, and he also should have a clue about the composition of the whole course, like which wine to serve with the deer, and what kind of dessert fits better: ice cream or fruits?
Then what about the fast food cook versus the noble restaurant cook? The fast food cook knows a bunch of recipes, and he has streamlined his whole business according to his margins – and what people are willing to pay for it. In a noble restaurant people eat because they want to taste something special. Only the best ingredients get into each individual meal, and that also has an end result on the price. And of course, the overall experience in a five-star restaurant is totally different than the one in the next local Wendy’s.
Oh, and if you can’t get a dessert at the local shop, then you are probably going to the next ice-cream shop, and spend your money there. That might be ok in certain regions of the city. But if the next ice-cream bar is 20 miles away, your customers are more likely to complain about it.
And, finally, you may generalize across country specialities. Besides burgers you may serve sushi, paella, and Irish Stew. You are so proficient in your cooking skills that you can serve all meals from all over the world. 120 meals in your whole menu.
One cook to rule them all
The other day, when I stood in a fast food shop in our home town, waiting for our lunch, I started wondering. That shop sold Döner, Pizza, and a couple of German and Austrian dishes. That shop appeared to be a generalizing shop.
As a customer, did I like it? I started to wonder whether they followed the demand from the market, or tried to fill a particular niche in the local market by offering everything. I certainly wasn’t convinced that many of the offered dishes were good while waiting in that shop.
Now, after writing about this experience, I think there is a tremendous difference between a five-star generalist cook, and a generalizing fast food cook. I trust the five-star cook on another level than I trust the tiny small “Fetthalle” around that corner that serves lots of different international foods. I prefer to be more like a five-star software developer rather than a generalizing “fast code” hacker.
That made me wonder what the outside impression from us software generalists would be? Should we be more like generalizing fast food cooks or like five-star cooks in the end? Well, in the end, software development has only to do with stuff you can’t see – if you won’t take a look. Food is different.
For most companies, April 1st is a less-than-ideal date in which to launch an app or a major update, as consumers, media and other interested parties might take it to be a prank. Google is not most companies.
The tech giant just released a mini-game in the update of its “Maps” application. Unlike most updates, this one incorporates a healthy dose of Pokémon. For those unfamiliar, Pokémon is a Nintendo-owned media franchise involving card games, video games, cartoons and movies that feature trainers capturing wild “Pokémon” creatures with special abilities. Once captured, they are trained to fight and pitted in battles against one another. At least that’s what I’m told.
Of course, Google is known for being quite a prankster, with a long list of similar April Fool’s Day pranks (seriously, a LONG list), however they have also peppered in a number of real releases on April 1, including Gmail. In fact, Gmail was thought to be a hoax, because at the time a free email service with a gigabyte of storage was an entirely new concept. Safe to say that one worked out pretty well.
So is this recent Pokémon update to Google’s Map application a hoax or the real deal? It seems a bit of both – at least we hope! The video promo they put together shows Poke-enthusiasts travelling the world, and “finding” Pokémon using an incredible looking augmented reality app within Google maps to capture their very own Pokémon. The video also promises any person that can capture all 150 Pokémon will have a chance to work at Google, with the title of “Pokémon Master”. Unfortunately, it’s a pretty good bet that these aspects are the hoax portion of their prank.
If you’re willing to take that chance in order to become a Pokémon Master, here’s how to get started:
To start becoming a Pokémon Master, go to your updated Google Maps app, tap the Search Bar, and then tap the Pokeball icon that says Start. You’ll be transported to Isla Santa Cruz, which is a remote cluster of islands, that are apparently teeming with Pokémon wildlife. You can then catch Pokémon by tapping them. There is a Pokedex you can fill with 150 different types of Pokémon, though I’m unsure what happens when you succeed.
Regardless of whether the feature will get pulled after April Fools (it’s hard to imagine running into Pokémon while searching for a hotel on vacation) it’s given users a new reason to check out Google Maps and all of its new features. For Google, I would suspect that it has led to a sizeable increase in usage over the last 24 hours. Everyone wins!
There is a lot of speculation as to whether or not Google is up to something bigger with this prank. Some have suggested a geo-caching project in the works, while others have mentioned some sort of augmented reality app. I guess we’ll have to wait and see.
Either way, it seems that Google has once again reminded the world that they remain the king of April Fool’s Day pranks.
Want to win a programmable LEGO robot? Share your voice in this year’s survey.
Let me share three statistics with you from the 2013 open source development survey:
- 76% of organizations lack meaningful controls over the use of open source software in development
- 86% of developers believe their typical applications include over 80% open source components
- 71% of applications have more than one critical or severe open source component vulnerability
These stats might surprise you or may not. Surprise is not their intent. The real intent of these survey results is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important.
Today we kicked off the fourth annual open source development and application security survey. You can take the 5 minute survey here — it takes less than 5 minutes, we promise.
Looking at last year’s findings, I see so many great discussion topics for your next team meeting, a lunch-and-learn at your office, or at a community MeetUp event. Topics like:
- How do our practices compare? Are we ahead or behind?
- What policies do we have in place, do we need new ones, or does anyone follow our policy?
- Are our development, security, and compliance practices sufficiently aligned compared to other companies our size?
We’ll send everyone the final survey results to share, compare, and discuss with your team. You can also enter into a DAILY drawing for a $100 Amazon.com giftcard and a WEEKLY drawing for a super cool LEGO Mindstorms EV3 programmable robot. The survey is only open until April 30th. And the sooner you take the survey the more chances you have to win.
The Guardian: "In truth, many shared bathrooms are cleaner than, say, the telephone on your office desk, your computer keyboard, the dishcloth by your kitchen sink ... [but] it is perfectly natural, perfectly logical, that we expect [faecal bacteria] to be congregating in greatest numbers somewhere around the toilet bowl"
Image: https://flic.kr/p/iE7jP
This workshop starts with theoretical issues such as the benefits and the return of investment in automated testing. The main focus will be the use of Ranorex in practice.
10:30AM - 05:30PM EST
Look at the schedules for additional workshops in the next few months.
We look forward to seeing you there!
Community Update 2014-03-31 – #Build2014, #dotnet, #css, #responsive tables, #aspnet, #owin, new #octokit .NET version
So like every Monday, as always, we have an avalanche of links.
The one I would really not miss is the Build 2014 session list. Build will start April 2nd and go up to April 4th. I will list my recommended sessions once we reach those dates since I’m still picking what I, and maybe you, should watch.
With this, good reading!
Build 2014 (channel9.msdn.com) – The event will be from April 2nd to April 4th.
Web Development
CSS Diner - Where we feast on CSS Selectors! (flukeout.github.io) – Excellent learning tool to learn CSS selectors
Event sourcing in practice (ookami86.github.io) – Slides in HTML. Use the arrows/space on your keyboard to page through.
Windows Azure
octokit.net/ReleaseNotes.md at master · octokit/octokit.net · GitHub (github.com) – New version of the .NET GitHub API.
Search Engines (ElasticSearch, Solr, etc.)
Right. Google seems to have understood very deeply that the key to upping the competitive game with Amazon and Microsoft in the public cloud is through developers. More than live migration and race-to-the-bottom pricing, they know that they can use their savvy as developers to differentiate the platform for developers. They use the phrase “meeting developers where they are,” and have committed big time to using Jenkins - as Google's Chris Smith put it - as the “man behind the curtain” to orchestrate continuous delivery from code to production.
1411 People Stared in Awe at the Mighty Power of the Jenkins Update Center During Google Cloud Platform Live
That phrase “meeting developers where they are” is kind of interesting, too, almost un-Google like. They’re not inventing a new Google-icious CI or build tool. They’re giving developers what they’re used to and are productive with - IntelliJ (aka Android Studio), Git, Jenkins, Maven and Gradle. They’re glueing those powerful tools together in a simple flow that fits seamlessly across their properties and Google Cloud Services, all leading toward deployment on Google Compute Engine and App Engine and Android devices.
That’s a pretty expansive vision, a fundamental change to the way developers build, test and deliver applications in the cloud world. A real platform play. It’s something we at CloudBees have been delivering on for a while now and that our customers have been depending on 24x7 to run their businesses. Here are a few of the important things we've learned in our journey to delivering the most advanced developer-centric Platform as a Service in the market:
- Hybrid is reality, and will be for a long time. We love the cloud and run our business on it, but most businesses have existing investments (technical, capital and procedural) that are reality for them. Those businesses and the developers in them want to use the cloud, too. So, you need to live in both worlds and connect those worlds. For continuous delivery to be meaningful to the developers living in this hybrid world, you need to bridge them securely and painlessly, and that’s particularly true for people in the enterprise. That's why we've invested in things like RBAC, on-prem executors, VPN connectivity, and SAML support. Meeting developers where they are sometimes means you need to meet them in their own data center.
- Continuous integration - and continuous delivery even more so - requires connections to all kinds of surrounding systems. This is one of the reasons Jenkins is so incredibly popular, because if you can’t do that using one of the 900 or so plugins in Jenkins today, you can build one yourself. Heck, that’s why Google is using it, too! Part of the “trick” of providing Jenkins as a hosted service is to do it in a way that exposes the flexibility and community-powered plugin set. The Update Center is the window into those plugins, so it's nice to see it being visible in Google's demo. Ultimately, all this relates to "running at scale" - supporting teams and the larger scale business processes that developers live within. Those developers will demand direct access and tweaks to the plugins and the ecosystems they unlock. Developing and deploying a web or mobile app is often just a part of a bigger chain of automation, which often spans reusable common libraries into post-deployment testing. Giving teams of developers the tools to collaborate and thrive within this kind of larger flow, continuously - that’s running at scale.
- Community is key. The great thing about the Jenkins project is that Jenkins itself is built to encourage community, and it is operated to build community. Like any community, it has leaders and highly engaged participants. But, it also welcomes people who jump in and dabble, who do a quick project to solve a specific problem, or who extend the work of others. People participate because their investment pays back and often makes them feel good at the same time. So Google, my advice to you is to jump in. Don’t just keep the butler downstairs waiting for you to ring the bell for CI service. Come on down and have a beer with the rest of us. I guarantee you’ll be welcomed!
This last week was a big one for cloud. The message should be crystal clear for competitors to the Google Cloud Platform. If you want to leapfrog Amazon (or Amazon: if you want to avoid being leapfrogged), you need to connect with developers. Those developers have long ago gotten used to instant access to on-demand infrastructure. Yawn... has the price dropped again? They want to consume a service, not build it if it’s not core to the problem they’re solving for the business. What’s more interesting to these developers and the people who employ them - and whose businesses depend on them - is how to create, update and deliver better software faster, continuously. The man behind the curtain to make that happen, to put the power of community and connectivity to work, turns out to be Jenkins.
-- Steven G. Harris
www.cloudbees.com
Steven Harris is senior vice president of products at CloudBees. Follow Steve on Twitter.
So what can new app developers do to stand out?
Gil Dudkiewicz, of The Next Web, recently pulled together a list of 5 things app developers need to know. Here’s a look:
“1. Imitation is not always the sincerest form of flattery
If your product is good, people will copy you. The better it is, the likelihood of being ripped off increases exponentially. This is a multi-industry reality and it’s the first thing you should keep in mind as you develop your mobile app.
If you know you have an excellent product in the works, a strong launch is critical. The initial loyal user base you attract as a result of high visibility will help you stay on top when the imitators eventually end up publishing similar products.
The more active users you have, the better your app holds its ground in the store. Additionally, those are the users who convert to paying customers.
#2. It is far too easy to get lost in the crowd
One of the biggest challenges mobile app developers face is discoverability. With more than a million mobile apps in each of the app stores (Apple and Android), it is becoming harder and harder to generate organic users.
To overcome this, you should plan on putting time and effort into app store optimization techniques. The app name, icon, description and screenshots – all of these need high attention and professional care to reach the best results.
Invest time and money to produce a unique presentation of your app before it is downloaded to grab the attention and pique the interest of users.
#3. You don’t have to play by the rules to go viral
When it comes to distribution, developers often think the only path to topping the charts is through organic results. This is usually not the case! Going viral is rare, so developers should not be shy about opening their pockets and buying some downloads.
Set a budget and contact a solid network, target your audience, and get those users. This is particularly crucial for your launch to ensure a strong start.
Another area in which to exercise a bit of creativity is monetization. Do not be fearful of trying new monetization solutions. Far too many mobile app developers “settle” for the generic solution of placing a flat, boring banner in their ad because they feel it’s the only solution. Wrong! Get your creative juices flowing to come up with an innovative solution.
For example, users are far more tolerant of in-app advertising than you may think, particularly if your app is well-made and solves a problem for them, or even provides a few moments of fun.
A well-integrated, well-timed full-page ad, app wall, or video can generate revenue in a way that complements the app experience rather than damaging or distracting from the experience.
#4. There is a best time to launch your mobile app
You’ve probably heard the expression, “Good things come to those who wait.” This is especially true when it comes to choosing the right moment to launch your mobile app.
If you are accustomed to publishing on the Web, toss everything you know out the window, because the best times to publish mobile apps are during the summer and the December holidays. People are on the road and glued to their devices. Use this to your advantage and plan to boost your app just before the holidays for a massive wave of fresh users.
#5. The new kids on the block are the most popular
Before you release your app, ask yourself the question, “What problem does this app solve?” Why will users be attracted to it? There are plenty of strange viral app sensations out there. They end up topping the charts but do not frequently last. The apps with staying power are the ones addressing a need in the lives of their users.
When people say, “I wish there was an app for that” and a search reveals your app, this generates excitement. Further, everyone loves being “the first” to know about a cool new product so they can tell their friends and colleagues about it. This can only help your user base grow.”
What do you think is the best way to make your app stand out in an app store sea of applications? Share your thoughts in the comments section.
People have been talking about mobile technology's rise in the enterprise for years, but phenomena like bring-your-own-device programs are finally moving beyond the realm of trends into widespread, rapid adoption. A recent study from Good Technology found that the number of people globally who use their own smartphones in the workplace is expected to grow by nearly a third in the year ahead, from 132 million people currently to 174 million by the end of the year. With that rise, the number of business app installations is skyrocketing as well. But mobile apps still face substantial software security hurdles, creating an opening for developers who are willing to take the extra steps to build secure apps.
According to the Good Technology study, the number of workers bringing their own smartphones to their jobs will reach 328 million by 2017. More telling for developers, though, is that growth rate for enterprise app activations is accelerating. Activations were up 54 percent in the final quarter of 2013, an increase from the 42 percent growth rate in the previous quarter. Document editing accounts for the most popular business function for enterprise apps, but cloud storage and business intelligence programs are also seeing an increase. Another trend is that companies are investing in internal app development.
"What we get most excited about are the kinds of applications enterprises are building themselves," Good Technology CEO Christy Wyatt told Re/code. "We saw even more aggressive growth in Q4."
Securing the enterprise app
With application adoption growing and companies investing more in internal development, some questions still remain, however. Notably, mobile software security is becoming an increasingly prominent concern. A 2013 Sophos report found that Android has surpassed Windows as hackers' most targeted platform, a recent eWEEK feature noted.
"If the hackers are moving to mobile, both Android and iOS users should be scared – very scared," eWEEK contributor Don Reisinger wrote.
More business users in the mobile space could accelerate that trend even more, but the targets are already out there in many cases. A recent survey from security firm MetaIntell found that 92 percent of the top 500 Android apps contain either a security or privacy risk, eWEEK noted. And iOS users aren't immune either.
At the same time, developers have tools at their disposal to improve software security for mobile apps. Using static analysis software and peer code review as part of a secure development lifecycle, programmers can build more secure features into their apps. With open source scanning, organizations can identify software being brought in that may contain potential risks. With enterprise mobile adoption increasing at such a rapid rate, there is clearly a growing market for solutions that corporate IT departments can feel safe whitelisting. If the accelerating growth in workplace app installation is any indication, app security will be a topic raised in a widening array of businesses. App developers would be wise to deploy the tools that can help them ensure they're on the right side of the security conversation.