Category Archives: Blog


Uniface Details its Mobile Strategy and Roadmap during North American User Group Event

Other Conference Highlights Include Keynotes from Forrester Research and Uniface 10 Workshops


Uniface is hosting its annual North American user conference in Las Vegas this week, which brings together its many users from across the United States.

During the conference, Uniface will detail its mobile strategy for creating cross-platform mobile applications and how it can help address the current opportunities and challenges of developing mobile apps. Mike Gualtieri, Principal Analyst at Forrester Research, will add to the discussion with two keynote presentations: ‘Mobile Is the Norm, Now Innovation Must Begin’ and ‘The Future of Application Development’. It is an information-packed agenda with sessions updating attendees on the ‘new’ Uniface, customer presentations, Uniface 10 workshops, a speed networking event and much more. This event kicks off a Uniface world tour to help customers address the pressing challenge of mobile development, with events in Germany, the Netherlands, Mexico and Japan scheduled this year and other locations in the planning.


A Recap of the First Uniface 10 Workshop

Last week I had the pleasure of running the very first Uniface 10 Workshop, the first time anyone outside Uniface has got their hands on the new IDE being introduced in Uniface 10.


Our aim for the session was to trial-run the workshop that we’d be using at this year’s user events. Having a large group of customers in the room was also too good an opportunity to miss, so we were keen to use the day to get as many first impressions, thoughts and ideas from people as possible.

In all we had 22 people from the Netherlands, Belgium, England and Germany, representing 11 different companies. This included a number of unscheduled gate-crashers, making for a very busy classroom!

After some scene-setting presentations from Adrian Gosbell, Henk van der Veer and Erik Mulder from Ergos (http://www.ergos.nl/), everyone dived into the workshop exercises, exploring the new IDE whilst building a small Uniface web application. We had plenty of Uniface lab staff on hand to answer questions (thanks guys!) and before long everyone was well on their way.

Since Uniface queries were being fielded by a crack team of our own developers, I was free to wander around and discuss things with anyone who made eye contact. Of particular interest to me was discussing how the new project concepts in Uniface 10 can aid people’s development processes and release procedures. I love a good release procedure.

To wrap things up we split into groups to discuss specific areas of the IDE. Everyone was able to pick an area such as projects, navigation or script editors and have a focused discussion on it, with a chance to put questions and opinions to the Uniface 10 development team directly.

I’d like to thank everyone who made the trip to Amsterdam. The feedback around Uniface 10 has already been very positive and invaluable. We certainly have a lot of bedtime reading to get through.

My main objective for the session was to ensure that the exercises and the workshop environment technically worked and were enjoyable to go through. On this front we’ve been able to make some tweaks here and there ahead of the user events. So many thanks again to all the willing guinea pigs.


This Week: Uniface Hosts Inaugural, Global Distributors and Resellers Conference 2014

Uniface’s Inaugural Global Distributors and Resellers Conference Entitled – “ABC = Always Be Closing”

Uniface is looking forward to its inaugural conference, which brings together its leading distributors and resellers from across the globe in Amsterdam this week.

Uniface is pleased to offer its distributors and resellers the chance to attend the inaugural conference, which gives attendees a range of commercial and technical topics over three intense days of sessions. These are all aimed at giving maximum knowledge to key players in our global distributor and reseller network, along with the opportunity to increase awareness and understanding of our products and services and to develop enhanced partnerships within our partner ecosystem. The event also aims to boost our understanding of distributors’ and resellers’ requirements by providing feedback opportunities on the range of benefits offered.

We would like to take this opportunity to welcome this year’s attendees: Acenet Oy, Finland; ACRUX, Mexico; COMPUAMERICA C.A., Venezuela; Freelance Consultant, Italy; Icignus Tecnologia, Brazil; IT IS, The Netherlands; Labinf Sistemi, Italy; ONE1, Israel; Shanghai Yungoal Info Tech Co., Ltd, China; Sogeti, The Netherlands; TaKT, Japan; Techshire, India; Wizrom Software, Romania; XEE Tech – Mobilne Aplikacije d.o.o., Croatia.


Automated Security Analysis for Uniface Web Applications

Guest contributor, Job Jonkergouw, Uniface Intern

Last February I started my internship at Uniface. In need of a research project for my Master’s in Software Engineering, I tried my luck at the Uniface headquarters in Amsterdam, which offered a subject that was both challenging and socially relevant: the security of web applications.

Security is a hot issue in today’s IT landscape, as news of stolen user databases and hacked websites regularly hits the headlines. Traditionally, developers react by implementing countermeasures such as firewalls and SSL, but according to experts this is not enough: “secure features do not equal security features” (see Howard & LeBlanc, Writing Secure Code). Software has to be written with security in the minds and hearts of the developers.

In an attempt to ensure code security, models like Microsoft’s SDL and OWASP’s SAMM recommend various steps during development. These include security requirement specification, architecture review, threat modeling and other practices. Another important guideline is security code review. However, done by humans this can be tedious and requires a high level of expertise, which is why many developers opt for something quicker.

Automated code review will be familiar to anyone who has used Word’s spell checker or a sophisticated IDE such as Eclipse. For the purpose of security analysis, automated tools can check each line of code for dangerous function calls, suspicious comments or unchecked input and output. This is commonly known as static security analysis, in contrast to dynamic security analysis: emulating actual attacks on the web application. Also known as pen testing, it is commonly carried out by sending HTTP requests containing dangerous payloads such as SQL injection or cross-site scripting.

The objective of my research project was to gauge the difference between using dynamic and static security analysis for Uniface web applications. To test this empirically, I designed an experimental website that contained several exploitable vulnerabilities. Several tools, both dynamic and static, were then tested on their ability to find each of these vulnerabilities.

The first objective was to identify the security analysis tools to be used. Some popular products such as IBM’s AppScan and HP’s WebInspect require thousands of dollars in licensing fees, making them impractical for my studies, while others don’t support the technologies used by the Uniface framework. Another issue is that more and more commercial products are being offered as Software-as-a-Service (SaaS) in the cloud. While this makes it easier for the vendor to manage licenses, it can be detrimental for developers who would rather not upload their source code to a third party or have a testable web application deployed live on the web.

Although these considerations struck many of the popular solutions from my list, there were still enough tools left to experiment with, most of them open source. Making the final cut were five static analysis tools (FindBugs, LAPSE+, VCG, Veracode and Yasca) and five dynamic analysis tools (IronWASP, N-Stalker, Wapiti, w3af and ZAP).

The test environment was developed quickly using the Uniface Development Framework. During this step, I injected several vulnerabilities by removing a few important lines of Proc code and twisting the properties of some of the widgets. These included accessing other users’ pages by modifying the user ID in the URL, and unrestricted file uploading. As these were mainly behavioural issues, these types of vulnerabilities were only detectable with dynamic analysis, since no static tool can read Proc code.

Other modifications I made at the Java source code level on the web server. These included removing important sanitization checks that normally prevent dangerous attacks such as SQL injection and cross-site scripting. The notable difference is that Java code is well understood by many static analysis tools.
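As an added illustration (my code, not the thesis test site or any of the tools named above), this is the kind of source-to-sink check a static analyser applies to Java: it is run over constructed servlet fragments with the sanitizing step removed and with it present, and a third fragment shows why static tools report more false positives than dynamic ones. The Java lines, the sink list and the `escapeHtml` helper name are all assumptions.

```python
import re

# Constructed Java servlet fragments (not the thesis test site). VULNERABLE has the
# sanitising steps removed, as the text describes; FIXED keeps them; SAFE_BUT_FLAGGED
# converts the parameter to an int, which a pattern-based tool still reports.
VULNERABLE = [
    'String id = request.getParameter("userId");',
    'ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE id = " + id);',
    'out.println("<b>Welcome " + request.getParameter("name") + "</b>");',
]
FIXED = [
    'String id = request.getParameter("userId");',
    'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");',
    'ps.setString(1, id);',
    'out.println("<b>Welcome " + escapeHtml(request.getParameter("name")) + "</b>");',
]
SAFE_BUT_FLAGGED = [
    'int id = Integer.parseInt(request.getParameter("userId"));',
    'ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE id = " + id);',
]

SOURCE = "request.getParameter("                       # where untrusted data enters
SINKS = {"executeQuery(": "SQL injection", "out.println(": "cross-site scripting"}
SAFE_CALLS = {"executeQuery(": (), "out.println(": ("escapeHtml(",)}  # wrappers that neutralise a sink
ASSIGN = re.compile(r'^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$')

def uses_tainted(code, tainted):
    """True if any tainted variable appears as a whole word in the code."""
    return any(re.search(r'\b' + re.escape(v) + r'\b', code) for v in tainted)

def find_taint_flows(lines):
    """Naive line-by-line taint tracking; returns (line_no, issue) pairs."""
    tainted, findings = set(), []
    for no, line in enumerate(lines, start=1):
        code = re.sub(r'"[^"]*"', '""', line)          # ignore words inside string literals
        dirty = SOURCE in code or uses_tainted(code, tainted)
        m = ASSIGN.match(code)
        if m and dirty:
            tainted.add(m.group(1))                     # taint propagates through assignment
        for sink, issue in SINKS.items():
            if sink in code and dirty and not any(s in code for s in SAFE_CALLS[sink]):
                findings.append((no, issue))
    return findings

if __name__ == "__main__":
    for name, sample in (("VULNERABLE", VULNERABLE), ("FIXED", FIXED),
                         ("SAFE_BUT_FLAGGED", SAFE_BUT_FLAGGED)):
        print(name, find_taint_flows(sample))   # the third report is the false positive
```

The `SAFE_BUT_FLAGGED` report is the false positive: a human reviewer sees that `Integer.parseInt` leaves nothing injectable, while the pattern-based check only sees a tainted variable reaching `executeQuery`.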

[Image: Job blog1]

The resulting website containing the vulnerabilities is shown above. Each tool was tested on its rate of discovery and its number of false positives. The latter number was much higher for most static tools, but this was expected from prior research and for theoretical reasons. The number of vulnerabilities each tool found varied widely, as can be seen in the graphs below. Some vulnerabilities were hard to find at all (such as path traversal, which requires guessing the right file name). But this was perhaps due to the nature of Uniface being hard to scan, which also makes it harder for actual attackers. A more detailed discussion of the results can be found in my final thesis [link].

[Image: Job blog2]

Despite the results containing few surprises, the internship offered me a great time at the Uniface development department, which proved to be both helpful and educational.

In just a few months’ time I was able to learn a new development language, build an application and carry out the work for my thesis thanks to the working environment and colleagues that helped me overcome any big hurdle. For this, my gratitude.

HTML Widget with a Java Applet: How to stop security warnings

Security warnings hinder the end user when starting a Java applet in the Uniface HTML widget. This document provides a step-by-step guide on how to stop the security warnings and even block them with a so-called “rule set”.

Security warnings the old way

According to Oracle’s documentation, the end user will in almost all cases be presented with a warning when starting a Java applet in the browser for the first time. Even the lowest possible security setting in the Java console is described as:

Medium – All applications are allowed to run with security prompts.

See http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/jcp.html

The list of exceptions in the Java console also shows that you can be prompted with a security warning:

[Image 1]

By switching the cache ON in the Java console, the warning is only displayed once. After this the application runs without warnings and can even be restarted.

[Image 2]

Other options

Keep the security setting in the Java console on High, which by default blocks the applet completely.

[Image 3]

Add the URL to the list of exceptions:

[Image 4]

In my case this was:

file:///D:\usys91\HTML_JavaApplet\mx04\dynamic\applet_ComponentArch_DynamicTreeDemo\build\classes\AppletPage_WithAppletTagUsingJNLP.html

Including the page name!

This means that security is not compromised and the warning is only shown once when the cache is on.

Rule set and no warnings at all

As explained earlier, you can run a Java applet without security warnings by using a rule set; however, the applet must be signed for this and a so-called deployment rule set JAR file must be added. Documentation can be found at the following locations. In the next chapters I describe a step-by-step process to get the Java applet running in a UNIFACE HTML widget without warnings.

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

http://wraithhacker.com/java-deployment-rule-set/

How to stop the security warnings for a known applet

In the following chapters I take a step-by-step approach to make it possible to run a known applet in the UNIFACE HTML widget without bothering the end user with security warnings. In this sample, the applet JAR file is on the end user’s computer, as is the HTML file referring to this applet. Of course the file:/// location can be replaced by a server-side location such as http://

This small manual on how to get the “rule set” working is based on Oracle’s DynamicTree sample, which you can find at the following address:

http://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html

Download the zip file with all the bits and pieces you need:

http://docs.oracle.com/javase/tutorial/deployment/applet/examples/zipfiles/applet_ComponentArch_DynamicTreeDemo.zip

Before you start, make sure your PATH variable includes the Java bin folder; otherwise the command lines shown in the steps won’t work.

Command line tools used

Command     Description
jar         Creates a JAR archive
keytool     Creates a keystore and certificate
jarsigner   Signs a JAR archive with a keystore file
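As an added example (my code, not the rule set from the step-by-step document), the following Python script writes the ruleset.xml described above, with a “run” rule for one known applet location and the default behaviour for everything else, and then runs the keytool, jar and jarsigner commands from the table to produce a signed DeploymentRuleSet.jar. The applet location, keystore name, alias and password are assumed values.

```python
import os, shutil, subprocess
import xml.etree.ElementTree as ET

def build_ruleset_xml(run_locations):
    """ruleset.xml text: 'run' (no prompts) for each location prefix, 'default' for all else."""
    root = ET.Element("ruleset", version="1.0+")
    for loc in run_locations:
        rule = ET.SubElement(root, "rule")
        ET.SubElement(rule, "id", location=loc)       # matches RIAs loaded from this prefix
        ET.SubElement(rule, "action", permission="run")
    catch_all = ET.SubElement(root, "rule")           # last rule, empty id: matches everything else
    ET.SubElement(catch_all, "id")
    ET.SubElement(catch_all, "action", permission="default")
    return ET.tostring(root, encoding="unicode")

def rules_of(xml_text):
    """(location, permission) per rule, for checking a generated or downloaded ruleset.xml."""
    return [(r.find("id").get("location"), r.find("action").get("permission"))
            for r in ET.fromstring(xml_text).findall("rule")]

def signing_commands(keystore, alias, password):
    """The keytool / jar / jarsigner invocations from the table, as argv lists (run in the work dir)."""
    return [
        ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
         "-validity", "365", "-keystore", keystore, "-storepass", password,
         "-keypass", password, "-dname", "CN=Deployment Rule Set, O=Example"],
        ["jar", "cf", "DeploymentRuleSet.jar", "ruleset.xml"],
        ["jarsigner", "-keystore", keystore, "-storepass", password, "DeploymentRuleSet.jar", alias],
        ["jarsigner", "-verify", "DeploymentRuleSet.jar"],
    ]

def build_and_sign(run_locations, workdir, alias="ruleset", password="changeit"):
    """Write ruleset.xml in workdir and produce a signed DeploymentRuleSet.jar next to it.
    Returns the jar path, or None when the JDK tools are not on the PATH."""
    if not all(shutil.which(t) for t in ("keytool", "jar", "jarsigner")):
        return None
    with open(os.path.join(workdir, "ruleset.xml"), "w", encoding="utf-8") as f:
        f.write(build_ruleset_xml(run_locations))
    keystore = os.path.join(workdir, "ruleset.jks")   # self-signed: the client must trust this cert
    for cmd in signing_commands(keystore, alias, password):
        subprocess.run(cmd, cwd=workdir, check=True)
    return os.path.join(workdir, "DeploymentRuleSet.jar")

if __name__ == "__main__":
    import tempfile
    # Assumed location (not from the original post); the post's file:/// URL would go here instead.
    jar = build_and_sign(["http://intranet.example/applets/"], tempfile.mkdtemp())
    print(jar or "JDK tools not on PATH; build_ruleset_xml() still produces the ruleset.xml")
```

The signed jar goes in C:\Windows\Sun\Java\Deployment\ on Windows or /etc/.java/deployment/ on Linux; because the keystore here is self-signed, its certificate must first be imported into the Java trusted certificates, or the client ignores the rule set.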


Download the step-by-step document