Application Security Testing: An Integral Part of DevOps
Mobile computing devices abound. Most of us have them in our pockets and purses—the joy of the omnipresent cell phone. The newer the model, the more likely it is to be "computing capable." A new cell phone has computing power equivalent to that of a 1998 desktop computer; next year's will be better yet. Yet, for the time being, the computing power of mobile devices has gone largely unutilized. This is about to change, however, and the exciting part is that this change will encompass just about everything—you included.
Mobile computing is not a new concept. In fact, Microsoft acknowledged its importance in the software industry some time ago when it changed its vision statement from "a computer on every desk and in every home" to "empower people through great software any time, any place, and on any device." This vision shifts the location of the software. Whereas it used to reside on "every desk and in every home," software will now reside everywhere and on every device. That device includes your phone. Mobile computing is one of the new starting players in the technology lineup. It may be a rookie, but it has MVP prospects.
The Transformation of "Everything We Do"
Bill Gates (BG) announced recently, "We're entering an era when software will fundamentally transform almost everything we do." One might add that mobile computing specifically will contribute significantly to the transformation of "everything we do." But this raises deeper questions: Why mobile computing now? What is the catalyst that will propel mobile computing into our quotidian routines?
The answer is simple once you consider that creating mobile software applications has traditionally been very difficult, painful even. This difficulty has led to the dearth of mobile applications, which subsequently relegated the PDA to little more than a glorified address book. The "software is the constraint" [BG, PDC 03], and for mobile computing this has certainly been true—until next year, that is. Next year, the release of Visual Studio.NET 2005 (VS.NET '05) will provide software developers with a viable software development environment for creating sophisticated mobile applications for the Pocket PC operating system. VS.NET '03 was pretty good, but VS.NET '05 is better because it makes key technologies more accessible: SMS, PC telephony, Bluetooth, and message queues (admittedly, Bluetooth might yet be simplified, and where's my G3—precursor to handheld porn?). For example, VS.NET '05 eases the difficulty in building applications that can place phone calls (which may lead to a renewed interest in PC telephony) and makes it significantly easier to build applications characterized by intermittent connectivity. Developers should soon be able to focus on function rather than feature and, as author Chris Date writes, on "what to do, rather than how to do it."
The software story is only half the picture, however. Until a few months ago, the hardware also left something to be desired. Personally, I reluctantly became Inspector Gadget, "strapped" with a Pocket PC on each hip (a Hewlett-Packard 5550 and a T-Mobile Pocket PC Phone Edition), ready to pull out my "gat" and point and click. The T-Mobile Pocket PC Phone Edition was useful, but certainly not enterprise ready—no wireless LAN and no Bluetooth (thereby useless for enterprise applications). The HP 5550 had impressive features such as wireless LAN, Bluetooth, and fingerprint security, but it lacked a phone. I ended up having to take both with me, the HP providing the Bluetooth needed to communicate with a Bluetooth navigation system (maps and directions), while the phone functioned to "integrate my life."
Having two Pocket PCs was certainly awkward. Finding an adapter for my car to support both of them would have been difficult without Arkon Resources, Inc. (www.arkon.com), which helped me from a purely practical point of view. Arkon is an example of a company propelling forward the convenience of mobile computing. A picture might best illustrate the need for convergence:
Arkon's resourcefulness led me to ask them to enact my own episode of "Pimp Out My Bike." Another picture might serve to give new meaning to the term mobility:
The hardware to support consumer and business mobile computing finally seems to have arrived. For example, HP's latest offering, the HP 6315, combines phone, Bluetooth, and wireless LAN for the first time (but it still needs more hard drive space!). The Treo 630 is another example of a valuable addition to the computing lineup. Still, the most demanding music connoisseurs will find current Pocket PC memory insufficient for song storage.
Software and hardware still don't paint the full picture, though. The story would just be incomplete if I didn't mention the plethora of other developments that are exerting an inexorable force on mobile computing. "Wireless everywhere" initiatives are increasing the availability of hot spots. Quite frankly, I thought the concept had arrived almost two years ago when, while walking in downtown San Francisco, I used my Pocket PC to instant message my brother in South Africa. Alas, I was deceived. It was a false positive! I could not use the phone on the Pocket PC and be connected online at the same time—terribly disappointing.
Voice over IP is now in our homes. I make most of my phone calls over my Internet-based phone (www.vonage.com). Skype also has created a voice communications application for the Pocket PC. I was able to use my HP Pocket PC (no phone) to make a phone call to another HP Pocket PC (no phone) over a wireless network. MPEG-4 does a much better job of compressing video and audio than its predecessors. As such, it enables quality video and audio to be piped at a lower bandwidth to mobile devices!
All this and I haven't even mentioned Tablet PCs!
And lest you think I did not give Java equal time, I'll throw respect across the shrinking divide: J2ME and BREW provide a solid Java-based mobile development platform. The standards, such as MIDP 2.0 (releasing for J2ME), are now at a point where they allow developers to go beyond simple applications and actually take advantage of devices. Java3D is giving non-Microsoft developers the ability to create cool applications, such as 3D games. These technologies are also working to push Microsoft and mobile computing.
With both the hardware and software ready to roll, all that is missing is you, the software developer who knows how to build the software that can take advantage of this nascent technology.
Software Today vs. Software Tomorrow
If you could look into the future, you might well understand why BG believes that "just as software has driven the past 25 years of innovation, it will be the key to enabling another quarter-century of breakthroughs—and in the process, transforming how people live, work, learn, and are entertained."
The societal impact of software already has been significant. Online dating is a common example of how technology can impact human relationships, and this trend is still in its infancy.
Today, users use the desktop computer to interact with computer programs. Tomorrow, a new breed of software application, "sense and respond" applications, will detect critical conditions where user intervention is required and contact the user through his or her mobile device. Today, developers build software applications that must run on the desktop or on the Web, but tomorrow they will build software that runs on multiple devices. My brother Michael (technological neophyte with all of two weeks' experience), in contrast to my loquacious verbosity, explained it somewhat more concisely: "Today's 'request and respond' software applications do what you tell them to do and answer what you ask, but with sense and respond, the applications speak to you. They ask you what you want based on what they have sensed."
The reason this ultimately will happen is that the delivery of timely and relevant information is a powerful value proposition. Dr. Mani Chandy, Simon Ramo Professor of Computer Science at the California Institute of Technology and an early researcher in distributed computing, says that mobile devices are much better suited for receiving personalized information dealing with important situations than for searching the Web. The key is personalization: You must provide information about situations that are critical to the user—and only those situations.
The killer app for mobile devices is the mobile application that will serve as the user's window to the world of software. This human interface application is remarkably simple; initial prototypes might well resemble an instant messenger application that blinks at you when an incoming event needs your attention. Later versions will be tied more closely to the human senses. The application would simply await incoming events that would contain all the information needed to interact with the user. The interaction would present information and garner information. This interaction must be rare: You don't want your mobile devices to be beeping at you frequently, and the information must indeed be critical. You do want to know immediately when something critical happens and don't want to be interrupted with non-critical events. From a technical perspective, the technologies to do this are available now: Message-queuing technology can be used to transport messages carrying XML payloads. The XML payload could be structured according to an XML schema that defines which information to present, and which information to garner. The human interface application should simply enable the interaction to occur. It is important to note that various forms of this human interface application will emerge. Voice-based communications will be one of them.
In short, the killer mobile device app is the end-point at which a human interacts with a software system that continuously monitors the world, correlating multiple streams of events and alerting the user only when necessary. Of course, mobile devices can be used to browse the Web and play games, even enjoy a good cantata. These apps are also important. Both types—proactive and reactive apps—will make billions of people carry mobile devices.
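As an added illustration of the human interface application described above (this is not code from the article or from any product it names), the following Python parses one queued XML event as untrusted input, interrupts the user only for critical events it has not delivered before, and accepts only answers the event actually asked for. The element and attribute names, the severity levels and the size limit are assumptions, since the article defines no schema.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
# Constructed sample message; element and attribute names are assumptions.
SAMPLE_EVENT = b"""<event id="evt-1" severity="critical">
  <present><item label="Status">Coolant pressure below threshold</item></present>
  <gather><field name="action"><option>shutdown</option><option>ignore</option></field></gather>
</event>"""
MAX_BYTES = 16 * 1024                          # assumed cap on one queue message
SEVERITIES = {"info", "warning", "critical"}   # assumed severity vocabulary

class RejectedEvent(ValueError): pass          # payload must not reach the user

@dataclass
class Event:
    event_id: str
    severity: str
    present: list   # (label, text) pairs to show the user
    gather: dict    # field name -> options the user may answer with

def parse_event(raw: bytes) -> Event:
    """Parse one queue message, treating it as untrusted input."""
    if len(raw) > MAX_BYTES:
        raise RejectedEvent("payload too large")
    try:
        text = raw.decode("utf-8")             # one encoding only
        if "<!DOCTYPE" in text or "<!ENTITY" in text:
            raise RejectedEvent("DTDs are not accepted")  # no entity expansion
        root = ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError) as exc:
        raise RejectedEvent(f"malformed payload: {exc}") from exc
    event_id, severity = root.get("id"), root.get("severity")
    if root.tag != "event" or not event_id or severity not in SEVERITIES:
        raise RejectedEvent("missing or unknown id/severity")
    present = [(i.get("label", ""), (i.text or "").strip())
               for i in root.findall("./present/item")]
    gather = {f.get("name"): [o.text for o in f.findall("option")]
              for f in root.findall("./gather/field") if f.get("name")}
    return Event(event_id, severity, present, gather)

def should_interrupt(event: Event, seen_ids: set) -> bool:
    """Alert only on critical events that have not been delivered before."""
    if event.severity != "critical" or event.event_id in seen_ids:
        return False
    seen_ids.add(event.event_id)
    return True

def valid_reply(event: Event, reply: dict) -> bool:
    """Accept an answer only for the fields and options the event asked for."""
    return set(reply) == set(event.gather) and all(
        reply[name] in event.gather[name] for name in reply)
```
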
When mobile devices reach that level of ubiquity, the problems associated with spam must not be allowed to propagate to mobile computing. Dr. Chandy is on the money when he says "you will turn off systems that send you too many false alerts" (false positives). This is perhaps best illustrated by his biological metaphor for Sense & Respond.