Benioff trumpets Force.com platform's success

Salesforce.com CEO Marc Benioff on Thursday attempted to cement an image of the vendor as a full-blown application development platform provider, not merely a purveyor of SaaS (software-as-a-service) applications. More than 135,000 custom applications have been built with Force.com and more than 200,000 programmers now belong to the company's developer network, the company said. The colorful CEO pulled a familiar arrow from his rhetorical quiver during a keynote address at the Dreamforce conference in San Francisco, decrying the annual software maintenance fees vendors like Oracle charge, and imploring customers of those companies to align themselves with Salesforce.com and its Force.com development platform. "They think it's their purpose in life to collect those taxes on software development [technologies] that were developed a decade ago," he bellowed. "When are you going to ask for innovation instead of paying maintenance?" But according to Salesforce.com, many already have. Salesforce.com claims its system, available by subscription starting at US$25 per user per month, allows companies to develop applications much more quickly and less expensively than with traditional development stacks.

Also, since companies are using Salesforce.com's own cloud infrastructure, there is no need to invest in hardware. Part of the reason for this is that developers do not need to test their applications against multiple combinations of databases, application servers and other components. But Force.com development also presents a trade-off, since it could difficult to port an application built there elsewhere. CA on Thursday announced plans to release CA Agile Planner, a Force.com-built system for managing agile software development projects. Still, Salesforce.com is beginning to attract ample interest from some of the industry's largest software vendors.

Agile development lets teams create many incremental iterations of an application, allowing for continual feedback from end-users and managers along the way. Both companies described how they built ERP (enterprise resource planning) applications on Force.com. BMC executives also took the stage to showcase the company's own Force.com project, a service-desk application that will be released in 2010. The keynote also showcased how Force.com is being used by businesses as well as ISVs. Benioff introduced officials from a variety of companies, including countertop maker Vetrazzo and the Japanese convenience-store chain Lawson. Force.com may indeed be a more convenient method of developing applications, especially if a company isn't dealing with a wealth of legacy systems, said Michael Coté, an analyst with Redmonk. "Just having a Web site to log into, that's a better way of getting IT in general," he said. IT shops will have plenty of cloud development platforms to choose from in the months and years ahead, including Microsoft's Azure, Coté said.

However, "not everyone is lucky enough that they can start from a clean slate," he added. Therefore, the best approach may be to initially experiment with small projects, especially because doing so will help companies determine "how this new way of delivering software affects the business," he said.

FCC identifies roadblocks to broadband adoption

Several factors, including a lack of a broadband subsidy program at the U.S. Federal Communications Commission, have contributed to gaps in broadband adoption in the U.S., a new report from an FCC task force said. The task force suggested that broadband deployment and adoption programs should be included in the FCC's Universal Service Fund (USF) program, which now subsidizes primarily telephone service for rural areas and low-income U.S. residents. Several "critical gaps" in the nation's broadband efforts must be filled before all U.S. residents can get broadband, said the task force, working on a national broadband plan for the FCC. The task force report identified several often-mentioned factors for a lack of broadband adoption, including the cost of the service and a lack of deployment in some areas, but it also focused on some less obvious issues.

Part of the fund, with an annual budget of about US$7 billion, should be shifted to broadband, the task force said. Freeing up new spectrum can take several years, and a handful of studies have predicted a spectrum shortage by the mid-2010s due to growth in subscribers and use of bandwidth-heavy applications, said Ruth Milkman, chief of the FCC's Wireless Telecommunications Bureau. "We know there's a spectrum gap, and we know we need to act in the near term," she said. In addition, the task force recommended that the FCC begin looking for additional wireless spectrum for mobile broadband. The task force report also suggested that video and a convergence between television sets and computers will drive the demand for broadband. There may be ways for the FCC to encourage a retail set-top box market, the task force said. But the TV set-top-box market has seen relatively few innovations in recent years, with most cable subscribers leasing their set-top boxes from their providers, commission staff said.

Another roadblock to broadband adoption is a lack of information about broadband services, the task force said. There is "no shortage of issues" that the FCC should address in its national broadband plan, due Feb. 17, said Eric Carr, general manager of the FCC's Omnibus Broadband Initiative. It can be difficult for consumers to compare the performance of their broadband service to advertised speeds or compare the performance of different broadband providers, the report said. FCC members generally praised the task force's report, but Commissioner Michael Copps said he wanted to see a greater emphasis on civic engagement as a driver for broadband adoption. I want to see a little more heightened emphasis on the point of civic engagement ... and on the point of how this encourages interactivity among the citizens of this great country of ours." Task force members talked about the need for a "fact-based" look at broadband needs, but there are bigger issues as well, Copps said. "This is an exercise that goes beyond metrics and beyond tangibles," Copps said. "I would urge you to look at the intangibles that are involved here.

India schedules 3G license auction for December

India's auction of 3G and WiMax licenses is now scheduled to be held in December, according to a notice on the Web site of the country's Department of Telecommunications. Bidding for 3G licenses will start Dec 7, with the WiMax auction scheduled to start two days after the 3G auction is complete, according to the notice. The auction was originally scheduled for January of this year, but was postponed after disagreement within the government on the minimum cost of the licenses.

Both Indian and foreign companies are allowed to bid for the licenses, but foreign companies will have to set up joint ventures with Indian investors to run services in the country. The Ministry of Communications will license four slots for 3G in each of India's 22 service areas, with a fifth slot reserved for two government-run telecommunications companies. A group of ministers, set up to resolve the dispute over pricing the licenses, has named Indian rupees 250 billion (US$5 billion) as the minimum revenue from the auction of the 3G and WiMax licenses in the country, India's Minister of Communications, A. Raja said last month. A telecommunications company bidding for 3G licenses in all 22 circles will have to pay at least Indian rupees 35 billion, according to the new minimum pricing proposed by the Indian government. Two companies, Bharat Sanchar Nigam Ltd. and Mahanagar Telephone Nigam Ltd., were allotted 3G spectrum ahead of the auction, and have started offering services. By the pricing announced last year, they would have to pay about rupees 20 billion.

The government said last year that these companies would have to pay license fees equal to the highest bid in each service area. The final date for applications from bidders is Nov 13.

Mozilla unblocks one sneaky Microsoft add-in

Mozilla has unblocked one of the two Microsoft-made add-ons that put Firefox users at risk from attack and will probably unblock the second in the next 48 hours, the company's head of engineering said today. "We've unblocked the .NET Framework Assistant," said Mike Shaver, Mozilla's vice president of engineering, on Monday morning. Late on Friday, Mozilla added .Net Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list , which then threw up a warning to users notifying them that the pair was being barred from Firefox. Shaver was referring to one of the two Microsoft components that Mozilla automatically disabled late Friday after deciding it needed to protect Firefox users from a critical vulnerability Microsoft disclosed, and patched, last week. "We got confirmation from Microsoft over the weekend that the add-on wasn't a[n attack] vector for the vulnerability in question," said Shaver.

Mozilla has also pushed out a change that will let users running Firefox 3.5 override the block, added Shaver. The block of Windows Presentation Foundation will likely be lifted in the next two days. "Microsoft is watching the patch deployment numbers, and sharing them with us," said Shaver. "At some point, we'll take the [Windows Presentation Foundation] plug-in off the blocker. That change came out of discussions with enterprise Firefox users who said that they needed the two components to run their .NET-based software within the browser. I expect that to happen in the next 48 hours." Last week, Microsoft's security team acknowledged that its software - which had been silently installed in Firefox as far back as February 2009 - contained a critical vulnerability that could be used by hackers to hijack Windows PCs through Firefox . The vulnerability also affected all versions of Internet Explorer (IE), including IE8. However, the MS09-054 bulletin, which provided details on the vulnerability, said nothing about Firefox. Friday, Shaver cited the severity of the vulnerability and the difficulty some users have had in removing Microsoft's software as Mozilla's reasons for engaging the blocking list.

Later last Tuesday, Microsoft expanded on MS09-054 in a blog post, and confirmed that Firefox users were in danger . Microsoft maintained that Firefox users who applied the patches would be safe from attack, but Mozilla felt that was not enough. Removing the Microsoft add-on and plug-in have been a contentious issue since Microsoft first slipped them into Firefox without users' permission last February as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update. Later, Microsoft issued a follow-on update that made it possible to uninstall the components without a registry edit. Users were also furious that the software was impossible to uninstall without editing the Windows registry. Shaver denied that there was miscommunication between Microsoft and Mozilla, and instead characterized it as a "lack of clarity." "We're going to be in better communication," he promised, "especially about things like the version number of the [affected] plug-in." One of the problems Mozilla had last week was determining what - .NET Framework Assistant or Windows Presentation Foundation, or both - was vulnerable, and specifically what versions were at risk to attack. "This was an unusual case of using the blocker," Shaver said. "Version information was not available to us at first, and since [the software] was installed by many users, many of them were unaware they even had it, and the add-on and plug-in were difficult to uninstall, we thought it best to block them, at least for a time.

We do that with add-ons in Firefox now, which checks for those added since the last time you ran the browser. Microsoft agreed." Mozilla has used its add-on/plug-in blocking tool only nine times, including last week's incident, since it first deployed it in 2007. In the future, Firefox will include built-in tools that check whether components have been added by third-party software, then disable the add-on or plug-in by default and notify the user and allow him or her to enable the component(s). That kind of check, if it had existed earlier this year, would have kept the Microsoft software from being installed without Firefox users noticing. "We're big believers in informed user choice," said Shaver. "So we're going to improve notifications to users when plug-ins are installed. We will do the same thing for plug-ins, likely in Firefox 3.7." That version of Firefox, the second of two minor upgrades scheduled for the next six months, is currently slated to ship in March 2010. Since Version 3.0, Firefox has notified users when any new add-ons, called "extensions" by Mozilla, have been installed since the last time the browser was launched. The plan now is to make those notifications clearer, and also to warn about system-installed items before they're running, Shaver said. "We're also building our plug-in check into the product for Firefox 3.6," added Shaver, referring to the outdated plug-in campaign that Mozilla kicked off last month, and bolstered last week when it launched a plug-in checking service . Firefox 3.6 will warn users of outdated third-party plug-ins, like Adobe's Flash or Apple 's QuickTime, when the browser reaches a site that calls upon such software. "We've learned a lot from this," concluded Shaver. "We're not trying to get into an adversarial model, but this was more visible than most [blocks in the past] because of the size of the company involved and the history of the plug-in. "I would call the communication between us and Microsoft 'greatly clarified' as of now," Shaver said. That notification, however, is "poor," acknowledged Shaver, since it simply highlights the new add-ons in a window and most importantly, does so after the add-on has already been installed.

Making Sense of Rapid7's Metasploit Acquisition

News of Rapid7's Metasploit acquisition hit some in the information security community like a clap of thunder. But in the hours after Wednesday morning's announcement, cautious optimism began to take hold. The Metasploit Project has a deep, loyal user base, and it's always unsettling to those who rely on open-source tools when those tools are snatched up by a commercial vendor. Some IT security practitioners started to see the potential benefits of a Rapid7-Metasploit union - providing the vendor handles its new property and user base with great care. "They certainly have acquired an exceptional back-end research capability," said Pete Hillier, CISO at CMA Holdings in Ottawa. "The question is if they can ensure the continuity once the acquisition is complete?" Some are skeptical of that, including Richmond, Va.-based IT security practitioner Rick Lawhorn, who quipped in an e-mail: "The road to hell is paved with good intentions.

It also promised to "sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success." "Metasploit and Rapid7 NeXpose are uniquely positioned to improve upon the industry-leading capabilities of both products and to raise the bar on the industry at large," Mike Tuchen, president and CEO of Rapid7, said in a press release. "With our broader solution portfolio, we are the first security provider to meet the demand of enterprises and government agencies in enabling them to identify and mitigate exploitable threats in their IT environment based on their security risk profile." The vendor said Metasploit Project founder HD Moore will become Rapid7's chief security officer and will remain Metasploit`s chief architect. Unfortunately, the ones who will be happy are the bad guys; with a potentially-reduced focus on making things secure and greater focus on profitability." Rapid7, a vendor of unified vulnerability management, compliance and penetration testing tools, said it will use Metasploit to enhance its NeXpose product. For his part, Moore predicts big dividends for his user base. "This acquisition provides dedicated resources to the project, accelerating our growth and allowing us to provide even better solutions to the community," he said in the Rapid7 press release. "Rapid7 recognizes the value of the community and is passionate about the success of the project." Nick Selby, a faculty member of the Institute for Applied Network Security (IANS) and managing director of Trident Risk Management, is among those expressing optimism. "The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing," he wrote Wednesday in the IANS blog. "Quality will likely rise, average price will likely fall, and functionality will likely increase. The Rapid7-Metasploit union will likely shake up that dynamic, to the benefit of buyers and end users, he added. This is a good time to be in the market for pen-test software." See also: Why Pen Testing is Central to Pennsylvania's App Security Selby wrote that the dynamics of the pen-testing market have been that Core Security sat atop the marketplace in terms of price, scale and enterprise usability while Immunity Security "cleaned up at the lower end of the enterprise market" and dominated for vendors and professional services types who also used Metasploit as a free tool.

Boston-based IT security practitioner Zach Lanier said the acquisition is "phenomenal" news for Moore, Egypt (a Metasploit developer, now joining the project/Rapid7 full time), and Rapid7 as a whole. "Naturally, this acquisition will give Metasploit access to more resources, including more full-time team members; Rapid7's knowledge base; and technology and tools," he said. "This will also bring more visibility to Rapid7's vulnerability scanner, NeXpose, given the complementary nature of the Metasploit Framework." Though he's reluctant to simply accept that there will be little-to-no change in the Metasploit Framework's licensing and open source nature, Lanier said he's "pretty confident" Moore and others "will adamantly defend such important principles." Gadi Evron, a security strategist based in Israel, said the acquisition at least goes to show that not-for-profit work can exist in today's market and be competitive enough to draw commercial interest. Asked if he believes Rapid 7 will handle its new acquisition in a way that will benefit users or, at the least, do no harm, Evron said, "One would hope they would, just as one would hope HD made sure they would."