Mule in Action, 2nd Edition – Want to be an integration developer? Here’s a good start – #bookreview

 

Mule in Action, Second Edition

David Dossot, John D’Emic, Victor Romero

(Manning – paperback)

 

An enterprise service bus (ESB) can help you link together many different types of platforms and applications–old and new–and keep them communicating and passing data between each other.

“Mule,” this book’s authors note, “is a lightweight, event-driven enterprise service bus and an integration platform and broker.  As such, it resembles more a rich and diverse toolbox than a shrink-wrapped application.”

Mule in Action, Second Edition, is a comprehensive and generally well-written overview of Mule 3 and how to put its open-source building blocks together to create integration solutions and develop them with Mule. The book provides very good focus on sending, receiving, routing, and transforming data, key aspects of an ESB.

More attention, however, could have been paid to clarity and detail in Chapter 1, the all-important chapter that helps Mule newcomers get started and enthused.

This second edition is a recent update of the 2009 first edition. Unfortunately, the Mule screens have changed a bit since the book’s screen shots were created for the new edition. Therefore, some of the how-to instructions and screen images do not match what the user now sees. This gets particularly confusing while trying to learn how to configure a JMS outbound endpoint for the first time, using Mule Studio’s graphical editor. The instructions seem insufficient, and the mismatch of screens can leave a beginner unsure how to proceed.

The same goes for configuring the message setting in the Logger element. The text instructs: “You’ll set the message attribute to print a String followed by the payload of the message, using the Mule Expression Language.” But no example is given. Fortunately, a reviewer on Amazon has posted a correct procedure. In his view, the message attribute should be: We received a message: #[message.payload]  –without any quote marks around it. (It works.)

Of course, this book is not really aimed at beginners–it’s for developers, architects, and managers (even though there will be Mule “beginners” in those ranks). Fortunately, it soon moves away from relying solely on Mule Studio’s graphical editor. The book’s examples, as the authors note, “mostly focus on the XML configurations of flows.” Thus, there are many XML code examples to work with, plus occasional screen shots of the flows as they appear in Mule Studio. And you can use other IDEs to work with the XML, if you prefer.

Indeed, the authors note, “no functionality in the CE version of Mule is dependent on Mule Studio.”

Overall, this is a very good book, and it definitely covers a lot of ground, from “discovering” Mule to becoming a Mule developer of integration applications, and using certain tools (such as business process management systems) to augment the applications you develop. I just wish a little more how-to clarity had been delivered in Chapter 1.

Si Dunn

Making Sense of NoSQL – A balanced, well-written overview – #bigdata #bookreview

Making Sense of NoSQL

A Guide for Managers and the Rest of Us
Dan McCreary and Ann Kelly
(Manning, paperback)

This is NOT a how-to guide for learning to use NoSQL software and build NoSQL databases. It is a meaty, well-structured overview aimed primarily at “technical managers, [software] architects, and developers.” However, it also is written to appeal to other, not-so-technical readers who are curious about NoSQL databases and where NoSQL could fit into the Big Data picture for their business, institution, or organization.

Making Sense of NoSQL definitely lives up to its subtitle: “A guide for managers and the rest of us.”

Many executives, managers, consultants and others today are dealing with expensive questions related to Big Data, primarily how it affects their current databases, database management systems, and the employees and contractors who maintain them. A variety of  problems can fall upon those who operate and update big relational (SQL) databases and their huge arrays of servers pieced together over years or decades.

The authors, Dan McCreary and Ann Kelly, are strong proponents, obviously, of the NoSQL approach. It offers, they note, “many ways to allow you to grow your database without ever having to shut down your servers.” However, they also realize that NoSQL may not a good, nor affordable, choice in many situations. Indeed, a blending of SQL and NoSQL systems may be a better choice. Or, making changes from SQL to NoSQL may not be financially feasible at all. So they have structured their book into four parts that attempt to help readers “objectively evaluate SQL and NoSQL database systems to see which business problems they solve.”

Part 1 provides an overview of NoSQL, its history, and its potential business benefits. Part 2 focuses on “database patterns,” including “legacy database patterns (which most solution architects are familiar with), NoSQL patterns, and native XML databases.” Part 3 examines “how NoSQL solutions solve the real-world business problems of big data, search, high availability, and agility.” And Part 4 looks at “two advanced topics associated with NoSQL: functional programming and system security.”

McCreary and Kelly observe that “[t]he transition to functional programming requires a paradigm shift away from software designed to control state and toward software that has a focus on independent data transformation.” (Erlang, Scala, and F# are some of the functional languages that they highlight.) And, they contend: “It’s no longer sufficient to design a system that will scale to 2, 4, or 8 core processors. You need to ask if your architecture will scale to 100, 1,000, or even 10,000 processors.”

Meanwhile, various security challenges can arise as a NoSQL database “becomes popular and is used by multiple projects” across “department trust boundaries.”

Computer science students, software developers, and others who are trying to stay knowledgeable about Big Data technology and issues should also consider reading this well-written book.

Si Dunn

Testing Cloud Services – How to Test SaaS, PaaS and IaaS – #cloud #bookreview

Testing Cloud Services

How to Test SaaS, PaaS & IaaS
Kees Blokland, Jeroen Mengerink and Martin Pol
(Rocky Nook – paperback, Kindle)

Cloud computing now affects almost all of us, at least indirectly. But some of us have to deal directly with one or more “clouds” on a regular basis. We select or implement particular cloud services for our employers or for our own businesses. Or, we have to maintain those services and fix any problems encountered by co-workers or employees.

Testing Cloud Services, written by three well-experienced test specialists, emphasizes that the time to begin testing SaaS (Software as a Service), PaaS (Platform as a Service), or IaaS (Infrastructure as a Service) is not after you have made your selections. You should begin testing them during the selection and installation processes and keep testing them regularly once they are live.

“Cloud computing not only poses challenges for testing, it also provides interesting new testing options,” the authors note. “For example, cloud computing can be used for test environments or test tools. It can also mean that all test activities and the test organization as a whole are brought to the cloud. This will be called Testing as a Service.”

Their well-written, six-chapter book deals with numerous topics related to using and testing cloud services, including the role of the test manager, identifying the risks of cloud computing and testing those risks, and picking the right test measures for the chosen services.

In Chapter 5, a significant portion of the book is devoted both to test measures and test management. “Testing SaaS is very different from testing PaaS or IaaS,” the writers state. Much of the lengthy chapter focuses on SaaS, but it also addresses PaaS and IaaS, and the authors describe the following test measures:

  • Testing during selection of cloud services
  • Testing performance
  • Testing security
  • Testing for manageability
  • Testing availability/continuity
  • Testing functionality
  • Testing migrations
  • Testing due to legislation and regulations
  • Testing in production

Particularly if you are a newcomer to choosing, testing, and maintaining cloud services, this book can be an informative and helpful how-to guide.

Si Dunn

The Practice of Network Security Monitoring – You’re compromised, so deal with it. #security #bookreview

The Practice of Network Security Monitoring

Understanding Incident Detection and Response
Richard Bejtlich
(No Starch Press – paperback, Kindle)

Security expert Richard Bejtlich’s focus in his new book is not on “the planning and defense phases of the security cycle.” Instead, he emphasizes how to handle “systems that are already compromised or that are on the verge of being compromised.”

His well-organized, well-written, 341-page book aims to help you “start detecting and responding to digital intrusions using network-centric operations, tools, and techniques.”

Bejtlich has long emphasized a “detection-centered philosophy” built around a straightforward central tenet: “Prevention eventually fails.” No matter how many digital walls and moats you build around your network, someone will find a way to tunnel in, parachute in, or sneak in via an unsuspecting employee’s $9.95 thumb drive.

“It’s becoming smarter,” he writes, “to operate as though your enterprise is always compromised. Incident response is no longer an infrequent, ad-hoc affair. Rather, incident response should be a continuous business process with defined metrics and objectives.”

You may recognize some of Bejtlich’s previous books on network security monitoring (NSM): The Tao of Network Security Monitoring; Extrusion Detection; and Real Digital Forensics.

The Practice of Network Security Monitoring is tailored toward two key audiences: (1) security professionals who have little or no experience with NSM; and (2) “more senior incident handlers, architects, and engineers who need to teach NSM to managers, junior analysts, or others who may be technically less adept.”

Readers, he add, should understand “the basic use of the Linux and Windows operating systems, TCP/IP networking, and the essentials of network attack and defense.”

The examples in Bejtlich’s book rely on open source and vendor-neutral tools, primarily from Doug Burks’ Security Onion (SO) distribution.

The 13-chapter book is organized into four parts:

  • Part I: Getting Started – Introduces NSM and sensor placement issues.
  • Part II: Security Onion Deployment – Shows how to install and configure SO.
  • Part III: Tools – Examines the “key software shipped with SO and how to use these applications.”
  • Part IV: NSM in Action – Looks at “how to use NSM processes and data to detect and respond to intrusions.”

Following the technical chapters, Bejtlich offers some concluding thoughts on network security management, cloud computing, and establishing an effective workflow for NSM. “NSM isn’t just about tools,” he writes. “NSM is an operation, and that concept implies workflow, metrics, and collaboration. A workflow establishes  a series of steps that an analyst follows to perform the detection and response mission. Metrics, like the classification and count of incidents and time elapsed from incident detection to containment, measure the effectiveness of the workflow. Collaboration enables analysts to work smarter and faster.”

He also observes: “It is possible to defeat adversaries if we stop them before they accomplish their mission. As it has been since the early 1990s, NSM will continue to be a powerful, cost-effective way to counter intruders.”

Si Dunn

CompTIA Security+ Exam SY0-301 Rapid Review – For Security+ certification – #bookreview

CompTIA Security+ Exam SY0-301 Rapid Review
Michael Gregg
(Microsoft Press – paperback, Kindle)

IT security professionals know the importance of certifications to their careers and their continuing credibility with employers or potential clients.

The CompTIA Security+ Exam SY0-301 Rapid Review is a handy and helpful guide for IT security specialists who are preparing for Exam SY0-301, to earn a CompTIA vendor-neutral Security+ certification

Important note: This book is for certification candidates who are already well-versed in their field. It is specifically “designed to assess your readiness for the SY-301 exam,” the author notes. “It is not designed as a comprehensive exam preparation guide.”

If you want to begin studying for Exam SY0-301, you are urged to start with the CompTIA Security+ Training Kit, which is scheduled for release in 2013.

The Rapid Review and the SY0-301 exam are aimed at IT professionals who have “a minimum of two years of experience in IT administration with a focus on security.”

Also, exam candidates should have “[d]ay-to-day technical information security experience” and “[b]road knowledge of security concerns and implementation.”

Like the exam, the Rapid Review focuses on six areas: (1) network security; (2) compliance and operational security; (3) threats and vulnerabilities; (4) application, data and host security; (5) access control and identity management; and (6) cryptography.

Along with definitions and explanations, the Rapid Review challenges the reader with numerous true-false questions and “Can you answer these questions?” queries. The true-false answers and their explanations are presented immediately after the true-false questions. Meanwhile, the answers to the “Can you answer these questions?” queries are presented at the end of each chapter—and you have to do a bit more work and reviewing to sort them out.

Si Dunn

Juniper MX Series – A comprehensive guide for network engineers – #bookreview #juniper #networking

Juniper MX Series
Douglas Richard Hanks Jr., and Harry Reynolds
(O’Reilly, paperbackKindle)

This comprehensive, well-written handbook is aimed directly at network engineers who want to know more about the feature-rich Juniper MX Series of routers.

Actually, “handbook” is a bit of a misnomer. It takes two hands to comfortably handle this hefty, comprehensive, 864-page guide.

The two authors, both network engineers themselves, note that the Juniper MX Series is “[o]ne of the most popular routers in the enterprise and service provider market….”

They add: “The Juniper MX was designed to be a network virtualization beast. You can virtualize the physical interfaces, logical interfaces, data plane, network services, and even have virtualized services span several Juniper MX routers. What traditionally was done with an entire army of routers can now be consolidated and virtualized into a single Juniper MX router.”

The book’s chapters are:

  • 1.      Juniper MX Architecture
  • 2.      Bridging, VLAN Mapping, IRB, and Virtual Switches
  • 3.      Stateless Filters, Hierarchical Policing, and Tri-Color Marking
  • 4.      Routing Engine Protection and DDOS Prevention
  • 5.      Trio Class of Service
  • 6.      MX Virtual Chassis
  • 7.      Trio Inline Services
  • 8.      Multi-Chassis Link Aggregation
  • 9.      Junos High Availability on MX Routers

The chapters, organized by feature sets, include review questions (with answers conveniently located nearby), so you can track your learning progress.

The authors have extensive experience with the Juniper MX router series. Douglas Richard Hanks Jr., is a data center architect with Juniper Networks. Harry Reynolds has more than 30 years’ experience in networking, with a focus on LANs and LAN interconnection.

Si Dunn

For more information: (paperbackKindle)

Understanding IPv6, 3rd Edition – Welcome to the new, improved & BIGGER Internet – #bookreview #microsoft #windows

Understanding IPv6, 3rd Edition
Joseph Davies
(Microsoft Press, paperback, list price $49.99; Kindle edition, list price $39.99)

The Internet can now expand into a much bigger realm than was possible before the worldwide launch of IPv6 (Internet Protocol version 6) on June 6, 2012.

The web most of us use has long relied on IPv4, the circa-1981 Internet Protocol built around 32-bit addresses. This scheme can accommodate approximately 4.3 billion unique addresses worldwide. On a planet where (1) the population now has surpassed 7 billion and (2) many of us now have multiple devices connected to the Web, Internet Protocol version 4 recently has been in dire danger of running out of unique addresses.

IPv6 will fix that problem and offer several important new enhancements, as long as we don’t find ways to expand the Internet to parallel universes or to the people on a few trillion distant planets. IPv6 uses a 128-bit addressing scheme that can accommodate more than 340 trillion trillion trillion unique addresses. So go ahead. Get online with that second iPad, third smart phone or fourth laptop.

IPv4 and IPv6 are now running in a dual stack that supports both addressing schemes. The transition from IPv4 to IPv6 is not seamless, however. A lot of work remains to be done by major Internet service providers (ISPs), web companies, hardware manufacturers, network equipment providers and many others to enable IPv6 on their products and services.

Joseph Davies, author of Understanding IPv6, has been writing about IPv6 since 1999. His new 674-page third edition provides both a detailed overview of IPv6 and a detailed focus on how to implement it, within a limited range of Windows products.

“There are,” he notes, “different versions of the Microsoft IPv6 protocol for Windows….I have chosen to confine the discussion to the IPv6 implementation in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista.”

This well-written and well-organized book is not for beginners. Its intended audience includes:

  • Windows networking consultants and planners
  • Microsoft Windows network administrators
  • Microsoft Certified Systems Engineers (MCSEs) and Microsoft Certified Trainers (MCTs)
  • General technical staff
  • Information technology students

Davies and Microsoft offer downloadable companion content for this book: Microsoft Network Monitor 3.4 (a network sniffer for capturing and viewing frames); and PowerPoint 2007 training slides that can be used along with the book to teach IPv6.

If you need a guide to best practices for using IPv6 in a Windows network, definitely consider getting Understanding IPv6, 3rd Edition.

Si Dunn

Take Control of Your 802.11n AirPort Network, 3rd. Ed. – Has info for new AirPort Utility 6 – #Apple #bookreview

Take Control of Your 802.11n AirPort Network, Third Edition
Glenn Fleishman
(TidBITS Publishing, Inc., ebook [ePub, Mobi, PDF], $20.00)

Attention users of Apple’s 802.11n gear in Wi-Fi networking. TidBITS Publishing recently has released a new edition of Take Control of your 802.11n Airport Network.

Its author points out: “If you’re setting up, extending, or retooling a Wi-Fi network with one or more 802.11n base stations from Apple— including the AirPort Extreme, AirPort Express, or Time Capsule— using AirPort Utility 6 on the Mac or AirPort Utility in iOS, this book will help you get the fastest network with the least equipment and fewest roadblocks. This book also has advice on connecting to a Wi-Fi network from older versions of Mac OS X and Windows 7.”

If you are still using AirPort Utility 5, pay attention.

“This third edition,” TidBITS notes, “has a significant change: it replaces its former coverage of AirPort Utility 5 in favor of focusing on AirPort Utility 6, which was released in February 2012. AirPort Utility 6 runs on 10.7 Lion or later. AirPort Utility 6 has many of the features that are documented in previous editions of this book, but it omits several options designed for mixed 802.11g and 80211.n networks and it can’t configure 802.11b and 802.11g AirPort base station models (any base station released from 1999 to 2006). Also, it supports only iCloud, not MobileMe, for remote connections.”

If you are caught in the middle and need to support both AirPort Utility 5 and AirPort Utility 6, purchasers of this ebook are given a link where they can refer to the previous edition, at no extra charge.

Says Fleishman, “The big new feature in AirPort Utility 6 is a graphical depiction of the layout of an AirPort network. This is terrific for visualizing how parts are connected and seeing where errors lie. This third edition also discusses AirPort Utility for iOS, which has a similar approach to AirPort Utility 6, and makes it possible to configure and manage an Apple base station without a desktop computer. That’s a first for Apple.”

The book is well-written, with text presented in short paragraphs for easier viewing on portable devices.

Take Control of Your 802.11n AirPort Network, Third Edition also offers a good number of uncomplicated illustrations, screenshots, tips, warnings, and lists of steps.

— Si Dunn

Inside Cyber Warfare, 2nd Edition – You’re at the front line & you can’t retreat – #bookreview

Inside Cyber Warfare (2nd Edition)
By Jeffery Carr
(O’Reilly, paperback, list price $39.99; Kindle edition, list price $31.99)

A global war for survival is in full battle, and you — or at least one or more of your computers — may now be right at the front line, already in the fight.

Actually, in cyber warfare, there is no “front line.”  As this important book makes unnervingly clear, attacks on business and military data, on financial systems, and on personal information now can — and do — come at any time from anywhere on the planet.

The attackers can be governments, military units, criminal groups, terrorist organizations, hacker gangs, lone-wolf thieves and even mischief makers with little or no agenda except chaos. And what seems to be a damaging infiltration from one nation actually may be controlled by, and coming from, computers in several other nations.

Indeed, some recently successful and damaging attacks against supposedly well-secured systems have been launched from sites very difficult to identify, using networks of infected computers scattered across several continents, including the United States. And the owners of the infected computers had no idea their machines were involved.

Jeffrey Carr’s updated book is aimed at political and military leaders, policy makers,  and corporate executives responsible for securing data systems and sensitive information. Yet everyday computer users need to read it, too, to have a clearer sense of what we are all up against now. We must understand the risks well enough to help pressure lawmakers, corporate leaders and others to make good choices regarding data security and protecting intellectual property.

The author is a cyber intelligence expert and consultant whose specialty is investigating “cyber attacks against governments and infrastructures by state and non-state hackers.”

Carr’s well-written second edition covers such topics as: the cyber-warfare capabilities of a wide range of nation-states, from Australia and Nigeria to China, the Russian Federation and the United States; how organized crime operates and profits in cyberspace; the difficulty of responding to international cyber attacks as acts of war; and national and international legal issues that affect cyber warfare.

Some foreign governments, Carr points out, are believed to condone and even sponsor cyber attacks. Others are well aware of the digital lawbreakers operating within their borders, yet prosecute only a selected few cases. For example, Carr notes, “in the Russian Federation, the police are interested only in arresting hackers for financial crimes against Russian companies. Hacking attacks cloaked in nationalism are not only not prosecuted by Russian authorities, but they are encouraged…” through a variety of proxies.

Against technically savvy, well-funded and government-coddled hackers, your outdated virus protection software and your dogs’-names passwords are very thin, very porus shields, indeed. 

Carr offers a number of recommendations to American policymakers who must wrestle with Internet and data security issues, plus protection of intellectual property. One of his strongest recommendations is a call for the Department of Defense to throw Windows out the Pentagon’s windows and replace it with Red Hat Linux.

“Red Hat Linux,” he writes, “is a proven secure OS with less than 90% of the bugs found per 1,000 lines of code than in Windows. Many decision makers don’t know that it is the most certified operating system in the world, and it’s already in use by some of the US government’s most secretive agencies.” He adds: “Linux certainly has its vulnerabilities, but the math speaks for itself. Shoot Windows and eliminate the majority of the malware threat with one stroke.”

He also wants sharp crackdowns on “US companies that provide Internet services to individuals and companies who engage in illegal activities, provide false WHOIS information, and other indicators that they are potential platforms for cyber attacks.”

But anyone who connects a computer to the Internet and is active on social media needs to be aware of the risks and high stakes involved in the cyber warfare now being fought between and among governments, criminal groups, terrorist organizations, hacker gangs and lone-wolf troublemakers.

Even as you read this, your personal computer or your company’s servers may be secretly helping North Korea, Iran, China, a drug cartel or a lone, bored hacker launch a cyber attack somewhere else in the world.

You may not be a high-value data target. Yet, even with just one laptop computer, you can become an unwilling and unknowing foot soldier for the wrong side.

These are scary thoughts, and you can’t wish them away. Read this important book to get the big, unnerving picture.

Then start thinking–fast–of ways to better protect your computers, data, intellectual property and personal information.

Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, including The 7th Mars Cavalry, all available on Kindle. He is a screenwriter, a freelance book reviewer, and a former technical writer and software/hardware QA test specialist.

The Tangled Web: A Guide to Securing Modern Web Applications – #programming #bookreview

The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
(No Starch Press, paperback, list price $49.95 ; Kindle edition, list price $31.95)

When Michal Zalewski writes, people listen. And many software programmers pay — or should pay — very close attention to what he recommends.

Zalewski is an internationally respected information security expert who has uncovered hundreds of major Internet security vulnerabilities

“The dream of inventing a brand-new browser security model,” he states in The Tangled Web, “is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web. Therefore, much of the practical work focuses on more humble extensions to the existing approach, necessarily increasing the complexity of the security-critical sections of the browser codebase.”

Today’s Web indeed is a mess, a complex morass of “design flaws and implementation shortcomings” within a technology “that never aspired to its current status and never had a chance to pause and look back at previous mistakes,” he says. And: “The resulting issues have emerged as some of the most significant and prevalent threats to data security today….”

In his well-written new “Guide to Securing Modern Web Applications,” Zalewski states that “a substantial dose of patience, creativity, and real technical expertise is required from all the information security staff.”

Anyone who works with the Web application stack needs to clearly understand its built-in security vulnerabilities and the consequences that can occur when unwanted penetrations occur.

Zalewski’s 299-page book is structured into three parts – Anatomy of the Web, Browser Security Features, and A Glimpse of Things to Come — and 18 chapters:

  1. Security in the World of Web Applications
  2. It Starts with a URL
  3. Hypertext Transfer Protocol
  4. Hypertext Markup Language
  5. Cascading Style Sheets
  6. Browser-Side Scripts
  7. Non-HTML Document Types
  8. Content Rendering with Browser Plug-ins
  9. Content Isolation Logic
  10. Origin Inheritance
  11. Life Outside Same-Origin Rules
  12. Other Security Boundaries
  13. Content Recognition Mechanisms
  14. Dealing with Rogue Scripts
  15. Extrinsic Site Privileges
  16. New and Upcoming Security Features
  17. Other Browser Mechanisms of Note
  18. Common Web Vulnerabilities

Zalewski’s other published works include Silence on the Wire and Google’s Browser Security Handbook.

Despite the software industry’s many efforts to find security “silver bullets,” Zalewski contends that “[a]ll signs point to security being largely a nonalgorithmic problem for now.” What still works best, he says are three “rudimentary, empirical recipes”:

  1. Learning from (preferably other people’s) mistakes
  2. Developing tools to detect and correct problems
  3. Planning to have everything compromised.

“These recipes are deeply incompatible with many business management models,” he warns, “but they are all that have really worked for us so far.”

Zalewski’s book puts a bright, uncomfortable spotlight on the fundamental insecurities of Web browsers, but it also shows you how to improve the security of Web applications.

Whether you program Web apps, or manage Web app programmers, or are studying to become a Web app programmer, you likely need this book.

Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, all available on Kindle. He is a freelance book reviewer for the Dallas Morning News and a former technical writer and software/hardware QA tester.