Monday, June 11, 2007
links for 2007-06-11
Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point for numerous security tasks in your organization, yet most enterprises still don't have them around important security topics such as secure coding practices, centralization and externalization of authorization from enterprise applications, and the ability to de-identify data in testing environments. Anyway, here is an overview that vendors should be proactive in helping enterprises create. After all, if you can help with compliance by seeding your own problems, then you have a better chance of success.
I wonder if Dick Hardt, Kim Cameron and Pat Patterson have noodled that identity/privacy needs to take into consideration where you are? Imagine injecting location awareness into OpenID and/or Cardspace.
I wonder if we should treat folks from border countries not as enemies but as friends and give them preference over folks from India? Bet you don't know which demographic has more soldiers in Iraq fighting and dying for freedom...
I am a firm believer that folks should learn to read code before they write it. It seems as if folks generally write decent authentication routines, but that authorization tends to be spread throughout the code base. In studying the code base of many open source projects such as Alfresco, Intalio and others, they seem to suffer from this problem. In fact, the only open source project that, in my humble opinion, got authorization right is Liferay Enterprise Portal. Anyway, before you design your application's authorization model, you should read this article.
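The "authorization spread throughout the code base" problem above, and the "centralization and externalization of authorization" policy gap mentioned in the first link, are easiest to see side by side in code. What follows is an added example written for this page, not code from Liferay, Alfresco, Intalio or the linked article; the application, its roles, actions and handler names are all hypothetical. The first half shows per-handler checks where one handler simply forgets to check; the second half moves every decision into one policy table consulted by a decorator, with default deny, and adds an audit helper that lists handlers carrying no declared action, which is the kind of check a code reader wants before trusting an authorization model.

```python
"""Scattered vs. centralized authorization (added example, hypothetical app)."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# --- Pattern 1: authorization scattered through the handlers ---------------
# Each handler re-implements its own check. Nothing forces consistency, and a
# handler that forgets the check (scattered_delete below) silently allows
# everything. This anti-pattern is kept deliberately to show the gap.

def scattered_read(user, doc):
    if "reader" not in user.roles and "editor" not in user.roles:
        raise Forbidden("read")
    return f"read {doc}"


def scattered_edit(user, doc):
    if "editor" not in user.roles:
        raise Forbidden("edit")
    return f"edited {doc}"


def scattered_delete(user, doc):
    # Check forgotten: any authenticated caller may delete.
    return f"deleted {doc}"


# --- Pattern 2: one policy decision point, handlers only enforce ------------
# Policy lives in a single table (hypothetical roles/actions). Handlers declare
# the action they perform and a decorator asks the decision point. Default is
# deny: an action absent from the table is refused for everyone, so a newly
# added handler cannot accidentally be open.

POLICY = {
    "document:read": {"reader", "editor"},
    "document:edit": {"editor"},
    "document:delete": {"admin"},
}


def is_allowed(user, action):
    return bool(user.roles & POLICY.get(action, set()))


def requires(action):
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, action):
                raise Forbidden(action)
            return fn(user, *args, **kwargs)
        wrapper.required_action = action  # visible to the audit helper
        return wrapper
    return decorator


@requires("document:read")
def central_read(user, doc):
    return f"read {doc}"


@requires("document:delete")
def central_delete(user, doc):
    return f"deleted {doc}"


@requires("document:archive")  # not in POLICY: denied for every role
def central_archive(user, doc):
    return f"archived {doc}"


def attempt(fn, user, doc):
    """Return True if fn let the call through, False if it raised Forbidden."""
    try:
        fn(user, doc)
        return True
    except Forbidden:
        return False


def compare(user, doc="report.txt"):
    """Which pattern permits what for the given user."""
    return {
        "scattered": {
            "read": attempt(scattered_read, user, doc),
            "edit": attempt(scattered_edit, user, doc),
            "delete": attempt(scattered_delete, user, doc),
        },
        "central": {
            "read": attempt(central_read, user, doc),
            "delete": attempt(central_delete, user, doc),
            "archive": attempt(central_archive, user, doc),
        },
    }


def unguarded(handlers):
    """Names of handlers that declare no action, i.e. escaped the policy."""
    return [h.__name__ for h in handlers if not hasattr(h, "required_action")]


if __name__ == "__main__":
    reader = User("alice", frozenset({"reader"}))
    print(compare(reader))
    print(unguarded([scattered_delete, central_read, central_delete]))
```

Running it shows the reader role deleting under the scattered pattern while every central decision goes through the table, and `unguarded` flags `scattered_delete` as the one handler nothing governs. Externalizing the `POLICY` table to a service is then a change to `is_allowed` alone rather than to every handler.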
There have been lots of articles indicating how six sigma can be used in enterprises that do agile software development, yet none that have specifically focused on areas where they are diametrically opposed. I am thinking about writing such an article.