Thursday, August 16, 2007
D6 Web Services Challenge announced
A while back, I seemed to have torqued Craig Randall in that I noted he would respond to questions regarding the lack of security within the domain of ECM at large but would never provide insight as to ways to address them. My significant other says that I should have been more diplomatic and that if I were nicer, an answer with integrity would have emerged. I, of course, believe that avoidance is a sign not of lack of tempered blogging but one more of quiet acknowledgment that my perspectives on the ECM domain, when analyzed through the lens of security, may be more accurate than folks will ever give me public credit for. It would make my day if I were not only proven wrong, but called out publicly. Doesn't someone want to throw daggers at me?
Anyway, we got into a debate that I figured I would share. She saw the notion of $50K lying on the table with the D6 Web Services challenges and felt that I should step up and attempt to win this contest by filling in the gaps mentioned here.
Since there is no guarantee that I would win, I decided to also not participate and practice my own right to remain silent. What I did decide to do though was to encourage her to jump back into software development and start filling in the gaps. The ability for the solution to be licensed under an open source model is a good thing and can benefit many.
She registered to participate and is awaiting access to DFS. If DFS does support WS-Security but not SAML, WS-Federation, Kerberos or any of the other security specifications, she felt it would be pretty easy for her to close this gap, with the caveat that the documentation is of high quality. If this functionality is already in the product, she figured she would take on figuring out how to inject XACML support into the product. She does acknowledge at some level that doing this via the DFS way is insecure, but at least it is an incremental step forward, and she will disclaim implementing security the secure way vs implementing security in a way that is thought of as a feature.
The funny thing is that she has no knowledge of ECM in general nor any of the products in this domain and is somewhat junior when it comes to understanding enterprise security concerns but is willing to give it a try. Hopefully, if she gets stuck, others will jump in and provide their perspective and propose workarounds for the better good of the community at large...