Saturday, August 04, 2007
Why do Software Vendors Create Insecure Products?
He mentioned that he has also asked his enterprise vendors in the ECM and BPM worlds to consider many of the same security considerations that I frequently discuss, with little evidence of forward progress. One common theme that I often hear is that the sales guy will be cordial and acknowledge that the customer always has great ideas, but that this is the first time they have heard someone articulate the problem and that none of their other customers are demanding it.
So, this does beg the question of how enterprise architects who want better security in the products they buy can get their collective voices heard. One thought I had was to propose speaking on these issues at upcoming conferences, but at vendor-specific conferences the vendor usually controls the agenda.
Likewise, industry analysts primarily set their research agenda based on what vendors ask them to cover. Expecting industry analysts to acknowledge gaps within products simply ain't going to happen, because the analyst model is fundamentally busted in this regard.
The funniest statement, though, was that he was of the belief that there are more pygmies teaching Eskimos how to breakdance than there are folks at Documentum, Alfresco and other ECM companies actively thinking about gaps from a security perspective within their products.
Doc Searls always mentions the notion of vendor relationship management, but I wonder if he has any unique thoughts on how to get vendors beyond the land of cordial responses and into actively fixing and closing gaps?