Thursday, February 14, 2008
Absence of evidence is not evidence of absence!
I was thinking about one aspect of a posting by Laurence Hart regarding me providing proof of weaknesses of all ECM products when it comes to security...
If you look for "X" and don't find it, does that prove that there is no "X"? No. But the more you look in places where X "ought to be" in ways and at times that X "should be likely to be there," the more confidence you can have that there is no "X".
If security were important to ECM vendors, then Bex Huff, Craig Randall, John Newton and others would gladly talk more about it.
If security were top of mind, all of these guys would talk about how they would seamlessly integrate into security models provided by Active Directory, how ECM authorization models could be made consistent with other enterprise applications and how they even ensure that there own products are resistant to the OWASP top ten vulnerabilities by leveraging static analysis tools from vendors such as Ounce Labs, Fortify, Coverity or others.
I would think that the best evidence would not be for me to prove anything but to hear it from the horses mouth as to how they realize the above considerations. If they aren't doing anything in this space, then the odds are that they probably won't say anything as being transparent is probably frowned upon by their employers. However, if they are doing something in this regard, you can surely count on them telling the world...
| | View blog reactionsIf you look for "X" and don't find it, does that prove that there is no "X"? No. But the more you look in places where X "ought to be" in ways and at times that X "should be likely to be there," the more confidence you can have that there is no "X".
If security were important to ECM vendors, then Bex Huff, Craig Randall, John Newton and others would gladly talk more about it.
If security were top of mind, all of these guys would talk about how they would seamlessly integrate into security models provided by Active Directory, how ECM authorization models could be made consistent with other enterprise applications and how they even ensure that there own products are resistant to the OWASP top ten vulnerabilities by leveraging static analysis tools from vendors such as Ounce Labs, Fortify, Coverity or others.
I would think that the best evidence would not be for me to prove anything but to hear it from the horses mouth as to how they realize the above considerations. If they aren't doing anything in this space, then the odds are that they probably won't say anything as being transparent is probably frowned upon by their employers. However, if they are doing something in this regard, you can surely count on them telling the world...
