Wednesday, March 19, 2008
Why CardSpace isn't Enterprise Ready!
Consider for a moment how software should be developed. If you are a fan of extreme programming, then you understand the importance of building test cases first. Many folks in this scenario would use JUnit, HTTPUnit or similar tools, and therefore all of the libraries for Java and .NET from WSO2, Google and others should have test cases around them. In looking at the various libraries, it also becomes apparent that Microsoft funded security functionality but didn't ensure that these libraries adhered to good secure coding practices.
Have you ever considered what would happen within an enterprise that used CardSpace to protect your medical information, or even auto insurance where you insured a vehicle that your wife doesn't know about? At some level, a discussion of how Microsoft helps others write secure code is in order, and it should start with the use of static analysis tools such as Ounce Labs, Coverity and others. I wonder if the identity selector went through any of these tools?
Once your code is developed, it is typical practice to automate regression testing and to use tools such as Grinder, WebART or HP/Mercury Interactive LoadRunner. If LoadRunner can't even log onto a website that is protected by CardSpace, then your regression testing won't get too far. Ever hear of any HP bloggers talking about how they will be extending their own products to support it?
Consider that, unlike all the consumerish discussions to date, many enterprises have more thoughtful architectures and leverage web access management products such as Tivoli Access Manager, Netegrity SiteMinder, Oracle Oblix CoreID and others. So, in order for many enterprises to implement CardSpace, these products must, at a minimum, become really good relying parties.
If you were to dig deeper, the odds are that only 50% of the enterprise applications that are exposed to the outside world use a directory service. My thinking says that much of this stuff is in relational databases, where we need a way to STS-enable them. The odds are even better that the directory service used isn't based on Active Directory. Let's say for a minute that you have been reading Mark Wilcox's blog over at Oracle and the discussion around virtual directory products. Do you think that this product may need to become an STS?
Microsoft is on the right track with their own products, but needs to redouble their efforts (CEO sounding, huh) in encouraging others to get on the identity bandwagon. I know that Kim Cameron, Mike Jones and others will reserve judgment on how enterprise applications such as Siebel, Documentum, Pega, Mercury ITG and others work suboptimally today when viewed through an identity lens, but the creation of a roadmap for these vendors to embrace would be appreciated by your enterprisey customers, as many of them may not be capable of creating one for themselves...