Thursday, June 12, 2008


OWASP and Identity

Yesterday was an interesting day: I ranted to other OWASP chapter leads about the licensing of open source, I had several conversations at work about the Enterprise Security API, and we also had our OWASP Hartford meeting last night. Several thoughts emerged...

Yesterday, we had two wonderful speakers. The first was Chris Winn of Microsoft, who spoke on Cardspace. The second was Prateek Mishra, who spoke on Identity Governance. While these two don't blog, I know their counterparts, such as Kim Cameron of Microsoft and Mark Wilcox of Oracle, do. The first question that came to mind: Kim Cameron and Mike Jones came up with the Laws of Identity, yet they have never talked about the problem space that the Oracle IGF is attempting to address. Are the Laws of Identity deficient?

I also started to think about the OWASP Enterprise Security API, which does a wonderful job of protecting against the OWASP Top Ten, and began to wonder whether this set of APIs needs to become identity-aware.

The value proposition from companies such as Mark ONeill's Vordel, the IBM Datapower folks and so on is that security requires specialized parsers, since the parser is the best way to attack XML; yet the whole Cardspace implementation ignores this truth. Has anyone from Microsoft taken deliberate action to bring the XML parsers built into .NET up to the same level of strength as those implemented by the security vendors?

Taking this one step further: wouldn't it be wise for Microsoft to put the OWASP Enterprise Security API into Cardspace and encourage this for all identity selectors? The CARML specification is intriguing at some level, but there is zero evidence that the Microsoft Active Directory team even has it on their radar.

I also walked away with another perspective: CARML will fail because there isn't the right level of evangelism around it. One thing I have the utmost respect for Microsoft for is their ability to reach out to developer communities, something Oracle almost never does, as it prefers to reach out solely to IT executives. CARML can be wildly successful, but only if Oracle concludes it needs to do a better job on bottom-up IT learning.

Oracle is working with Project Liberty, where the focus is on identity, while no one at Liberty has acknowledged that there may be value in Project Liberty and OWASP working together on making identity secure.

Just some random thoughts, and I hope I haven't offended anyone. Anyway, I would love to know how my thinking is flawed and what I am missing...
