Thursday, July 31, 2008
OWASP Maturity Model Project
If you would like to contribute your thoughts, please join the mailing list...
Wednesday, July 30, 2008
OWASP Certification Survey Results
Tuesday, July 29, 2008
IT Hiring Practices
Why does IT have to continue the HR facade of interviewing when the pendulum has swung too far towards emphasis on soft skills? Imagine if business customers were smart enough to figure out that the person running IT didn't actually know anything about IT, or that their coveted, very expensive enterprise application will fall apart when it is actually implemented, since the folks who sold it have never built anything.
Business/IT alignment cannot occur without having credible members on the team. This goes above and beyond their ability to present; there needs to be a common set of core skills that everyone within the enterprise has. If you are an employee of a large enterprise, have you considered asking each and every member of the enterprise architecture team what skills they 100% have in common?
The obvious answer of course is usage of Microsoft Office tools: we can draw pretty cartoons in Visio, our IDE is PowerPoint, and we are more than capable of ranting via email and scheduling meetings of nebulous value via Outlook. What other skills do we all have?
If we all have nothing in common but soft skills, how can we concretely implement our strategy? How can we expect business customers to trust IT? Do we really think business customers are that dumb?
To make matters worse, we attempt to hire even more folks just like us. Have we ever realized that diversity should be embraced? The enterprise needs folks with soft skills. Likewise, we also need folks with technical skills and those who can hang technically with the best of them.
Nowadays, with the emergence of work from home strategies where face-time as a construct will become extinct, if we focus on soft skills, aren't we hiring to the past and not for the future?
Links for 2008-07-29
Jay Fields provides a scenario of who should receive an offer after a job interview. The funny thing is that he is describing exactly how outsourcing to India works.
The OMG is attempting to bring together a group of practitioners with expertise on SOA & Security for a roundtable conversation. Why practitioners? They want to explore actual requirements and issues prior to hearing from vendors and consultants on answers.
One aspect of the conversation around CardSpace that seems to never be discussed is the secure coding aspects. Many members of OWASP believe that parsers are the weakest part of XML security, yet CardSpace makes this a vital component and puts it right up front. This begs the question of whether the parser used by CardSpace can be considered as secure as, say, the one used by DataPower. I know that Rich Salz won't comment, but someone out there must have an opinion.
I have been curious if Nishant Kaushik, Mark Wilcox and others from Oracle have a different definition of what constitutes an enterprise than say Microsoft?
It has been a long time since anyone from Nuxeo, Documentum, Stellent, Alfresco or others actually talked about creating valuable standards as the conversation to date has only been about the challenges.
Paul Madsen posts a listing of Liberty Alliance award winners. I wonder if he knows where the general public can get their hands on an actual federation agreement. No, not a framework or guidelines but one that has actually been executed (in a legal sense) between two parties.
The concept of promoting open standards, whilst allowing people to own their personal data, to enable interoperability. The identity crowd should be following this...
A humorous comparison between Microsoft Active Directory and Virtual Directories.
Monday, July 28, 2008
Scrum Certification is a big fat joke!
For certification to be truly meaningful, a certification must have some sort of experiential component to it (typically involving internship or apprenticeship), and the applications must be verified by other certified professionals.
The Scrum Alliance continues to embarrass itself, and to a lesser extent the agile community as a whole, with its continued operation of the Certified Scrum Master (CSM) program. To "earn" this designation you need to take a two-day course, at the end of which, the instructor decides whether to award you with it. There is no test and there appears to be a 99 percent plus pass rate.
It is clearly deceptive to claim that you're a "certified master" of something after taking a two-day course. Maybe those who are believers in the Agile Manifesto can learn something from the OWASP Certification Project...
Sunday, July 27, 2008
Grandmaster Frank Corbo: Shorinryu Karate
Grand Master Corbo began his training in 1960 at the age of five. His first instructor at that time was his father, who introduced him to boxing, grappling and knife defenses. Returning home from the Marine Corps in 1976, he sought out instructors who could help him expand his martial arts knowledge and develop his skills into an integrated system of martial arts training. Grand Master Corbo has had the pleasure of training under the guidance of some of the greatest martial artists to date. Grand Master William Chen, Grand Master Hu Jianqiang, Grand Master Pan, Grand Master Duan, and Master Jiang Jian-ye have all made impressions on and improvements to his Integrated Martial Arts system.
My son, who is six years old, got the opportunity to do a Jiu-Jitsu demonstration with his sensei (ninth degree in Komushinryu), where he demonstrated his routine. My son wasn't wearing his Gi at the time and was upset with his dad for leaving it in the car. Anyway, the video will be up shortly on YouTube and I will be posting a link here.
I also had the opportunity to meet a wonderful master from New York who demonstrated close quarters combat along with a monk from the Northern Shaolin temple. Afterwards, we all pigged out at It's only natural which I highly recommend.
Grandmaster Corbo is a judge on the 69th circuit probate court and a Marine. Duty, honor and country are no better represented than through the life of this master...
Military Quote of the Day
Saturday, July 26, 2008
Quote of the Day
OWASP Maturity Model Project
If you are interested in contributing, please visit the OWASP web site and subscribe to the listserv. In the meantime, I will be spending cycles on figuring out how to get Gartner, Forrester and other industry analyst firms to pay more attention to security (other than Microsoft Patch Tuesdays). After all, if they aren't paying attention to it, then software vendors aren't going to either and the industry will remain insecure...
Friday, July 25, 2008
What has been done in Smalltalk?
1. What commercially packaged enterprise applications were developed using Cincom Smalltalk?
2. Where is the java.net equivalent for finding open source Smalltalk projects?
3. What is the largest e-commerce site exclusively written in Smalltalk?
4. Has anyone written a relational database engine in Smalltalk?
5. Should developers be able to write Cincom Smalltalk using Eclipse?
Is there an IT Talent Shortage?
There is a shortage of perfectly healthy unmarried childless folk who need no benefits, aged between 22 and 26, who need no visas, who have done a previous job within the last two months so much like the one you need that they require absolutely no ramp-up time and who are willing to live anywhere and work cheaply in noisy cubicles on inferior computers without sunlight.
IT executives need to stop being silly by imposing unrealistic requirements on talent. Fundamentally, I believe that even if you ignore the above, we actually need fewer people in IT than today. Consider how much energy is put into time-wasting activities such as governance, which allows for increased financial transparency at the expense of productivity.
I suspect that if you were to align all of the IT initiatives into two columns, where one column is productivity and the other is transparency, and you weren't allowed to practice hybridism as a mental disorder, then the transparency column would outweigh the productivity column by ten to one.
As far as recruiting talent, if you accept people over 27, give them time to learn what you need, keep them long enough to pay back the cost of training them in value to you, give good benefits, locate the jobs where there is already a supply of unemployed or contract IT folks, be willing to pay them a little higher than local market wages, give them state-of-the-art computers, and put them in one-person offices with windows to the outdoors, you will have a stampede of candidates battering down your door. No problem.
If a young person asked me, I would advise them not to go into IT. Learn to use a computer much as one used to learn a foreign language or typing, but train to be the one that owns the business. That way you cannot be outsourced.
However, there are more than enough older folks around to do everything you need...
Thursday, July 24, 2008
Last Day to Participate in the OWASP Certification Survey
The survey closes on Friday July 25th (tomorrow)...
Wednesday, July 23, 2008
An untold perspective on software licensing and GPL...
My significant other is working on a project which she hopes will allow her to work 100% from home while making more than I. A conversation between us emerged where we each debated our own philosophies on open source. She believes that BSD and its variants are the best for fairness and will serve to increase market competition which is important to her since she needs to get her software in a Gartner magic quadrant which right now doesn't exist. We concluded that GPL is useful for undermining competition and not encouraging it.
More importantly, her solution is avoiding all forms of GPL as she believes it is scary for business. She points to the GPL Violations site as evidence: 100 cases completed at a 100% success rate! Is this a good story for open source? History will tell the true story. What is factual, though, is that regardless of who wins, everybody loses when it comes to litigation costs and the wasted marketing dollars that go into this activity.
The one opinion that grows even stronger in my own mind is the evilness of dual licensing. On the surface, it appears to be the easiest arrangement to explain to consumers. However, the real problem of maintaining this strategy will be felt by software developers. Developing, testing, and packaging two separate but related software packages means that each time you release a version of the software, you have to go through the steps twice.
Dual licensing also creates a usability obstacle for users simply because it requires users to run several interfaces at the same time. Isn't it better to have one license and one way to do things rather than complicate things for end users...
Tuesday, July 22, 2008
Quote of the Day
OWASP Preliminary Certification Results
Anyway, below are preliminary results for a few select questions. The full report will be made available at the end of the week...
1. Please indicate your gender.

2. Please select the category that includes your age.

| Age | Percent | Responses |
|---|---|---|
| 17 or younger | 0.0% | 0 |
| 18 to 24 | 12.8% | 51 |
| 25 to 34 | 44.8% | 179 |
| 35 to 44 | 25.0% | 100 |
| 45 to 54 | 12.5% | 50 |
| 55 to 64 | 4.0% | 16 |
| 65 or older | 1.0% | 4 |
6. Has not having a particular certification or credential ever hindered your career?

7. In your opinion, what should be the target failure rate for first-time exam takers?

8. Do you believe that exams with higher failure rates are more credible?

14. In your opinion, do you feel single-brand certifications and/or credentials such as Cisco, Microsoft, Novell, etc. help or hurt the industry?

15. In your opinion, do you feel that training providers who teach courses geared towards obtaining OWASP certification should mandate that their instructors are certified?
22. VUE (http://www.vue.com) and Prometric (http://www.prometric.com) both provide computer based testing at existing testing centers throughout the world. While the actual payment to VUE or Prometric to provide an exam varies with volume, at least $75 of an exam's price would go to VUE or Prometric. What do you perceive as the advantages of having the exam available at a VUE or Thomson testing center? (choose all that apply)

| Answer | Percent | Responses |
|---|---|---|
| It would make the exam available in my geographic area | 73.0% | 216 |
| The exam would be inexpensive | 24.0% | 71 |
| The exam delivery would be secure | 35.8% | 106 |
| It would be easy to register and pay for an exam | 60.1% | 178 |
| I would prefer not to take the exam using a VUE or Prometric testing center | 12.8% | 38 |
| Other (please specify) | | 23 |
30. Please rate which industry analyst firms best understand the challenge of implementing Web Application Security.

| Firm | First Place | Second Place | Third Place | Fourth Place | Fifth Place | Sixth Place | Last Place | Responses |
|---|---|---|---|---|---|---|---|---|
| Gartner | 51.2% (44) | 7.0% (6) | 10.5% (9) | 10.5% (9) | 2.3% (2) | 2.3% (2) | 16.3% (14) | 86 |
| Forrester | 19.4% (13) | 44.8% (30) | 9.0% (6) | 11.9% (8) | 4.5% (3) | 10.4% (7) | 0.0% (0) | 67 |
| Burton Group | 25.9% (15) | 12.1% (7) | 27.6% (16) | 13.8% (8) | 10.3% (6) | 3.4% (2) | 6.9% (4) | 58 |
| Yankee Group | 2.4% (1) | 16.7% (7) | 19.0% (8) | 35.7% (15) | 7.1% (3) | 11.9% (5) | 7.1% (3) | 42 |
| Redmonk | 13.3% (4) | 6.7% (2) | 10.0% (3) | 10.0% (3) | 50.0% (15) | 6.7% (2) | 3.3% (1) | 30 |
| The 451 Group | 6.1% (2) | 15.2% (5) | 9.1% (3) | 6.1% (2) | 18.2% (6) | 36.4% (12) | 9.1% (3) | 33 |
| Elemental Links | 0.0% (0) | 0.0% (0) | 4.8% (1) | 9.5% (2) | 9.5% (2) | 19.0% (4) | 57.1% (12) | 21 |
| ZapThink | 4.3% (1) | 21.7% (5) | 26.1% (6) | 17.4% (4) | 4.3% (1) | 8.7% (2) | 17.4% (4) | 23 |
| Nemertes | 6.7% (1) | 13.3% (2) | 13.3% (2) | 6.7% (1) | 33.3% (5) | 6.7% (1) | 20.0% (3) | 15 |
| IDC | 0.0% (0) | 25.0% (7) | 21.4% (6) | 21.4% (6) | 14.3% (4) | 14.3% (4) | 3.6% (1) | 28 |
| AMR | 0.0% (0) | 7.7% (1) | 23.1% (3) | 23.1% (3) | 30.8% (4) | 7.7% (1) | 7.7% (1) | 13 |
| Ovum | 10.0% (1) | 10.0% (1) | 30.0% (3) | 20.0% (2) | 10.0% (1) | 0.0% (0) | 20.0% (2) | 10 |
| Enterprise Strategy Group | 12.5% (3) | 12.5% (3) | 16.7% (4) | 12.5% (3) | 4.2% (1) | 25.0% (6) | 16.7% (4) | 24 |
| Macehiter Ward-Dutton | 10.0% (1) | 20.0% (2) | 10.0% (1) | 0.0% (0) | 10.0% (1) | 10.0% (1) | 40.0% (4) | 10 |
| Other (please specify) | | | | | | | | 20 |