Tuesday, September 30, 2008
Enterprise Architecture and Stupid Thinking...
pencils miss spel words.
cars make people drive drunk.
Spoons made Rosie O'Donnell fat.
Process makes developers in India competent...
Monday, September 29, 2008
Comparison of Federated Identity Products
For example, where can I find a list of features that Ping Identity supports that, say, RSA Federated Identity Manager, Microsoft ADFS or Oracle don't? I wonder if Nishant Kaushik, Pat Patterson, Mark Dixon, Ashish Jain or others have any information in this regard that they are willing to make public? I really hate private pings...
Question for LDAP Experts
Sunday, September 28, 2008
The secret relationship between enterprise architecture and the United Nations
So why do both enterprise architecture teams and the United Nations fail to come to any Resolution? If you were to take a survey and ask: "Would you please give your honest opinion about solutions to the food shortage in the rest of the world?" you would be guaranteed a failure...
In Africa they didn't know what "food" meant.
In Eastern Europe they didn't know what "honest" meant.
In Western Europe they didn't know what "shortage" meant.
In China and India they didn't know what "opinion" meant.
In the Middle East they didn't know what "solution" meant.
In South America they didn't know what "please" meant.
And in the USA they didn't know what "the rest of the world" meant.
Saturday, September 27, 2008
700 Billion Dollar Information Security Bailout
1). Failed regulatory oversight (SOX, HIPAA, GLBA)
2). Failed self regulation (PCI, ISO)
3). Failure of consumers to manage risk (education, awareness)
4). Failure of companies to manage risk (risk analysis, awareness)
5). Failure for the current bailout to protect the consumer (no need to explain)
6). Reaction only when a threat is upon us (building security in vs slap on)
In both situations, the consumer is talked about...held up as the main focus, but the actions do not seem to support protecting them. Look closely at our privacy laws, security laws and identity theft laws and you can see the lack of any real consumer-based legal causes of action that are available.
Do you see any opportunity to leverage the current crisis to finally focus on consumer privacy and security rights? At a time when the government is calling for greater oversight and regulatory authority, should the security industry be lobbying to get consumer protections front and center?
The unfortunate thing is that the agents of change are the ones most guilty of violating consumer privacy and security. Much of the meltdown has been the savage exploitation of consumer behavior. Have we also considered that much of corporate behavior in information security is trending in the wrong direction? Have we also considered that bureaucrats and politicians are too easily swayed by corporate leaders?
Risk management shouldn't be a cliche phrase thrown about by the likes of process weenies such as Robert McIlree. In the same way that the folks over at Gartner and CMMi advocate that process can be a substitute for competence, information security in many large enterprises is equally guilty of using it as a substitute for true risk management.
Identity management is one thing that is way overhyped, where every enterprise was forced into a one-size-fits-all approach instead of focusing on optimizing cost/benefit for any given situation. Would Pat Patterson, Nishant Kaushik and others acknowledge guilt? I think not, as their employers are technology legislators that have generated a hype cycle that is a boon to consultants. It has helped generate a lot of paperwork and control process, but otherwise has become a distraction from core risk management practices and ends up producing an architecture driven by the whims of an external auditing group rather than targeting a prioritized list of business-specific risks.
So, let's acknowledge that what will save the day is architecture and that maybe we do need a new kind of leadership, one that understands the need for an agile enterprise architecture, strong technical leadership and an understanding of the human aspects of technology. The key is whether the masses will stand up for what is right or simply devolve back into perception management.
The government needs OWASP style governance. For the current power structure, don't worry, your jobs are safe as no one is listening...
Friday, September 26, 2008
Are you an IT Security Idiot?
Instead of focusing on what not to do, perhaps you should figure out how to focus on doing something securely and interaction with developers may be a great place to start. At the very least, you should learn enough SQL so a properly parameterized query can be illustrated on a whiteboard.
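The whiteboard illustration this paragraph calls for, as an added example that is not from the original post: a user lookup built by string concatenation beside the same lookup as a parameterized query, run against a constructed in-memory SQLite table (the schema, rows and function names are assumptions for this example).

```python
"""Parameterized query vs. string concatenation.

Added example, not code from the original post. The table, rows and
function names are constructed for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    # Inserting through parameters is why the apostrophe in "o'brien" is harmless here.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the untrusted value is pasted into the SQL text, so quote
    characters in the input change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is fixed and the driver binds the value as data,
    so the input can only ever be compared against the username column."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both variants on the same input and report what each one did.

    The concatenated variant may also fail outright on legitimate input that
    happens to contain a quote; that failure is reported instead of a count.
    """
    conn = make_db()
    try:
        concat = len(lookup_concat(conn, username))
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return {"concat_rows": concat, "param_rows": len(lookup_param(conn, username))}


if __name__ == "__main__":
    # A plain username behaves identically in both variants: one row each.
    print("alice       ->", compare("alice"))
    # A legitimate name with an apostrophe: the concatenated statement is now
    # malformed and errors, while the bound parameter finds the row.
    print("o'brien     ->", compare("o'brien"))
    # A value that is not a username at all: concatenation turns it into part
    # of the WHERE clause and returns every row; binding returns none.
    print("tautology   ->", compare("x' OR '1'='1"))
```

The three calls show the whole argument: the parameterized version gives the same answer for a normal name, keeps working for a name with a quote in it, and never lets the input widen the result set.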
Maybe IT security professionals could also consider setting an example by encouraging software developers to attend security-oriented user groups targeted at them, such as OWASP. Bill Barr nailed it when he said: "I have yet to come across a 'security professional' I can't send packing after speaking 3 simple words: Show me code..."
Today, I have reached my 2,000th blog entry...
Enterprise Architecture and Martial Arts
By now, if you have read my blogs, you would know that I am savage when it comes to charity focused on improving the lives of children. Several of my coworkers will be forming a program to work with the local Boys and Girls Club to teach martial arts to inner-city children.
We will be starting off with an introduction to several different styles including Tai Chi, Shotokan Karate, Traditional Japanese Jujutsu and Taekwondo. We are targeting kids ages seven to twelve. The kids will receive martial arts lessons twice a week.
We will start with the basics of punching and kicking, with lots of focus on mastery of horse stance since this is universal to all styles. I will be teaching the first four forms of Tai Chi. I am working on convincing my significant other that she should teach all the girls Eagle Claw (the style made famous by Master Pai Mei of the White Lotus Cult), with a finale of my son leading others in Japanese Jujutsu.
Since I am the king of mashups, I figured I could combine this with my love of IT and find out whether there are any software vendors in the blogosphere that would be interested in making a small contribution of $50, which will go to the purchase of martial arts uniforms for the kids (Japanese gis). We are targeting the purchase of twenty of them. Of course, vendors are also encouraged to throw in an additional $100 so that we can receive patches of the vendor's logo for the uniforms, which the kids will learn to sew on themselves.
When large corporations get involved in community activities, lots of media is sure to follow. If you want to donate, please leave a comment and I will contact you. This is one of the cheapest branding investments a software vendor could make. Besides, the human aspects of technology are just as important...
OWASP Hartford September 2008
We also had Paul Roberts of the 451 Group, which is an industry analyst firm unlike Gartner. They aren't historians who measure what has happened, but focus on innovation and help customers understand what will happen in the future. In other words, some analysts help you make tactical purchasing decisions while others help architects with strategic goals such as using innovation to enable long-term business drivers.
For the October meeting, we will be having Rohit Sethi of Security Compass and the Agile Elephant speaking on elite IT talent. The agenda will be posted over the weekend here...
Thursday, September 25, 2008
Why McCain will win the election...
Ohio and other places in Middle America will be too stupid to see that their vote doesn't truly matter and will simply let their votes not be counted...
OWASP Web Services Top Ten
I believe there are three action items for me upon hearing this most wonderful presentation.
1. On the long train ride back home, I need to compose all my thoughts on worst practices that I have come across within my travels and include even the ones that I have personally made. Hopefully, this will help provide additional guidance for others to develop secure web services.
2. We need to figure out how, once this list is finalized, vendors who produce web services as part of their product offering could immediately fix deficiencies in their products. For example, it would be wonderful if Craig Randall, Laurence Hart, Bex Huff and others within the ECM community were to be the first to embrace it.
3. I also need to fail miserably and repeatedly in attempting to encourage industry analysts to dedicate a research report to aspects of developing secure web services. I will be pinging Gartner, Burton Group and Zapthink, with others to follow...
CMMi and IT Security
Pravir Chandra presented at the OWASP conference the notion of a maturity model, led by Brian Chess and the folks over at Fortify, that will be published under OWASP in the near future; it was well received. If you would like to learn more about this activity, please join the OWASP mailing list here...
OWASP NYC and Embarrassing moments...
Links for 2008-09-25
Not that Ping shouldn't attempt to expand its market share or make money, but one should ask whether the right solution is to have folks over at Microsoft figure out how to turn Active Directory into a provisioning mechanism. Why couldn't you have ADFS take care of SaaS provisioning activities? While I know that Mike Jones, Kim Cameron, Jackson Shaw and others would probably not think about provisioning in this manner, there are many enterprise customers that would think it was a sane approach.
I like when bloggers provide insight into topics but really hate when they assume we don't care about the detail. I would love to see the exact documents that he refers to (in a sanitized way) and not just summaries of what they contain. If anyone else has copies of federation agreements they have used, I would love to see real copies.
Sure, the answer is always quantity over quality. Does it make sense to bring on even more folks to build SOAs incorrectly? There are very few high quality sources of information in the form of books in the marketplace, and the analysts are providing horrific guidance. This feels like a case of adding more people to a late project and making it later. Joe McKendrick and others should lead with enumerating the competencies required and not just the count.
I couldn't have said it better myself...
Cell Phones are Evil and tamper with work/life balance...
In high school, I worked for Cigna where I noticed that there were a lot of IT professionals who didn't have a college degree in IT and concluded that what you have your degree in doesn't matter as much as simply having a degree. I rationalized that the degree was something one achieved simply to satisfy arbitrarily specified HR criteria and served little other purpose.
Applying this same set of thinking, I knew early on in life that I needed to have the same thing in terms of communications when it comes to phones. Whenever you apply for a credit card, visit a business in which you are a consumer and so on, it is mandatory that you provide them with a phone number. The challenge is in convincing them that they can call you for purpose X but not for purpose Y. In fact, once you give up your phone number, it may be passed along to other parties in the due course of business.
My solution to this problem is simple. I have a phone number, listed as primary in the phone book, that I give to anyone simply to satisfy the fact that they require one. That number is never answered and the only thing connected to it is my DSL line. If you want my phone number, I will give it to you, but I don't have to suffer the Pavlovian effect of checking to see who is calling. I don't even have voicemail connected to it and therefore won't waste time reviewing it later.
For those who will get it twisted, I do have another number such that friends, family and other folks such as my kids' various teachers can reach us. Only twenty or so folks outside of family have it and even if it is leaked, I have a second protection mechanism to avoid the potential of Pavlov.
Many phone companies allow you to program the numbers of other phones so that they produce a different ring. So, if my parents call me, I don't even have to look at caller ID and can simply pick up the phone, while if it rings for others I may look and respond accordingly...
Wednesday, September 24, 2008
Enterprise Architecture and Confrontation Management
Perception is reality, yet many enterprise architects suck at managing it. The one question that we haven't asked ourselves is whether management of perception has gone overboard. Would Wall Street be very different if folks stopped worrying about the perception of stockholders and instead paid attention to the reality of finance?
Good enterprise architects do some perception management, but it doesn't consume them. While perception management is important, confrontation management is more important. The best enterprise architects I know are great at exerting pressure, saying no at the right times to the right things, and starting and winning fights when necessary.
The need to be collaborative is important, but the need to be assertive is more important. To get the right price from software vendors, to build great high quality working secure software, to reject bad work, to criticize a strategy and to defend those who are correct but not popular requires being assertive.
Way too many folks (especially those who call themselves leaders) will do almost anything to avoid confrontation. They may see expressing any displeasure as dangerous or shameful. Nothing could be further from the truth.
What would happen if enterprise architects started to quantify the cost paid for fleeing the good fight? This would include everything from hours spent correcting underlings' work (rather than sending it back) to being perceived as a weak leader who tolerates mediocrity...
Holistic IT Security Thinking is non-existent in most enterprises...
It is vital to acknowledge that holistic thinking requires strong technical leadership, something that is lacking in most enterprises. Let's be honest, how many IT executives are technical? If Gunnar Peterson, Mark Curphey, Robert McIlree and others were to be honest, they would acknowledge that while building security upfront within enterprise architecture is cheaper, in all reality it would take true IT leadership (distinct from management) to recognize when it actually occurred.
Consider the fact that many enterprise architects aren't even technical, with many never having written a single line of code in their entire life. Do you think they, combined with the plethora of non-technical process weenies (aka project managers), would recognize a high quality secure architecture from a less optimal one? Many within the enterprise make the mistake of simply thinking it is a matter of bringing on expertise at the right time and rationalize their thinking by pontificating that no one can know everything! Reality says that this approach is doomed from the start, in that a project manager is rewarded for delivering anything that will be accepted by business customers. Since security isn't visible to most business customers, security architects will never be permitted to do anything that Gunnar and Mark suggest.
Another viewpoint says security professionals are best positioned when security becomes visible. Usually this happens at the expense of the enterprise and the loss of their customers' personally identifiable information. The HR reward systems are still based on heroics and not integrity or prevention. If I do a good architecture or bad architecture within my own job, how many of the folks that have the ability to express their two cents on my annual review could possibly recognize the quality or lack thereof? Yet if something bad happens and I fly in to save the day, it is visible to all.
In terms of my own day job, I have a healthy balance of proactive and reactive, but I bet you can predict which one will make me more money...
Tuesday, September 23, 2008
How many fingers are required to count the number of clueless IT Security Professionals?
Mr. Barr stated:
The problem I have had in the past communicating with "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" is that none of them could give me examples of what they were talking about in code. Therefore, as resources, they were of limited use.
- I think if more of the "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" had real-world experience actually implementing what they mandate, and provided demonstrable examples, that would go a long ways towards closing the gap.
- I had to teach the "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" how Apache worked, how the web services stack worked, how Tomcat worked, how Spring worked, what AOP was and how it worked, etc. ... in hindsight, it probably would have been easier for me to become a "full-time security professionals (i.e., CISSP, SSCP, CISM, CISA, and numerous GIAC certifications)" and approve the framework myself.
Monday, September 22, 2008
OWASP Hartford: September 2008
Haven't yet figured out why the headcount is low from employees from IBM and Sun though...
Predictions on how Indian Outsourcing will be affected by recent market gyrations...
When American companies lose money, they start to tighten their belts and find ways to accelerate expense reduction, where outsourcing to India is one potential solution. The challenge in India, though, is that as the US dollar declines, it becomes more difficult to support the salaries of higher-end IT workers in India, and they too will have to practice expense reduction.
If you are in India and have crossed the five year mark and more importantly have transitioned out of being technical to become a form of middle-management, then you can expect your job to be in jeopardy. Indian outsourcing firms will have to leverage the same playbooks as American companies in the 90s by cutting out folks in the middle.
My prediction also says that India will need to eliminate many of those who are truly talented and were compensated for their abilities, replacing them with freshers who are cheaper and available for half the salary.
Unlike America, which used to have a culture of the employer caring for their employees, India never really adopted this way of thinking and will think of its talent as more expendable. Executives in India will figure out ways to make folks work more, get paid less, and ruin any opportunity for work/life balance.
The key is whether folks in India will avoid repeating the mistakes of American IT workers and seriously consider unionizing...
Sunday, September 21, 2008
People don't kill people, Cell Phones Kill People...
Maybe the best way to get something straight is to also twist titles to fit a purpose and align with their thinking. Let's start with an analysis of the responses:
- I’m reachable 24×7 on my cell phone, but that doesn’t mean 1) I’ll answer it, 2) that work has any right to call me outside about 7:30-18:00.
- Actually, this is a misnomer. Yes, a lot of open source software is written without ever meeting, and I’d be the last person to want to be in the same room as RMS, but I can attest that the really big, successfully run projects all have in-person meetings on a regular basis.
- Time management is an active task and something that is especially difficult for people in the United States. For example when a project manager told me that he was working “100 hours a week”, my instant response was not “wow, you are busy”, it was “wow, you must suck as a project manager”.
The one aspect though that is backtestable is that 25 lives in California would still be here if some stupid conductor weren't focused on his freakin phone. Good to see that one employer has started the trend in banning them...
Saturday, September 20, 2008
Making a difference in a sustainable way...
Friday, September 19, 2008
When was the last time you ran across a holistic IT security professional...
This week, I had the opportunity to speak at IT Security World on SOA and Security. My opening question was to ask attendees how many of them believe that security needs to be looked at holistically, and lots of hands were raised. I then asked if they thought that holistic included software development, and all the hands stayed up. I then asked how many of them actually had a software development background, and pretty much every single hand in the room dropped.
Mark Curphey and Gunnar Peterson have blogged that security being 90% focused on breaking and 10% on building is just plain bad. A quick analysis of why this occurs is really simple: to be a builder, you must understand how to write software, while to break software you can get away with a simple operations/infrastructure background.
Gunnar and Mark, do you really think that the masses of security professionals will be willing to throw themselves under the bus by acknowledging that they may not be qualified to defend their own enterprise against future threats? Do you understand how long it takes not just to learn a language if it is your first, but to actually become competent in it? Do you think it is wise for an enterprise to wait around for security people to learn, no matter how motivated a handful of them may be?
To refine one of Gunnar's comments: When was the last time you saw an attack drawn out as a UML sequence diagram? Let me be on the record and say that I am guilty of not doing this either, but I have a valid reason. First, I absolutely despise sequence diagrams and prefer activity/swimlane diagrams instead, as they clearly show who does what along with the boundaries. I have encouraged folks, especially those who draw process flows, to choose this notation over more simplistic sequence diagrams.
For folks who want to truly be a holistic security professional, I personally endorse taking Gunnar's course at the upcoming OWASP conference. The challenge, though, is figuring out how to convince IT executives that the folks who currently consider themselves security professionals aren't really practicing anything more than network hygiene and that there is nothing holistic about their approach, regardless of what they tell you...
Thursday, September 18, 2008
The Youngest Victim of IT Outsourcing
One of the responses received:
- You see, when you think outsourcing, you're thinking about a phenomenon that is a conclusion of the way the world economy works, and that mechanism was not invented by India or any 3rd world country in any way. Put people in front of a mirror, have them think of every time they voted for a right wing, capitalism puritanist conservative candidate in the US for president, and you'll start finding true answers and responsibilities...
Another response received was:
- Metrics and numbers and results are all part of the new world model we have to follow in order to keep any respectful company in the market.
Interestingly enough, I expected folks from India who are part of the outsourcing ecosystem to be more passionate than any American regarding the loss of a child, until I received this response:
- I see it can be tied to the choice of taking long haul flights, travelling with children still at the age of breastfeeding for over 10 hours in cramped spaces; lack of medical training for air crews; lack of full medical kits on board; lack of airside doctors being available; lack of emergency procedures for illness, especially for the small or infirm; lack of compassion and tact from the airlines and airport; lack of attention from the parents who know none of the names of anyone - cabin crew, doctors etc - who were involved in their child's issue; the parents' placing the blame on "we should have had an ambulance take us from the airport for resus at the hospital"...even though the child had been declared dead before it had even left the aircraft.
I have never worked for nor with Infosys, and have never met Mohan Babu K. nor any members of his family, but as a human I still grieve for his loss. I guess I am a dinosaur for responding with my heart instead of my sterile, indoctrinated, repeat-after-me best practice answer...
Wednesday, September 17, 2008
Does this make me a liberal or conservative?
One of my cousins is a recent graduate of a nursing program and has started to learn first hand how people suffer and die because of HMOs, big insurance (Aetna, Cigna, United Healthcare, etc.) and pharmaceutical companies (Pfizer, Merck, Bristol Myers Squibb, etc.) and their decision making process. They are, by law, beholden to their stockholders and the bottom line, and therefore have an ethical conundrum in that at times they have an incentive to deny needed care in the name of profit.
I am not for government healthcare because it suffers from much the same problem as the current system. The government is also beholden to many of the same financial burdens. Imagine if the principles of open source were applied to healthcare, where HMOs had to make their business rules publicly available in a well-formed XML format that could be inspected by others. Imagine a consumer being able to use an open source rules engine such as JBoss Drools to proactively tell whether a claim is going to be approved or denied. The current model requires consumers to expose themselves to financial risk, as they don't have a clue upfront as to their own liability.
Good governance is also required, in that disputes should have an SLA attached to them. Consider the scenario of James Robertson being admitted to the local hospital for a mental disorder while his healthcare provider decides it doesn't want to pay claims. While James Robertson couldn't figure out how to leverage a business rules engine since he uses an antiquated language known as Smalltalk, he could at least demand that a response come back within, say, four hours versus the unknown/unbounded timeframes that exist today.
What if society at large were able to define the actual rules instead of actuaries in each of the HMOs? Folks could define four choices that HMOs would simply implement and determine the price associated with each set of rules. Consumers would know exactly what they would get upfront when paying premiums and be able to make better informed healthcare decisions. Likewise, the decision making process would also be normalized such that all HMOs would provide the same answers in the same situation...
How you can create your own foreign policy and increase IT security...
Check out the OWASP lending team, and learn more about lending teams on Kiva in general, by clicking here...
Thoughts on Basel II
Within many enterprises, the notion of a common message format is all the rage within enterprise architecture. The thought that an enterprise can have a global taxonomy such that all of its systems can talk to each other while avoiding semantic integration headaches is the goal. So, how come Basel II folks didn't consider a taxonomy for describing risk reporting?
Do we think we can understand risk throughout the planet if there is no taxonomy that everyone uses? The word risk itself has many different meanings to different enterprises. For business people, risk is an omnipresent feature of life, an attribute used to calculate potential returns or losses in investments. Many business careers are made by taking risks. For an IT person, risk is something to be avoided at all costs, the result of flaws in architecture that lead to vulnerabilities and loss. Many IT careers are lost by taking risks.
So, wouldn't it be cool if OASIS, or even OWASP for that matter, got together a few of their best and brightest and figured out how to describe the notion of risk within XML? Unwavering clarity around reporting of credit, market, operational incident, loss events and IT architecture all need one way to be described in order to be exchanged without semantic loss of fidelity.
Imagine if those of us within the insurance vertical could encourage all those actuarial types we work with to noodle on creating such a specification along with us in an open source way. The insurance vertical is best positioned to nail this challenge, as they best understand risk and the elements of it such as incidents, events, losses, claims, exposures, forecasts and reserves, since this is what they do all day, every day...
Tuesday, September 16, 2008
Will you be attending OWASP NYC AppSec Conference?
If your budget allows for you to attend one last conference this year, I highly recommend that you spend it on OWASP NYC AppSec 2008 Conference. If you have already registered, I would love to meet up with other bloggers in attendance. Finding me won't be too difficult as I can stand out in any crowd...
Monday, September 15, 2008
How should I celebrate?
Sunday, September 14, 2008
Will you be attending IT Security World in San Francisco?
If you will be attending, I will be staying at the conference hotel and would love to hook up with other bloggers...
Saturday, September 13, 2008
Enterprise Architecture: Is this a good idea?
So, if you have questions regarding enterprise architecture, application security, SOA, open source, OWASP, outsourcing or any other topic that I have blogged about in the past, I will redouble my efforts to provide more commentary.
I do ask that bloggers use trackback/links instead of leaving a comment in order to aid in transparency as others will be able to also see not only the question but the answers provided in a seamless manner.
Even James Robertson, Robert McIlree or others are welcome to ask any question they desire...
Friday, September 12, 2008
Enterprise Architecture: The lost art of informal communication...
The more informally a team works, the less the strain on management to keep track of things and micro-manage activities which is usually the first sign of a project death spiral. To encourage informal communication, team building and team dynamics is absolutely vital.
Maybe enterprise architects need to stop worrying about perception management and instead adopt the practices of a gadfly. A gadfly is someone who goes about asking questions that stir thinking and discussion. Some folks are just natural gadflies and are prone to think outside the box and throw out unconventional ideas from time to time, which ultimately leads to the innovation that the business desires of IT.
When was the last time you had a conversation with the business that you deeply enjoyed? How about the last time you had a conversation with your boss's boss that you truly enjoyed? Maybe enterprise architects need to refactor their thinking and not just processes and code...
Thursday, September 11, 2008
Are vendors distorting the value of identity management?
Identity management is here, but it doesn't solve most of our problems. It is expensive and forces processes on large enterprises that honestly don't belong there. Identity management and the processes around it shouldn't be the responsibility of enterprises but of vendors.
Imagine what would happen if Kim Cameron, Nishant Kaushik, Pat Patterson, Jackson Shaw and others started to outline and conclude that identity management is a process for identity providers and not enterprises. Why can't an enterprise outsource the identity problem to some specialized provider while focusing more on how it can be made reliable? Wouldn't it benefit enterprises more if there were not only standards but actual implementations within existing products that support notions of verification/vetting and indemnification?
What would happen if there were an industry standard way of measuring the amount of customization required to make identity products work? What if Gartner didn't hype vendors but instead figured out how heavily customized, extensively configured and sometimes even hacked these products are in order to adapt them to most enterprises?
What is more amusing is that most identity management software is vulnerable to common attacks. It is very sad to see security folks actually purchase insecure software. Does anyone have any evidence as to whether the product managers of these firms are familiar with OWASP? What if OWASP were to make public the vulnerabilities of the respective products, or at least enable others such as Gerry Gebel, Dan Blum and Bob Blakley to see basic vulnerabilities during the interoperability challenges at the next Catalyst conference?
Anyway, enterprises should solely focus on being really good relying parties, while the industry at large figures out how to create reliable identity providers. Until this happens, enterprises are forced to manage identities and are participants in the hype cycle...