Thursday, October 30, 2008
OWASP Hartford November 2008
We will have Matthew Barach, ESQ of the Boston Privacy Group discussing legal aspects of web application security and Terence Spies, CTO of Voltage discussing identity-based encryption.
All OWASP meetings are 100% free to attend. This will be the last meeting for 2008. We will also be making the meeting available via audio conference call, so that others can also listen in. To learn of upcoming events, subscribe to our mailing list here.
Do your part to help make application security visible by forwarding this information to others...
Wednesday, October 29, 2008
More Links for 2008-10-29
The marketplace has declared Smalltalk a dead language! Someone better tell James Robertson...
I suspect that employees of Wipro, Infosys and Cognizant who are bloggers will exercise their right to remain silent on this topic.
While we need to acknowledge the hoops that some poor slob within IBM had to go through to get this mental shift to happen, we also have to acknowledge that staying on Notes is generally a bad idea. The marketplace has chosen Exchange and IBM is late to the game...
Consider the benefits to IT in being eco-friendly. Global warming is reality in the same way that perception is reality.
Links for 2008-10-29
I have yet to come across a "security professional" I can't send packing after speaking 3, simple words: "Show me code."
Pakistan has no money, no energy, no government but has neighbors that are more prosperous than them. The character of a nation is demonstrated by the urgency of action to help their brothers.
The increase in labor salaries in offshore locations, which has been narrowing the gap with U.S. salaries, says that folks in other parts of the planet are benefiting from short-term games but otherwise committing long-term slow suicide.
Being sensitive and kind doesn't move us forward, but it makes the journey more pleasant.
A good event run by a great person. I wonder how well received it would be if I did a presentation entitled: Ruby Derailed: Security Worst Practices.
I never really liked the game but find it fascinating to watch others play it. In many ways, it is more gentlemanly than golf.
Tuesday, October 28, 2008
Enterprise Architecture and Cloud Computing
James Governor published research through the eyes of a vendor, while Jeff looks at things through the eyes of customers. In order for industry analysts to not have daggers thrown at them, they have to understand the distinction between who pays them to create research vs those who consume research.
Cloud computing has several characteristics that industry analysts continue to ignore. Consider that if an enterprise wants to move compute power to the cloud, it may also need access to data, which goes above and beyond simply poking a hole in the firewall and/or applying encryption. How about talking about which industry standards should exist prior to deployment to prove that data is not only encrypted while in the cloud but is certified as destroyed when no longer required?
Do clouds need to participate in federated identity? What about the authorization model used to secure services within the cloud? Is XACML the right specification? Instead of worrying about what operating system the cloud runs, how about talking about the methods in which enterprises can build applications that are operating system agnostic?
40-page requirements documents are still needed because the industry hasn't figured out a complete yet concise way of describing the notion of a service-level agreement. I wonder if James and Jeff believe that, instead of throwing daggers at each other, they have some duty to actually help get this type of industry standard off the ground to enable proper cloud computing ecosystems...
Monday, October 27, 2008
How many enterprises train their developers on how to write secure code?
On Friday, I had a conversation with Derek Slater, Editor in Chief of CSO Magazine. One of the things that I would have loved to suggest for him to explore is that one of the reasons the blackhats are beating out the whitehats is that enterprises aren't actually training their developers to write secure code. What would happen if their sister publication, CIO Magazine, asked Esther Schindler to write an article on why CIOs are missing out on important opportunities to actually secure the enterprise by simply encouraging their staff to attend local OWASP chapter meetings?
There is a huge disconnect between software development and security in most shops. I bet it wouldn't be difficult to find a CSO who can use the word holistic in a sentence but otherwise hasn't yet figured out that security includes software development. Wouldn't it be fascinating if CSO did a simple survey to see how many enterprises are teaching secure coding practices to their development staff?
Anyway, security awareness efforts prepare employees for more detailed assurance training. Awareness, a general understanding about the importance of information security, makes them more receptive to the targeted training that helps remove vulnerabilities associated with employee behavior. Chad Perrin of TechRepublic talks about the process but doesn't ever talk about the depth required in order to be truly sustainable or secure. For example, it is noble to talk about concepts around encryption, but there are lots of ways that it can be developed insecurely and cause bigger problems....
Sunday, October 26, 2008
Links for 2008-10-26
Todd Biske comments on what is required for successful Governance and keys in on the word behavior. I think it missed an opportunity to explain that governance is not about financial controls.
As I understand it, Nick Gall of Gartner will be encouraging his analyst peers to dive deeper into Windows alternatives as part of upcoming research. I also understand that Gartner will be publishing some of its 2009 research under Creative Commons. This is a positive step forward by Gartner and I congratulate them for their forward, innovative thinking.
I haven't heard back from Mark Wilcox of Oracle. I wonder if my latest responses to his questions were a little too painful.
Forrester has agreed to do the right thing and put open source projects in the same wave as commercial offerings. They have acknowledged that customers don't delineate across vendors as much as they care about solutions to the business challenge that can be implemented in a cost-effective manner. Now if only Gartner were to take the same stance.
Alan Pelz-Sharpe provides insight into which ECM platforms scale, but I wish he went a little deeper. He didn't talk about scalability of management. For example, can an ECM system be considered scalable if you have to provision individual users to it, vs. it being able to dynamically bind to and consume identity managed elsewhere? Another missing attribute of scalability is how it behaves in a transactional context. Maybe he will provide deeper insight in a future update.
I don't care where he is, but I do care that he is doing well. I recently saw him kick off and publish ECM patterns on the Documentum site. I really hope that Craig Randall and others will step up and also contribute.
If you work in a large enterprise, this list will be very familiar to you...
Saturday, October 25, 2008
Does James McGovern have something to hide?
To set the record straight, I am happily married to a female and plan on keeping it that way for a long time...
Friday, October 24, 2008
I am the recipient of the Blogs that Rock Award...
Enterprise Architecture Confusion regarding Buy vs Build...
Much of the waste within IT is attributable to worst practices and indoctrination coming from process weenies who love CMMi and outsourcing yet avoid discussing when is it stupid for us to buy things.
Let's start by acknowledging that an enterprise should buy a product only when it decreases risk. If you don't understand how the product works, or if you don't believe claims about its capabilities, then don't buy it until those issues are settled.
Likewise, buy the simplest, cheapest product that meets your needs. Don't buy expensive products with lots of features you don't need, even if you think those features might be useful someday. We sometimes get excited by Gartner Magic Quadrants and spend more money than we should. In fact, an enterprise may want to consider avoiding Gartner top quadrant products as they have a higher TCO than ones that aren't leaders.
More importantly, you need to remix your thinking and acknowledge that open source belongs in the buy side mentality. While you can avoid the arduous mind numbing negotiations around seat-based licensing, you can focus on getting something deployed in production that meets the business need a lot faster. Of course, you should consider buying support not just from the vendor itself but also in terms of contributing back to the community...
Thursday, October 23, 2008
It's 2008, are you still using Smalltalk?
While there are still some holdouts, I wonder if anyone in IT has started writing a new Smalltalk application from scratch within the last two years? Of course, there are folks who have used it to write quick utility applications, but I haven't run across any that would be enterprise in nature.
Smalltalk seems to be second class when it comes to modern approaches to security. Notice that Smalltalk doesn't support many of the WS* specifications for web services? From what I can tell, Smalltalk also doesn't support CardSpace, OpenID, XACML or even some of the latest approaches to cryptography such as identity-based encryption.
So, if you still develop in this language, I would love for you to trackback and share why, or tell us why you have migrated elsewhere.
Wednesday, October 22, 2008
Do the majority of folks in India realize they are the reference implementation for worst practices?
If you acknowledge that India has lots of programmers but few developers and that in a couple of years the masses of programming will occur in India, then you could also conclude that they have more than their fair share of average folks who pound out average delivery. There are approximately 2,000,000 working software managers and developers in America. Currently, there are 200,000 additional job openings. These figures indicate a negative 10 percent unemployment rate.
When you apply the same thinking to the American economy, we could jumpstart it by simply acknowledging that half of these programmers could be terminated without any software projects missing any deadlines. Skilled programmers are essential to the success of a software project. So-called "heroic programmers" are exceptionally productive. As few as one out of twenty programmers have this talent. They produce an order of magnitude more working software than an average programmer.
Studies have shown that the size of a project team is optimized when there are no more than four developers. Imagine what would happen if American companies insisted that there be a reduction in headcount from their offshore team until this target was reached. Would quality improve if India eliminated the average? Is there enough integrity to do the right thing for clients?
Tuesday, October 21, 2008
What is your definition of marriage?
Today's blog isn't going to touch the issue of whether a man forming a union with another man is morally right or wrong. We will however look at some questions that deserve answers.
If the traditional commonly accepted definition of marriage is between a man and a woman and now others want to hijack this definition, who is busy working on a word replacement? Can we agree that the dictionary should have different words to describe the distinction between a man and a man vs a man and a woman?
What I find really confusing is how others are stupid enough to believe that the argument is all about bigotry. As a minority, I want to kidnap and hand out beatdowns for folks who equate their struggle with those of other minorities. I am a big believer in one's freedom of speech. Likewise, I also believe that many need to exercise their right to remain silent. I can't simply wake up tomorrow and declare that I am Chinese and folks won't truly know my ethnic origin, but others can simply shut up and others won't know.
Shouldn't the definition of bigotry include a financial measure of those who, from a measurable perspective, have had financial harm at the macro level done to them in the past and even in the current state? I am equally curious why folks are ignoring the biological aspects of the argument. The first commandment, whether you are a believer in Judaism, Islam or Christianity, is to be fruitful and multiply. Besides, society as a whole is built on this principle. If you need proof, simply noodle the Ponzi scheme known as Social Security and note that reproduction is required for our country to sustain itself.
I guess as a society we have managed to allow others to hijack many terms. I was watching the news the other day and noticed how the word Semite has also gotten twisted. It used to describe a person from a region of Africa. Nowadays, I have no clue as to what it really means. On the news, there was a guy of European origin calling a dark-skinned Muslim from Africa anti-Semitic.
Maybe, I need to get with the program and get my significant other to call me anti-James McGovern...
Monday, October 20, 2008
Enterprise Architecture and Why you are an idiot for voting for John McCain
Kennedy, if I recall correctly. Anyway, the first presidential race with television as a factor. One candidate had good hair (and to an extent, makeup). The other claimed that looks were irrelevant to doing a good job as president. You can guess which one won. Presidential elections in general show a strong tendency to elect the taller candidate as well: nearly all of them since 1900. One exception was George W. Bush, and he lost the popular vote.
Sunday, October 19, 2008
IT Security Professionals, PMP and the Process Olympics
Of course, we would seize the opportunity and ask him the following:
- Please hire me as a member of the US Olympic Cycling team... I have a certification in bicycling... ...see here? It's all embossed and everything...
Sadly, what works in Indian outsourcing is starting to work in America (process as a substitute for competence)....
Enterprise Architecture and Another Disturbing India Outsourcing Trend...
Americans send their work to India. Indian companies hire Indian developers. The Indian developer is given a job and then jumps onto an American forum and asks them to help him write his code.
Frequently the questions are not 'I've tried doing "x" and I'm having a problem with this, how do I make this work?'
Instead they are ' I need code that does "x" who can give me the code?'
My fellow Americans are a lot more cordial than I when it comes to responding to these types of requests. The typical answer from many in the open source community is that we are there to support people, not write their code for them. But it is an indicator of the lack of knowledge and experience that exists in India and how stupid American corporations are thinking that they are getting a "deal"...
Saturday, October 18, 2008
How Oracle can help you write more secure code...
Let's analyze his response to see if additional insights will emerge...
- First - make sure to read and check back with the Oracle Secure Technology Center. This is basically a one-stop place for all of our security information. Oracle covers everything from OS to applications. And this location covers that breadth with links to deeper dives.
- Second - our Chief Security Officer Mary Ann Davidson has been trying to get developer education ecosystem (e.g. CS programs and their cousins) to do a better job of teaching secure coding. I believe she articulated the problem very well in her post - "The Supply Chain Problem".
- Fourth - if you do anything with the database- David Knox's Effective Oracle Database 10g Security by Design is still the go-to resource. It's book #2 on my tech shelf- after my own (me being first is mostly a vanity thing :)).
- As an addendum - if you are writing code in ADF you should check out the new tutorial based on the new demo application - "Fusion Order Demo" . Besides learning all of the cool things ADF/JDev bring to the table
Friday, October 17, 2008
Celebrating India's currency decline
Several years ago, I decided to use my blog to counter the conspiracy of Indian outsourcing while focusing on something that employees of Indian outsourcing firms themselves have outsourced which is the global support for making poverty history. In India, you can feed 100 school children for only $25.
Imagine what would happen if every person from India reading my blog figured out a way to personally donate to a charity I endorse: Undavum Karangal, which I was turned onto by several employees of Cognizant. Sadly, employees of Wipro and Infosys remain disturbingly silent when it comes to encouraging individuals at their firms to help end hunger not only in India but in other parts of the planet.
Anyway, I already sent my check to sponsor both Eid celebrations for 2009 in India...
Links for 2008-10-17
I have been having a dialog with Mark Wilcox. It would be great for others to join this dialog.
Gunnar Peterson posts the link to his OWASP presentation. I got to see it in person and encourage others to check it out as well.
Good to see Microsoft sponsoring conferences not just for IT executives but also software developers where the cost to attend is zero. I wonder whom I would need to work with from Sun, IBM and EMC to create a similar event on my side of town? I have been noodling holding the Hartford TechFest 2009 on our own campus. All I need is a few vendors to reach out to me to assist in making this happen.
Ashish Jain provides insight into how Ping supports federation with salesforce.com. I wonder if he would be willing to point out which of his competitors also provide the same functionality and more importantly which ones haven't yet stepped up? I wonder if Pat Patterson has made sure Sun has included this type of functionality in their offering?
If there is any truth to this assertion, this could be the most boneheaded braindead thing that IBM could do (other than of course outsourcing to India).
Thursday, October 16, 2008
Project Management in India
Wednesday, October 15, 2008
Blog Action Day 2008
If you don't have a clue as to how you can help, may I suggest you visit Kiva and participate in the concept of microlending. I have been participating for about one year and encourage others to do so as well.
If you want to see my profile on Kiva, click here...
India is second-class when it comes to IT Security...
According to ACIS Professional Centre president Prinya Hom-anek, the eight economies in Asia Pacific that have at least 200 CISSP members are South Korea with 1,991 members, 1,315 in Hong Kong, 935 in Singapore, 923 in India, 898 in Australia, 883 in Japan, 400 in China, and 244 members in Taiwan. Thailand has 98.
When it comes to pursuit of other IT certifications related to security, India is even further behind. When you consider the fact that the CISSP exam is a mile wide and an inch deep, folks in India should be able to pass it with ease, but the numbers reflect otherwise. Did you know that out of these otherwise abysmal numbers that the majority are held by Cognizant and that Infosys and Wipro are a distant second and third? TCS, HCL and Satyam numbers aren't even worth mentioning...
One could read into the numbers and assume that there are lots of junior folks practicing security in India who don't even understand the basics, and that large enterprises may do better looking to another outsourcing destination...
Tuesday, October 14, 2008
A hedging strategy for a turbulent market
Kiva, a site that focuses on microfinance may be the ultimate hedging strategy. By diversifying one's risk to third world countries, you can not only help others make poverty history but could also help preserve your own capital if there is ever a run on US based banks.
Here is a link to my Kiva portfolio...
Monday, October 13, 2008
Enterprise Architecture: Does CMMi encourage worst practices?
It is important that Architects stop embracing hybrid thinking, as this is a mental disorder. While the primary purpose of the quest for process quality is product quality, the theory that the quality of a product is dependent on the quality of the process used to produce it is flawed. Of course, if you look hard enough, you can find relationships between any two observations. For example, did you know that the price of tea in China correlates well with the quality (or lack thereof) of code written by Indian outsourcing firms?
There is a distinction between product quality and process quality. Process quality focuses on the ability of an organization to meet budget and schedule commitments. Having documented, repeatable, measurable processes helps with estimation. Software quality is not really the focus, except that an organization must be able to predict when the product will have a sufficiently high level of quality to be considered "finished" and an organization that makes good estimates won't find itself in a position where it has to change plans and trade quality for time or money.
Ever been to McDonalds? Bet you didn't know that they are CMM Level five? Does anyone think that McDonalds product quality is high? I wonder what the relationship is between flipping burgers at McDonalds and the quality of code produced in India?
Sunday, October 12, 2008
More James McGovern Q and A
Let's look at one of Mark's quotes: "Let's take a step back here. Sun did not open-source LDAP :). They have an open-source project that wrote from scratch an open-source, storage-based LDAP server in Java." This says that Sun appreciates that open source is not just about dumping dead products on the market, but understands that participating in a larger community has immense value. Sun showed leadership in allowing the community to make the choice of how the product will evolve without the overhead of sales folks filtering out ideas before they reach product managers. Now, let's compare this line of thinking to Mark's comment: "At the moment we are still able to grow the adoption of OVD (and OID), are able to improve upon the core product via customer feedback and have a plug-in API that allows for customers (whether themselves, partners or Oracle consulting) to extend the product to meet their needs - so I don't sense a valid reason to open-source OVD." Does anyone see a difference in openness?
Here is another quote from Mark: "Microsoft has produced open specifications, a few examples and started the Information Card Foundation (which we are a member of) to help drive adoption of Information Cards. I would argue we are on the same path on IGF via Open Liberty." Of course, he conveniently misses talking about the fact that Microsoft also funded implementations of information cards for platforms such as PHP and Java, languages obviously non-Microsoft. So, can we expect Oracle to fund IGF libraries for non-Oracle languages such as Smalltalk, Ruby on Rails and .NET?
Mark also previously blogged on How Oracle can help you write more secure code. I wonder if he is familiar with the Open Web Application Security Project? Notice that Microsoft and IBM are sponsors? Notice that Oracle is not...
OWASP Hartford 2009
I am busy shaping the 2009 agenda and hope to have the first few meetings planned shortly. If you or someone you know is interested in speaking at or sponsoring upcoming meetings, please do not hesitate to leave a comment.
Presentations on the following topics are of special interest:
- Incorporating identity 2.0 into BPM and ECM applications
- IT Security Worst Practices
- Security Metrics
- Hacking Cardspace and OpenID
- How to become an entry-level IT security professional
- Hacking mainframes
- Clickjacking for fun and profit
- Outsourcing secure software development
Enterprise Architecture and Coding Standards
Ask yourself, is it a best practice or worst practice to impose coding standards from one language on another, e.g. requiring variables to be declared at the beginning of a method in Java, because that's how you do it in C.
Every method should have a header comment describing all parameters, callers, and callees, which of course causes code bloat and massive header expansion. Over time, the more code that needs to be parsed results in longer compilation cycles, which results in more resource usage, which results in increased server and desktop costs and slower release cycles to deliver valuable working software.
Worrying more about the placement of braces than about the clarity of the code. How many code reviews focus on aesthetics vs. structure? Does the hacker who wants to steal data from your web application really care about curlies? I bet they do care about developers not paying attention to security, such that they can exploit SQL injection, cross-site scripting, etc.
Saturday, October 11, 2008
Are Project Managers at the Root of Bad Software?
Outside parties promise to take a portion of the work, work on it in absolute privacy, and emerge with complete code. Outsiders want money (as usual), control over the project, or to be credited with saving it. Hire an Indian outsourcing firm to complete a specified (or worse, unspecified) portion of the work. On delivery from India, dictate that the work is complete and only needs to be integrated by the main team.
Lack of communication, lack of skill, lack of disciplines such as testing and reviews, and other problems cause Indian outsourcing firms to repeatably create, as a "best practice", masses of useless code. The code is unchecked and assumed finished, out of optimism, as soon as it is delivered; or, even worse, as soon as it is promised. The useless code causes bizarre and unnerving schedule slips, since it was already marked as "done".
Have you observed this phenomenon within your enterprise?
Friday, October 10, 2008
Indian Outsourcing: The antipattern of developers turned managers...
A good start is to realize that Managers are not likely to be good Developers and Developers are not likely to be good Managers. For the most part our brains are wired differently. The problem is that HR departments think that people are plug compatible and that "weaknesses" can be "fixed" by training courses and a certain amount of browbeating. It is time to accept that human beings are irritatingly, annoyingly unique and you cannot force a human being into a particular slot. Instead you have to get the right person in the first place and allow them to do what they are good at. Yes, it's difficult, but those companies that crack it will be the most successful.
Here are some of the ways in which management is different from development:
- Focus upon the future, rather than upon current activities.
- Paying attention to what everyone is doing, rather than what you are doing.
- Breadth of knowledge is far more important than depth of knowledge in any one subject.
- Constant interruptions and gear-shifting are part of the job, not just an unwanted distraction. Managers generally can't lock their doors and unplug their phones.
- "People skills" are much more important.
- Interaction with lots of people with lots of different jobs and opposing viewpoints, rather than interaction with other developers.
- Acceptance of responsibility for others' mistakes and shortcomings (OK, I acknowledge that most managers nowadays don't truly accept responsibility and prefer to throw their reports under the bus).
- Need to make others succeed, even when the others don't care themselves (At least to the point where we can relabel mediocrity success).
- Often have to find the least objectionable solution (based on other people's evaluations) rather than the "best" solution (based on personal evaluation or even something like architecture/conceptual integrity).