Enterprise Architecture: From Incite comes Insight...

I have been spending lots of time lately on Facebook...

Facebook is a highly extensible platform which allows for outsiders to write applications easily to integrate. I wonder if anyone has ever thought about the design patterns used and more importantly how they can be applied within an enterprise context.

It is good to run across former classmates whom I haven't seen in twenty years. The fascinating aspect is it feels just like yesterday. No matter how much things change, many things still stay the same

Unlike the blogosphere, facebook allows folks to explore other topics without others complaining. I have found folks who talk about technology one minute and the price of tea in China on another.

Good to see so many folks from OWASP

Industry analysts are missing from the facebook conversation as well. Did we think they really had a clue?

I can't find a single member of my family that independently joined facebook. I would have thought that my nephews Nicholas James and his brother Ian would have joined.

I have ran across many faces which reconfirms that I made the right decision on December 3rd, 1997

In the military, there is an acroynm known as FUBAR. I have been curious to know if Grady Booch were to walk into a shop supposedly practicing the Rational Unified Process (RUP), would he actually recognize it...



One would have been much better off espousing the individual techniques that were used than claiming that the Scrum methodology was applied. Using only certain Scrum techniques and adopting only some of the Scrum characteristics may not preclude you from claiming you are agile. However, I would use this analogy to show why you cannot profess to be using true Scrum: Can you say you've made a batch of chocolate chip cookies if you leave out the chocolate chips?

Now, Let's focus on one Agile principle which is the notion of self-organizing teams. Now ask yourself, do you think this is even possible in the world of tainted governance? Consider that ducks when flying south for the Winter are self-organizing (Don't draw a mental picture of project management and all the quacking that occurs) or penguins. Did you know that male penguins stay in the middle of the antartic continent for months with an egg on their feet keeping each other warm? Self-organization requires leadership and sacrifice where very large enterprises are more centered around more selfish outlooks where it is rare that you are rewarded for sacrificing for the greater good.

Anyway, self-organizing works in that talent is not constrained to follow a pre-defined process. This is counter to the notion of governance and review cycles. I am an Agilist but also an Enterprise Architect who focuses on security, so the ability to live in an iterative world constrained by command and control is something I have come to grips with. Instead of sugar-coating my world, part of self-organizing is to acknowledge one's constraints and work around them accordingly.

Self-organization requires the ability to discover common passion kinda like pickup basketball games in the neighborhood. Two kids find they have the same passion and run with it. For me to be successful in the security space, I participate in OWASP which is the poster child for self-organizing teams. When my IT peers attend OWASP meetings, they tend to show their passion and we can all work towards a common goal.

Sadly, there is no passion in IT around other important domains. I haven't seen passion around approaches to BPM, business rules, ECM or even SOA. Sure, we can twist our false sense of worth in our day jobs with our grimace smiles into passion, but the results are transparent and we as a profession are failing. Self-organizing teams is what can best align business with IT for strategic competitive advantage...

Below is a quote from Robert Handler of Gartner:

“Succeeding with enterprise architecture is challenging. But if done properly, it provides a balance of quick, easy wins and amazing long-term business value.”

I bet if you were to substitute enterprise architecture with security, ECM, BPM, SOA, CRM, ITIL, CMMi, dieting, innovation, apple pie, car maintenance, brushing your teeth three times a day, paying your taxes, changing your underwear or anything else that comes to mind, this statement will still hold true.

Now, if you really want insight, remember to always have strong business buy-in and a sound ROI. Oops, you have to also remember to incorporate the phrase best practices into your daily vocabulary and you will be successful...

It's 2009 and I haven't participated in a podcast in a long time. Some of the topics that I would love to talk about are:

penetration testing vs static analysis. Are enterprises doing the right thing when it comes to security.

OWASP, why I participate, projects I like, where I think OWASP needs to head

open source. Projects I like, projects I would like to see embrace security, etc

industry analysts. A call to action to publish more under Creative Commons and to engage the community at large more deeply.

What technologies am I watching and why I feel they are important

Anyway, I have a few of them planned and you will be able to listen to me on your MP3 player shortly...

Master Helio Gracie, founder of Gracie Jiu-Jitsu passes at the age of 95. The world of Jujutsu express their condolences and sadness to the bereaved family, his wife Vera, sons Rorion, Relson, Rickson, Rolker, Royler, Royce, Rherica, Robin and Ricci.

Everything is important, but what is more important...



Bet your business analyst can't answer the above question. Is it because we are following the worst practices of CMMI and focusing on creation of comprehensive documentation while ignoring what is most important?

A flat-out specification list is not economical. This is because in reality the features actually requested are not all-or-nothing. Some are necessary and some are "nice to have". But because a specification usually makes no distinction, one will pay for features even if they are expensive to implement (and also skip features that may otherwise be cheap).

A more economical approach would use give-and-take, using a formula similar to:

rank = need / cost


This would reduce the probability of implementing expensive features that are not really needed or have cheaper alternatives. However, this also complicates the negotiation process. An all-or-nothing fixed-bid list is much easier to administer and compare across vendors/contractors and therefore the folks over in procurement help sabotage the business value proposition.

I have always found it curious why Indian outsourcing firms such as TCS, Wipro, Infosys, Satyam and Cognizant have never asked enterprises to change their model in this regard? It would only help them to deliver higher quality in that they do need to appear as buffoons who are clueless and/or overwhelmed when it comes to understanding client requirements and instead could learn and implement incrementally.

What am I missing?

Why the Looooong Resumes from India
An interesting perspective on the length of resumes from folks in India and the burden of arrival. Maybe one answer is for us American's to figure out ways to for us to help Indian's adjust to our culture. Of course, it requires folks from India to also ask...

What is a technology certificate really worth?
Bex Huff states: I feel that a college degree means you can learn, experience means you've made the typical rookie mistakes, and certifications/conference attendance means you're dedicated to continuing your education which is accurate. When was the last time you ever met anyone from India in IT that didn't have a degree? So, we need something else to discriminate and certifications becomes the next easiest target. I wonder how Bex, Joel Spolsky or others would otherwise suggest that corporate recruiters who receive tens of thousands of resumes filter them down to something more managable.

Static analysis space for GRC of SDLC using BPMS
If BPM vendors don't have a clue as to what static analysis means, does this mean that BPM platforms are an easy target for potential hackers? I wonder if Lombardi software, pegasystems and others suffer from the same lack of knowledge?

Application Security and Micro-financing
Roland Hesz amplifies a most important topic...

# posted by James McGovern @ 11:00 AM

Here are ten resolutions that every participant in enterprise architecture should strive to achieve...



1. Start building an alumni network. In case you haven't been paying attention, Indian outsourcing firms are now the biggest risk. We caught Satyam lying and the employees are bailing leaving your outsourced portfolio exposed. You are aware of how long knowledge transfer takes and therefore the smart option would be keeping in context with all those employees the enterprise was stupid enough to let go off to save you later.

2. Stop being the exception that enforces the rules. Enterprise architecture is not a police force or bearer of standards, CMMi, common message formats, etc. Enterprise architecture is all about enabling the strategic intent of the business and therefore should focus on people over process and innovation over foolish consistency.

3. Start scouting for key talent. How innovative can you be in an outsourced model when folks in India stop being developers in order to become managers in five or so years? Talent is best groomed in a local context.

4. Start preparing for the unexpected. Satyam, Bear Stearns, etc are all examples of companies not preparing for what happens when a key business partner goes out of business? What would you do if you discovered that Documentum DFS was the intellectual property of Insecure Architecture Anonymous who asserted a claim against your enterprise SCO style? Indemnification and agreements are meaningless if the other party no longer exists.

5. Start using social systems yourself, visibly. If you aren't on LinkedIn and networking with your industry peers, then you are an idiot. Think about the benefits of Wachovia employees who networked with their new bosses in advance vs those who didn't.

6. Start taking security seriously. From one seat, folks will think that regulations are a waste of precious capital while another side will think that we didn't have enough. Which side do you think will win the argument? If you haven't been paying attention to OWASP then you should, as it is at the cornerstone of many regulations such as the next version of Basel, PCI 2.0 and the Unified Compliance Framework.

7. Stop ignoring people and focusing on process. Your savage focus on process will collapse. You need to focus on immediate needs such as financial survival and spending money on things with nebulous payoffs such as ITIL and CMMi are questionable in today's climate.

8. Start offering your vendors a free lunch. Why aren't you demanding more of them? Instead of customizing, why don't you figure out how to generalize your requirements such that they can be leveraged by other organizations and demand that they be included in the next version at contract time. Influence is good. Having a longer-term outlook on the features you need and demanding them at contract time is better.

9. Stop fearing the future; start driving it. Let's face it, if you are looking at Gartner magic quadrants, then you are practicing history and not architecture. At some level, the historical revenue figures of enterprise vendors is important, but driving their roadmaps is more important. If you aren't engaging the vendors and demanding new features and thinking about them as an extension then you aren't doing your job.

10. Discover newer technologies to get experience of in 2009. New technologies may allow you to rationalize away multiple older technologies with one new one. The enterprise needs less products, less vendors and less people governing them and new technologies is the potential opportunity to make this better.

The next meeting of the Hartford CT chapter of OWASP will occur on February 10th and will feature Mary Ruddy of Project Higgins along with Ramesh Nagappan of Sun.

OWASP events are 100% free to attend. Help spread the word especially to folks who work for Cognizant, Wipro, IBM and Accenture...

Noted Industry Analyst, Brenda Michelson asks What does a must-attend event for enterprise architects look like?. I hope that the likes of James Tarbell, Chris Swan, Todd Biske, Scott Mark and others in the blogosphere will share their thoughts...

Of the elements I've included in the blue circle above, which are most important to you?

I care most about compelling topics more than the credentials of the presenter. Way too many conferences focus on those who have excelled at Toastmasters but otherwise don't convey much useful information (Gartner conferences come to mind). I rate peer interaction as a second consideration in that I tend to like to hear what others are up to directly from them vs hearing some analyst tell the story on their behalf.

For instance, does a "credible speaker" have to be high-profile?

Analysts are high profile but aren't very credible. Of course there are exceptions such as Brenda Michelson, the guys from Redmonk, the folks over at Burton Group, Nemeretes, The 451 Group and Entiva but otherwise this holds true. Doc Searls once asked: Which story is easier to tell? The story told by a well-dressed person who has a marketing budget and all the wonderful things they do for their clients or the story of a lowly developer and all the wonderful things he does for his employer but due to media relations constraints isn't allowed to talk about it. I would rather hear from the later as the easier is easy to hear without spending money.

I don't care about the CIO title or other figureheads where I might care about those whose are lower on the foodchain who actually get the job done. I guess I am not interested in best practice Gartner style handwaving and posturing. I want to learn something.

Would you be interested in a highly participatory, un-conference type format?

Interested yes, able to attend, probably not. Remember, we are constrained with worst practices. The challenge with an unconference is that my boss (figuratively speaking) can't proactively heist his leg and tell me what sessions to attend. It would require enterprises to treat their employees like professionals.

How about topics? What's of interest? Would you rather go broad or deep?

Enterprise architects have many painpoints. Imagine a conference where they could learn how to exert more influence over enterprise software vendors such as encouraging Documentum to include full SAML support without having to procure additional products or how to Microsoft to implement XACML libraries as part of .NET. Enterprise architects for the most part have risen from a technical background and the introductory topics related to process and metrics is somewhat boring, so I think depth is important. Imagine a scenario where there was a session entitled: The Hot Seat, where you can grill enterprise architects on any question related to their enterprise and they could only disclaim things that are considered intellectual property. While it wouldn't be so structured, it would afford opportunities to truly learn from each other. Yes, I would entertain volunteering to be grilled by others in the industry in a public setting without knowing the questions in advance.

Then, on the red constraints circle, what are you willing to put up with for a low cost, high value event? A 30-45 minute sponsor talk (pitch)? Follow-on conversation with said sponsor?

I am fine with sponsor pitches but the follow-on conversations are problematic. Do I want to pay money to attend a conference and use it to speak with a sales guy? I can do that for free. This also begs the question of who schedules the conversation? There is merit in me scheduling it with others, but in all honesty, if I have to be coerced into listening to a pitch, It will not provide value for either party.

Or, perhaps a no-frills approach? Bring your own lunch? Hosting a small gathering at your organization? Other ideas?

Well, this at some level feels a lot like OWASP where conferences are only $400 instead of thousands as they have cut out lots of the frills. Likewise, they also offer local chapter meetings which are free to attend. If someone wanted to organize a gathering of enterprise architects and can provide Pizza, I would most certainly help out with space...

Consumers will continue to loose their personally identifiable information whenever you encourage enterprises to focus on compliance...



Ever ran across an Enterprise Architect who thinks what they do is somehow related to the building trades? Sadly, the conversation has shifted away from more important topics such as the OWASP Top Ten and learning how to build applications securely upfront to after the fact remediation.

The notion of building codes isn't meant to be the goal but is meant to be the minimum that a plumber, carpenter or electrician should meet. In the building trades, they do aspire to do better than code, but the same thing can't always be said of architects.

The funny thing is that our business customers truly want us to deliver secure software and they would like for us to be proactive yet we speak to them about spending millions of dollars on after the fact compliance. They want to pay for security that enables the strategic intent of the business and not stuff that is already amortized. Why are we always playing with dead snakes?

So, in my mind wouldn't it serve both demographics if we talked about technologies such as federated identity? Instead of having silly policies on password complexity, why shouldn't we all be having a conversation on eliminating passwords? Imagine if all enterprise applications could leverage Cardspace, we wouldn't worry about rainbow tables or whether I changed my password in the last sixty days. In other words, federated identity enable both the strategic intent in a going forward basis but also address compliance.

More importantly, there are some of us who want to use security as a strategic weapon yet are handicapped by foolish consistency. Using prescriptive regulatory compliance to “get your way” removes your ability to be a better architect and therefore have proper influence in building secure software.

If enterprise architects can't help make good decisions and therefore, in the eyes of management do not deserve the right to make the decisions that need to happen. Enterprise security needs to be more than just the guys who manages our PCI stuff. As Gunnar Peterson might say, you can't have security if someone else is telling you how to spend your budget...

James McGovern, Jackson Shaw, Mark Diodati, Jeff Bohren, Ian Glazer, Ashish Jain, and Pat Patterson have been discussing various aspects of federated identity related to SPML and SAML. It is now time to go a little deeper...



In today's posting, I wanted to analyze the response provided by Pat Patterson of Sun as well as ask some additional questions to see if anyone has the answers.

The most obvious mitigation is the use of SAML 2.0 persistent identifiers. A persistent identifier is an opaque string (in practice, a long random sequence of characters, such as ZG0OZ3JWP9yduIQ1zFJbVVGHlQ9M that is shared by exactly one identity provider and one service provider to identify a given user.

Does anyone know in typical deployments who has the responsibility of generating these identifiers (IDP or RP)? Do IdM products such as Sun's IdM, Oracle OIM, Courion, OpenIAM, Keychain, etc have a secure way built in to generate identifiers and pass them to third parties? Should they be exchanged via SPML, some other open standard or is this intentionally left undefined?

Federation products tend to be separate and distinct from web access management products.

While OpenSSO doesn't separate these two tiers, Oracle, CA and pretty much every other vendor does, so let's alter the scenario slightly so that Sun can participate in the discussion. Let's say that I have an application already protected by CA Siteminder, Oracle CoreID, Yale CAS, etc and I want to use OpenSSO strictly for its federation capabilities. How should OpenSSO pass authentication context to these web access management products and what APIs would it use?

All good points from James, I have to say, illustrating the fact that, even if your wire protocol is secure, implementation issues can easily lead to vulnerabilities.

When people are learning a new technology, they tend to keep it simple and develop suboptimal habits. I recently did an exercise to see if past books I have written had examples of OWASP vulnerabilities and found several. To think that folks have learned to program high quality but otherwise potentially insecurely from my writings is troubling. So, what is the call to action to prevent this same thing from happening in the world of federation? Are vendors keeping it too simple? If you were to search the documentation for RSA, PingIdentity, Oracle, etc do you think they cover the aspects you outlined? Does Sun become a member of OWASP to have someone analyze the insecure aspects of federation help?

There are other ways of implementing this that spring to mind; segregating local and federated users into different domains for example, or testing some attribute in the user profile.

Wouldn't segregating local and federated users into different domains require deploying additional unnecessary infrastructure? If the RP gets its profile by reading a UID value in a cookie and then binding to a directory service, wouldn't this require changing the security model of the application which begs the question of how enterprise applications need to change to support federation. For the most part, this is undocumented and never discussed in the blogosphere Is this a use-case for leveraging XACML?

Now for some additional questions:

1. If a federated identity product is deployed as a separate tier from an application and the IDP when sending an assertion needs to not only send values that may be stored in a directory (e.g. OpenDS, OpenLDAP, etc) but also include values that may be calculated by the application at runtime, how would this work? What APIs would be used and more importantly what APIs should exist but are missing?

2. SAML 2.0 identifiers is a great concept and Pat shows how OpenSSO can leverage them. I am curious though when they are stored in a directory service such as OpenDS, should they have a standard IETF OID for holding this attribute/objectClass?

3. I haven't looked in detail, but the SAML 2.0 identifier outlined feels the same as the PPID leveraged in Cardspace. If they are different, then did Microsoft violate some principle? If they are the same, then shouldn't there be a standard as to how this is represented as MS will generate it differently than Sun? What other "best practices" exist around generating this value?

4. Did Gerry Gebel of the Burton Group test out these scenarios at the Catalyst conference?

5. Recently, I had the opportunity to hang out with some folks from Voltage who discussed the concept of identity based encryption (IBE). Should federations support IBE in addition to traditional PKI approaches?

6. Does Sun have any plans on making the J2EE Petstore OpenID and federation-enabled?

Alan Pelz-Sharpe is one of the sharpest industry analysts in the ECM space. Analyst firms manage a lot of their own content. I am curious when he will blog on what cmswatch.com uses for their ECM platform. Maybe he could provide insight into how analyst firms think about ECM for their own use?

I ran across a coworker who mentioned that their kid attends Premier Martial Arts and was curious if this is a real martial arts program or a McDojo?

I was thinking about a message I saw on the OWASP chapter leaders list regarding working with software vendors to help make application security visible and was curious to know what is the best way to work with folks from Sun and the Ruby community on deprecating insecure servlet APIs and providing more secure replacements without running into the repeat-after-me I would rather have insecure web applications than to break backward compatibility.

The Identity and Privacy side of the house of Burton Group has wonderful interoperability events where they have investigated SAML, XACML and OpenID. I wonder if Anne Thomas-Manes and Dan Blum would be game to start a similiar event focusing on static analysis tools where they would have Ounce Labs, Fortify Software, Coverity, Klocwork, etc all scan and show results publicly of three different applications chosen by analysts?

It's 2009 and James Governor of Redmonk hasn't blogged on any published papers in the security space. The COA work several years ago was brilliant and I hope that he knows that the masses are screaming for round two.

In my homework of federated identity, I haven't ran across any customers of either Sun nor PingIdentity that have customers in the P&C insurance vertical. I wonder what they are doing to talk about identity federation in a vertical context?

The blogosphere has been somewhat quiet on the value proposition of CARML and AAPML. Other than bloggers from Oracle, no one else seems to care? I would think the identity crowd and the likes of Jeff Bohren, Ian Glazer, Mark Diodati, Gerry Gebel, Pat Patterson and others would have some opinion on it by now.

Awhile back, I said publicly that Ruby on Rails is not enterprise ready. This statement still holds true in 2009. The key change though is that I will expend some effort to invalidate my own beliefs.

I've noticed an interesting behavior that I find somewhat frustrating. Many folks would love to know my opinions on Barack Obama but are afraid to ask. Political correctness blows. Who cares about offending someone as it is more evil to allow others to remain ignorant and remove their opportunity to gain new insights.

Robert McIlree runs the Carnival of Enterprise Architecture which sums it up. He has a way of promoting finely buffed circus oriented architectures.

I am glad that James Robertson has found something better to do than to provide commentary on why I am wrong regarding Smalltalk being a dying language. Hopefully, he spent some time looking at market trends.

Log management platforms such as Splunk, Logarythm, LogLogic, etc are all the rave in the world of PCI, however another conversation needs to occur where we talk about the insecurity of logs generated by shared platforms. For example, if Credit Suisse, Goldman Sachs and Monsanto all use the same SaaS vendor who writes one big log file with all the users intermixed, then how do these platforms allow for monitoring without causing leaks

I am a shareholder of Cognizant and figured I would post suggestions on how they can exploit other enterprises to boost my wealth...



Can we acknowledge that enterprises can make their processes heavier and more documented but otherwise don't have the ability to truly add maturity to their processes? So, maybe they should stop attempting to align and instead start attempting to exploit.

Walk the corridors of a large enterprise and gather up all the process weenies you can find. Encourage IT executives to put them in charge of all outsourcing efforts and congratulate them for achieving paper-based milestones while ignoring the fact that you can't put comprehensive documentation into production. Convince them that working software isn't important as their customers don't come to their web sites to order products but to understand where they are in terms of CMMI maturity models.

Indian outsourcing firms should fix bid everything! No matter what the project requirements include, fix bid it for $1. Take advantage of foolish consistency in that they will advocate to everyone the stellar deal they negotiated and put into their statuses that they are ahead of budget. Set them up to look stupid or should I say dependent on you. The tactics of drug dealers is to give their product away cheaply upfront until they are addicted. Align your approach to this thinking until they can no longer say no.

A hooked client after having promised delivery of something cheap will be owned. In fact, they will compromise their own budget and you don't have to look like the bad guy once all those change orders start rolling in. Let's face it, no one on the planet can define all the requirements for a system upfront yet there are lots of process weenies that will attempt to try!

Enforcer for Microsoft Office Sharepoint server
The trend of securing access to ECM platforms such as Microsoft Sharepoint via XACML is growing by leaps and bounds. I am curious when Microsoft will wake up and realize that they should support this natively versus encouraging others to bolt-on security after the fact?

New Financial Components Released for Insurance and Capital Markets
Everyone has a different expectation of what a reference architecture should contain. My definition would include some mention of the security model used since claims data can contain anything and everything from credit cards to social security numbers to healthcare information and therefore is a great source of risk. The ecosystem of claims also includes lots of third parties from doctors, to lawyers to autobody shops and so on. How does the world of identity look through this lens?

The Value of SPML Gateways
Mark Diodati of the Burton Group provides insight as to how SPML can enable better provisioning to enterprise applications. The IdM crowd hasn't talked much about rationale for separating the provisioning service interface from the user interface from workflow which would be more inlne with SOA and other architectural styles. This of course, may call out the fact that most provisioning products are monolithic in their architecture.

In Defense of Top N Lists
Mike Tracy of Matasano challenges an article posted by Gary McGraw on the value of Top N lists which I agree. While I believe that distillation is a mental disorder, it happens to be the status quo for many enterprise architecture teams and allows them to at least get an understanding of what they need to focus on. Of course, most shops never make it past Top N lists but the suboptimal behavior of humans doesn't make the concept flawed.

I have never worked for but have worked with consultants from both firms and figured I would compare/contrast these two organizations...



The primary difference that I have noticed between these two firms is in culture. From my seat, Accenture lets the "best idea" win where IBM seems to be based more on where one falls in the hierarchy. Accenture gives young persons a lot of responsibility and expects them to sink or swim while providing excellent training and resources where as IBM seems to also believe in the sink or swim without always backing it with the right support model and instead relies on consultants to build their own networks for support and learning is more under fire or via online training but almost never through conferences or more effective methods that usually require physical presence.

I also had the opportunity to see the annual review cycle for both firms in that consultants from both had asked me to provide input to their managers. In one firm, it seemed as if they were handed their personal development goals while another allowed them to create their own. It is difficult to determine which model is better as there are times in my own career where I have preferred one over another.

For example, many shops force your boss to participate in HR exercises where it is more of a ritual than anything meaningful. In this situation, I would rather just have it handed to me so as to not waste precious time of me actually thinking about how to improve without of course getting a budget for conferences, training or even purchasing books. For companies I have worked for that did value education and backed it with real tangible dollars, the model of creating your own development plan feels more appropriate.

Another experience that I have had was in encouraging folks from both firms to participate in my local OWASP chapter. The Accenture partner embraced the idea and immediately forwarded the calendar invite to everyone he knew where the IBM partner made less effort. I get the general feeling that to be a partner in Accenture comes with more responsibility, more autonomy and more desire in the way of making the client happy than in IBM.

On the other side, I think the IBM partner model feels more structured which is beneficial to clients who want their interactions to feel more scripted. There are times when you desire waterfall and IBM feels better in delivering against this model where everything is known upfront while Accenture feels more comfortable in an agile environment that is a lot less locked down.

A former co-author of mines, Scott Ambler is currently employed by IBM and is working very hard to encourage the engine to become lighterweight. I wonder what internal struggles he would love to talk about. I wonder if IBM will allow him to be truly successful?

Speaking of Scott, I remember several years ago an interesting debate he had in attempting to convince an Accenture consultant who was based in India that the only thing that proves working software is working software. The concept that comprehensive documentation proves working software is still a concept that is lost on both firms.

Finally, I would say that IBM cares about its employees a little bit more in that they have figured out more in the way of helping us thick headed client types eschew face time and instead work from home. I get the sense that work/life balance is more valued at IBM than it is at Accenture.

If you have any thoughts on Accenture vs IBM, please trackback or leave a comment...

How come Microsoft and Oracle catch a vast majority of the scrutiny when it comes to open source and their lack of participation? I wonder why EMC is spared? I wonder when bloggers will redirect their efforts to make more things open within the various EMC divisions? What would happen if EMC made portions of Documentum open?

The pendulum of focus on heavyweight process is starting to swing back to common sense practices of the 90s when IT was at its prime. Companies will be expending less effort on CMMi & ITIL and instead will focus on security and other system qualities.

I am curious as to why my two nephews Nicholas James and Ian haven't yet joined facebook? They are computer literate having transitioned from living in Biche to Slough. Maybe they don't want me to know what they are up to?

I find it somewhat dumb in that major retailers increased the prices on TVs after the Christmas holidays. You would think with the impeding digital switchover, they would attempt to make additional sales.

I am announcing team OWASP, on Kiva, a non-profit website that allows you to lend as little as $25 to a specific low-income entrepreneur in the developing world. You choose who to lend to - whether a baker in Afghanistan, a goat herder in Uganda, a farmer in Peru, a restaurateur in Cambodia, or a tailor in Iraq - and as they repay the loan, you get your money back.

Check out the OWASP lending team, and learn more about lending teams on Kiva in general, by clicking here.

I wonder what it would take to encourage George Bush and Barack Obama to join...

Tim Lawless was quoted as saying: Policies (and processes) make smart people do dumb things...



The savage focus on process is destroying innovation within large enterprises. 2009 is the year where we need to focus on the human aspects of technology and solve for the impeding knowledge crisis. Let's be honest with ourselves and acknowledge that in the history of IT, no process has truly saved the business money. Sure, we can get creative and account for cost avoidance but if we look at IT holistically, it certainly isn't getting cheaper nor more efficient.

So, would you rather restrict smart people from doing smart things or dumb people from doing dumb things? This is not about intelligence quotients nor their ability to even pay attention but rather acknowledging that if folks are effective at their jobs, regardless of whether they are the CIO, an enterprise architect or even a process weenie like Robert McIlree, you really don't need a lot of rules.

So, when will Nick Malik and the Gartner crowd ever do a great service for their end customers and figure out a methodology that will help large enterprises understand when the processes they implement are counter-productive...

What does it mean to the planet that America will have a new President shortly? I wonder if he realizes that one way to cut government spending would be to not just eliminate welfare in the inner-city but to drop welfare countries such as Israel.

I finally have visibility into how many of my coworkers are reading my blog. More importantly, I have made it a lot easier for them to do so in stealth mode by including links within Plaxo.

I haven't spoken at an international conference since 2004 and am long overdue. I would love to be an invited speaker for one in Brazil, London or in the Middle East.

How long will it be before Craig Randall shares with the public DFS 2.0? More importantly, will he be smart enough to publicly share the WSDL with non-EMC customers and ask for input/review from customers before making it final?

Ever notice how analyst firms aren't transparent when it comes to trends that affect them? Large enterprises have been cutting discretionary spending of which analyst research fits into this category. Analysts of course believe there proposition is different than how customers view them. Maybe Barbara French of Tekrati has her own take on this trend.

Oracle and Sun Microsystems are the two major software vendors that haven't yet joined as a sponsor of OWASP. I wonder if they are shortsighted and think of it as an expense, are sitting back awaiting someone else to spoonfeed them the value proposition or simply haven't figured out that whenever Microsoft beats them to the game, they are seriously in danger of missing an important trend.

I was thinking that I have failed in encouraging enterprise architects who read my blog to join Kiva. Could a few of them join just to not make me feel so depressed?

I haven't figured out why to do yet about my other blog on George Bush and whether I should shut it down, start a new one focused on Barack Obama or something else.

Awhile back, I blogged on How Microsoft is better than Oracle in response to Mark Wilcox but never heard anything back. Did I upset the Oracle crowd with too much honesty?

I also asked the question on How come there is no innovation in LDAP and was curious why no one is working towards standards that will allow for integration with XACML and SPML. I would be happy if OpenDS or OpenLDAP communitities figured out more basic things like incorporating referential integrity.

I am sorely in need of a new TV. I am probably the only blogger that doesn't have Plasma or LCD. Hell, I don't even have Cable or Satellite. I wonder if anyone in the blogosphere would be generous enough to donate a 32" so I can catch up on House MD reruns.

Both of these topics are frequently discussed in isolation. I wonder how they would work when deeply integrated...



The folks down the street at ESPN have scheduling challenges that are even more complex than airlines. Did you ever consider the fact that in order to display a commercial, you can't always plan exactly when it will air upfront? In sports such as football, the ability to predict commercial scheduling more than 10 seconds in advance is problematic.

Not only is the time considerations a challenge, but you also have to take into account the fact that you would never display a Coke advertisement back to back with a Pepsi advertisement. Sure, it would be easy to identify competitive situations as part of an algorithm, but it is more complex than that as well. Bet you never thought about the subliminal message of displaying a Budweiser commercial right after a commercial for Ford trucks. I could see class action lawsuits for those who would immediately be guilty of being an idiot by reading into the message vs just reading the message.

So, whether you are using Fair Isaac Blaze, iLog, Drools or some other business rules engine, how would it work in an overall scheduling architecture that includes complex event processing where the event is some opportunity to go to commercial break and the rule would need to determine the next commercial to show? I wonder if James Taylor, James Governor or any other brilliant person named James in the blogosphere has any thoughts on how they would approach this scenario?

What would it take for Microsoft to support SPML?
Jackson Shaw provides an insightful look into the inner thinking of Microsoft. Someone at MS must care? More curious is why folks at the Liberty Alliance aren't advocating for this?

Hippocratic oath for the enterprise architecture profession
While process is important, values are more important...

Fun with claim games
The identity crowd has been notoriously silent when it comes to best practices in mapping enterprise applications, roles and other considerations into claims. Hopefully, others will chime in and discuss this important topic.

Have you noticed the frequency in which the need to defend those who get called to the carpet has increased...



Gaining buy-in is both good and bad. Sadly, this is the mantra of Gartner. Likewise, the best way to accomplish this goal is through the worst practices of focusing on process over competence.

Nowadays, the trend of getting called to the carpet occurs when folks attempt to do the right thing vs what is popular. What does it say about your enterprise if it is better to duckdown than to do the right thing?

Why does your boss need to publicly support you when the facts should stand on their own? Have we lost the ability to do fact based reasoning? Is enterprise architecture nothing but a glorified ponzi scheme that was embraced by Madoff or do we have a higher calling?

The Agile Manifesto is filled with wisdom that is not understood by many who claim agility...



Another architect I know, recently commented that in 1999, if he presented a suboptimal (aka half-assed) architecture, he would have gotten it handed to him. In 2009, he can present suboptimal architectures with relative ease but if he violates the "process" he will get it handed to him. Is this true in your shop?

Seeing things through the lens of process encourages folks to focus on things such as CMMi and Scrum while ignoring practices such as extreme programming which has the potential of increasing quality.

My theory on it is that there's an increasing lack of architectural competency, which leads to the inability of an architectural governance group to form an educated opinion regarding the technical quality of any particular architecture.

When you factor in the political power that many architectural governance boards have, you end up with power brokering just to be in the group. All of that leads to a lack of technical knowledge. So, how does a non-technical group make evaluations of technical solutions? They rely on something they can understand and measure, like whether the solution follows the process.

It doesn't take long for the governance group, often driven by politics and power brokering, to start claiming success based their metrics for "process following". Reported success leads to more power, ad infinitum.

On the other hand, there's more than one way to skin this cat. You could argue that there's a "minimum" technical solution which meets the business case at hand, and some range of solutions from there up to the "optimal" technical solution. It would then be a matter of cost/benefit analysis in determining the best solution overall for the business. Of course, in this model, you would still need the technical expertise in order to identify whether the solution at hand is "minimum" or better; a process, by itself, will not suffice.

Gartner analysts are doing a disservice to many end customers! How much guidance have they been providing on clickjacking? Is it about the same as the SEC providing analysis on hedge funds? Seriously, if you are in an enterprise and you actually get jacked, the only answer may be to figure out how to rewrite applications from scratch within days. An enterprise can't just turn off iframes and use the noscript approach for the vast majority of their work unless this was thought about in the conceptualization of the application.

Bet you didn't know that Massachusetts allows for mixed martial arts (MMA) competition for kids as young as seven? My oldest son is eligible for the lowest weight/age class and has started his training. We hope to capitalize on the crowd that "reads into" vs just "reading" as a tactic for success. For example, way too many folks when I say he is a student of Jujutsu, will make the wrong mental shift to Brazillian Jiu-Jitsu which is all about grappling. He is good with takedowns, locks, throws and grappling but his strategy will be to simply come out of the gate Mike Tyson style but punching others in the face.

I finally splurged and purchased an MP3 Player. My $1 radio from Walmart will be retired. I got a good deal on a generic model on ebay which I hope to load up with podcasts of folks who are known and respected within OWASP circles. Of course, I also need to think about doing more podcasts in 2009 as last year I exercised my right to remain silent in this regard

With the imminent failure of Satyam, do you think that CIOs will get a clue and realize that they shouldn't be outsourcing strictly to India? Maybe they will wise up and choose nearshore destinations such as Trinidad, Jamaica, etc.

Jackson Shaw, Mark Diodati Ian Glazer, Jeff Bohren and others talked about and acknowledged how the Liberty Alliance along with Sun and Oracle has made mistakes in idM provisioning. Today, we will talk about the insecurity that exists within federated identity...



I apologize in advance to Pat Patterson, Nishant Kaushik, Gerry Gebel, Johannes Ernst, Bob Blakely, Kim Cameron, Mike Jones, Ashish Jain, Patrick Harding and others for bringing up the issues I will discuss. Hopefully, they will appreciate the notion that from incite comes insight.

First, let's dig into OpenID. An OpenID XRI can look like anything, including a SQL injection attack. Shouldn't this mean that folks over in this community should noodle at least some type of regular expression of permissible identifiers vs leaving it as yet another weakness?

Second, many of the federation products when serving in the role of relying party can potentially create several new exposures. Many of the products will perform a lookup of the subject within a SAML assertion against an LDAP store. Imagine in a world of SaaS should salesforce.com choose to use one of the off the shelf products, would this be sufficient? Of course not as there is a gap in logic.

So, if salesforce.com is a SP and supports multiple customers of which Credit Suisse is one and the other is say Goldman Sachs. Salesforce.com would have a trust relationship with both of them but what would prevent a rogue Goldman Sachs employee from putting into their directory the subject (say email address) of a Credit Suisse employee and allowing it to be passed along? More importantly, the SP should do more than trust as we all believe in the security principle of trust but verify and therefore would need to have entitlements capability built into the proxy in order to defend against this type of attack.

Have you ever looked at how this would be discovered after the fact from a forensic perspective? Hopefully, they are logging all federation activities to a separate tier and leveraging products such as loglogic, splunk, logarithm, etc but are the log records created detailed enough to catch this type of scenario? Nope.

Cardspace is fascinating and a solution to many problems but there are some risks that I don't know the answer to. Many enterprises have embraced the notion of an XML firewall be it layer 7, vordel, datapower, etc as the importance of handling secure parsing is something many have gotten burnt by. Now, Cardspace as an approach says lets ignore some of the best practice of XML firewalls and instead put a generic .NET parser on the front lines of our security model. Can Microsoft say that its parsing approach is as secure as Vordel? Would Mark ONeill of Vordel agree?

One way to make Cardspace more secure would be to at least guarantee it isn't subject to the OWASP Top Ten. Imagine being able to perform injection attacks on self-issued cards? Should Microsoft at least consider embedding the OWASP Enterprise Security API as a way to make it better?

Going back to the federation scenario for a moment, we would also need to consider the fact that federation products tend to be separate and distinct from web access management products. So, in this scenario the application wouldn't even have an opportunity to protect itself as the federation product would simply create a cookie and not pass context as to how this user was authenticated.

More interesting is the fact that even if the federation products wanted to pass it along to applications, there is no standard way of doing this. So, how would Ping Identity pass along the fact to Netegrity Siteminder that I signed on via federation? Does this mean that standards need to exist in the web access management space? Should Oblix, OpenSSO and others address this?