Friday, February 29, 2008
Forming a security community...
It was surprising to me at some level that our turnout was actually larger than the Boston and New York chapters in that I would expect a demographic that is closer together to unify around such an important topic. I guess though in my vision that I didn't think that reality says that most IT folks in large enterprises still aren't paying as much attention to software security as they should.
I can say that 0.0 folks from either an ECM or BPM background were in attendance. Maybe it is because they still haven't grasped that security isn't about features but about figuring out ways to break things.
The event featured me attempting to give an opening that I made up on the fly in that I ran out of time to do a proper Powerpoint in advance. Of course, the presentation by Chenxi Wang of Forrester on Web 2.0 more than made up for my deficiencies. The analysts at Forrester have a really great perspective on security and web 2.0 and I encourage folks if they are subscribers to their service to have a dialog with them on this.
I asked Chenxi two questions of which I was happy to learn that she is not one of those bullshit analysts found at their competitors and gave straight answers. One of the questions I asked was when did she think outsourcing firms would simply start producing secure code without clients having to ask for it. My analogy was that clients should have to ask for secure code in the same way they should have to ask that code produced in India actually compiles.
For the record, I have seen lots of code produced in India that didn't compile but that is a topic for another blog. Anyway, she commented that pretty much across the board, all the outsourcing firms suck at producing code that is secure and that she hasn't observed any of them taking meaningful steps towards this goal. I suspect that many of them have some sort of ceremonial process in the works that is littered with best practices bullshit phraseology, but to real professionals that understand was security is all about, will realize that the emperor is wearing no clothes.
One of the more politically incorrect questions I had in the back of my mind that I decided to avoid asking in a large audience was how many large enterprises are doing static analysis also have strong technical leadership. I guess my general observation of the market is that for enterprises where the IT executives came from a strong technical background tend to be better positioned than those who have IT executives who are either process weenies or even worse pretend business customers.
The second speaker was Gary McGraw, CTO of Cigital who talked about exploiting online games. Most folks in large enterprises who are full of themselves wouldn't take the time to understand how game security relates to them. Do they really think that their silly little architectures that support 500 users concurrently is somehow more challenging than implementing an architecture that supports 2 million concurrent?
Enterprisey types get giddy whenever the performance of screen to screen transitions takes more than 3 seconds where in the online gaming world, a person would go ape shit if there was latency of more than 1/4 of a second. At some level, for security to improve in large enterprises, someone has to un-enterprise the enterprise architects.
Gary speaks at lots of conferences and it is well worth your effort in attending one that he will be at. Likewise, if you are in need of consulting services, his firm Cigital has a value proposition that is worth listening to.
The sponsor of the meeting was Ounce Labs which will help large enterprises remediate their source code and make it more secure. Their licensing model is incredibly attractive and in many ways better than their competition. A smart consulting firm would be well served by also forming a relationship with Ounce Labs as I predict the notion of code review as a service will get hot later in the year. After all, ask yourself how much money you can make by telling enterprises how horrific their code is...
Thursday, February 28, 2008
Exposing ECM Security Vulnerabilities
So, instead of attempting to convince others through blog narrative, I figured I would show folks how to break ECM security for real as the next topic for our local OWASP chapter. I suspect that if participants from dozens of large enterprises see their software busted in front of them, this will have a lot more powerful effect in getting software vendors to step up and embrace many of the considerations around security that I talk about including incorporation of XACML, secure coding practices and binding at runtime to Active Directory while eliminating synchronization.
Hopefully, folks in the blogosphere even if they aren't on the same side of town as I, will be willing to make the trek...
Wednesday, February 27, 2008
The struggle of forming a security community...
Hopefully many folks will be attending my inaugural meeting on Thursday, February 28th at 5:30 pm. Anyway, one of the issues in kicking off a group such as OWASP is in identifying all the folks who have interest in such a topic. Generally speaking, OWASP is relevant to anyone who writes software,but the issue is in figuring who still writes software nowadays since much of this is being done offshore.
Of course, if you are an employee of Wipro, Accenture, Cognizant, TCS, Satyam, Infosys and so on, you would have keen interest. The problem is how does James McGovern invite you? I guess at some level, I would have to have a way to know that you actually live in my area which there is no great way of learning this.
I could of course forward invites to others from your firm, but many people who accept invites tend to not forward to others they know which makes the problem of figuring out who you are more difficult.
Another approach is to ask software vendors to participate and of course they usually do. The problem though is that they tend to be lurkers and are only thinking about attendees as sales lead. Most sales folks tend to not have any desire to build community unless it benefits them. How successful do you think I would be if I were to ask IBM, Oracle, Sun, EMC and others to forward invites for OWASP to their customers?
Note this is not just about software firms as consulting firms will struggle with the same mindset. Maybe the best strategy is to simply blog about it and hope that some random individual who happens to live on the same side of town as I will forward to folks they know...
Tuesday, February 26, 2008
Ways to learn about software security for free!
Security is the job of everyone, yet in most consulting firms they haven't spent a single nickel in terms of learning about software security. This is especially prevalent in consulting firms that focus on ECM, BPM and SOA. After all, if you are going to be exposing these systems to the outside world, wouldn't you want to know that they are secure?
The next time you talk with one of the offshore firms, ask them to enumerate in detail the training that their developers go through in order to learn secure coding practices. If you don't, you will pay for them to rewrite the code in the outsourcing model a second time once you get breached.
Of course, many folks have complained about the low quality of code being written in India outsourcing firms and are still struggling with basic functionality while not even worrying about security. While it is good that the masses are learning to become developers on your nickel, it is still important that everyone have the same body of knowledge.
On the chance that the issue is budget, then you may want to know that OWASP has an answer. Simply find the closest chapter to you and make sure you attend their next meeting.Maybe your firm is even ethical and able to step up and sponsor food and beverages.
If you are in the MA/NY/CT area, you will notice there is a chapter meeting in Hartford on Thursday, so there is no excuse for you to remain ignorant to how to make software more secure...
Monday, February 25, 2008
Links for 2008-02-25
Good to see that open source is also occuring in game development
An interesting perspective on violence.
OpenID doesn’t have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn’t have the security characteristics necessary for financial transactions or access to private data
Yakov Fain challenges a past posting in which his reply I mostly agree. I wouldn't agree that consultants automatically keep their skills up more than folks in the enterprise. I would say that they are better at marketing the skills they do have.
Barbara French comments on attitudes towards industry analyst research which is a good read if you work for a software vendor. At some level, it does indicate the need to diversify the analyst relations portfolio.
Sunday, February 24, 2008
Ten Mistakes that CIOs consistently make that weaken enterprise security
Saturday, February 23, 2008
Thoughts on School Shootings...
I wonder when Americans will stop blaming guns for the deaths of Americans in school shootings and start seeking out root cause. Consider the simple fact that in Canada, they have even more liberal gun laws than in the United States yet you don't hear of school shootings there.
Maybe the issue isn't that all school shootings tend to have guns in common but do tend to have drugs in common. I bet you didn't know that every single school shooting had in common that a person fell off their medication that was issued by companies such as Pfizer, Merck and others?
Ask yourself, does the FDA ever consider studies before a drug goes to market that tests the side effects of when a person stops taking a drug? If we all know the effect of a crack head and what happens when they don't get their fix, then why would we expect it to be any different? I hope you aren't delusional into thinking that it is different simply because one is legal and the other isn't?
Friday, February 22, 2008
Random Thoughts on how IT Managers prevent hiring of top talent...
When are we going to admit that the masses of mediocre folks in IT are threatened by people who have new ideas and a fresh approach? It is the diversity of ideas that fuels real innovation and unless you like to focus on the perception of innovation or reality, you need to stop thinking about diversity and inclusion as cliche and instead figure out a way to make it actionable.
Sometimes folks are threatened by people who come from the outside and upset the status quo resulting in a loss of power. Many enterprises hire people who think like the rest of their employees and then wonder why they cannot keep up with competitors in terms of market innovation. If you ever interview an outside candidate and hear folks talk about how great of a fit this individual may be, this may be a predictor towards status quo.
Real innovators sometimes don't get along with others. Of course, you can use the they do not fit our culture excuse or you can step up and figure that sometimes fit doesn't matter. At some level, this is covert discrimination. Unlike in India and other parts of the world, employers in the US are legally required to recruit and hire based only on experience and capability. Whether they are a good fit, you liked them or whether they would get along is discrimination.
Another interesting trend is that corporate America isn't hiring folks from the military which happens to be one of the most diverse corporations on the planet! Hiring a military spouse or member would provide a corporation with some of the most diverse, talented, loyal employees they could ever want. These folks have agreed to put their lifes in harms way and therefore are most certainly capable of listening to the endless mind numbing dribble spewed by your clueless IT executives. You need to step up and less folks from insulting firms and more from the military. Duty, Honor and Country...
Thursday, February 21, 2008
Is your web application secure...
One of the major problems with security in general, is that it is not "visible" to the masses. Consider the fact that on September 10th, secure airplane doors did already exist and even a few smart airlines bought them in advance, yet the masses didn't understand its importance until after an attack already occured. The real question is to we want to be proactive in finding potential exploits in our web applications and ECM systems or is being reactive sufficient?
One of the major problems of why enterprises still continue to suffer from security breaches is that no one is watching the hen house. Typically, Enterprise Architects got into their position because they had the ability to learn, see trends and were usually the best technologists. Of course, we must redirect their value proposition to things of higher value such as creation of compelling PowerPoint where the details matter less.
Many security professionals do their best to educate others but are often confronted with two phrases which are highly problematic. The first is the infamous, this isn't in my budget. Could you imagine me being in charge of constructing a new bank and telling the bank manager, excuse me, I didn't have the budget to build the vault securely, but here are these nice sturdy paper bags to keep your money in. This is exactly what most IT professionals practice.
Of course, you could be from the school of thought that uses the other cliche phrase of I don't understand. If you don't understand, does that mean it isn't important? Should security folks waste time explaining everything until the dimmest of the bunch understand? I wonder if you expect a hacker to call you up and ask for a slot on your release calendar in order to align with your ITIL goals? While you are busy distilling things into IT executive speak, hackers are busy understanding the details of your infrastructure and looking for weakness.
One of the best ways to become secure is to discourage insulting firms and software vendors from talking about security as if it is feature. Likewise, security is everyone's job and it requires everyone to stop thinking that they are secure and to start thinking more like an attacker. A little paranoia in the enterprise hasn't hurt anyone...
Wednesday, February 20, 2008
Feedback on Improving my Blog...
Generally speaking, I love to provide feedback to Microsoft as their feedback as always managed to make it into the upgrade path without causing me to have to resell it internally for funding purposes once implemented. I can't say the same for most other vendors. Are their tips for getting vendors to not create yet another product?
John also commented that blogging may be a more potent form of user advisory board. How about trying a user-led versus vendor-led advisory board organized through the blogosphere. In thinking about this, it feels like a win-lose situation. At some level advisory board members are compensated in terms of equity ownership where your suggestion removes this out of the equation. I can also tell you that I actually tried to organize a user-community of ten different Fortune enterprises to submit security use-cases to a particular ECM vendor (name intentionally withheld) where we all got on the phone at the same time and agreed to amplify each others sentiments. The call had folks from Pfizer, AIG, AllState, Johnson & Johnson, Merck, Home Depot, Credit Suisse and others.
Of course all of these names are well recognized and are paying customers yet their requirements were still ignored. So, what should a community do when vendors ignore the requirements of their customers especially when they are security related? I respect those who take time out of their busy lifes to read my blog and want to serve them better but need their assistance and more importantly wisdom to point me in a better direction. Help me, so I can help you...
Tuesday, February 19, 2008
Thoughts on Black History Month
Being that my son can literally check every EEOC box, I am not sure what is the right perspective for him. I can say that in the original I got the Power song by Chil Rob G (the clone was by Snap) where he opens with the phrase: Don't say this, don't say that, change the lyrics, everybody's a critic, it's getting kinda hectic and closes with It takes a nation of people to feel proud, about a brother who speaks out real loud is spot on.
Anyway, for those who keep getting it twisted, Black History Month is really about Black History. It is a month dedicated to removing the mental handcuffs of a nation who needs to take time to reflect on other perspectives. For those who find it distracting for me to go offtopic, I guess you should explain your rationalization to our creator, but for those who aren't closed minded, I encourage you to click play on this video (below) that I ran across today...
Links for 2008-02-19
James wonders how much energy does beauty take? I would of course modify the question to ask if vendors started to focus on writing secure code then we can most certainly quantify a reduction in harmful emissions. Instead of having an application firewall and an application, why not just have one. If code is written securely, you have reduced the number of tiers significantly. Secure coding is green.
I am surprised that no one hasn't yet attempted this idea.
Unbounded scope is a recipe for disaster. I wonder how many folks believe that EA vs the World is accurate? I suspect that more folks would believe that it is EA against a few folks though.
Gunnar Peterson shares a great story that even the dimmest of IT executive could understand.
The reason why discussions around SOA Funding are important is that software product vendors haven't yet figured out whom the decision makers really are within an SOA and can't quite figure out who to suck up to and whom to ignore.
Anton Chuvakin of LogLogic is running a poll that others should take part in. I wonder if in a future blog entry, he could comment on what a really good logging strategy looks like from the perspective of a BPM and ECM architecture.
Deloitte just announced a new way to help society. Its vision is laudable - " transform the way the organization supports charitable organizations and strengthens the nonprofit sector". This emulates other result-oriented charitable organizations such as the Gates Foundation, where charitable contributions are made with clear line of sight to outcomes and return on initial investment. I hope that folks from Accenture, Wipro, Cognizant and Bearingpoint will be fast followers in emulating this most wonderful show of humanity.
Why Enterprisey Types don't participate in unconferences...
The interesting thing is that nowadays, enterprise behavior isn't so focused on individual learning and has even more big upfront planning than software development. Consider the fact that it is getting more difficult for your boss to approve you to go to conferences and even when he/she does, it usually involves an arduous heavyweight process. Likewise, others will desire the opportunity to see the agenda in advance and make recommendations as to which sessions you attend.
The unconference agenda isn't so well known in advance and allows for better sessions to emerge over time, which is great for attendees but only if you can overcome the upfront hurdle. For speakers, this also presents a challenge in that many of us will put up a facade of altruism in that we want to be community oriented, but reality says that events where we get quoted and our employer gets some press tend to get priority.
The biggest challenge to hit corporate America is the notion that you can send one individual instead of a team whom can simply take notes and others can learn from it. Instead of attending a conference to learn, one will attend and lurk. It is simply too difficult to engage in meaningful dialog and to scribe at the same time.
One thing that I haven't seen tried yet is for enterprisey types to convince their boss that someone else will take notes as many conferences have bloggers in attendance so that you can actually pay attention and meet others. Likewise, if you know that some sessions will be videotaped, then this may be an opportunity to eliminate the nebulous practice of conference trip reports.
Of course, there are a handful of folks that have managed to get to these events and it would be appreciated if they can help others overcome enterprise conference attendance obstacles...
Monday, February 18, 2008
Links for 2008-02-18
Barbara French wrote a thoughtful piece on the mindset of IT research consumers that I suggest you read.
Being a book author isn't what it is cracked up to be.
It is ashame that others are ruining the profession.
I refuse to believe that analyst firms other than Gartner and Forrester can be bought. I am of the believe that firms such as Entiva, Redmonk and Elemental Links have more integrity bar none.
Explaining how security works in a blog entry is a recipe for confusion, but I still haven't learned my lesson. A thoughtful discussion on security requires folks to not focus on how thing work, but how they can be broken. I guess I am underestimating the effort of getting others to think like an attacker...
Sunday, February 17, 2008
Thoughts on Archery and Discipline
We hung around to watch a Japanese girl whom shot six bullseye in a row. She was wearing a Jiu-Jitsu shirt as well which is my son's style. I would hate to wonder what would happen if her boyfriend acted up...
Bex Huff and John Newton 1 vs James McGovern 0
Normally, security-oriented types tend to think of REST approaches as being less secure than SOAP invocations since SOAP allows for the addition of additional security features such as federating identity via SAML and/or WS-Federation, injecting encryption and signing, etc. The funny thing about the world of ECM is that since this domain hasn't came up with a great standards-based way of querying for documents that meet a particular criteria, each vendor has invented their own in, and some have even made security weaker in the process.
In a previous blog entry, I commented on how ECM can be subjected to the equivalent of SQL Injection attacks and even more because the service interface allows for passing SQL grammar directly to the backend. The funny thing is that REST style invocations don't suffer from this problem and may be inheritely more secure than SOAP.
Maybe some ECM folks are more security literate than I have given credit for...
Saturday, February 16, 2008
Ways to Defend Yourself in the Blogosphere...
Please note that I am intentionally withholding the name of the blogger who asked me to write this blog entry, but will comment that he did thank me for making security transparent and did mention he was sharing several of my postings on this topic with several customers.
Anyway, I think if I were Craig Randall, I would do several things. First, I think it is important to acknowledge that any and all feedback is good feedback and thank individuals for taking the time out to provide it. I would probably comment that feedback on products is important towards making the product even better.
I would also include some message that states that security is top of mind and we pride ourselves on not only doing the right thing for customers who purchase our product, but also the entire ecosystem at large in which we are just one piece.
I would take about the importance of transparency and encourage others that find security vulnerabilities to provide even more feedback at an even faster rate. It is vital that you let folks know that you have a sense of urgency around security issues.
I would probably conclude with a cliche sounding statement about redoubling our efforts to not only provide a feature-rich ECM architecture but also one that is most secure, bar none.
Of course, I am not Craig Randall nor any other individual who gets called out in the blogosphere, so these are simply suggestions for general applicability and not meant to be predictors of actual behavior...
Secure ECM Systems
Laurence Hart commented on testing for the unexpected where he stated that one of the responsibilities of vendors that provide systems is to make the system secure and safe to use. This goes beyond authentication and authorization, two related yet different concepts. This covers securing against unexpected acts by the user, both accidental and malicious, but didn't take it deep enough.
At some level, security isn't about making something work but instead focusing on how things may break. Likewise, the average security professional works from a perspective that most folks may never understand. Consider for a moment, that I am the CISO of a large Wall Street firm of 60,000 employees. It can be assumed that 59,995 employees come to work every single day and do their jobs with integrity and that security is probably focused on 5 individuals at any one time. Does it make it less relevant if the 59,995 employees don't understand the importance?
One thing that Laurence did state was the use of automation to help find vulnerabilities. My initial posting talked about static analysis tools which help find defects in coding. Of course, you also have to acknowledge that only 1/2 of all defects can be fixed via code as much of insecure software speaks more to bad/suboptimal design. Generally speaking, input validation can be addressed in code while vulnerabilities that exist to do latency of syncronization tend to be things that have to be addressed at design time.
I am not really worried if others choose to be offended. I do care that folks who procure software do so by ensuring that their software vendors are using automated tools and that others within the enterprise are smart enough to at least add it to their RFPs. My motivation has nothing to do with my profession but does have everything to do with being a consumer. For the record, I am on my fifth data leak and the last one came from an insecure ECM platform. My only goal is to make sure that this doesn't happen to others simply because others felt offended and believe this is a valid excuse for making their platforms less secure.
Management 101 teaches one tactic that encourages instead of stating an answer, is to start by asking a question. Many folks get frustrated with their bosses and think they are idiots when in all reality, their appearance of ignorance is on purpose. In terms of not getting the answers I seek implies that I don't already know the answer. Sometimes, I ask questions so that others can observe the answer.
One security principle that is time proven in Microsoft software is that security is sometimes the polar opposite of backward compatibility. Microsoft has some of the smartest employees on the planet yet software still gets attacked daily. If they were permitted to break backward compatibility, then things would improve immensely. Imagine if reuse of legacy code weren't required, do you believe that the products you use would be more secure?
Creation of evidence is easy but still requires someone to respond in a public manner. If you put up an instance of an ECM platform on the Internet along with appropriate disclaimers and legal stuff, I think it will emerge in a manner of minutes. Barring this, you aren't looking for evidence but something else.
In terms of Laurence and any abuse he may feel, I hope that he is cognizant that others appreciate his dedication and even though they may not leave a comment stating such, he is inspirational and helpful to many. If anyone attacks him, they will most certainly need to duckdown...
Friday, February 15, 2008
Architects who love Gartner
By nature or nurture, architects fall into two camps regarding their general attitude towards abstractions: Believers and Non-Believers.
Believers tend to trust abstractions, and are comfortable working with abstractions without "opening them up". Non-Believers have a general mistrust of abstractions, as long as they don't know or can't get their hands on the details of a particular implementation.
Many non-technical IT executives are fans of abstractions in that humans fall short in summing up the world around us. Abstractions afford them lots of wiggle room. I wonder which side of the fence you reside?
Links for 2008-02-15
I absolutely love Bex Huff and is transparency. I have not worked the Stellent product but if Bex is publicly talking about security and the others in this space aren't, the odds are probably good that Stellent is more secure than others...
The opportunity to work with top talent in the industry such as Jackson Shaw is very compelling. I do wish though that he talked less about skills required and more about what the position feels like. Of course some mention of compensation is also in order.
I haven't looked at a Ruby on Rails application, but if it requires sending passwords in the clear, then this certainly is fugly. Likewise, it shouldn't be too difficult for folks in the community to build an authentication module.
Thursday, February 14, 2008
Links for 2008 Valentines Day
Chances are that there are lots of architects who feel depressed and should seriously consider changing employers...
It is good to hear other architects ask the question of why more folks aren't challenging Gartner if they don't like their output. I wonder if we will see an increase in 2008?
Tom talks about the motivations for joining OpenID and other industry consortiums which is pretty accurate. Unfortunately, much of the change in IT products come not because vendors are good at listening to customers, especially for Security Concerns but solely because it provides them with a marketing lift.
There are several themes worthy of discussion. First, Microsoft must create the illusion that it wants OpenID to succeed when in all reality, it would be against Microsoft's best interest to support a protocol that has known security vulnerabilities. Likewise, Microsoft has done a horrific job at marketing CardSpace because unfortunately in doing so, won't necessarily create any additional revenue opportunities. In 2008, you shouldn't expect to see any more deep marketing of CardSpace other than Kim Cameron and Mike Jones doing grassroots blogging
I wonder if David Millman believes that ESBs should support SAML and XACML PEP without having to purchase additional products?
I still haven't figured out why folks in the world of ECM continue to purchase dysfunctional architectures?
Microsoft has a great model around talking to developers. I wonder when we could expect to see Oracle and Sun engage the developer community on the same scale?
ECM: When Fugly Architecture becomes a feature...
I really wonder if folks in the ECM community understand SOA? The notion that a service interface should be language agnostic seems to have been lost. Why would anyone need additional code in the .NET world to talk to a WS-I compliant WSDL unless of course it isn't!
Can someone please acknowledge that if a producer of a service is required to provide libraries to a consumer that there is no magical way of calling this loose coupling? Maybe you should ask yourself, why would a consumer need to have help files if the whole point of WSDL is to make a service self-describing?
I wonder if Apoorv Durga, Dave Robertson, Sumanth Molakala, Bex Huff, Lee Smith, Billy Cripe or Wayne Boerger could tell me what I am missing?
Absence of evidence is not evidence of absence!
If you look for "X" and don't find it, does that prove that there is no "X"? No. But the more you look in places where X "ought to be" in ways and at times that X "should be likely to be there," the more confidence you can have that there is no "X".
If security were important to ECM vendors, then Bex Huff, Craig Randall, John Newton and others would gladly talk more about it.
If security were top of mind, all of these guys would talk about how they would seamlessly integrate into security models provided by Active Directory, how ECM authorization models could be made consistent with other enterprise applications and how they even ensure that there own products are resistant to the OWASP top ten vulnerabilities by leveraging static analysis tools from vendors such as Ounce Labs, Fortify, Coverity or others.
I would think that the best evidence would not be for me to prove anything but to hear it from the horses mouth as to how they realize the above considerations. If they aren't doing anything in this space, then the odds are that they probably won't say anything as being transparent is probably frowned upon by their employers. However, if they are doing something in this regard, you can surely count on them telling the world...
Wednesday, February 13, 2008
Why Architecture initiatives always fail...
A lot of times, architects are senior developers who are pushed into the role and lack the necessary political skills to create this perception in an organization. Typical IT shops are reactive in nature, and they live by releases and current customers. In a reactive environment, it is nearly impossible to create value for using architecture. Architecture in a typical company is always doomed to fail.
The problem almost always makes itself even worse in that reactive mindsets will conclude that architects need to become politicians and focus more on communicating thinly veiled chock-a-block eye candy powerpoint that lacks any substance under the guise that this is of higher value. Over time, IT is filled with folks who wouldn't know good architecture from bad architecture and IT devolves.
Architecture is not easily measurable or quantifiable in numbers. You can not really attach a dollar figure to architecture benefits. Gunnar Peterson describes an interesting situation that says that the analogy of SOA is a car while security is the brakes in the car. Having better breaks allows you to drive faster. At some level, the same thing can be said of good architecture in that you won't notice it for short trips to the grocery store but you can certainly haul ass for long distances across the planet...
Tuesday, February 12, 2008
Links for 2008-02-12
The Agile Elephant discusses the perspective of employers and the value proposition of recruiters. The challenge I see is that while I can personally vouch for his value, I have to say that the vast majority of recruiters out there are horrific and simply provide little value proposition. The question of whether employers should avoid recruiters is one thing, but a discussion about the plethora of folks who also avoid them in terms of their next search is also worthy of being discussed.
I wonder if they appeared again because Ismael Ghalimi wrote a check?
Did you take a look at the agenda? Did you happen to notice that 99% of all presenters aren't end customers? Did you happen to notice that there are no breakout sessions that provide the opportunity to discuss what new standards should be created in the world of ECM? Did you notice that there are no interoperability events either? Did you notice that there are no sessions on integration of ECM and BPM? I guess at some level this is OK in that most ECM folks don't really come from a deep technical background and therefore appreciate the opportunity to lurk at conferences
Pat Patterson shared some links on how to authorize access to resources other than web pages which may make for a great read by the ECM and BPM crowd. I would love to know how Sun is reaching out to vendors in the ECM and BPM space to ensure that this becomes an out-of-the-box configurable security solution by both parties.
Microsoft's acquisition of FAST is brilliant as it will cause both EMC and Oracle to scramble to find another OEM search component. I would speculate that both of these companies may decide to go open source by embracing Lucene. Of course, they will not only use but also contribute which all can benefit from.
Todd is one of the best architects in corporate America I have ever ran across. I know that he understands that governance is the hottest cliche word in 2008. For many, it is a four-letter word and for software vendors it is a word you must use in your powerpoint presentations to get executives to pay attention. For the record, Todd is right and David Linthicum is wrong.
You need to read the article by Sameer Tyagi as it is absolutely brilliant. Besides, he is one of the few bloggers who has enough courage to display worthy charities on his blog.
Matt Asay asks an interesting question but also assumes that Asia has lots of talent. The reality is that they have lots of people which is separate and distinct from having lots of talent. Many of the outsourcing firms such as Wipro, TCS, Cognizant and others would avoid having their employees contribute as they would expect to find some braindead IT executive in the states to pay for it. Likewise, we all know that quality of the masses isn't up to par and contribution could only serve to embarass their firm.
I wonder if Cornelia Davis, Dave Robertson, Robin East, Apoorv Durga, Smitha Narayanarao, Alan Pelz-Sharpe or the folks over at AIIM have any thoughts on how ECM systems can improve their internal security models?
Monday, February 11, 2008
Outstanding Questions for Hillary Clinton
2. Are you man enough to secure our borders?
3. Would you support a bill that gets tougher on illegal immigration and has no clauses that even remotely feel like amnesty?
4. What demographic will be most affected in terms of tax increases you will push through upon election?
5. How many high-paying jobs do you think America will lose while you are in office that will be replaced with lower-paying jobs so that the job count numbers will look better on paper?
Sunday, February 10, 2008
ECM and Insecurity
Before I get started, it is important to acknowledge a few things before we get into details.
1. Neither my day job nor night has anything to do with ECM and therefore one cannot assume that I am indoctrinated into certain ECM nomenclature. I may not use the right terminology but the concept is still applicable.
2. My thoughts aren't specific to any one vendor, but with a few exception apply to every single ECM vendor. I believe that ECM as a domain when viewed through a security lens, is weaker than BPM, ERP, ESB and CRM vendors combined.
3. One should never attempt to understand why I post. It is almost guaranteed that you will get it twisted if you think I am doing so just to get under people's skins in order to provoke a response. The only response I am truly interested in is for software vendors to make the security of their products better. If they respond to me in order to have a dialog, that is fine. If they choose to exercise their right to remain silent then that too is fine. As an agilist, I believe that high quality secure working software is the primary measure of progress...
With all of this being said, let me attempt to respond to Laurence. First, Laurence uses an example of how quickly a particular vulnerability was patched but this isn't a holistic view of security. Consider that patching tends to be reactive where much of what I discuss requires one to be proactive.
Put yourself in the shoes of a customer. Would you rather have a vendor that reactively patches software or proactively changes the design of their product to meet future needs. Bex Huff talked about an ECM should store content and not users. If we acknowledge this to be a good thing for security reasons, then if an ECM products underlying design doesn't support this notion, then can we really say that are responsible for being thoughtful about security if the product doesn't actually change?
Sure, we can copy data via synchronization mechanisms but we have to acknowledge that anytime latency is introduced into a solution that it exposes a window of opportunity for attack. The key thing I can say is that John Newton publicly acknowledged this flaw in the design of his product yet didn't bury his head in the sand as he is genuinely interested in understanding how to make his product better. Now if only others did the same.
Laurence, have you ever heard of SQL Injection attacks? The world of ECM needs to understand the clever indoctrination and renaming of SQL (with a few features piled on) is somewhat delusional. If Oracle came up with OQL, Nuxeo with NQL and Alfresco with AQL, at the end of the day it is still SQL that when exposed as a web service makes security weaker.
The key takeway is that a Java developer would never allow unvalidated input to traverse to the backend, yet that is exactly what ECM developers do all the time. If you aren't familar with SQL Injections check out the OWASP Example. Did you happen to notice the notion of PreparedStatement being horrific? One of the approaches to making this secure is to consider usage of stored procedures and to minimally validate incoming input. Can I validate on the client-side whether the ECM query language is valid or am I required to send it to the backend? How do I do the equivalent of a stored procedure in the world of ECM?
My third thought says that SOA in ECM is also insecure in that it minimally violates SOA principles. Can we agree that a consumer shouldn't know what language the producer is implemented in? Can we say that holds true in the world of ECM? I think we all know the answer.
If you study the WSDL from many of these products, they also violate another security principle in that for a SOAP fault, many of them actually return the Java stack trace. To understand why this is fugly, please check out the Common Weakness Enumeration as this is classified as a system information leak. It has CWE ID 497 if you want to read in more detail.
Laurence, this posting is getting kinda long and I will answer the remaining questions shortly. I appreciate the dialog with you and your passion for serving the community. I do hope that others will also participate in this important conversation you have started...
The Missing Conversation on Authorization
It is difficult to talk about web application security without acknowledging that web applications get busted not only from outside attacks but also the insider threat. Consider that if you were to ask my boss whether I am still an employee, he would say yes, but if you ask him what I have access to, he would tell you that he has no freakin clue but as soon as you find out, let him know.
The authorization problem is fascinating at a variety of levels in that most vendors don't pay attention to this problem space. Imagine a scenario where I work for Verizon and I want to see the phone calls of my neighbor. One approach may be to access the billing application where I may be locked out because the software vendor was thoughtful enough to define RBAC properly. I would of course move on to ECM systems where images of the bills may be stored. Regardless of whether it is Stellent, Alfresco or Documentum, it is almost guaranteed that to access the same information, they will have different authorization models and hence an opportunity for bad guys to do harm.
The funny thing is that software vendors in the ECM, BPM and CRM space know about the authorization problem yet refuse to think more than a minute about actually providing a solution as their insular all about them mindset prevents them from doing the right thing for their customers.
The real question though is when will customers stand up? Maybe the problem gets brought to the surface as industry groups such as OWASP and Oasis plan to tackle this challenge...