Monday, March 31, 2008


If software vendors really cared about security...

Figured I would post ways for large enterprises to cut through the hype that software vendors use to market security especially when they aren't truly secure...

Here are some questions you should consider asking software vendors to respond to:

  • Make security a fundamental component of software design: Instead of focusing on security features, ask your vendor what practices are in place to ensure that the product is designed securely.

  • Support older versions of software: yes, it is more costly to support multiple versions of software, but you know that large enterprises take a long time to upgrade. Should you ignore this fact and let them stay exposed? For example, Microsoft has told lots of corporations that it won't be supporting Visual Basic 6.0, Windows NT and other products. How many IT shops have struggled to upgrade their systems built on this technology in an ROI-driven culture?

  • Publish metrics on security of new and existing products: Once again, if you acknowledge that large enterprises are slow to upgrade, do you think we may get faster if we understood that your product was made more secure or are you hoping that features alone are enough?

  • Publish a patch playbook: Shouldn't customers have clear guidance and explicit instructions for risk mitigation throughout the patch management process, and especially in times of crisis? Do you think a simple note that leaves us to thoroughly find your bugs ourselves is a sane answer?

  • Comply with industry best practices before releasing software products: If your application is web-based, should you really release it if it doesn't align with the OWASP Top Ten? There are a variety of tools on the marketplace that can provide automated static analysis, including OunceLabs, Coverity and others. Stop being either ignorant or arrogant and purchase software to do code reviews.

  • Don't just participate, but also sponsor local security user groups: Software vendors shouldn't think of local OWASP chapter meetings as a way to make folks buy your software. As a software vendor, you should not only ensure that your own employees attend, but also encourage your customers to attend. Lurking is the antithesis of real security...


    Sunday, March 30, 2008


    Links for 2008-03-30

  • Enterprise use of Information Cards
    Glad to see that someone in the blogosphere has enough courage to not forget the enterprise. CardSpace actually has a stronger value proposition in the enterprise than in the land of consumerish web interactions. I would hope that Mark Wilcox and others who are fans of Virtual Directory technologies would talk about how their products will evolve into a better STS.

  • Biztalk supports managed cards
    This feels awkward to me in that Microsoft isn't encouraging Sun to make their identity manager product perform the same functionality. It makes sense that Cardspace in many situations would require identity workflow.

  • RDFAuth: A secure replacement for OpenID
    I wonder, if someone invents a better, more secure way of being user-centric, whether the OpenID community would embrace it, fight it or ignore it?


    Saturday, March 29, 2008


    Why Bex Huff is wrong about security...

    I figured I would throw daggers at Bex Huff and his recent posting...

    Bex, I bet you would be even more shocked to see how much it costs an enterprise to apply all those patches. Have you thought about patch management from a financial perspective? Let's say that a large enterprise has 500 IT software vendor relationships and each vendor iterates until they actually write their software securely. How many employees would it take just to understand the impact if this velocity were to increase?

    Can we acknowledge that the patch existed because the base software wasn't written with security in mind in the first place? Can we also acknowledge that the reason for the patch probably was that the software vendor wasn't being proactive in terms of finding security defects and instead relied on the outside world and their customers to find them? Bex, I wonder, if you were to take older Oracle code and run it through a static analysis tool such as those provided by Ounce Labs, Coverity and others, would the patch have needed to be created later, or could the defect have been discovered earlier in the product lifecycle?

    At some level, I agree. I guess customers configure things improperly because the software allows them to! Maybe software vendors should choose configuration options that are secure by default vs expecting customers to configure it securely? Can we at least acknowledge that for many products, us stupid customers tend to either configure things through wizards and/or take the defaults?

    We are in full agreement here, but there are some challenges. First, I have no idea what the best practices and practical considerations are around writing software to make patching easier. Do you think others in the blogosphere would be willing to dedicate a couple of blog postings to help figure this out?



    Links for 2008-03-29

  • IDTrust2008 Workshop
    It feels as if the RSA Conference will be repeating the Oasis XACML interoperability challenge already conducted by The Burton Group. I wonder why Hal Lockhart and others couldn't come up with something that shows more thought leadership? How about demonstrating XACML interoperability with non-security products such as BPM and ECM?

  • Running a great analyst event
    Is listening to canned speeches and software vendors mingling with the competitors valuable? I bet Mike would really hate Gartner conferences, as the analysts are required to rehearse their thinly veiled speeches multiple times. Even this is pervasive amongst the Burton Group analysts as well. The thing I can say is that you can still get one-on-one insight from Burton analysts in the hallway, while with other firms it really doesn't happen regardless of location. Maybe he should follow up his blog on whether analysts should attend OWASP events and others where they are not in control.

  • More on Directory Evolution
    Mark did a great job of navigating around a landmine. On one hand, he agrees that applications such as Documentum that claim to support LDAP should handle not only authentication but also mapping, but he carefully avoided whether this should be separately licensed or part of the base package.

  • Sun plans to close its data centers
    I would have expected the analyst crowd to talk about the grand vision for utility computing and how Sun will eat its own dog food.

  • JSR-294 Early Draft
    This JSR is worthy of attention, and incorporating superpackages will extend Java leadership within the enterprise over second-class approaches such as Smalltalk.

  • Dollars tough to sell on streets of Amsterdam
    Even though the dollar is hovering at record lows, it is my prediction that it will continue to decline until America stops outsourcing to India and we stop confusing leadership for bad management.



    Enterprise Architecture and Death by Planning

    As long as we follow the plan and don't diverge from it, we will be successful...

    In many organizational cultures, detailed planning is an assumed activity for any project. This assumption is appropriate for manufacturing activities and many other types of projects, but not necessarily for many software projects, which contain many unknowns and chaotic activities by their very nature. Death by Planning occurs when detailed plans for software projects are taken too seriously.

    Many projects fail from over planning. Over planning often occurs as a result of cost tracking and staff utilization monitoring. The two types of over planning are known as the Glass Case Plan and Detailitis Plan. The Glass Case Plan is a subset of the Detailitis Plan in that (over) planning ceases once the project starts. In the Detailitis Plan, over planning continues until the project ceases to exist, for a variety of unfulfilling reasons.

    Often, a plan produced at the start of a project is referenced as if it's an accurate, current view of the project even if it's never updated. This practice gives management a "comfortable view" of delivery before the project starts. However, when the plan is never tracked against, nor updated, it becomes increasingly inaccurate as the project progresses. This false view is often compounded by the absence of concrete information on progress, which is often known only after a critical deliverable slips its schedule.

    Sometimes the solution to effective delivery is regarded as a high degree of control via a continuous planning exercise that involves most of the senior developers, as well as the managers. This approach often evolves into a hierarchical sequence of plans, which show additional (and unnecessary) levels of detail. The ability to define such a high level of detail gives the perception that the project is fully under control.

    Some of the symptoms you can find are:


    Friday, March 28, 2008


    Do software vendors consider vendor lock-in an antipattern?

    I wonder if folks from Microsoft, Oracle, Sun and others think about the notion of vendor lock-in being an anti-pattern in the same way that enterprise architects do?

    We have often encountered software projects that claim their architecture is based upon a particular vendor or product line. Other anecdotal evidence occurs around the time of product upgrades and new application installations: "When I try to read the new data files into the old version of the application, it crashes my system."
    "Once you read data into the new application, you can never get it out again."

    A software project adopts a product technology and becomes completely dependent upon the vendor's implementation. When upgrades are done, software changes and interoperability problems occur, and continuous maintenance is required to keep the system running. In addition, expected new product features are often delayed, causing schedule slips and an inability to complete desired application software features.

  • Commercial product upgrades drive the application software maintenance cycle.

  • Promised product features are delayed or never delivered, subsequently causing failure to deliver application updates.

  • The product varies significantly from the advertised open systems standard.

  • If a product upgrade is missed entirely, a product repurchase and reintegration is often necessary.

    Do vendors laugh at us enterprise architects when we allow product purchase decisions to be based entirely upon marketing and sales information, and not upon more detailed technical inspection?



    Enterprise Scheduling Antipatterns

    In a global economy where teams are distributed across multiple geographic regions and companies, activities such as scheduling a meeting are no longer simple...

    I remember the early days when scheduling a meeting was simple. You would simply walk down the hallway and ask a person when they were available. Nowadays, if you outsource your data center to Vendor X, your software development to Vendor Y and require procuring the latest technology from Vendor Z, this simple act now takes several hours if not days to coordinate. No wonder CIOs are always complaining that lack of communication is their biggest problem. The key question is whether they recognize that they actually created it.

    More importantly, the notion of having buy-in has grown even stronger where accountability is distributed and some will even say non-existent. Regardless of opinion, it has the side effect of confusing who is responsible for what and sometimes schedules are determined based on the availability of the masses instead of being determined based on the availability of those accountable.

    I wonder what would happen if my significant other and I wanted to get married but otherwise weren't available. Today's mantra would say that others should have the ceremony without us and we will come up to speed on what others agreed to later. At some level, the ceremony happening on time is more important than the folks who actually should be married.

    Of course, every participant on a project is important. The real question is which folks are more important! Maybe we should stop, think and adjust accordingly? After all, isn't this a tenet of those claiming agility...


    Thursday, March 27, 2008


    Links for 2008-03-27

  • The First Rule of Programming: It's Always Your Fault
    Have you called Microsoft Technical Support lately? Do folks employed by Indian outsourcing firms have this mindset?

    This would help make ECM platforms such as Documentum, Alfresco and others more secure by helping to eliminate many web security defects.

  • Are Industry Analysts afraid to provide insight on certain topics?
    It seems as if Burton Group is the only one with enough transparency and integrity to jump in. I would love to be proven wrong!

  • Study shows that majority of open source developers don’t work for open source companies
    This shouldn't come as a surprise to anyone. I know I have been pestering Gartner (multiple analysts), Raven Zachary of the 451 Group and other industry analysts to do a case study on the work done by my peers and their contributions to open source without any success. I guess it has to do with which story is easier to tell? The story told by a well-dressed sales executive and all the wonderful things they do for their clients, or the story not told, the one of the poorly dressed enterprise architect and all the wonderful things he does for himself and humanity...

  • Directories 2.0 - Entitlement Services
    My take says that many directory vendors will talk about the directory becoming the PIP center for entitlements so as to sell more of their product. They however won't talk about when enterprise applications in the BPM space such as Pega, Intalio and Lombardi Software, or ECM products such as Alfresco, Documentum, Nuxeo and others, will become good Policy Enforcement Points.

  • More on Directory Evolution
    Mark Wilcox asks why folks should pay Microsoft for AD and why they shouldn't be able to choose another directory server. The answer is simple and requires understanding a couple of perspectives. First, Active Directory is more than just a directory in the strict sense. Yes, it supports LDAP, but it also supports Kerberos, it keeps track of not just users but computers and services as well, and most importantly, the choices out there cost more. I suspect that if Microsoft allowed Oracle to serve in its place, it would have fewer features and most certainly cost more...

  • User Stories should be valuable
    I wonder if many business analysts understand the value proposition of capturing user stories. Many of them in the arena of worst practices such as CMMI have thought about business requirements along the same line as filling out the TPS cover sheet.

  • On OpenID Progress
    I wonder if Kim Cameron is secretly laughing at the OpenID community and their belief that the identity ecosystem is one way as implemented by AOL and Yahoo? You may note lots of press releases indicating that they are OpenID providers but if you already have an OpenID issued elsewhere, you can't use it to log into Yahoo or AOL. Now for the silence...


    Wednesday, March 26, 2008


    Enterprise Architecture and Hiring Top Talent

    If you are an Enterprise Architect and Top Talent, then you need to noodle the following...

    Research shows that between 40 & 50% of ALL executives leave early, are dismissed or receive a poor performance review within eighteen months. Such failure is often despite a track record of success. Indeed, the appointment to a new job in management is always attributable to previous success.

    There seem to be three common mistakes that organizations make when instructing a new hire. The first is failing to communicate the exact results that are required. Success in a new job more often depends upon a boss's assessment. New hires therefore need to be told what constitutes a success in the boss's eyes and how such success will be measured.

    The second mistake is failing to communicate the boss's management style. This means informing the new hire of the best way to communicate with the boss. Is this by email, report or verbally, and how often? Which decisions does the boss like to make personally, and which decisions are clearly delegated?

    The third piece of information that contributes to success identifies to the new hire what help the boss is prepared to give. This includes:

  • Identifying the people with the most influence in the organization.

  • When and how these influence makers should be contacted.

  • What support the boss will give to plans and actions.

    A big mistake a new hire can make is to introduce systems and processes that have worked for them in the past without considering the new culture or the people affected. It's also worth remembering that new hires are unlikely to positively affect the bottom line within their first few months. Yet in the new hire's mind there is the need to prove oneself. This often gives the new hire a false sense of urgency that encourages the introduction of "quick wins". However, the wrong "quick win" can permanently harm a new hire and point the individual towards the "Exit door".

    A boss can help a new hire avoid the three main errors, understand the new culture, network with colleagues early and thus significantly reduce the 40% risk of failure...


    Tuesday, March 25, 2008


    Plant a row for the hungry...

    I have been notoriously silent on the subject of charity lately and figured I would encourage all those gardeners in the blogosphere to consider planting a row for the hungry...



    Links for 2008-03-25

  • More on Directory Evolution
    A great response by Mark Wilcox on integrating products and enterprise applications with Active Directory. It is interesting though that Oracle has taken the thought leadership lead away from Microsoft and has acknowledged that authorization is a bigger problem for enterprises in many ways over authentication.
  • Security in the SDLC is not just code review
    This message is equally relevant not only to enterprise architecture teams, but also to the folks who are responsible for procurement. An enterprise can't have any form of conversation of integrity when talking about buy vs build if they aren't also placing security requirements on their software vendors. I am curious, at some level, whether vendors such as Lombardi Software, Sun, Quest and others use static analysis tools as part of their own SDLC? If so, I wonder if folks could chime in and provide comments on how it is working for them?

  • Shouldn't single sign-on be child's play?
    Jackson Shaw will be discussing consolidation of non-windows system directories into Active Directory which others should pay close attention to...

  • Speaking at OWASP Austin: Static Analysis
    It would be great if Cote of Redmonk were to blog on this topic...

  • 7 common lies told by enterprise software sales people
    Great article. I especially love the point that their solutions will save you time and money. I wonder if folks realize that if all sales people were telling the truth, I would be the only IT person on the planet, and even then I would only work ten minutes a day.

  • Lies about OpenID
    Good to hear that someone else realizes that AOL and Yahoo don't accept OpenID as a credential to access their own web site. This is all about command and control! I wonder why Johannes Ernst, Dick Hardt, Ashish Jain and others haven't talked about this behavior?

  • Information Overload
    All those graduates that work for McKinsey, Accenture and Diamond Consultants upon graduating from college weren't expecting to run into information overload.



    User Groups and Marketing

    Many of the OWASP chapter leads have done great work in tracking down great speakers for their user groups, but haven't paid attention to important aspects of marketing...

    As a chapter lead, it occurred to me that going forward, I need to be more selective in the speakers I bring in for my local user group. Originally, I was focused on tracking down lots of industry analysts as they tend to be very influential, but I wasn't paying attention to the marketing aspects.

    Industry analysts are well known but otherwise do little to actually draw a crowd, which requires having a large distribution list to which to send invites. Many analyst firms encourage their employees to participate in community activities but likewise don't market that they are actually participating.

    One could also conclude that inviting in employees of small software vendors and consulting firms may also have the same effect in that they bring in lots of knowledge but otherwise can't help in a big way towards filling seats. Software vendors are especially problematic in that they protect their client lists and usually will instead prefer to lurk.

    My latest conclusion says that I need to focus solely on large software companies who not only have great speakers but also market the fact that their employees will be speaking at certain venues. Microsoft is the best example in that they frequently market the fact that their employees speak in community settings and will use their own distribution lists to mention the events they will be at. Microsoft, unlike small vendors, isn't afraid of having their customers stolen by competitors and therefore will participate more deeply and be less likely to lurk.

    Of course there are always exceptions to the rule, but I currently don't know of any. If you happen to know of consulting firms and software vendors who do market their participation in user groups that are focused on software security, I would love to hear from them. Of special interest are those who focus on static analysis, requirements gathering, penetration testing or other topics of interest to software developers and architects; please do not hesitate to leave a comment.


    Monday, March 24, 2008


    Stupid IT Executive thinking creates insecurity...

    I was reading a great posting by Matt Flynn on what drives executive sponsorship when I concluded that sometimes having executive sponsorship for projects is a worst practice...

    Enterprises at most levels don't truly understand risk management, or at least from a security perspective. The project management and process weenie crowds think of risk as the ability to deliver mediocrity based on an arbitrary derived date made up by the business in order to meet perception management expectations.

    Have you ever seen some well-meaning individual within a large enterprise attempt to sell security? They will most certainly be beaten into submission by bean counters, since security projects may not always have an ROI. Why does security always have to be the step-child of an organization and not leverage the trust model it so dearly attempts to steward? Security folks tend to be the most trusted individuals within the enterprise at one level, in that they are charged with protecting the assets of the enterprise in an ethical manner, but can't get assets to protect the assets in an ethical manner and have to resort to fear, uncertainty and doubt in order to be successful. Should enterprises force security people to follow best practices when the best practices are unethical?

    What is even more problematic is that in order for security people to accomplish their mission, they have to sell not only the solution, but give away part of their soul along the way. When a security person decides that he doesn't want to sell his soul any longer, the process weenies and bean counters rejoice when in reality it is a sad day for us all.

    If a well-meaning individual puts a proposal on the table to solve for problem X and quantifies not only the risk but also the costs and accurately calculates that the amount of money spent to solve the problem is cheap, should he be rewarded or confronted with additional impediments? When the security person stops selling, the bean counters will issue a proclamation saying that I guess we didn't really need this solution and will pat themselves on the back. Since when does the need for something become coupled to the individual selling it...


    Sunday, March 23, 2008


    Links for 2008-03-23

  • There must be fifty ways to view your processes
    A great posting that is missing one bullet stating that another way to view your process is whether you can leverage it to be a substitute for competence.

  • Data deduplication is so cool!
    Alexandra mentions that Data deduplication should be a core feature in platforms such as EMC Documentum. I bet if you were to submit this as an enhancement request, it would be ignored. In fact, I bet that if you asked ten other enterprises to submit the same exact request, it would be ignored equally fast.

  • If you want to be sloppy and do whatever you want...try Agile!
    Sarcasm is a good thing until it is no longer funny. Do you know what it is like when not one but several architects attempt to correct others when they use Agile incorrectly in a sentence?

  • Open Source Licensing: Obsolete or Of Importance?
    Stephen O'Grady provides some great thoughts on open source licensing. I would love for analysts though to provide amplification of why GPL isn't enterprise friendly and how the only licenses that encourage participation are those that stem from academia, such as MIT, Apache and so on.

  • Trinidad Hindus celebrate Good Friday
    Trinidad is one of the few countries where diversity isn't just a phrase spewed by media relations and is actually practiced by all. If India or America for that matter could figure out that we need to practice what we preach...

  • Neuenschwander and the Burton Group
    Mike Neuenschwander recently left his position as Research Director for Identity at the Burton Group to join Mycroft. As I understand, other analysts have also departed. Could someone provide insight? Maybe Mike and his firm would be interested in sponsoring an OWASP meeting?



    Are Industry Analysts afraid to provide insight on certain topics?

    Have you noticed that many industry analysts have moved away from discussions on outsourcing, security and ECM in the blogosphere?

    Maybe it is due to economic factors in that many of them have seen a decline in revenue lately. In order to stop the bleeding, several small analyst firms have moved away from providing deeper analyst insight into emerging controversial topics in hopes to avoid alienating potential paying customers.

    Likewise, you may also have noticed the trend that analysts are participating less and less in the larger discussions and have moved back towards conversations that they control. The side effect of this behavior is that there will be less conversation around pure open source, and it will morph into discussions about dual-licensing as an acceptable form of being open while distorting other values.

    Listed below are a few posts that, prior to the decline in revenue seen by analysts, they would have been all over and would have posted several responses to. Maybe the best answer isn't to sit around waiting for them to do anything, but for others to start doing the analysis themselves...

  • Using XACML for Privacy Control in SAML-Based Identity Federations

  • Do outsourcing firms write secure code?

  • OMG RFI for Business Security and Authorization Policy Modeling

  • The wrongs of enterprise rights management

  • Untold facts about software vendors and federated identity


    Saturday, March 22, 2008


    OWASP Summer of Code 2008

    OWASP is now launching the Summer of Code 2008 (SoC 2008)

    More Details



    Exploiting the Attention Economy

    If time is money, then money can be made wasting other folks time...

    Spam and telemarketing are viable businesses because there is a broken economy of time. When a telemarketer or a sales person from a software vendor has you on the phone, that person is on the clock and you aren't. The time you spend attempting to screen out spam email almost always exceeds the time that was spent sending it to you. Consider that sales folks spend some fixed amount of time shotgun blasting to thousands of folks and that time is negligible when compared to the total time spent by victims deleting their messages.

    Have you ever been in the grocery store where some pigeon head woman holds up a line debating something trivial? The imbalance is similar in that this person also doesn't put a high value on time. Likewise, folks that exhibit this behavior are most certainly using best practices in wasting the time of those in line as well.

    Imagine if you had the opportunity to automatically bill others anytime they wasted your time. I suspect many may even want to bill me for the couple of minutes it took to read this blog entry. I guess the point is that spam isn't just something folks do via email; it is actually a common practice that we all do in our daily lives...


    Friday, March 21, 2008


    IT Architects and Bear Stearns

    If you know of IT architects who worked at Bear Stearns and are currently seeking employment, please do not hesitate to send them this way. I know of several opportunities with not only my employer, but others within the Hartford CT area.

    Of special interest are those who are heavy in Security, SOA and BPM...



    Software Vendor Sales Antipatterns

    Why do software vendors and their sales folks still attempt to call customers in a world of Blackberries...

    I wonder if sales folks haven't been paying attention? Haven't they noticed that the enterprisey executives nowadays are all carrying crackberries? With the population being so mobile, why do you waste your time hoping to get lucky to hear the human voice when reality says that they are more than likely to respond if you send them email?

    Would anyone care to guess how much time I have spent at my desk this week? Bet you didn't know that for those times that I was away from my desk, I did have my laptop and could access email. Have you ever considered that if you leave me a voicemail and I am not around, yet I decide to take work home, I might not return your call for an extended period, or at least until I find time to make it back to my desk? For the small amount of time I do spend there, you have to understand that there are probably ten others before you who have exhibited the same illogical, inefficient behavior.

    If you send me an email, I might be able to at least compose a message while offline, as I do synchronize Microsoft Outlook before departing for the day, which guarantees higher odds of having a response in the morning. I am sure I am not alone in the way that my schedule is jam-packed during core business hours, so instead of just reading this, getting an inquisitive thought that lasts about as long as a Twinkie at a fat convention and rationalizing your behavior, why don't you noodle what it would take to alter your habits so that you make not only yourself but your customers more productive...



    Does your name fit on a nametag?

    Why do folks with incredibly long names, when leaving voicemail messages, say their names as fast as humanly possible...

    Are folks that ignorant that their names are difficult to understand? If I happen to be a resident of the state of Canada and have a French name, do you think that folks in Texas are going to be familiar with it? If I am from India and I pronounce my name as fast as possible, especially if it has sixteen syllables do you think someone in Iceland will immediately know how to spell it?

    Unless your name is really, really, really short like Jones, Smith, Ann, etc., could you slow down a little when leaving voicemail messages?


    Thursday, March 20, 2008


    Market Forces and Information Security

    Gunnar Peterson posted some great thoughts on market forces within information security that are worthy of further analysis...

    Hopefully Gunnar is aware that market forces are at work and Oracle is busy with plans to assimilate BEA where from a security perspective, nothing good can come from it. Of course this doesn't mean that they won't attempt to put together a thinly veiled chock-a-block eye candy Powerpoint lacking substance that will only convince IT process weenies who otherwise aren't technical and no one else that security is important.

    I wonder if Gunnar is aware that RSA doesn't actually have its employees putting out conferences and that this is an outsourced activity.

    Gunnar probably realizes that security companies will emerge when the right amount of money is placed on the table. Of course this assumes that the enterprise has enough money in their budget left over to do real security and haven't blown it all on identity management provisioning tools and upgrades to their porous firewalls.

    The enterprise most certainly has lots of problems and many of them start with the cartoon characters called enterprise architects that are too busy selling a finely polished pile of best practices without focusing on what is truly important. Interestingly enough, I think Gunnar uses the word top in a different way than most and is not referring to the organization chart but is referring to raw talent. The real question is what are the top talent folks actually working on? You would be surprised if the truth were revealed. More important is Gunnar's last sentence, where he states that the market hasn't listened to the enterprises' problems.

    For example, I and other bloggers have talked about the fact that having XACML-enabled applications in the BPM and ECM space is invaluable. Do you think you could find a single, solitary developer in one of these companies working on it right now? Even thinking about it? I seriously doubt it. In fact, I can tell you that for one ECM vendor, I arranged for not one but ten different enterprises including but not limited to Pfizer, Merck, Home Depot, Allstate, AIG and others to talk about why we believe collectively that ECM systems should store content and not users, and was ignored. Maybe some discussion on how security requirements could get higher priority in feature-oriented architectures is in order.

    I have to disagree with Gunnar in terms of the auto industry listening to customers or understanding their needs. If you were to walk down the street in any city in America, you would see that the width of folks is increasing. The cubicle disease is causing backsides to spread, which should translate into making car seats wider, yet nothing has changed on this front and manufacturers instead emphasize legroom. Are Americans getting taller or fatter?

    Sun does this, but are they as bad as other companies such as Oracle or CA? For example, should an Oracle database not only be able to authenticate against Active Directory but also support externalization of groups and roles without requiring additional licensing? To be fair, part of me believes that if CA, Oracle and others were to improve security by putting stuff into existing products vs the current approach of thinking about security as a new product, things in many enterprises would get worse. I bet you could back-test the fact that unless you pay lots of money for software, you probably won't use it properly, if at all.

    The other aspect of this equation is that many of my industry peers who have the title of enterprise architect are absolutely horrible and outsource their PowerPoint work to software vendors who will gladly do it for them as part of a sales pitch; dog-and-pony show. If security were in existing products and there were no revenue to be had, then it would actually require enterprise architects to keep up with technology, understand risk and most importantly have stewardship over the domain they oversee instead of focusing on perception management...



    Links for 2008-03-20

  • 10 Reasons websites get hacked
    He of course forgot all the mistakes made by IT executives prior to a single line of code being written...

  • The End of Irrational Execution
    A discussion on the three elements needed for moving from inertia to agility

  • Is software practice advancing
    The answer is emphatically no! With much of software development occurring in second-class countries such as China and India, when combined with their closed source, non-community, command-and-control, best-practices, hierarchical thinking, the conversations on how to improve don't even occur. They are savagely busy thinking that process discussions are the answer and don't recognize that much of this is a trap.

  • qualities of good pen testers
    Folks who participate in OWASP need to amplify this entry.

  • The Business of Identity
    It is great to see a discussion around business models but what is missing from the conversation is the desire of consumers to pay money to an identity provider.

  • a huge loss in credit cards - Consumers will be torqued
    Hannaford potentially exposed over one million credit cards. If you haven't been paying attention to PCI or more importantly been doing the bare minimum to comply, you may think of this as a heads up that the bar will be raised.

  • The Identity Oracle
    Bob Blakely of the Burton Group in the past talked about the notion of an identity oracle. I would love for him to expand on his past thoughts to understand whether technologies such as EMC's VERID, authentify and others that do knowledge based authentication is the right first step and how these vendors can start to align with this thinking. The notion of identity proofing seems to hold real promise regardless of what the consumerish crowd thinks.

  • Do Indian IT companies write secure code?
    Dharmesh Mehta provides insight into Indian outsourcing and software development and what folks there do best, which is to plagiarize...


    Wednesday, March 19, 2008


    Why CardSpace isn't Enterprise Ready!

    Kim Cameron is doing all the right things in terms of Microsoft by changing the way their products work; however, for CardSpace to be enterprise ready, it requires folks other than Microsoft to step up...

    Consider for a moment how software should be developed. If you are a fan of extreme programming, then you understand the importance of building test cases first. Many folks in this scenario would use JUnit, HTTPUnit or similar tools, and therefore all of the libraries for Java and .NET such as WSO2, Google and others should have test cases around them. In looking at the various libraries, it also becomes apparent that Microsoft funded security functionality but didn't ensure that these libraries adhered to good secure coding practices.

    Have you ever considered what would happen within an enterprise that used CardSpace to protect your medical information or even auto insurance where you insured a vehicle that your wife doesn't know about? At some level, a discussion of how Microsoft helps others write secure code is in order and should start with a discussion of usage of tools in the static analysis space such as OunceLabs, Coverity and others. I wonder if the identity selector went through any of these tools?

    Once your code is developed, it is typical practice to automate regression testing and to use tools such as Grinder, WebArt or HP/Mercury Interactive LoadRunner. If LoadRunner can't even log onto a website that is protected by CardSpace, then your regression testing won't get too far. Ever hear of any HP bloggers talking about how they will be extending their own products to support it?

    Consider that, unlike all the consumerish discussions to date, many enterprises have more thoughtful architectures and leverage web access management products such as Tivoli Access Manager, Netegrity SiteMinder, Oracle Oblix CoreID and others. So, in order for many enterprises to implement CardSpace, it requires these products to become, at a minimum, really good relying parties.

    If you were to dig deeper, the odds are that only 50% of the enterprise applications that are exposed to the outside world use a directory service. My thinking says that much of this stuff is in relational databases, where we need a way to STS-enable them. The odds are even better that the directory service used isn't based on Active Directory. Let's say for a minute that you have been reading Marc Wilcox's blog over at Oracle and the discussion around virtual directory products. Do you think this product may need to become an STS?

    Microsoft is on the right track with their own products, but needs to re-double their efforts (CEO sounding, huh) in encouraging others to get on the identity bandwagon. I know that Kim Cameron, Mike Jones and others will reserve judgment on how enterprise applications such as Siebel, Documentum, Pega, Mercury ITG and others work sub optimally today when viewed through an identity lens, but creation of a roadmap for these vendors to embrace would be appreciated by your enterprisey customers as many of them may not be capable of creating for themselves...



    The Evolution of Directory Services

    I like Marc Wilcox and his thoughtful posting on the evolution of directory services and had a few more questions of him.

    1. Marc stated: "I don't know how often I have to tell people this - but most Oracle products can connect to AD directly without additional licensing", which begs first a refinement of the question of which Oracle products can connect to AD and ADAM using the LDAP protocol and, more importantly, since you said most, which Oracle products currently cannot?

    2. Marc stated: "EUS does more than just authentication - it also handles mapping of directory schema to directory users and mapping of directory roles to LDAP groups", but didn't address whether the functionality described should just be a characteristic of any product that is directory enabled. For example, if Documentum told us that they support LDAP, should we interpret this to mean that they only authenticate against it, or should this mean that they can also handle mapping?

    3. Marc stated: "pretty much every one of the Global 1 Billion companies have additional user identity stores not stored in AD or even an LDAP server for that matter :)" and described how a product could be a potential solution, but didn't talk about any type of outreach to either these same global 1 billion companies or the software vendors that haven't had the sense to buy the most wonderful books written by you. What is Oracle's obligation to help others write LDAP-enabled software so that they don't require virtualization?

    4. Can we agree that consolidation is a better enterprise strategy than virtualization?


    Tuesday, March 18, 2008


    Links for 2008-03-18

  • Give me more to work with and I will
    Ian asked me to describe the differences between identity management and identity consolidation. Identity management says that I should go create a strategy around provisioning of identity and leverage tools such as Sun's IDM, Thor, etc., where I still fundamentally allow enterprise applications to have their own user stores, which takes me down the path of building lots of connectors. Identity consolidation says that I figure out how to get user stores out of my enterprise applications and instead get these applications to bind at runtime to a directory service such as Active Directory. I am of the belief that identity management (provisioning) propagates and encourages an otherwise bad architecture. The one thing that I would also love insight into is how to get vendors who still insist on having their own user stores (e.g. Documentum, Alfresco, etc.) to see the error of their ways and to take quick steps towards remedying them.

  • Businesses may be forced to pay for e-crime police
    I wonder if this is an opportunity for Wipro, TCS, Satyam and other Indian outsourcing firms to show an act of charity and contribute to the cause in an open source way?

  • Fun TLR Log Management Questions
    I wonder if Anton has any thoughts on which enterprise application software vendors do the best job at creating high quality logs and which ones leave something to be desired?

  • Did Google miss the OpenID boat when they deployed 2FA this week?
    My humble opinion is NO! Let's say that you are a large enterprise who leverages Google Apps. Do you believe it is a good idea for this large enterprise to outsource the identities of their employees to free sites (albeit of high quality) such as Vidoop and others, or is the better answer for them to somehow leverage their own internal user stores such as Active Directory and OpenID-enable them? The latter is better, but it would require Microsoft to step up and turn ADFS into an OpenID provider. Since this is not reality, Google did the right thing.

  • Virtual Directories
    Marc Wilcox talks about virtual directories but doesn't talk about how Oracle products should be able to bind to Active Directory without additional licensing. I guess Oracle doesn't acknowledge that 499 of the Fortune 500 run Active Directory. Sometimes the best answer is less products, not more!


    Monday, March 17, 2008


    Links for 2008-03-17

  • Microsoft, XACML, SQL and Sharepoint
    Jackson Shaw agrees, but I wonder what the role of Kim Cameron, Mike Jones, Young Joo, Allan da Costa Pinto, Stefan Brands and other Microsoft employees is in terms of making this happen?

  • SOA is not Enterprise Architecture
    Good to see that others are keeping the likes of Joe McKendrick honest...

  • Why Enterprise Architects continue to fall short with SOA
    I wonder if David Linthicum would ever provide commentary on not just the strategy aspects of SOA, but the development aspects as well? For example, does Indian outsourcing make SOA easier or harder to properly realize? What effect does CMMI have on SOA agility? Does ZapThink believe that enterprises understand the value proposition of OWASP and what they bring in terms of SOA security?

  • Identity leprosy or identity zombies?
    Ian believes that identity needs brains but falls into the trap of thinking about identity solely from the perspective of provisioning while avoiding runtime aspects. I wonder if he would blog on why enterprises should consider identity consolidation over identity management?

  • Drools: Business Rules Management System
    Ever notice how industry analysts never even mention Drools but overhype other expensive commercial products? You owe it to yourself to investigate this open source implementation.

  • More Cardspace in the enterprise
    Folks are busy getting it twisted in thinking that an enterprise user should invoke CardSpace multiple times during the day. CardSpace should only be invoked when entering another security realm. It feels more like a problem in that most enterprises don't have sound practices around SSO.

  • Source Boston 2008 Security Conference
    Nick Selby, Industry analyst at the 451 Group comments on a particular security conference and mentions many names that I respect. I wonder if he could comment on whether other attendees learned about OWASP, its mission to make application security "visible" and most importantly that you don't need to spend a lot of money to hear great speakers as local OWASP groups provide them for free.



    Do outsourcing firms write secure code?

    I was thinking about a comment made by Chenxi Wang of Forrester at our last OWASP meeting where she responded to the question of which Indian outsourcing firms provide secure code to their customers without them having to ask for it...

    In the world of outsourcing, customers have way too much they need to specify. At some level, most IT executives haven't thought about why security is so expensive and still tend to think that security is something bolted on towards the end of the project. While we all know that doing things earlier in the lifecycle is much cheaper than later, our behavior towards security is still suboptimal and pretty much all of the outsourcing firms aren't doing much to help in this regard.

    Should customers really have to specify that their code not be subject to the OWASP Top Ten or that it go through some form of static analysis for secure code reviews? When will customers or more importantly outsourcing firms start to think about secure coding as something one must do and not something customers need to specify?

    Do customers have the need to specify that source code actually compile? Of course there are lots of horror stories where folks have received code from offshore that didn't, but that's not the point. Maybe the challenge of writing secure code is that folks in India aren't necessarily trained to write secure code.

    One intriguing observation is that there are a couple of individuals who work for Cognizant who are pretty bright and are OWASP chapter leaders in Chennai, Bangalore and Delhi who put on high quality user group meetings on a consistent basis, yet few folks in India attend.

    The statistic that I heard from the last meeting in Chennai was that there are 60,000 IT professionals within one block of the meeting, yet fewer than 60 actually attended. If folks in India want outsourcing to thrive, then they need to step up their community participation...
