Thursday, July 31, 2008


OWASP Maturity Model Project

The Open Web Application Security Project is conceptualizing the notion of a maturity model to help the industry understand better practices in making web applications secure. In usual form, this project is free and open for any and all to participate.

If you would like to contribute your thoughts, please join the mailing list...


Wednesday, July 30, 2008


OWASP Certification Survey Results

The OWASP Certification Survey is now closed. The results are posted here. I will probably regret sharing this link, but in the spirit of being open, all insights are appreciated...


Tuesday, July 29, 2008


IT Hiring Practices

IT continually disappoints the folks on the business side. My thesis is that IT interviewing is the root cause, as most interviews test presentation skills rather than ability...

Why does IT have to continue the HR facade of interviewing when the pendulum has swung too far towards an emphasis on soft skills? Imagine if business customers were smart enough to figure out that the person running IT didn't actually know anything about IT, or that their coveted, very expensive enterprise application will fall apart during implementation because the folks who sold it have never actually built anything.

Business/IT alignment cannot occur without credible members on the team. This goes above and beyond their ability to present; there needs to be a common set of core skills that everyone within the enterprise has. If you are an employee of a large enterprise, have you considered asking each and every member of the enterprise architecture team what skills they 100% have in common?

The obvious answer, of course, is usage of Microsoft Office tools: we can draw pretty cartoons in Visio, our IDE is PowerPoint, and we are more than capable of ranting via email and scheduling meetings of nebulous value via Outlook. What other skills do we all have?

If we all have nothing in common but soft skills, how can we concretely implement our strategy? How can we expect business customers to trust IT? Do we really think business customers are that dumb?

To make matters worse, we attempt to hire even more folks just like us. Have we ever realized that diversity should be embraced? The enterprise needs folks with soft skills. Likewise, we also need folks with technical skills and those who can hang technically with the best of them.

Nowadays, with the emergence of work from home strategies where face-time as a construct will become extinct, if we focus on soft skills, aren't we hiring to the past and not for the future?



Links for 2008-07-29

  • Developers needed; hackers need not apply
    Jay Fields provides a scenario of who should receive an offer after a job interview. The funny thing is he is describing exactly how outsourcing to India works

  • Call for Practitioners: expertise in SOA & Security or SOA & ITIL
    The OMG is attempting to bring together a group of practitioners with expertise on SOA & Security for a roundtable conversation. Why practitioners? They want to explore actual requirements and issues prior to hearing from vendors and consultants on answers.

  • Issuing Managed Cards
    One aspect of the conversation around CardSpace that seems to never be discussed is the secure coding aspect. Many members of OWASP believe that parsers are the weakest part of XML security, yet CardSpace makes the parser a vital component and puts it right up front. This raises the question of whether the parser used by CardSpace can be considered as secure as, say, the one used by DataPower. I know that Rich Salz won't comment, but someone out there must have an opinion.

  • Active Directory 2.0
    I have been curious if Nishant Kaushik, Mark Wilcox and others from Oracle have a different definition of what constitutes an enterprise than say Microsoft?

  • Lack of ECM Standards and how it hurts the industry
    It has been a long time since anyone from Nuxeo, Documentum, Stellent, Alfresco or others actually talked about creating valuable standards as the conversation to date has only been about the challenges.

  • Identity Maturity
    Paul Madsen posts a listing of Liberty Alliance award winners. I wonder if he knows where the general public can get their hands on an actual federation agreement. No, not a framework or guidelines but one that has actually been executed (in a legal sense) between two parties.

  • Data Portability Governance Framework
    The concept of promoting open standards, whilst allowing people to own their personal data, to enable interoperability. The identity crowd should be following this...

  • Directory Trek Wars
    A humorous comparison between Microsoft Active Directory and Virtual Directories.


Monday, July 28, 2008


Scrum Certification is a big fat joke!

I bet you don't know what it takes to become a certified Scrum Master...

For certification to be truly meaningful, it must have some sort of experiential component (typically involving an internship or apprenticeship), and applications must be verified by other certified professionals.

The Scrum Alliance continues to embarrass itself, and to a lesser extent the agile community as a whole, with its continued operation of the Certified Scrum Master (CSM) program. To "earn" this designation you need to take a two-day course, at the end of which the instructor decides whether to award it to you. There is no test, and there appears to be a 99 percent plus pass rate.

It is clearly deceptive to claim that you're a "certified master" of something after taking a two-day course. Maybe those who are believers in the Agile Manifesto can learn something from the OWASP Certification Project...


Sunday, July 27, 2008


Grandmaster Frank Corbo: Shorinryu Karate

Yesterday, I got to see Grandmaster Frank Corbo receive his promotion to tenth degree...

Grand Master Corbo began his training in 1960 at the age of five. His first instructor at that time was his father, who introduced him to boxing, grappling and knife defenses. Returning home from the Marine Corps in 1976, he sought out instructors who could help him expand his martial arts knowledge and develop his skills into an integrated system of martial arts training. Grand Master Corbo has had the pleasure of training under the guidance of some of the greatest martial artists to date. Grand Master William Chen, Grand Master Hu Jianqiang, Grand Master Pan, Grand Master Duan, and Master Jiang Jian-ye have all made impressions on and improvements to his Integrated Martial Arts system.

My son, who is six years old, got the opportunity to do a Jiu-Jitsu demonstration with his sensei (ninth degree in Komushinryu), where he demonstrated his routine. My son wasn't wearing his Gi at the time and was upset with his dad for leaving it in the car. Anyway, the video will be up shortly on YouTube and I will be posting a link here.

I also had the opportunity to meet a wonderful master from New York who demonstrated close quarters combat along with a monk from the Northern Shaolin temple. Afterwards, we all pigged out at It's Only Natural, which I highly recommend.

Grandmaster Corbo is a judge on the 69th circuit probate court and a Marine. Duty, honor and country are no better represented than through the life of this master...



Military Quote of the Day

Always remember your weapon was made by the lowest bidder...


Saturday, July 26, 2008


Quote of the Day

Give a jackass an education and you get a smartass...



OWASP Maturity Model Project

I will be starting on my second OWASP Project, which is to create a maturity model to help enterprises index themselves in terms of maturity related to application security. We hope to have something published by the end of the year that will aid IT executives in understanding areas in which they need to focus.

If you are interested in contributing, please visit the OWASP web site and subscribe to the listserv. In the meantime, I will be spending cycles on figuring out how to get Gartner, Forrester and other industry analyst firms to pay more attention to security (other than Microsoft Patch Tuesdays). After all, if they aren't paying attention to it, then software vendors aren't going to either, and the industry will remain insecure...


Friday, July 25, 2008


What has been done in Smalltalk?

This is a bit of a challenge to Smalltalkers as well as a request for education...

1. What commercially packaged enterprise applications were developed using Cincom Smalltalk?

2. Where is the equivalent for finding open source Smalltalk projects?

3. What is the largest e-commerce site exclusively written in Smalltalk?

4. Has anyone written a relational database engine in Smalltalk?

5. Should developers be able to write Cincom Smalltalk using Eclipse?



Is there an IT Talent Shortage?

In my humble opinion, emphatically no!

There is a shortage of perfectly healthy unmarried childless folk who need no benefits, aged between 22 and 26, who need no visas, who have done a previous job within the last two months so much like the one you need that they require absolutely no ramp-up time, and who are willing to live anywhere and work cheaply in noisy cubicles on inferior computers without sunlight.

IT executives need to stop being silly by imposing unrealistic requirements on talent. Fundamentally, I believe that even if you ignore the above, we actually need fewer people in IT than we have today. Consider how much energy is put into time-wasting activities such as governance, which allows for increased financial transparency at the expense of productivity.

I suspect that if you were to align all of the IT initiatives into two columns, where one column is productivity and the other is transparency, and you weren't allowed to practice hybridism as a mental disorder, then the transparency column would outweigh the productivity column by ten to one.

As far as recruiting talent: if you accept people over 27, give them time to learn what you need, keep them long enough to pay back the cost of training them in value to you, give good benefits, locate the jobs where there is already a supply of unemployed or contract IT folks, are willing to pay them a little higher than local market wages, give them state-of-the-art computers, and put them in one-person offices with windows to the outdoors, you will have a stampede of candidates battering down your door. No problem.

If a young person asked me, I would advise them not to go into IT. Learn to use a computer much as one used to learn a foreign language or typing, but train to be the one that owns the business. That way you cannot be outsourced.

However, there are more than enough older folks around to do everything you need...


Thursday, July 24, 2008


Last Day to Participate in the OWASP Certification Survey

The Open Web Application Security Project (OWASP) is working on creating a certification targeted at software development professionals. The survey is located here.

The survey closes on Friday July 25th (tomorrow)...


Wednesday, July 23, 2008


An untold perspective on software licensing and GPL...

I used to be a big believer in GPL, but my perspective is slowly shifting...

My significant other is working on a project which she hopes will allow her to work 100% from home while making more than I do. A conversation between us emerged where we each debated our own philosophies on open source. She believes that BSD and its variants are the best for fairness and will serve to increase market competition, which is important to her since she needs to get her software into a Gartner magic quadrant which right now doesn't exist. We concluded that GPL is useful for undermining competition, not encouraging it.

More importantly, her solution is avoiding all forms of GPL, as she believes it is scary for business. She points to the GPL Violations site as evidence: 100 cases completed at a 100% success rate! Is this a good story for open source? History will tell the true story. What is factual, though, is that regardless of who wins, everybody loses when it comes to litigation costs and the wasted marketing dollars that go behind this activity.

The one opinion that grows even stronger in my own mind is the evilness of dual licensing. On the surface, it appears to be the easiest arrangement to explain to consumers. However, the real cost of maintaining this strategy falls on the software developers: the constraints of developing, testing, and packaging two separate but related software packages mean that every time a version of the software is released, you have to go through the steps twice.

Dual licensing also creates a usability obstacle for users, simply because it requires users to run several interfaces at the same time. Isn't it better to have one license and one way to do things rather than complicate things for end users...


Tuesday, July 22, 2008


Quote of the Day

If genius is one percent inspiration and 99 percent perspiration, I wind up sharing elevators with a lot of bright people...



OWASP Preliminary Certification Results

Several folks have pinged me offline in hopes of getting a peek at the results of the OWASP survey. Many folks wanted to understand the answers to such questions as which industry analyst firms best understand the challenges of Web Application Security. I found it somewhat insightful how folks perceive firms such as Redmonk, Gartner, Forrester, Entiva and the Burton Group.

Anyway, below are preliminary results to a few select questions. The full report will be made available at the end of the week...

Page: Introduction

1. Please indicate your gender.
   answered question: 401
   skipped question

2. Please select the category that includes your age.
   17 or younger: 0.0% (0)
   18 to 24
   25 to 34
   35 to 44
   45 to 54
   55 to 64
   65 or older
   answered question: 400
   skipped question

Page: Preferences

6. Has not having a particular certification or credential ever hindered your career?
   answered question: 344
   skipped question

7. In your opinion, what should be the target failure rate for first-time exam takers?
   No opinion
   answered question: 345
   skipped question

8. Do you believe that exams with higher failure rates are more credible?
   answered question: 345
   skipped question

Page: Marketing

14. In your opinion, do you feel single-brand certifications and/or credentials such as Cisco, Microsoft, Novell, etc. help or hurt the industry?
   answered question: 332
   skipped question

15. In your opinion, do you feel that training providers who teach courses geared towards obtaining OWASP certification should mandate that their instructors are certified?
   answered question: 331
   skipped question

Page: Test Methods

22. VUE ( and Prometric ( both provide computer based testing at existing testing centers throughout the world. While the actual payment to VUE or Prometric to provide an exam varies with volume, at least $75 of an exam's price would go to VUE or Prometric. What do you perceive as the advantages of having the exam available at a VUE or Thomson testing center? (choose all that apply)
   It would make the exam available in my geographic area
   The exam would be inexpensive
   The exam delivery would be secure
   It would be easy to register and pay for an exam
   I would prefer not to take the exam using a VUE or Prometric testing center
   Other (please specify): 23
   answered question: 296
   skipped question

Page: Final

30. Please rate which industry analyst firms best understand the challenge of implementing Web Application Security.

   Firm                      | First      | Second     | Third      | Fourth     | Fifth      | Sixth      | Last       | Responses
   Gartner                   | 51.2% (44) | 7.0% (6)   | 10.5% (9)  | 10.5% (9)  | 2.3% (2)   | 2.3% (2)   | 16.3% (14) | 86
   Forrester                 | 19.4% (13) | 44.8% (30) | 9.0% (6)   | 11.9% (8)  | 4.5% (3)   | 10.4% (7)  | 0.0% (0)   | 67
   Burton Group              | 25.9% (15) | 12.1% (7)  | 27.6% (16) | 13.8% (8)  | 10.3% (6)  | 3.4% (2)   | 6.9% (4)   | 58
   Yankee Group              | 2.4% (1)   | 16.7% (7)  | 19.0% (8)  | 35.7% (15) | 7.1% (3)   | 11.9% (5)  | 7.1% (3)   | 42
   Redmonk                   | 13.3% (4)  | 6.7% (2)   | 10.0% (3)  | 10.0% (3)  | 50.0% (15) | 6.7% (2)   | 3.3% (1)   | 30
   The 451 Group             | 6.1% (2)   | 15.2% (5)  | 9.1% (3)   | 6.1% (2)   | 18.2% (6)  | 36.4% (12) | 9.1% (3)   | 33
   Elemental Links           | 0.0% (0)   | 0.0% (0)   | 4.8% (1)   | 9.5% (2)   | 9.5% (2)   | 19.0% (4)  | 57.1% (12) | 21
   ZapThink                  | 4.3% (1)   | 21.7% (5)  | 26.1% (6)  | 17.4% (4)  | 4.3% (1)   | 8.7% (2)   | 17.4% (4)  | 23
   Nemertes                  | 6.7% (1)   | 13.3% (2)  | 13.3% (2)  | 6.7% (1)   | 33.3% (5)  | 6.7% (1)   | 20.0% (3)  | 15
   IDC                       | 0.0% (0)   | 25.0% (7)  | 21.4% (6)  | 21.4% (6)  | 14.3% (4)  | 14.3% (4)  | 3.6% (1)   | 28
   AMR                       | 0.0% (0)   | 7.7% (1)   | 23.1% (3)  | 23.1% (3)  | 30.8% (4)  | 7.7% (1)   | 7.7% (1)   | 13
   Ovum                      | 10.0% (1)  | 10.0% (1)  | 30.0% (3)  | 20.0% (2)  | 10.0% (1)  | 0.0% (0)   | 20.0% (2)  | 10
   Enterprise Strategy Group | 12.5% (3)  | 12.5% (3)  | 16.7% (4)  | 12.5% (3)  | 4.2% (1)   | 25.0% (6)  | 16.7% (4)  | 24
   Macehiter Ward-Dutton     | 10.0% (1)  | 20.0% (2)  | 10.0% (1)  | 0.0% (0)   | 10.0% (1)  | 10.0% (1)  | 40.0% (4)  | 10

   Other (please specify): 20
   answered question: 100
   skipped question
