Tuesday, September 30, 2008


Enterprise Architecture and Stupid Thinking...

If guns kill people, then...

pencils miss spel words.
cars make people drive drunk.
Spoons made Rosie O'Donnell fat.
Process makes developers in India competent...


Monday, September 29, 2008


Comparison of Federated Identity Products

I haven't been able to find a comparison of products in the federated identity space and figured that others within the blogosphere would be able to point me in the right direction. Much of the industry analyst publications are overdistilled and start with an overview where I am looking for a list of all possible features that could exist within a product and which products satisfy the criteria.

For example, where can I find a list of features that Ping Identity supports that, say, RSA Federated Identity Manager, Microsoft ADFS or Oracle doesn't? I wonder if Nishant Kaushik, Pat Patterson, Mark Dixon, Ashish Jain or others have any information in this regard that they are willing to make public? I really hate private pings...



Question for LDAP Experts

Have you ever used a tool to model a relational database such as Erwin or Visio where you can print out the visuals but also generate DDL? What is the equivalent tool for LDAP?



Sunday, September 28, 2008


The secret relationship between enterprise architecture and the United Nations

Have you ever figured out that enterprise architecture and the United Nations have an awful lot in common? Decisions are never made on fact, and perception is more important than reality. An enterprise architect would have seen the collapse of Wall Street. Likewise, the United Nations saw the unravelling of Darfur, yet in both cases everyone refused to take action.

So why do both enterprise architecture teams and the United Nations fail to come to any Resolution? If you were to take a survey and ask: Would you please give your honest opinion about solutions to the food shortage in the rest of the world? you would be guaranteed a failure...

In Africa they didn't know what "food" meant.
In Eastern Europe they didn't know what "honest" meant.
In Western Europe they didn't know what "shortage" meant.
In China and India they didn't know what "opinion" meant.
In the Middle East they didn't know what "solution" meant.
In South America they didn't know what "please" meant.
And in the USA they didn't know what "the rest of the world" meant.


Saturday, September 27, 2008


700 Billion Dollar Information Security Bailout

The parallels between the financial crisis the US currently finds itself in and the state of information security is uncanny...

Please consider:

1). Failed regulatory oversight (SOX, HIPAA, GLBA)
2). Failed self regulation (PCI, ISO)
3). Failure for consumers to manage risk (education, awareness)
4). Failure for companies to manage risk (risk analysis, awareness)
5). Failure for the current bailout to protect the consumer (no need to explain)
6). Reaction only when a threat is upon us (building security in vs slap on)

In both situations, the consumer is talked about...held up as the main focus, but the actions do not seem to support protecting them. Look closely at our privacy laws, security laws and identity theft laws and you can see the lack of any real consumer-based legal causes of action that are available.

Do you see any opportunity to leverage the current crisis to finally focus on the consumer privacy and security rights? At a time when the government is calling upon greater oversight and regulatory authority, should the security industry be lobbying to get the consumer protections front and center?

The unfortunate thing is the agents of change are the ones most guilty of violating consumer privacy and security. Much of the meltdown has been the savage exploitation of consumer behavior. Have we also considered that much of corporate behaviors in information security are trending in the wrong direction? Have we also considered that bureaucrats and politicians are too easily swayed by corporate leaders?

Risk management shouldn't be a cliché phrase thrown about by the likes of process weenies such as Robert McIlree. In the same way that the folks over at Gartner and CMMi advocate that process can be a substitute for competence, information security in many large enterprises is equally guilty of using it as a substitute for true risk management.

Identity management is one thing that is way overhyped, where every enterprise was forced into a one size fits all approach instead of focusing on optimizing cost/benefit for any given situation. Would Pat Patterson, Nishant Kaushik and others acknowledge guilt? I think not, as their employers are technology legislators that have generated a hype cycle that is a boon to consultants and has helped generate a lot of paperwork and control process but otherwise has become a distraction from core risk management practices and ends up being an architecture that is driven by the whims of an external auditing group rather than targeting a prioritized list of business specific risks.

So, let's acknowledge that what will save the day is architecture and that maybe we do need a new kind of leadership, one that understands the need for an agile enterprise architecture, strong technical leadership and an understanding of the human aspects of technology. The key is whether the masses will stand up for what is right or simply devolve back into perception management.

The government needs OWASP style governance. For the current power structure, don't worry, your jobs are safe as no one is listening...


Friday, September 26, 2008


Are you an IT Security Idiot?

How often do you pontificate that others need to look at IT security holistically but otherwise in your daily practice eschew secure software development? Do you continue to allow your lack of software development background to become an impediment to making your enterprise truly secure?

Instead of focusing on what not to do, perhaps you should figure out how to focus on doing something securely and interaction with developers may be a great place to start. At the very least, you should learn enough SQL so a properly parameterized query can be illustrated on a whiteboard.
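As an added illustration that is not part of the original post, here is the whiteboard comparison in Python with the standard sqlite3 module: a query built by string concatenation beside the same query with bound parameters, run against a small constructed users table.

```python
import sqlite3

# Constructed sample data so the example runs offline (not real accounts).
USERS = [("alice", "secret1"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """The whiteboard 'before': user input is spliced into the SQL text.

    The database parses query and data as one string, so a quote in the
    input changes the statement's structure instead of being compared.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """The whiteboard 'after': the statement is fixed, the input is bound.

    The '?' placeholders are filled by the driver after the SQL has been
    parsed, so the input can only ever be compared as a value.
    """
    sql = ("SELECT name FROM users WHERE name = ? AND password = ? "
           "ORDER BY name")
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(conn, name, password):
    """Run both versions and report what each returned (or the error raised)."""
    try:
        concat = login_concat(conn, name, password)
    except sqlite3.Error as exc:
        concat = "error: %s" % exc
    return {"concat": concat, "param": login_param(conn, name, password)}


if __name__ == "__main__":
    db = make_db()
    # A legitimate login: both forms agree.
    print(compare(db, "alice", "secret1"))
    # A surname with an apostrophe: the concatenated SQL fails to parse,
    # the parameterized query simply finds no match.
    print(compare(db, "o'brien", "x"))
    # A password containing a quote and an OR clause: the concatenated SQL
    # matches every row, the parameterized query matches none.
    print(compare(db, "alice", "' OR '1'='1"))
```

The apostrophe case is the one to draw first on the whiteboard: it shows that binding parameters is about correctness for ordinary data, with the security property following from the same mechanism.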

Maybe IT security professionals could also consider being an example by encouraging software developers to attend security-oriented user groups targeted at them such as OWASP. Bill Barr nailed it when he said: I have yet to come across a "security professional" I can't send packing after speaking three simple words: Show me code...



Today, I have reached my 2,000th blog entry...

Across all of my blogs, I have crossed the 3,000th mark. I wonder how I should celebrate?



Enterprise Architecture and Martial Arts

In the past, I have blogged about why Villari's Martial Arts is garbage but didn't propose a better alternative. Today is when I will share thoughts on an idea I am working on...

By now, if you have read my blogs, you would know that I am savage when it comes to charity focused on improving the lives of children. Several of my coworkers will be forming a program to work with the local Boys and Girls club to teach martial arts to inner-city children.

We will be starting off with an introduction to several different styles including Tai Chi, Shotokan Karate, Traditional Japanese Jujutsu and Taekwondo. We are targeting kids ages seven to twelve. The kids will receive martial arts lessons twice a week.

We will start with the basics of punching and kicking with lots of focus on mastery of horse stance, since this is universal to all styles. I will be teaching the first four forms of Tai Chi. I am working on convincing my significant other that she should teach all the girls Eagle Claw (the style made famous by Master Pai Mei of the White Lotus Cult), with a finale of my son leading others in Japanese Jujutsu.

Since I am the king of mashups, I figured I could combine this with my love of IT and figure out whether there are any software vendors in the blogosphere that would be interested in making a small contribution of $50, which will go to the purchase of martial arts uniforms for the kids (Japanese gis). We are targeting the purchase of twenty of them. Of course, vendors are also encouraged to throw in an additional $100 so that we can receive patches of the vendor's logo to be applied to the uniform, which the kids will learn to sew on themselves.

When large corporations get involved in community activities, lots of media is sure to follow. If you want to donate, please leave a comment and I will contact you. This is one of the cheapest branding investments a software vendor could make. Besides, the human aspects of technology are just as important...



OWASP Hartford September 2008

On Wednesday, the Hartford chapter of OWASP had two great speakers. First, we had Andrew Stone, a senior manager of Accenture, who talked about the authorization problem within enterprise applications, something enterprises need to start paying more attention to. I have been on record in saying that the identity conversation is overhyped and that authorization is more important. Good to see that Accenture is starting to carry the same message.

We also had Paul Roberts of the 451 Group, which is an industry analyst firm unlike Gartner. They aren't historians who measure what has happened, but focus on innovation and help customers understand what will happen in the future. In other words, some analysts help you make tactical purchasing decisions while others help architects with strategic goals such as using innovation to enable long-term business drivers.

For the October meeting, we will be having Rohit Sethi of Security Compass and the Agile Elephant speaking on elite IT talent. The agenda will be posted over the weekend here...


Thursday, September 25, 2008


Why McCain will win the election...

Bet you didn't know that John McCain will be the next president of the United States, but it won't be because he won by capturing the most votes. He will be successful by using tactics such as invalidating the votes of legitimate Americans.

Ohio and other places in Middle America will be too stupid to see that their vote doesn't truly matter and will simply let their votes not be counted...



OWASP Web Services Top Ten

Gunnar Peterson presented this morning on the OWASP Web Services Top Ten. While many have become familiar with the OWASP Top Ten via PCI/DSS, many haven't considered what aspects are common between web applications and web services vs what is distinct.

I believe there are three action items for me upon hearing this most wonderful presentation.

1. On the long train ride back home, I need to compose all my thoughts on worst practices that I have come across within my travels and include even the ones that I have personally made. Hopefully, this will help provide additional guidance for others to develop secure web services.

2. We need to figure out, once this list is finalized, how vendors who produce web services as part of their product offering could immediately fix deficiencies in their products. For example, it would be wonderful if Craig Randall, Laurence Hart, Bex Huff and others within the ECM community were the first to embrace it.

3. I also need to fail miserably and repeatedly in attempting to encourage industry analysts to dedicate a research report to aspects of developing secure web services. I will be pinging Gartner, Burton Group and Zapthink, with others to follow...



CMMi and IT Security

I find it fascinating to learn how many members of OWASP find much of CMMi silly. The notion that documenting bad process gets you to level three is the joke of the century.

Pravir Chandra presented at the OWASP conference the notion of a maturity model that is being led by Brian Chess and the folks over at Fortify and will in the near future be published under OWASP; it was well received. If you would like to learn more about this activity, please join the OWASP mailing list here...



OWASP NYC and Embarrassing moments...

Imagine being at a conference filled with security professionals and you lose your cell phone. It of course is discovered and they do the right thing by announcing to all attendees that they have found one and where to claim it. Of course, being a security conference, the announcer checks to see if you did something like keep the default password...



Links for 2008-09-25

  • One important difference between federation and internal IDM projects
    Not that Ping shouldn't attempt to expand its marketshare or make money, but one should ask whether the right solution is have folks over at Microsoft figure out how to turn Active Directory into a provisioning mechanism. Why couldn't you have ADFS take care of SaaS provisioning activities? While I know that Mike Jones, Kim Cameron, Jackson Shaw and others would probably not think about provisioning in this manner, there are many enterprise customers that would think it was a sane approach.

  • A kinder, gentler federation agreement
    I like when bloggers provide insight into topics but really hate when they assume we don't care about the detail. I would love to see the exact documents that he refers to (in a sanitized way) and not just summaries of what they contain. If anyone else has copies of federation agreements they have used, I would love to see real copies.

  • Needed: ‘five times’ as many SOA architects as we now have
    Sure, the answer is always quantity over quality. Does it make sense to bring on even more folks to build SOAs incorrectly? There are very few high quality sources of information in the form of books in the marketplace and the analysts are providing horrific guidance. This feels like a scenario of adding more people to a late project making it later. Joe McKendrick and others should lead with enumerating the competencies required and not just the count.

  • The lost art of informal communication
    I couldn't have said it better myself...



Cell Phones are Evil and tamper with work/life balance...

I previously blogged about Work/Life balance and how cell phones and crackberries are at the center of destruction of it. Today, I will share additional tips of how I have achieved balance...

In high school, I worked for Cigna where I noticed that there were a lot of IT professionals who didn't have a college degree in IT and concluded that what you have your degree in doesn't matter as much as simply having a degree. I rationalized that the degree was something one achieved simply to satisfy arbitrarily specified HR criteria and served little other purpose.

Applying this same set of thinking, I knew early on in life that I needed to have the same thing in terms of communications when it comes to phones. Whenever you apply for a credit card, visit a business in which you are a consumer and so on, it is mandatory that you provide them with a phone number. The challenge is in convincing them that they can call you for purpose X but not for purpose Y. In fact, once you give up your phone number, it may be passed along to other parties in the due course of business.

My solution to this problem is simple. I have a phone number which I list as primary in the phone book that I give to anyone simply to satisfy the fact that they require one. The phone number though is never answered and the only thing connected to it is my DSL line. If you want my phone number, I will give it to you, only I don't have to suffer with the Pavlovian effect of checking to see who is calling. I don't even have a voicemail connected to it and therefore won't even waste time reviewing it later.

For those who will get it twisted, I do have another number such that friends, family and other folks such as my kids' various teachers can reach us. Only twenty or so folks outside of family have it and even if it is leaked, I have a second protection mechanism to avoid the potential of Pavlov.

Many phone companies allow you to have the ability to program the number of other phones such that it results in a different ring. So, if my parents call me, I don't even have to look at caller ID and can simply pick up the phone, while if it rings for others I may look and respond accordingly...

Wednesday, September 24, 2008


Enterprise Architecture and Confrontation Management

Confrontation Management is the new Perception Management...

Perception is reality, yet many enterprise architects suck at managing it. The one question that we haven't asked ourselves is whether management of perception has gone overboard. Would Wall Street be very different if folks stopped worrying about the perception of stockholders and instead paid attention to the reality of finance?

Good enterprise architects do some perception management but it doesn't consume them. While perception management is important, confrontation management is more important. The best enterprise architects I know are great at exerting pressure, saying no at the right times to the right things, and starting and winning fights when necessary.

The need to be collaborative is important, but the need to be assertive is more important. To get the right price from software vendors, to build great high quality working secure software, to reject bad work, to criticize a strategy and to defend those who are correct but not popular requires being assertive.

Way too many folks (especially those who call themselves leaders) will do almost anything to avoid confrontation. They may see expressing any displeasure as dangerous or shameful. Nothing could be further from the truth.

What would happen if enterprise architects started to quantify the cost paid for fleeing the good fight? This would include everything from hours of correcting underlings' work (rather than sending it back) to being perceived as a weak leader who tolerates mediocrity...


Holistic IT Security Thinking is non-existent in most enterprises...

I previously asked When was the last time you ran across a holistic IT security professional and figured I would continue the dialog...

It is vital to acknowledge that holistic thinking requires strong technical leadership, something that is lacking in most enterprises. Let's be honest, how many IT executives are technical? If Gunnar Peterson, Mark Curphey, Robert McIlree and others were to be honest, they would acknowledge that while building security upfront within enterprise architecture is cheaper, in all reality it would take true IT leadership (distinct from management) to recognize when it actually occurred.

Consider the fact that many enterprise architects aren't even technical, with many never having written a single line of code in their entire life. Do you think they, combined with the plethora of non-technical process weenies (aka project managers), would recognize a high quality secure architecture from a less optimal one? Many within the enterprise make the mistake of simply thinking it is a matter of bringing on expertise at the right time and rationalize their thinking by pontificating that no one can know everything! Reality says that this approach is doomed from the start in that a project manager is rewarded for delivering anything of quality that will be accepted by business customers. Since security isn't visible to most business customers, security architects will never be permitted to do anything that Gunnar and Mark suggest.

Another viewpoint says security professionals are best positioned when security becomes visible. Usually this happens at the expense of the enterprise and the loss of their customers' personally identifiable information. The HR reward systems are still based on heroics and not integrity or prevention. If I do a good architecture or bad architecture within my own job, how many of the folks that have the ability to express their two cents on my annual review could possibly recognize the quality or lack thereof? Yet if something bad happens and I fly in to save the day, it is visible by all.

In terms of my own day job, I have a healthy balance of proactive and reactive, but I bet you can predict which one will make me more money...

Tuesday, September 23, 2008


How many fingers are required to count the number of clueless IT Security Professionals?

Today, I figured I would analyze a most wonderful comment left by William Barr...

Mr. Barr stated:

The more interesting question is whether the CISOs of many enterprises are aware that their staff isn't providing any value in helping protect the enterprise applications at which the vast majority of the IT budget is directed. Enterprises spend more on developing their own in-house applications than they do on Oracle, Microsoft, Sun and Cisco combined.
The concept of encouraging security professionals to attend OWASP and other free user groups where application security concerns become visible would be a great first start.

Actually, that isn't a bad idea. Most so-called security professionals nowadays are really practicing network hygiene and while pontificating the need for holistic approaches to security that obviously includes software development, they obviously aren't practicing what they preach. Maybe the better answer is for IT security departments to harvest the best of the software development staff (you know, the ones who are disgusted with working with Indian outsourcing because they actually care about the quality of code and not just dates) and turn them into holistic IT security professionals...

Monday, September 22, 2008


OWASP Hartford: September 2008

The Hartford CT Chapter of OWASP will be holding its chapter meeting on Wednesday September 24th at 5pm. The agenda is posted here. This event is well attended by local companies including Aetna, Microsoft, Oracle, Cigna, ING, MassMutual and GE.

Haven't yet figured out why the headcount is low from employees from IBM and Sun though...


Predictions on how Indian Outsourcing will be affected by recent market gyrations...

It is my humble prediction that Indian outsourcing will grow even faster but folks in India who are starting to become competent will be displaced by freshers...

When American companies lose money, they start to tighten their belts and find ways to accelerate expense reduction, where outsourcing to India is one potential solution. The challenge in India, though, is that as the US dollar declines, it becomes more difficult to support the salaries of higher-end IT workers in India and they too will have to practice expense reduction.

If you are in India and have crossed the five year mark and more importantly have transitioned out of being technical to become a form of middle-management, then you can expect your job to be in jeopardy. Indian outsourcing firms will have to leverage the same playbooks as American companies in the 90s by cutting out folks in the middle.

My prediction also states that India will need to eliminate many of those who are really talented and were compensated for their abilities and will need to replace them with freshers who are cheaper and available for half of their salary.

Unlike America, which used to have a culture of the employer caring for their employees, India never really adopted this way of thinking and will think of their talent as more expendable. Executives in India will figure out ways to make folks work more, get paid less and ruin any opportunity for work/life balance.

The key is whether folks in India will not repeat the mistakes of American IT workers and seriously consider unionizing...

Sunday, September 21, 2008


People don't kill people, Cell Phones Kill People...

James Robertson, Chris Petrilli and others have managed once again to get things twisted. Keeping folks straight is difficult...

Maybe the best way to get something straight is to also twist titles to fit a purpose and align with their thinking. Let's start with an analysis of the responses:
It is of course important to establish expectations; the challenge is that most folks don't have the same sense of what is important and what is not nowadays. Even if you choose to NOT answer, you will still react in a Pavlovian dog like fashion every time it rings, which can only serve to distract you.
So, he agrees that lots of open source software is written without ever meeting yet responds with what works for him, which is more anecdotal than a necessity. I wonder if he is the one who actually organizes the meetings...
I bet most folks in IT will not admit it but the folks most guilty of violating work/life balance tend to be non-technical project managers who think that everything is urgent. At least on this topic, Chris and I are in full agreement as to his response...

The one aspect though that is backtestable is that 25 lives in California would still be here if some stupid conductor weren't focused on his freakin phone. Good to see that one employer has started the trend in banning them...

Saturday, September 20, 2008


Making a difference in a sustainable way...

Pat Patterson discusses how to make a difference. It would make my day if James Robertson, Robert McIlree and Chris Petrilli joined in...

Friday, September 19, 2008


When was the last time you ran across a holistic IT security professional...

If I had a nickel for every time a security professional uttered we need to think holistically about security, I'd be able to personally buy all the stock of AIG and Merrill Lynch...

This week, I had the opportunity to speak at IT Security World on SOA and Security. My opening question was to ask attendees how many of them believe that security needs to be looked at holistically, and lots of hands were raised. I then asked if they thought that holistic included software development, and all the hands stayed up. I then asked how many of them actually had a software development background, and pretty much every single hand in the room dropped.

Mark Curphey and Gunnar Peterson have blogged on the fact that security being 90% focused on breaking and 10% on building is just plain bad. A quick analysis of why this occurs is really simple: to be a builder, you must understand how to write software, while to break software you can get away with a simple operations/infrastructure background.

Gunnar and Mark, do you really think that the masses of security professionals will be willing to throw themselves under the bus by acknowledging that they may not be qualified to defend their own enterprise against future threats? Do you understand how long it takes not just to learn a language if it is your first, but to actually become competent? Do you think it is wise for an enterprise to wait around for security people to learn, no matter how motivated a handful of them may be?

To refine one of Gunnar's comments: When was the last time you saw an attack drawn out as a UML sequence diagram? Let me be on the record and say that I am guilty of not doing this either, but I have a valid reason. First, I absolutely despise sequence diagrams and prefer activity/swimlane diagrams instead, as they clearly show who does what along with the boundaries. I have encouraged folks, especially those who draw process flows, to choose this notation over more simplistic sequence diagrams.

For folks who want to truly be a holistic security professional, I personally endorse taking Gunnar's course at the upcoming OWASP conference. The challenge though is figuring out how to convince IT executives that the folks who currently consider themselves security professionals aren't really practicing anything more than network hygiene and that there is nothing holistic about their approach regardless of what they tell you...

Thursday, September 18, 2008


The Youngest Victim of IT Outsourcing

My previous blog on the youngest victim of IT outsourcing generated a lot of responses I wouldn't have predicted...

One of the responses received:
Another response received was:
Interestingly enough, I expected folks from India who are part of the outsourcing ecosystem to be more passionate than any American regarding the loss of a child, until I received this response:
I have never worked for nor with Infosys, have never met Mohan Babu K. nor any members of his family, but as a human I still grieve for his loss. I guess I am a dinosaur for responding with my heart instead of my sterile indoctrinated repeat-after-me best practice answer...

Wednesday, September 17, 2008


Does this make me a liberal or conservative?

Today's blog is slightly offtopic but I feel compelled to comment on the absurdity of making a profit from healthcare. I believe that the principles of open source when applied to this problem could make things better...

One of my cousins is a recent graduate of a nursing program and has started to learn first hand how people suffer and die because of HMOs, big insurance (Aetna, Cigna, United Healthcare, etc) and pharmaceuticals (Pfizer, Merck, Bristol Myers Squibb, etc) and their decision making process. They are, by law, beholden to their stockholders and the bottom line, and therefore have an ethical conundrum in that at times they have an incentive to deny needed care in the name of profit.

I am not for government healthcare because it suffers from much of the same problem as the current system. The government also is beholden to many of the same financial burdens. Imagine if the principles of open source were applied to healthcare, where HMOs had to make their business rules publicly available in a well-formed XML format that could be inspected by others. Imagine the ability for a consumer to use an open source rules engine such as JBoss Drools to proactively tell whether a claim is going to be approved or denied. The current model requires consumers to expose themselves to financial risks as they don't have a clue upfront as to their own liability.

Good governance is also required in that disputes should have an SLA attached to them. Consider the scenario of James Robertson being admitted to the local hospital for a mental disorder and his healthcare provider deciding it didn't want to pay claims. While James Robertson couldn't figure out how to leverage a business rules engine since he uses an antiquated language known as Smalltalk, he could at least demand that a response come back within say four hours vs the current unknown/unbounded timeframes that exist today.

What if society at large were able to define the actual rules instead of actuaries in each of the HMOs? Folks could define four choices that HMOs would simply implement and determine the price associated with each set of rules. Consumers would know exactly what they would get upfront when paying premiums and be able to make better informed healthcare decisions. Likewise, the decision making process would also be normalized such that all HMOs would provide the same answers in the same situation...


    How you can create your own foreign policy and increase IT security...

    I am announcing team OWASP, on Kiva, a non-profit website that allows you to lend as little as $25 to a specific low-income entrepreneur in the developing world. You choose who to lend to - whether a baker in Afghanistan, a goat herder in Uganda, a farmer in Peru, a restaurateur in Cambodia, or a tailor in Iraq - and as they repay the loan, you get your money back.

    Check out the OWASP lending team, and learn more about lending teams on Kiva in general, by clicking here...



    Thoughts on Basel II

    Basel II is making its way to America and is a solution to many of our "governance" problems (sorry, "challenges"), yet they could have invited us enterprisey architects to help make it even stronger...

    Within many enterprises, the notion of a common message format is all the rage within enterprise architecture. The thought that an enterprise can have a global taxonomy such that all of its systems can talk to each other while avoiding semantic integration headaches is the goal. So, how come Basel II folks didn't consider a taxonomy for describing risk reporting?

    Do we think we can understand risk throughout the planet if there is no taxonomy that everyone uses? The word risk itself means different things to different enterprises. For business people, risk is an omnipresent feature of life, an attribute used to calculate potential returns or losses on investments. Many business careers are made by taking risks. For an IT person, risk is something to be avoided at all costs, the result of flaws in architecture that lead to vulnerabilities and loss. Many IT careers are lost by taking risks.

    So, wouldn't it be cool if OASIS, or even OWASP for that matter, got together a few of their best and brightest and figured out how to describe the notion of risk within XML? Credit risk, market risk, operational incidents, loss events and IT architecture all need one unambiguous way to be described in order to be exchanged without semantic loss of fidelity.

    Imagine if those of us within the insurance vertical could encourage all the actuarial types we work with to noodle on creating such a specification with us in an open source way. The insurance vertical is best positioned to nail this challenge, as it best understands risk and its elements (incidents, events, losses, claims, exposures, forecasts and reserves), since this is what it does all day, every day...


    Tuesday, September 16, 2008


    Will you be attending OWASP NYC AppSec Conference?

    By now, if you are a reader of my blog, you will have come to realize the importance of secure software development. Unlike commercial conferences, you won't find high-level thinly veiled speeches by clueless IT executives with fancy titles. You will however find folks who actually are intimate with the challenges faced in developing secure web applications.

    If your budget allows for you to attend one last conference this year, I highly recommend that you spend it on OWASP NYC AppSec 2008 Conference. If you have already registered, I would love to meet up with other bloggers in attendance. Finding me won't be too difficult as I can stand out in any crowd...


    Monday, September 15, 2008


    How should I celebrate?

    I have been blogging every single day for the last three years without missing even one day! I am fast approaching my 2,000th blog entry and wanted ideas on how I can celebrate...


    Sunday, September 14, 2008


    Will you be attending IT Security World in San Francisco?

    I will be speaking at IT Security World this week on the topic of SOA and Security. My presentation will have a healthy dose of how to attack web services (OWASP style).

    If you will be attending, I will be staying at the conference hotel and would love to hook up with other bloggers...


    Saturday, September 13, 2008


    Enterprise Architecture: Is this a good idea?

    I receive lots of private notes from bloggers hoping to gain insight on a variety of topics of personal interest to me. Being savage about making pretty much everything I do open, I wanted to dedicate several upcoming blog entries to addressing questions that others may have for me.

    So, if you have questions regarding enterprise architecture, application security, SOA, open source, OWASP, outsourcing or any other topic that I have blogged about in the past, I will redouble my efforts to provide more commentary.

    I do ask that bloggers use trackbacks/links instead of leaving a comment, in order to aid transparency: others will then be able to see not only the question but also the answer in a seamless manner.

    Even James Robertson, Robert McIlree or others are welcome to ask any question they desire...


    Friday, September 12, 2008


    Enterprise Architecture: The lost art of informal communication...

    Why does everything nowadays have to be a thinly veiled, chock-a-block, eye-candy PowerPoint that has to be reviewed a dozen times? Have we forgotten that business folks are human and sometimes appreciate informal communication...

    The more informally a team works, the less strain there is on management to keep track of things and micro-manage activities, which is usually the first sign of a project death spiral. Team building and team dynamics are absolutely vital to encouraging informal communication.

    Maybe enterprise architects need to stop worrying about perception management and instead adopt the practices of a gadfly. A gadfly is someone who goes about asking questions that stir thinking and discussion. Some folks are just natural gadflies, prone to thinking outside the box and throwing out unconventional ideas from time to time, which ultimately leads to the innovation that the business desires of IT.

    When was the last time you had a conversation with the business that you deeply enjoyed? When was the last time you had a conversation with your boss's boss that you truly enjoyed? Maybe enterprise architects need to refactor their thinking and not just processes and code...


    Thursday, September 11, 2008


    Are vendors distorting the value of identity management?

    A couple of days back, I asked the question of whether identity management is overhyped. Today, I will comment on the responsibilities of vendors in this space to make things better...

    Identity management is here, but it doesn't solve most of our problems. It is expensive and forces processes on large enterprises that honestly don't belong there. Identity management and the processes around it shouldn't be the responsibility of enterprises but of vendors.

    Imagine what would happen if Kim Cameron, Nishant Kaushik, Pat Patterson, Jackson Shaw and others started to outline and conclude that identity management is a process for identity providers and not for enterprises. Why can't an enterprise outsource the identity problem to some specialized provider while focusing instead on how it can be made reliable? Wouldn't it benefit enterprises more if there were not only standards but actual implementations within existing products that support notions of verification/vetting and indemnification?

    What would happen if there were an industry-standard way of measuring the amount of customization required to make identity products work? What if Gartner didn't hype vendors but instead figured out how heavily customized, extensively configured and sometimes even hacked these products have to be in order to adapt them to most enterprises?

    What is more amusing is that most identity management software is vulnerable to common attacks. It is very sad to see security folks actually purchase insecure software. Does anyone have any evidence as to whether the product managers of these firms are familiar with OWASP? What if OWASP were to make public the vulnerabilities of the respective products, or at least enable others such as Gerry Gebel, Dan Blum and Bob Blakley to see basic vulnerabilities during the interoperability challenges at the next Catalyst conference?

    Anyway, enterprises should focus solely on being really good relying parties, while the industry at large figures out how to create reliable identity providers. Until this happens, enterprises are forced to manage identities themselves and remain participants in the hype cycle...
