Wednesday, December 31, 2008


What those words mean on your annual performance review...

Tuesday, December 30, 2008


What do enterprise architects do all day?

I took one week off and now have exactly 1086 new unread messages in my inbox. Tomorrow, I will be in the office hoping not to spend all day simply managing email...


Do Enterprise Architects realize when they are being enterprisey?

The adjective "enterprisey" is sometimes used to imply the software recommendation is overly complex even for large organizations and simpler, proven solutions are available...

Alan Pelz-Sharpe asked who loves the incumbent vendor and talks about this scenario from the perspective of a relationship where, over time, legacy products grow features that aren't really that useful. Consider the average user of Microsoft products. How many of us truly need the features that Office 2007 provides? For me, I am satisfied with Office 2000 and haven't found a compelling reason to upgrade. Of course, sooner or later, Microsoft, like all vendors, will force an upgrade.

So, answering the question of whether enterprise architects are too enterprisey requires us to look at other participants in the IT ecosystem. Are industry analysts part of the problem, in that they only cover enterprise-class offerings that cost millions while not guiding us to cheaper, more economical solutions? If I were to ask a Gartner analyst for a list of reasons why Alfresco is better than Documentum, could they provide one?

Let's acknowledge that software vendors have a vested interest in ensuring that enterprise architects stay enterprisey. Should we spend millions on portal software and CRM technologies when the functionality provided by Liferay and SugarCRM may be adequate? The funny thing is that many enterprise architects know that open source is capable of satisfying the business need yet continue to ignore its value proposition. So, ask yourself why.

I believe part of the challenge with open source in enterprise settings has absolutely nothing to do with the babble spewed by others under the label of support, especially since the decision-makers aren't accountable for the operational aspects of the chosen software. What they are accountable for is gaining buy-in early in the lifecycle and ensuring that any proof of concept is successful. Now, the best way to understand the buy-in problem is to acknowledge that open source projects don't typically come with chock-a-block eye-candy PowerPoint that an enterprise architect can simply put their name on and present to others; they would have to create all of that themselves. Compare that amount of upfront work with simply picking up the phone, ringing your favorite sales guy and asking him to do the demo, and the enterprisey behavior starts to emerge.

Now, let's also understand that the vast majority of enterprise architects nowadays have lost their technical chops and couldn't get Hello World working. In this situation, do you think they want to be accountable for making open source work, or would they rather call up the same vendor who will get something working for free on their behalf?

Hopefully, you are starting to see the point that enterprisey behavior benefits the IT ecosystem and, while silly, wasteful and insulting, it will not go away anytime soon. Making it go away would require industry analysts such as Gartner to include non-commercial open source in the same quadrants as proprietary closed source, enterprise architects to stay more technical and, of course, open source projects to value the sales model within large enterprises by treating PowerPoint as equal in importance to writing software. I don't see any of this changing, and therefore I say to those who make fun of the enterprisey: the entertainment provided by us enterprisey types will grow by leaps and bounds.

Merry Christmas, Happy Kwanzaa and Three Kings to Matt Secoske, Dare Obasanjo, Stefan Tilkov, James Robertson, Chris Petrilli and other enterprisey lovers in the blogosphere...

Monday, December 29, 2008


Is Team OWASP part of your New Years Resolution?

I am announcing team OWASP, on Kiva, a non-profit website that allows you to lend as little as $25 to a specific low-income entrepreneur in the developing world. You choose who to lend to - whether a baker in Afghanistan, a goat herder in Uganda, a farmer in Peru, a restaurateur in Cambodia, or a tailor in Iraq - and as they repay the loan, you get your money back.

Check out the OWASP lending team, and learn more about lending teams on Kiva in general, by clicking here...

Sunday, December 28, 2008


Enter CMIS, a Proposed ECM-SOA Standard

Laurence Hart provided an insightful blog entry entitled: Enter CMIS, a Proposed ECM-SOA standard. Still there are lots of unanswered questions...

The likes of Nick Patience, Chuck Harris, Craig Randall, Cornelia Davis, Bex Huff and others have chimed in on the CMIS specification. I wonder if any of them have thoughts on the following:

Saturday, December 27, 2008


Enterprise Architecture and Budgeting Worst Practices

Has anyone else noticed that enterprises expend a lot of effort on strategic planning yet their budgets don't always align...

How come we do budgeting based on activities rather than outcomes? Is it because we get it twisted and mistake the budget for the plan, and don't acknowledge that the budget is supposed to be how you intend to invest to achieve your objectives?

Outcome-based budgeting is developed from aligned goals, strategies, priorities and performance measures, as defined in the budget and other planning documents, and actual resources (money) are allocated directly to achieving the stated goals. By assigning money to the anticipated outcome itself, enterprises can clearly communicate their priorities and then go about "buying" results toward those stated goals.

Outcome budgeting enables policy discussions and encourages questions such as:

An outcome-based budget not only allows for more informed decision making, it also makes enterprises more transparent to those in the business as well as within IT. To noodle on this deeper, ask yourself honestly whether you understand how budgeting works in your enterprise, and how clearly you believe it communicates the priorities and how money is actually spent...

Friday, December 26, 2008


Thoughts on Entitlements Management

We know that Bob Blakley and Gerry Gebel of the Burton Group have provided extensive coverage of entitlements management in terms of interoperability, but the conversation needs to go a lot deeper...

We know that vendors such as Securent, Jericho Systems, Oracle and others can provide deep value in terms of technology for entitlements management, but product implementation isn't the entire story. Reality uncovers a simple fact: entitlements management is not sustainable without the cohesive view provided by business architecture. If you don't know what your business really looks like from a normalized perspective, then how can you sustain entitlements?

The vast majority of enterprises that have purchased entitlements management products have not even implemented all the necessary business processes. In my presentations at industry conferences, I have always said that identity management is a decent approach to problems in the enterprise, but doesn't get at the complete problem space needed to increase efficiency in employee onboarding and reduction in force.

Consider the fact that I am an employee of a Fortune enterprise and all my coworkers know this fact as well. My boss hasn't fired me yet, so my identity, regardless of how it is sprayed through hundreds of enterprise applications, isn't that big of a problem. Now, if you were to ask my boss what James McGovern has access to, he would tell you he has no freakin' clue, but as soon as you know, please let him know. The funny thing is that I have some responsibility for security and even I don't always know what I have access to.

Within large enterprises, annual reorganizations where folks change roles are a growing trend. On each event a person may gain some rights and lose some rights, or at least that is how it should work. Reality says that over time most folks are gaining more rights without necessarily losing any. As a person changes role, their identity, or even the applications they touch, may not change, but identity management runs out of steam when it comes to the finer-grained access that is vital to preventing entitlements creep.
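
The creep described above is something you can actually measure if you keep role history. The following is an added example, not code from this post or from any of the vendors named here: given a role-to-entitlement catalog, the roles a person used to hold, the roles they hold today and what their account can actually do, it buckets the difference into rights that a former role explains (the reorg never took them away), rights no role ever explained, and rights the current role should have granted but didn't. The catalog and the sample user are constructed.

```python
"""Entitlements creep review across role changes.

Added example, not code from the original post. The role-to-entitlement
map and the sample user are constructed; in practice the first comes
from the entitlements catalog and the second from the provisioning
system's history plus a live pull of what the account can actually do.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: the entitlements each role is meant to carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims_app:read", "claims_app:approve", "doc_store:read"},
    "claims_supervisor": {"claims_app:read", "claims_app:approve", "claims_app:override",
                          "doc_store:read", "hr_portal:team_view"},
    "enterprise_architect": {"doc_store:read", "arch_repo:write", "portal_admin:read"},
}


def entitlements_for(roles: Iterable[str]) -> Set[str]:
    """Union of the entitlements the given roles justify (unknown roles justify nothing)."""
    justified: Set[str] = set()
    for role in roles:
        justified |= ROLE_ENTITLEMENTS.get(role, set())
    return justified


def entitlement_creep(former_roles: List[str], current_roles: List[str],
                      actual: Set[str]) -> Dict[str, Set[str]]:
    """Compare what an account can do with what its current roles justify.

    stale       - held, not justified by any current role, but explained by a former role
                  (rights gained on a reorg and never taken away)
    unexplained - held and explained by no role past or present (ad-hoc grants, shared accounts)
    missing     - justified by a current role but not held (the reorg never finished provisioning)
    """
    expected = entitlements_for(current_roles)
    formerly = entitlements_for(former_roles)
    excess = actual - expected
    stale = excess & formerly
    return {
        "stale": stale,
        "unexplained": excess - stale,
        "missing": expected - actual,
    }


# Constructed sample user: two past roles in claims, now an architect, and the
# access the account was found to have.
SAMPLE_USER = {
    "former_roles": ["claims_adjuster", "claims_supervisor"],
    "current_roles": ["enterprise_architect"],
    "actual": {"claims_app:read", "claims_app:approve", "claims_app:override",
               "doc_store:read", "arch_repo:write", "hr_portal:team_view",
               "legacy_mainframe:tso"},
}


def review_sample() -> Dict[str, Set[str]]:
    """Run the review over the constructed sample user."""
    return entitlement_creep(SAMPLE_USER["former_roles"], SAMPLE_USER["current_roles"],
                             SAMPLE_USER["actual"])


if __name__ == "__main__":
    for bucket, items in review_sample().items():
        print(f"{bucket:12s} {sorted(items)}")
```

The "stale" bucket is the creep the post talks about; the "unexplained" bucket is where the shared accounts and one-off grants surface, and "missing" is the half of a role change nobody usually checks.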

I wonder if the likes of Josh Bregman, Mark Wilcox, Pat Patterson, Mark Dixon, Nishant Kaushik, Rajiv Gupta or others would be willing to blog on the business aspects of entitlements management...

Thursday, December 25, 2008


The effects of a declining economy...

Regardless if you are a believer in Judaism, Islam or Christianity, we can come together today and acknowledge that there is just but ONE God...

In prior years, I made a lot of money off investments in the stock market. Of course, this year I managed to lose money and therefore have less available for charitable activities. This troubles me deeply in that, while I am truly blessed, I have to wrestle with my own conscience over keeping my own family vibrant vs. having the ability to help those who are more in need. Just think that across the planet there are billions of people who don't get a proper meal each and every day. Am I being selfish? The answer is a resounding yes. Is this OK considering that much of it is driven by self-preservation? Maybe.

It takes a lot for all of us to not focus on our own challenges and to consider those who are in more need than us. As I watch my portfolio go down the drain, at least I can find solace in helping others do better. Over the holidays, my family will be volunteering time to help in soup kitchens. Sometimes, folks just need to know that others care to make the effort to talk to them...

Wednesday, December 24, 2008


Liberty Alliance 2.0

SAML 2.0 can carry an XACML payload. Anyone care to guess why you can't find a single product that can make effective use of this specification...

Imagine a scenario where you need to adjust the authorization model at runtime based on how a third party defines their organizational structure: company A may want to access a system that displays commissions, and they only want employees in the Northeast to see commissions generated in the Northeast. Likewise, company B may want to restrict views into your commission system where they are organized into two groups: individual and institutional. The permutations on how outside parties can organize are infinite, and XACML is a great way to handle the description aspects without forcing provisioning of entitlements at each and every service provider.

You may have noted that many of the federated identity management products support bridging access into products such as Tivoli Access Manager, CA/Netegrity SiteMinder, Oracle/Oblix CoreID and so on, but do so in a way that simply asks those products to generate a session cookie and nothing else. At runtime, you can receive a wonderful SAML message containing XACML, but it will get thrown away if you are using web access management solutions.

Likewise, the entitlements management vendors (e.g. Jericho Systems, Securent, etc.) only think of entitlements as something within the enterprise (this isn't necessarily bad) and are constrained in that they don't integrate with any of the federated identity management products (OIF, RSA FIM, etc.), so I have this wonderful SAML/XACML thing happening, but how do I get the entitlements management product to consume it? You may also have noted there is a problem with session management in these scenarios: web access management products should also cache the XACML decisions rather than treating them as one-time requests.

In the commissions scenario, the entitlements management product should allow one to say that a company can only access its own commissions, which prevents company A from seeing company B's and vice versa. Likewise, it should also consume the SAML/XACML and apply the additional restrictions.
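
To make the two layers concrete (the provider-owned rule that a company sees only its own commissions, plus the partner-supplied restriction on top), here is an added example. It is not code from this post and it is not XACML: it is a small deny-by-default, attribute-based evaluator shaped like what an XACML PDP does (a target, a list of rules, deny-overrides), written so the partner's organizational attributes arrive with the subject the way they would in a SAML assertion rather than being provisioned per employee on our side. The attribute names, the two partner policies and the commission records are constructed.

```python
"""Partner-defined authorization over a shared commission system.

Added example, not code from the original post and not XACML itself: a
small deny-by-default attribute-based evaluator shaped like what an
XACML PDP does (target, rules, deny-overrides). The attribute names,
the partner policies and the commission records are constructed; the
subject attributes stand in for what a SAML assertion would carry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, str]
Condition = Callable[[Attrs, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str            # "Permit" or "Deny"
    condition: Condition   # (subject, resource) -> does the rule apply?


@dataclass
class Policy:
    company: str           # target: which partner this policy belongs to
    rules: List[Rule]


def subject_attr_equals(name: str) -> Condition:
    """Rule condition: the subject carries `name` and it equals the resource's value.
    A subject missing the attribute never satisfies the rule (fails closed)."""
    return lambda s, r: name in s and s[name] == r.get(name)


# Partner-supplied restrictions. How each partner organizes itself is opaque
# to the service provider, so the partner ships the rule and asserts the
# attributes it references; nothing is provisioned per employee on our side.
PARTNER_POLICIES: Dict[str, Policy] = {
    "companyA": Policy("companyA", [Rule("same-region", "Permit", subject_attr_equals("region"))]),
    "companyB": Policy("companyB", [Rule("same-segment", "Permit", subject_attr_equals("segment"))]),
}


def decide(subject: Attrs, resource: Attrs) -> str:
    """Provider rule first (a company sees only its own commissions), then the
    partner's policy with deny-overrides; no applicable Permit means Deny."""
    if subject.get("company") is None or subject["company"] != resource.get("company"):
        return "Deny"
    policy = PARTNER_POLICIES.get(subject["company"])
    if policy is None:
        return "Deny"
    permitted = False
    for rule in policy.rules:
        if rule.condition(subject, resource):
            if rule.effect == "Deny":
                return "Deny"
            permitted = True
    return "Permit" if permitted else "Deny"


# Constructed commission records, each tagged with the owning company and
# whatever organizational attribute that company asked us to filter on.
COMMISSIONS: List[Attrs] = [
    {"id": "c1", "company": "companyA", "region": "Northeast"},
    {"id": "c2", "company": "companyA", "region": "West"},
    {"id": "c3", "company": "companyB", "segment": "institutional"},
    {"id": "c4", "company": "companyB", "segment": "individual"},
]


def visible_commissions(subject: Attrs, records: List[Attrs] = COMMISSIONS) -> List[str]:
    """IDs of the records the subject is permitted to see."""
    return [r["id"] for r in records if decide(subject, r) == "Permit"]


if __name__ == "__main__":
    print(visible_commissions({"company": "companyA", "region": "Northeast"}))
```

Two things worth noticing: a company A employee whose assertion lacks the region attribute sees nothing rather than everything, and a company C subject is denied before any partner rule is consulted, which is the provider-owned isolation the post asks the entitlements product to enforce.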

Anyway, what does this have to do with Project Liberty? A cohesive identity ecosystem requires solving issues that are a couple of degrees away from the products that directly produce or consume identity. Web access management products need additional features, entitlements management needs a standards-based way of participating in federated identity, and so on. Is anyone from Liberty noodling on this? Probably not, as most folks are still working on the basics. Of course, I can spend lots of money to gain influence which may never actually materialize, but at least I get to network with folks I would probably interact with for free anyway...

Tuesday, December 23, 2008


Enterprise Architecture and Meeting Worst Practices...

Isn't it sad that many will acknowledge my list as meeting worst practices but they still allow it to happen...

If folks are not prepared for a discussion in a meeting, then it is guaranteed to be useless. The main problem I see is that in a lot of status (and other) meetings, things are discussed with no preparation, or in details that are of no interest to the rest of the participants. For every meeting you need an agenda with the topics described, the amount of time you want to spend and the results you want to have.

How many of us ever have meetings that have:

Of course, the absolute most braindead thing that I see repeated is when we have meetings in conference rooms where there is no projector, the technical folks aren't given laptops, and they want to show the application...

Monday, December 22, 2008


Joining Team OWASP is an enterprise best practice...

I am announcing team OWASP, on Kiva, a non-profit website that allows you to lend as little as $25 to a specific low-income entrepreneur in the developing world. You choose who to lend to - whether a baker in Afghanistan, a goat herder in Uganda, a farmer in Peru, a restaurateur in Cambodia, or a tailor in Iraq - and as they repay the loan, you get your money back.

Check out the OWASP lending team, and learn more about lending teams on Kiva in general, by clicking here...


How Oracle is better than Microsoft

A while back, Mark Wilcox of Oracle asked me to blog on why I believe that Microsoft groks open source more deeply than Oracle. Today, I will blog on ways that Oracle is better than Microsoft...

Microsoft and Oracle have two different sales models: Microsoft tends to appeal to the technical audience in a more bottom-up fashion while also approaching the executives on price. Oracle's model is a lot different in that it pursues the executive crowd more and does less to appeal to the technical crowd, but this is fast changing in a very positive way.

Lately, Oracle has been holding free one-day workshops on various technologies. I attended one on database security and another on entitlements management that were excellent. While the workshops used Oracle technology, what you learned applies regardless of technology and is equally applicable to Jericho Systems, Securent, etc.

Many vendors will attempt to continually sell you new products, but Oracle does a fine job of helping you use technologies you may already own. This is something I wish industry analyst firms would pay more attention to.

I wonder if Sun Microsystems, EMC and IBM have plans to be less like Microsoft and more like Oracle in this regard...


How come there is no innovation in LDAP?

Misc thoughts on LDAP...

1. Regardless of whether you are using Microsoft ADAM, OpenLDAP, OpenDS or Oracle Virtual Directory, the challenge of adding and removing users remains. Maybe the directory vendors shouldn't think of identity management as something separate, but instead figure out how to incorporate support for the SPML protocol directly into the core.

2. There are lots of LDAP tools that will allow you to administer users, browse schemas, etc., but none that will allow you to actually model in LDAP. Consider how many tools allow you to produce an ER diagram; why can't a few do the same for LDAP? I would love to see Mark Wilcox of Oracle take the lead in getting an Eclipse plugin created. Likewise, if Pat Patterson could do the same for NetBeans, it would rock.

3. Someone should figure out a way to incorporate the notion of referential integrity into the protocol, such that LDAP stores can have the same functionality as relational databases.

4. Most J2EE application servers support JDBC connection pooling. What would it take for the LDAP folks to push for a standard way of doing LDAP connection pooling in J2EE containers, instead of everyone writing their own?

5. Many within OWASP talk about the importance of protecting against SQL injection, but LDAP injection also exists. What if the LDAP servers could provide an interface that would at least allow you to validate input? Wouldn't it be great if you could attach a regular expression to each attribute type?
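
Point 5 deserves a worked illustration, so here is an added example that is not code from this post. It builds the same search filter two ways, by string concatenation and with RFC 4515 escaping of the assertion value, and runs both through a toy filter matcher over three constructed entries so the effect of a classic payload is visible without contacting a directory. The per-attribute pattern at the end is the allowlist the post wishes the server would enforce; the pattern and the entries are assumptions of mine. The matcher covers only and/or/not, equality and presence, and ignores anything after the first complete filter, which is exactly what the payload relies on.

```python
"""LDAP filter injection: string-built filter beside an RFC 4515-escaped one.

Added example, not code from the original post. Nothing talks to a
directory: a toy filter matcher runs both filters over three constructed
entries so the effect of the payload is visible. The matcher covers only
and/or/not, equality and presence, and ignores anything after the first
complete filter, which is exactly what the classic payload relies on.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, str]

# Constructed entries; attribute names are lower-cased because LDAP attribute
# names are case-insensitive and the matcher lower-cases what it parses.
DIRECTORY: List[Entry] = [
    {"objectclass": "person", "uid": "alice", "cn": "Alice Adams"},
    {"objectclass": "person", "uid": "bob", "cn": "Bob Brown"},
    {"objectclass": "groupofnames", "cn": "admins"},
]


def build_filter_unsafe(username: str) -> str:
    # Vulnerable: the caller's input is spliced straight into the filter syntax.
    return f"(&(objectClass=person)(uid={username}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL in an assertion value become
    a backslash and two hex digits; non-ASCII characters are escaped byte-wise as UTF-8."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# The allowlist the post asks for at the directory: a per-attribute pattern
# checked before the value is used anywhere (constructed pattern for uid).
UID_PATTERN = re.compile(r"^[a-z0-9._-]{1,64}$")


def uid_is_valid(value: str) -> bool:
    return UID_PATTERN.match(value) is not None


def _parse(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse one filter starting at s[i]; returns (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)                         # escaped values never contain a raw ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def _unescape(value: str) -> str:
    # Reverses the \xx escapes for ASCII; enough for the samples here.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    if attr not in entry:
        return False
    if value == "*":                              # presence filter
        return True
    return entry[attr].lower() == _unescape(value).lower()


def search(filter_str: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Return the cn of every entry the (first complete) filter matches."""
    node, _ = _parse(filter_str)
    return [e["cn"] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"
    print(search(build_filter_unsafe(payload)))   # every person
    print(search(build_filter_safe(payload)))     # nobody
```

With the payload, the unsafe filter becomes `(&(objectClass=person)(uid=*)(uid=*))(|(uid=*))` and matches every person; the escaped filter compares the literal payload against the uid attribute and matches nothing, and the pattern check rejects it before a filter is ever built.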

Sunday, December 21, 2008


Five Gift Ideas for James McGovern

If you are feeling generous, here are five gift ideas you can give to me for the holidays...

  1. Many folks know that I am the leader of the Hartford Chapter of OWASP. Holding a meeting incurs several expenses. It would be great if the community would consider making a small donation of $20 that will be used to cover pizza for upcoming meetings.
  2. I am savage in the pursuit of making poverty history and encourage bloggers to add the banner to their blog.
  3. Giving money to the needy is good but helping them start their own business is better. The best way to do so is to embrace the notion of micro-financing where folks in third world countries can receive loans at low interest rates. I am a participant in Kiva and encourage others to make a small loan.
  4. If you prefer donations instead, then please consider making a donation to the Palestine Red Crescent Society. The Palestine Red Crescent Society (PRCS) is a national humanitarian society which provides a wide range of health, social and other humanitarian services to the Palestinian People throughout the Middle East.
  5. It is easy to write a check but harder to make time to help others in a personal way. If you know how to swing a hammer or have other home improvement skills, please consider volunteering for Habitat for Humanity...

Saturday, December 20, 2008


Enterprise Architecture: How many meetings are required to save a project?

Scheduling meetings to a late project makes it later...

Why do enterprises continue to make the fatal mistake of wanting to hire project managers and ending up with project coordinators? You have a problem with the schedule, and to solve this problem you start scheduling meetings. People who should be delivering the project start to be involved in these long, boring, dry, useless meetings. The project gets later. Oh... yet another meeting will solve it.

Oops, everyone agrees that meeting minutes are a good idea, but have you noticed that many project managers/coordinators don't feel it is their responsibility to capture them? If you have no meeting minutes and you also invite someone who didn't attend the prior meeting, it is guaranteed that you will spend time revisiting past discussions.

Do folks in India laugh at our immaturity or do they pity us? Is Indian outsourcing a failure because Americans can't seem to provide something that makes sense to throw over the wall? Have we ever thought about the fact that maybe we need to remix our thinking when it comes to who participates in meetings?

Ever been in an IT crisis? Good project managers understand the value proposition of isolation and in a sense are a condom for the team, making sure that infectious interactions don't occur, while project coordinators invite promiscuous interactions with anyone and everyone. Let's invite everyone to the party better known as a meeting.

So, when will we conclude that the best meetings have the fewest attendees? Have we considered that the fastest way to get something done is to allow developers to develop, managers to manage, and others to exercise their right to remain silent...

Friday, December 19, 2008


Enterprise Architecture and Reduction in Force...

The economy is on the decline and corporations need to practice fiscal responsibility, but is cutting jobs the right answer?

Some folks are strategic in their thought process while others are tactical. When the two are forced to combine, it equates to distractical. When the pendulum swings the other way, will companies that have downsized a large portion of their employees be prepared for an upswing in momentum? How do they plan on retaining top talent if the rationale for letting folks go is all about expense and not performance?

The real costs of downsizing may actually have a larger price tag than disclosed. Have you seen how much companies take in "charges" related to downsizing? The cost of severance, benefits, outplacement, unemployment, cashing out vacation time, legal fees, etc. is simply spending money that doesn't advance the strategic intent of the business. It is wasted money.

Ironically, this is also when companies may need to spend even more on training, yet they cut. What happens when you eliminate the folks who know how to do the job and replace them with folks who don't? Do you think training makes sense here? If you don't train and just let folks struggle, what else suffers?

OK, so let's stop looking at this from either an employee or company perspective and consider the outcome if you are a stock investor. We can conclude that Q4 is likely to be more profitable than Q3 because of layoffs, but if you are an investor (as distinct from a trader) you can't figure out what long-term benefits are gained by this event. Sure, we can drink the Kool-Aid and intuitively understand that cost today may equate to a lower salary burden in the future, but reality is much different from perception, as this is not backtestable.

Has anyone ever run across a company that has grown revenues yet seen the salaries of all its employees shrink? The amount spent on payroll tends to be correlated with revenues. If you cut salaries, over the long term you will also jeopardize revenues. What is more saddening is that executives haven't yet figured out that these moves also have a side effect on the employees who stay, and are guaranteed to drag down morale.

I wonder if executives have ever thought about the fact that they can do simpler things to save money. For example, why would you spend millions on Documentum when you can choose an open source offering such as Alfresco for easily 1/100 of the cost? You are not losing functionality, scalability or any other -ility. In fact, the brains behind both products is the same guy, John Newton. What if all IT folks were to stop attending Gartner IT events and paying for research and were instead to attend local user group meetings and network with each other?

For example, if I wanted to understand something about technology used on Wall Street, instead of paying lots of money to talk with an analyst who will give me over-summarized information, why can't I just pick up the phone and talk with Chris, John and others in the blogosphere who are employed by these firms?

Consider how much it costs to attend an analyst-sponsored conference, say on IT security, where you spend several hundred a night just for the hotel, another couple of hundred for airfare, etc. Now compare that to attending a local OWASP user group meeting, which has the same speakers and the same attendees yet is free to attend. If you attend the one that I lead, you will even get fed for free. See the difference in expenses?

Anyway, I guess the missing action item for executives is to do a better job of encouraging their employees to eliminate luxuries such as industry analysts and trips to locations that lose their appeal over time (Vegas and Orlando are cool the first time, but going there every year?) and, most importantly, to reduce expenses without compromising the strategic intent of the business...


Thoughts on Sun Microsystems and Java Development...

Most recently, I switched IDEs away from Eclipse towards Netbeans and couldn't be happier...

Isn't it sad that the better technology always loses to those who do the most marketing? I wonder why Sun Microsystems can't do a better job of selling their value proposition?

Many have found my previous commentary on why I thought the Microsoft Vista OS rocks strange, but when Microsoft released the Mojave Experiment, it proved my thinking was correct after all. I suspect that if Sun took 100 Java developers to a Caribbean island and told them that NetBeans was a new version of Eclipse, they would find it faster, more usable and with more useful plugins.

Anyway, one can hope that Sun would acknowledge this, but I suspect they will exercise their right to remain silent and waste this wonderful opportunity to remix Java development as we currently know it...


OWASP Testing Guide

The OWASP Testing Guide is an ideal reference for both developers and testers. Version 2 was fantastic, and this new version is even better. The testing framework now covers 66 controls and, as in the previous version, each control has a brief summary and is described in detail, followed by black box (no additional knowledge) and grey box (partial knowledge) testing methods and examples where appropriate.

This should be mandatory reading for all CISSPs and CSSLPs, software developers who are part of Indian outsourcing, Accenture, Wipro, Cognizant, Infosys and Satyam, and of course those who are concerned with PCI...

Thursday, December 18, 2008


Enterprise Architecture and Endless Meetings...

For many people meetings are boring, but not for extroverts like yours truly. I am convinced I am not the only one who likes meetings...

Meetings are good because:

  • When your leadership/management has something important to reveal, the mere fact of calling the meeting gives importance right away to what they have to say. An e-mail to all employees would not have the same effect.

  • They give leadership/management the illusion that they still speak very well in public, that they are good orators who capture the hearts and minds of their staff.

  • You get to meet people in the company you haven't seen for years!

  • You are paid to do nothing.

  • You can use the time to brainstorm what your garden will look like, scribble out your shopping list or even plan other after-hours activities.

  • You can make eye contact with a nice woman. Just don't cross the boundaries if you are married.

  • Your patience is tested.

  • Everyone can provide feedback instantly. Hopefully, you don't have to think about feedback as a gift but as something that can be filed in the appropriate bin.

  • It gives everyone a sense of belonging to a group, an organization. This is important for those who get no love elsewhere.

Wednesday, December 17, 2008


Google and Interesting Photos...

Have you been to Google lately? When you type into the search box, it provides an AJAX-like experience by suggesting search terms. Over the weekend, my son wanted to figure out the best way to make fried chicken, as he was going to print out a recipe for his mom.

As he typed the phrase "the best way", Google presented a suggestion that read "the best way to commit suicide", which caused me to fly out of my chair and spend lots of time explaining this concept to a seven-year-old.

All of this makes it past the plethora of parental controls on his computer. Someone at Google needs to make sure that this doesn't happen to others. I can see a lawsuit in the near future if they don't take steps to censor this type of functionality. For now, they can make it up to me and agree to market my local OWASP chapter for free in terms of keyword searching.

In the meantime, ponder this photo I used Google to find. I wonder what this person was thinking after the FBI visited his house...


Blog Readership: Increased Traffic in December

Below is a listing of all of the countries and the number of unique visitors from each to my blog. I wonder why folks in Jamaica have read my blog more than Trinidad, or why folks in Pakistan read my blog more than Israel. I guess this is interesting trivia and there is no insight to be had...

United States (US) 5,364
United Kingdom (GB) 809
Canada (CA) 682
India (IN) 454
Germany (DE) 303
Australia (AU) 288
Netherlands (NL) 248
France (FR) 115
Spain (ES) 105
Belgium (BE) 89
Sweden (SE) 82
Brazil (BR) 82
Italy (IT) 81
Poland (PL) 76
Europe (EU) 75
Philippines (PH) 73
Denmark (DK) 72
Singapore (SG) 64
Switzerland (CH) 57
Ireland (IE) 56
China (CN) 52
New Zealand (NZ) 51
Indonesia (ID) 50
Finland (FI) 50
South Africa (ZA) 46
Portugal (PT) 45
Turkey (TR) 45
Malaysia (MY) 44
Mexico (MX) 44
Korea, Republic of (KR) 41
Hungary (HU) 38
Romania (RO) 37
Czech Republic (CZ) 36
Norway (NO) 35
Saudi Arabia (SA) 35
Taiwan (TW) 34
Pakistan (PK) 33
Israel (IL) 32
Thailand (TH) 32
Austria (AT) 31
Argentina (AR) 27
Japan (JP) 27
Russian Federation (RU) 26
Serbia (RS) 26
Greece (GR) 25
Lithuania (LT) 25
Hong Kong (HK) 24
Colombia (CO) 22
Bulgaria (BG) 22
Chile (CL) 21
United Arab Emirates (AE) 20
Vietnam (VN) 20
Croatia (HR) 17
Morocco (MA) 17
Egypt (EG) 17
Jamaica (JM) 16
Bangladesh (BD) 15
Slovakia (SK) 15
Estonia (EE) 15
Peru (PE) 15
Iran, Islamic Republic of (IR) 14
Slovenia (SI) 14
Sri Lanka (LK) 13
Trinidad and Tobago (TT) 12
Malta (MT) 12
Venezuela (VE) 12
Kuwait (KW) 10
Ukraine (UA) 10
Macedonia (MK) 10
Algeria (DZ) 9
Lebanon (LB) 8
Cyprus (CY) 7
Costa Rica (CR) 7
Georgia (GE) 7
Panama (PA) 7
Albania (AL) 7
Puerto Rico (PR) 7
Latvia (LV) 6
Iceland (IS) 6
Qatar (QA) 6
Tunisia (TN) 6
Bahrain (BH) 5
Jordan (JO) 5
Dominican Republic (DO) 5
Mauritius (MU) 4
Bosnia and Herzegovina (BA) 4
Nigeria (NG) 4
Libyan Arab Jamahiriya (LY) 4
Sudan (SD) 4
Belarus (BY) 4
Palestinian Territory (PS) 4
Ecuador (EC) 3
Ghana (GH) 3
Guyana (GY) 3
Luxembourg (LU) 3
Kazakstan (KZ) 3
Cameroon (CM) 2
Tanzania, United Republic of (TZ) 2
Montenegro (ME) 2
Bermuda (BM) 2
Mongolia (MN) 2
Uruguay (UY) 1
Namibia (NA) 1
Zimbabwe (ZW) 1
Guadeloupe (GP) 1
Virgin Islands, U.S. (VI) 1
Mozambique (MZ) 1
Paraguay (PY) 1
Bolivia (BO) 1
Oman (OM) 1
Guatemala (GT) 1
Azerbaijan (AZ) 1
Cayman Islands (KY) 1
Djibouti (DJ) 1
Grenada (GD) 1
Afghanistan (AF) 1
Nicaragua (NI) 1
Nepal (NP) 1
Marshall Islands (MH) 1
Brunei Darussalam (BN) 1
Maldives (MV) 1
Aruba (AW) 1
Cambodia (KH) 1
Lao People's Democratic Republic (LA) 1
Bahamas (BS) 1
Netherlands Antilles (AN) 1


    Tuesday, December 16, 2008


    Serious security flaw found in IE

    Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

    See the following news as outlined by the BBC. It is fascinating to know that neither Firefox nor Chrome suffers from this latest flaw.

    I wonder how many others from OWASP will be blogging on this...



    2009 New Years Resolution...

    I have been blogging for the past five years now. During the last three years, I have managed to write a blog entry every single day without missing a beat. I have always been curious if this qualifies me for the Guinness Book of World Records, but never made the effort to research it.

    Anyway, I am thinking about scaling back my blogging activities in 2009. In earlier years, the blogosphere was about dialog where bloggers would trackback to each other and new insights would emerge. Nowadays, nobody makes the effort to have a conversation in the human voice as everything is sanitized by media relations until it is sterile.

    If there is anything you would like for me to write about, please don't hesitate to ask. I do hope that you have enjoyed reading my thoughts on open source, enterprise architecture, smalltalk, SOA, OWASP and the human aspects of technology...



    Microsoft's Strategy on Identity

    There are lots of Microsoft bloggers who cover authentication aspects around identity, but ignore the provisioning/deprovisioning part of the equation.

    What would it take for MS to provide code that simply takes a SPML request on one side and, on the other, performs the appropriate operations against Active Directory and/or ADAM...


    Monday, December 15, 2008


    My Blog just won another award...

    My blog is listed in Top 100 Blogs for Developers...



    Does James McGovern write secure code?

    Many folks know that I am a chapter leader for OWASP and therefore may assume that the code I have written in the past is secure. I figured I would remove all doubts in terms of my abilities...

    I have spent lots of time lately reviewing code that I have written in the past (note: I kept copies of things I shouldn't have :-)) and concluded that from a security perspective I am still better than average (this is not saying much) and have a lot of room to improve.

    In 1999, I made some changes to a design for a session management application (a precursor to Yale CAS, OpenSSO, etc) and introduced a defect related to cookie handling. This code was for an online bank. Luckily, they are now defunct.

    In 2001, I wrote several articles for Java Developers Journal under the column: Ask Doctor Java. Out of this series, one article contained sample code that I directed towards a reader who asked a question regarding security and it contained one place where input validation was missing.

    In 2004, I was the lead author for a J2EE book where the goal was to write a book as fast as possible in order for it to be available for JavaOne (we missed the date) and so far, I have identified seventeen vulnerabilities in the sample applications.

    The thought that others may have learned how to program by reading my books and now have indoctrinated themselves into worst practices is somewhat troubling. While I can't rewind the past, I can most certainly make things better going forward and hope to double the amount of chapter meetings I lead in 2009...


    Sunday, December 14, 2008


    US anti-kidnapping expert abducted in Mexico

    A U.S. anti-kidnapping expert was abducted by gunmen in northern Mexico last week...

    U.S. security consultant Felix Batista — who claims to have helped resolve nearly 100 kidnap and ransom cases — was in Saltillo in Coahuila state to offer advice on how to confront abductions for ransom when he himself was seized, local authorities said. Unknown assailants grabbed him on Dec. 10, said Charlie LeBlanc, the president of the Houston, Texas-based security firm ASI Global LLC., where Batista is a consultant.



    How fast can you write code?

    I am a dinosaur and one of the last remaining enterprise architects on the planet who still knows how to write code...

    I remember earlier in my career, when I worked with folks in India in the late 90s, I would sometimes throw in the towel in frustration and simply write code myself instead of bothering to explain requirements and/or quality long distance. On more than one occasion, I would put my ego aside and just tell them to put their name on my code in order to move things along.

    In the days of old, I used to pride myself on how fast I could write code and it was my own way of measuring my own productivity. Today, I have concluded that it is a poor measure, but it's not completely worthless. The level of productivity I achieved in these cases is clearly a lot higher than I normally achieve. I think it's important to point out that in the last two cases I had a very good idea of exactly how all the code should be written. You can write code very fast when you know what you're doing.

    The rest of the world that attempts to measure this same notion has different starting points where some just measure the raw act of writing, while others at least count the time required to get a clean compile. Others still go one step further and count time including debugging vs sweeping things under the rug.

    Peak programmer output is much greater than average programmer output. One conclusion that can be drawn from this is that the actual process of coding doesn't dominate development time. One implication of this conclusion is that writing more code won't necessarily slow you down much. This is one reason prototyping can pay off so much. You can spend a lot of time writing prototype code and then lose very little when you throw it away and start over from scratch. You can regain the functionality implemented in the prototype far more quickly than when you wrote the prototype because you are now programming (at least partially) in a problem space that you have just explored. This is exactly the kind of circumstance that one can achieve maximum productivity in.

    So in one sense I am suggesting that writing a lot of mediocre code quickly is often a good idea, but I am also suggesting that you then fix it, refactor it, rewrite it, or start over from scratch as appropriate to get good code...


    Saturday, December 13, 2008


    Martial Arts and Mediocrity...

    In the past, I have blogged on martial art schools on my side of town that are worthy of attendance, including Yousef Taekwondo, House of Kokondo and Igor Gracie, along with a few in the mediocre category such as Avon Kempo and Aikido and Villari's, which are suitable for children whose parents can be classified as soccer moms. Let's continue the dialog...

    Most recently, I ran across Greater Hartford Bando which is non-profit (aka no price gouging) and of higher quality in instruction than most other schools in the area. It is noble to see that the instructors aren't just doing it for the money or to even cover expenses, but that they have a higher calling. This school is most certainly worthy of consideration and is perfect for both the soccer mom crowd as well as those who truly want their kids to learn a martial art.

    Ultimately, the Martial Arts center around fighting. Everything else (discipline, philosophy, culture, etc) is not only incidental, but often disingenuously inflated in importance so as to cover up a school/instructor/student's lack of fighting skill, or in many cases, to make MA instruction "palatable" to soccer moms shopping around for after-school activities.

    There is absolutely nothing wrong with going after substandard schools and giving them negative publicity. These schools harm the community by instilling their students with a dangerously false sense of confidence in their ability to defend themselves, which could lead to being raped or killed in a real threat situation.

    If you're not at least occasionally doing hard contact, non-stop sparring as a part of your Martial Arts training, you're simply not doing Martial Arts. You might as well be attending an Asian-themed dance class, cultural seminar, or Tae-bo. You will not have a realistic understanding of whether your skills work in a live situation, and (in my experience) are very likely to have an overinflated, unrealistic, and unfounded belief that can and will get you hurt.

    This is not kindergarten; all styles and training methods are not equally precious little snowflakes. Some are superior to others, and some are wholly inferior for preparing you to defend yourself. And it's by no strange coincidence that those that fit this description are typically the ones which throw up the most smoke about self-improvement and other marginally related nonsense.

    Schools that stay true to the essence of martial arts, rather than just talking about cliche practices around leadership, need some amplification. I encourage all who read this to have their kids attend one of these programs just once; the difference will be immediately apparent...


    Friday, December 12, 2008


    Conference Attendance is on the decline...

    In a down economy, the first thing that gets cut is education...

    2009 will bring with it many conferences that are no longer viable and where you will see last minute cancellations of events. The conferences that have the best chance of survival are the ones that shifted more of the expense to software vendors who pay lots of money for booth space and where attendees don't have to pay fees.

    Some of the conferences may observe the shift in economics and make their events free, but will make one fatal mistake. As software vendors are expected to pick up more of the expense, they too will demand even more speaking slots, which will be filled with thinly veiled, chock-a-block eye-candy PowerPoint that lacks substance, causing attendees to stay away for other reasons, and hence the downward spiral begins.

    The funny thing is that as conferences seek more money, the software vendors will want to spend less and the economics simply won't work. Software vendors (at least the masses) haven't realized that there is a viable alternative and ways to meet end customers without shelling out so much money. It is best known as local user groups.

    Consider the economic model if a vendor decided to sponsor the upcoming Hartford CT Chapter of OWASP, where they would gain access to hundreds of IT professionals for the cost of pizza. Think about the economics of investing $2 a head vs the usual $50 or more for sponsoring a conference such as Gartner. Sure, there are some additional things that Gartner provides, such as mailing lists, that user groups don't, but you will typically find that there is a correlation between the two.

    For IT management, you need to do what is right for your company economically while also continuing to increase the competencies of your IT staff, and user groups are the absolute cheapest way to accomplish this goal. For vendors, you can sponsor an OWASP meeting for a total cost of $200. First come, first served for our next meeting on February 10th...
