Wednesday, March 31, 2010


Why outsourcing firms will never deliver secure code to their clients without them paying extra...

At a 2008 OWASP Conference, Rohyt Belani, Principal of the Intrepidus Group, described in elegant detail backdoor logic that had been inserted into an internet-facing production enterprise application for one of their clients. Sadly, most enterprises don't have a process to catch this type of threat until after the fact. Anyway, Rohyt went on to explain that the enterprisey crowd will never be successful in getting an outsourcing vendor to write secure code without paying extra. Ever since this statement was made, I have been savage in attempting to prove him wrong...

After two years of hard work, he can still claim he is 99.99% right. I have made a small breakthrough with Cognizant in this regard: for a particular project I oversee, I have been able to change the game. Keep in mind that in our shop we have outsourced thousands of developer-level positions and I have had great success with a grand total of four people, so whatever I share of my secret, we must truthfully acknowledge the challenge of making it scale.

The first aspect of making this successful was to personally interview each developer for the team, something that most enterprises defer to their partner to handle. I wanted to understand the values of the developers working on my project and get a sense of whether they wanted to develop Rugged Software or simply wanted to punch the clock and deliver solely to whatever the requirements stated and not one single iota more.

The second aspect of making this successful was the fact that I didn't treat them as some anonymous FTE at whom I throw specifications over the wall before immediately starting to talk about delivery dates. Instead, I treated them like humans and took interest in their well-being. We joked and laughed together, and I got to know them as individuals. We even had sessions where we did pair programming together.

The third aspect of making this successful is that I let them develop the software outside of the usual bureaucracy of corporate controls. I didn't force them to be hobbled by tools that are enterprise approved but otherwise unproductive for them. They were able to develop wherever they wanted to develop. At times they even worked from home.

The final and most important aspect of making this successful is that I didn't play head games when it comes to dates. There was one and only one date communicated. I didn't build in contingency by telling the developers one date, the business the next and so on. Making oneself vulnerable isn't a weakness, it's a strength that I leveraged to my advantage.

So, in conclusion, it is possible for your outsourcing firm to deliver code of high quality without paying extra for the privilege. The biggest challenge is in changing the mindsets of those within enterprises to break their own habits and allow those in India to be successful. If you want secure software, you have to treat others with respect and dignity, always remembering to be human and interacting with others in the same manner.

Since most enterprises have forgotten the importance of humanity and humility, I guess at some level Rohyt is right that they have no other choice but to pay more...


Thursday, March 25, 2010


A Privacy Manifesto

The notion of IT-oriented manifestos is growing by leaps and bounds. The first popular manifesto was created by the Agile community. Most recently, another group of fine individuals created the Rugged Software Manifesto. The one thing that is missing from many conversations is the notion of privacy, and therefore I have harvested sage wisdom from many and propose the following as the start of a Privacy Manifesto.

Architects and Developers should consider their fiduciary duty to protect the privacy of their users, customers and business partners. With this thought in mind, we have come to value:

1. To minimize the data collection to that which is required to conduct business

2. To provide proper access control on all data collected that is personally identifiable by nature

3. To classify the data appropriately in terms of sensitivity and adhere to proper retention procedures

4. To dispose of data properly

5. To disclose in an ethical and timely manner whenever the trust others put in you is breached.



Are Information Cards and OpenID appropriate for B2B?

I previously asked the question of whether Microsoft truly wants Information Cards to be successful. Today, I will explore another B2B scenario that both Microsoft and the OpenID community should seriously consider...

The National Institute of Standards and Technology (NIST) has a publication (800-63) that defines four Levels of Assurance for electronic authentication. There are ways to incorporate this notion into SAML, but not into user-centric identity models.

Wouldn't it make sense for Microsoft to define an element in the WS-SecurityPolicy document where a Relying Party (RP) could declare what level of assurance it requires?

The Identity Provider (IDP) should be able to interpret the required security policies of the relying party in this regard and then require the user to use a credential that has been proofed to this level.

Without reducing this concern to a single attribute, the relying party needs complex logic to derive it. Even then, it still requires many interactions in terms of legal agreements with identity providers, who will each have their own take on the problem.

Kim Cameron, Mike Jones and others could put this one down quickly...


Wednesday, March 17, 2010


The value of Industry Analyst Relations

I have been following Barbara French of Tekrati and Carter Lusher of SageCircle on Twitter, both of whom help analyst relations professionals get better at interacting with industry analysts. Observing this conversation from an end-customer perspective brings out a viewpoint that is less documented. Today, I will share a few observations.

In my interaction with analyst firms such as the Burton Group, Forrester, The 451 Group and others, I think it is nirvana to repeatedly find an analyst that can understand technology deeper than their clients. However, reality is far from nirvana in that the value proposition of analysts is more about offering insight that us end customers either cannot do for ourselves because we only have a single lens (our own business) or it would be too costly to develop ourselves.

Increasingly, at annual review time, many enterprise end customers in my network have complained about the trend of their bosses turning their strengths into weaknesses. Whether this is good for business is up to the reader. What I can say is that sometimes, in the world of analysts, this weakness can become a strength when leveraged appropriately. Sometimes the best peer reviews and insight don't come from tenured senior industry peers but from those who ask innocent questions that the rest of us take for granted. I have changed more presentations because of my eight-year-old son's commentary in one year than I have from feedback from executives.

So, if I put aside ego for a moment, one has got to ask how analysts should interact with analyst relations folk. Maybe there is merit, in an analyst relations context, in helping to shape an analyst who is new to the profession rather than working only with seasoned professionals. If you are going to measure influence, wouldn't the best model be to influence those who are new and don't yet have a strong informed opinion?

Another general observation I have had regarding industry analysts is that their typical background falls into one of two categories. First, there is the typical graduate from a journalism background who is really good at writing research reports that read well. Journalism teaches a person how to recognize general industry trends, which can be beneficial to making the right strategic purchases. The second category is analysts who come from end-customer client organizations, where they grew up in the trenches and can go a lot deeper into understanding the struggle that buyers of technology face. The analyst relations model needs to treat these two audiences differently but, more importantly, needs to figure out what type of analyst benefits their vendor's strategic intent.

In case you haven't noticed, we are in a recession, and modern CIOs aren't struggling with how to purchase SAP or other large-dollar, multi-year packages. They are, however, struggling with how to optimize their processes, how to leverage the technology they already have, and novel ways to innovatively deploy products they have installed in their data centers. This clearly gives analysts who are practitioners an advantage over their journalist peers in most scenarios. The question that analyst relations firms aren't asking themselves is whether they gravitate towards journalists simply because it is easier to understand how to interact with them: it feels like the existing marketing program with a few tweaks.

One may ask why an Enterprise Architect for a Fortune 100 enterprise cares about industry analysis in general and analyst relations in particular. The answer to this question is deceptively simple. Industry analysts are one of the few professions where one participates in a continual process of reinventing oneself as an expert. Technologies change, the business changes, the coverage areas change, etc. This skill is something that is beneficial for any and every Enterprise Architect to observe, understand and emulate. I have observed the likes of Brenda Michelson, JP Morgenthal, James Kobielus, Andrew Jaquith, Anne Thomas Manes, Nick Selby and others successfully transform themselves throughout their careers, and at some small level I want to learn their secret...


Tuesday, March 16, 2010


Transforming India from Good to Great

Some simple thoughts on how India can improve its position in the world of information technology...

Corporations such as IBM, Oracle and Microsoft are expanding their global presence and, unlike their enterprise peers, are not just outsourcing work to India but acknowledging that they want the best talent regardless of geographic location, of which India is just one of many beneficiary countries.

Many corporations with research arms leverage India for low-cost access to people, as there are lots of young, bright, well-educated individuals there who have passion around technology and the desire to learn. Over time, people from India diversify to other parts of the planet and take advantage of opportunities to visit other research centers. A typical observation is that they may arrive with a degree from their home country but will leave with postgraduate or doctoral degrees from their host countries.

Once the mind has been expanded with possibilities that, for a variety of reasons, aren't explored in India, the country loses its best and brightest. Universities in India seem to be less flexible in terms of their curriculum than their US counterparts and are under the control of private trusts, which constrains their greatness. In the same way that the United States has benefited from education innovation, such as the University of Phoenix, India can benefit as well if it were to permit this model.

India also seems lacking when compared to the US model in that corporations in India have less of a sense of endowments, and universities are therefore more heavily reliant on government grants and student tuition. As we all know, with the exception of the military, the government can only achieve mediocrity at best.

India needs a system where proper stimulus is received from its corporations (think Wipro, Infosys, etc.) and given in quantities a lot higher than what has been done to date, targeted at undergraduate programs. India has an additional advantage over US universities, and that is the ability to leverage the untapped Indian diaspora. Imagine what could happen if Indian universities started opening branches in countries such as Trinidad, Guyana and Suriname. Expanding the sphere of influence can only help a nation become more than itself...


Monday, March 15, 2010


Why the vast majority of enterprises still do not contribute to open source...

Everyone knows that the vast majority of Fortune enterprises heavily use but otherwise don't contribute to open source. I wanted to explore some insight as to what would need to happen in order for this to change...

First, let me get some of my own beliefs on the table. The trend of outsourcing is causing many enterprises to treat IT as a commodity, whereby they pursue lower-cost, lower-quality resources to develop applications. In this model, the ability to have developers who simply and intuitively grok the requirements disappears and is replaced with comprehensive documentation and arduous specification. In order for open source contribution to work in this model, the enterprise would have to specify even more than it has in the past, which becomes a non-starter.

We have all heard the phrase that you get what you pay for and outsourcing most certainly is the poster child. You can find many CIOs who talk about getting lower cost resources in India but few if any that believe that the quality of their portfolio has increased since outsourcing. In order for outsourcing to work, you have to lower your standards when it comes to code quality. So, if you have developers writing low quality code, would you then want to have it published transparently for the world to see or would you want to keep it secret?

For enterprises that aren't outsourcing, they have picked up on the latest buzzword known as innovation. The enterprise architecture community has rallied around the notion of assets and is busy inventorying things they think make their business unique. Of course, the most transparent way of measuring intellectual property is via the patent model and therefore the enterprise architecture team is wired to think about not only not being open but making even more things closed.

Find someone you respect and view their resume. Do you see numerous listings for patents on them? Unless making things open is on par with the prestige of making something patentable then open source will also struggle.

Most importantly, one needs to observe the human dynamics within large enterprises, where the construct of influence plays heavily into the decision-making process. The best way to influence commercial software is by paying lots of money for it, while the model for open source may be to either contribute to it or at least talk about it. Ask yourself when was the last time you saw an enterprise architect at a conference talking about open source (other than me)? Is it because the majority of enterprise architects are blissfully ignorant when it comes to understanding open source, or is it because they have a media relations policy that forbids them from talking about certain things? You decide.

I of course contribute my time and thinking to open projects such as OWASP and have worked hard to influence the direction of projects I am passionate about, including but not limited to the OWASP Top Ten, SAMM and others. Could my boss, just because he is my boss, escalate our organizational concerns to OWASP because he has a higher title and expect that they will be considered more deeply? You get the point.

Open source is not driven by abstract authority but by credibility and contribution. Sadly, many executives in large enterprises have nothing of value to contribute. Open source is a threat that will be defended against through subversion by all but the few who truly care more about the strategic direction of the business than their own inadequacies.

Speaking of being inadequate, I can say that my very first contribution to open source was enlightening. While I delivered working software that was secure, it failed the higher standard and was mercilessly refactored to the point that only one single line of original code survived.

Code reviews and feedback within most enterprises are cordial, where the focus is more on aesthetics than structure. I remember receiving comments via email saying "don't quit your day job" and "you code like you are an enterprise architect". Of course, I am capable of making fun of myself, but the masses of developers in corporations have yet to receive meaningful feedback on their code, and the day this happens, their egos will be shattered.

Ask yourself why developers write software for large corporations rather than working at Microsoft, Oracle and so on. In the back of their minds, there is solace in knowing that the only measure is speed of delivery and their bosses aren't smart enough to recognize quality, or the lack of it, if it were staring them in the face. Sadly, open source is smarter than them all...


Saturday, March 13, 2010


Does Microsoft truly want Information Cards to be successful...

I am a big fan of Information Cards and believe there are a few challenges that Microsoft needs to address in order for it to be truly ready for primetime...

The general industry trend towards mobile devices means that identity selectors need to be made available for the Apple iPhone, Google Droid and BlackBerry platforms if identity ever seeks to become mobile. Microsoft has no committed roadmap to develop identity selectors for anything other than traditional Windows platforms.

Another trend I have observed is that Microsoft field sales teams do a great job of selling other products, but they generally aren't visiting large enterprises and briefing them on their strategy around identity. I wonder if they expect the enterprise architecture community, which trends towards blissful ignorance when it comes to security, to stumble upon the identity conversation and just get it without any hand-holding.

Let's be clear, enterprises and their employees need to be spoonfed. Without Microsoft field staff showing up with chock-a-block eye candy PowerPoint spelling out the value proposition of identity to all those non-technical IT employees, adoption will continue to struggle.

More importantly, as enterprises shift towards buying more software, the guys in procurement could benefit from having a few contract clauses they could insert into agreements with their strategic vendors. Right now, no one knows to even ask the question.

Has Microsoft acknowledged that many enterprise applications are built on Java and that many of the J2EE containers don't support it out of the box? Wouldn't it be great if Microsoft encouraged Oracle to include Information Card support in BEA WebLogic Portal as a starting point? Surely Microsoft doesn't expect enterprises who use Java to go hunting for open source libraries and will at least acknowledge the importance of vendor support...


Thursday, March 11, 2010



Gerry Gebel, former analyst with the Burton Group and now of Axiomatics, provided an interesting perspective on SAML vs XACML that I wanted to expand upon by providing a real-world business scenario...

Many people know that I am employed by a Fortune insurance carrier, so I will use an example from this domain. An independent insurance agent does business with a variety of insurance carriers ranging from AIG to Travelers, CNA and so on, so the value of SAML becomes apparent in that this agent doesn't have to remember all those passwords, each of which could have its own policy around history, expiry and complexity.

An independent insurance agent could be licensed to sell insurance in multiple states, so in a claims-based model you would need a way to assert multi-valued attributes. As I understand it, support for this will be forthcoming from Microsoft. I will of course defer to Kim Cameron to discuss this more deeply on his own blog.

Where the claims model starts to crack and XACML starts to shine is the scenario of the independent insurance agent not just being licensed in a particular state but also for particular lines of business (e.g. Personal, Commercial, Life, Health, etc.) within each state. This is more complicated than a simple listing of name/value pairs.

Within our business model, the independent agent may desire to track their commissions according to a structure they define. One independent agent may desire to see commissions based on line of business (personal, commercial, etc.), another may decide to view them based on geographic region (e.g. Northeast, Southwest, etc.), while another still may need to see them based on size of company (e.g. mom-and-pop vs institution). In this model, it is not just about dynamically asserting parameters to a reporting engine in order to produce the right report; it also needs to take into consideration whether one independent agent in a given agency can view, say, the Northeast commissions while another may only view the Southwest commissions.

In the above scenario, it would be very difficult to fit the declaration into a claims-based model. However, if this were based on XACML, the independent agent at signon time could include XACML in their SAML assertion and the XACML could be applied as a further restriction.
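To make the cracks concrete, here is an added example (not code from the original post or from any product mentioned in it) that models the scenario above in Python. Flat multi-valued claims for an agent lose the pairing between state and line of business, so a decision built on them over-grants; an XACML-style policy decision point evaluating structured licences and per-agent commission-region entitlements does not. All agent identifiers, states, lines and regions are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: str
    action: str          # e.g. "quote" or "view_commissions"
    state: str = ""      # resource attribute: state the policy is written in
    line: str = ""       # resource attribute: line of business
    region: str = ""     # resource attribute: commission report region

# Flat claims, as a SAML assertion with multi-valued attributes would carry them.
# The pairing between state and line is lost: the (constructed) agent is
# Personal-only in NY and Commercial-only in CT, but the claims read as
# {NY, CT} x {Personal, Commercial}.
FLAT_CLAIMS = {
    "agent-17": {"state": {"NY", "CT"}, "line": {"Personal", "Commercial"}},
}

def flat_claims_decision(req: Request) -> str:
    """Decision a relying party can make from flat name/value claims alone."""
    c = FLAT_CLAIMS.get(req.subject, {})
    if req.state in c.get("state", set()) and req.line in c.get("line", set()):
        return "Permit"
    return "Deny"

# Structured licences and per-agent commission-region entitlements: the data an
# XACML PDP would consult (via a PIP-style lookup) when evaluating its rules.
LICENSES = {"agent-17": {("NY", "Personal"), ("CT", "Commercial")}}
COMMISSION_REGIONS = {"agent-17": {"Northeast"}, "agent-42": {"Southwest"}}

def rule_quote(req: Request) -> str:
    """Permit a quote only for a (state, line) pair the agent is licensed for."""
    if req.action != "quote":
        return "NotApplicable"
    licensed = (req.state, req.line) in LICENSES.get(req.subject, set())
    return "Permit" if licensed else "Deny"

def rule_commissions(req: Request) -> str:
    """Permit viewing a regional commission report only for entitled regions."""
    if req.action != "view_commissions":
        return "NotApplicable"
    entitled = req.region in COMMISSION_REGIONS.get(req.subject, set())
    return "Permit" if entitled else "Deny"

def pdp_decide(req: Request) -> str:
    """Deny-overrides combining: any Deny wins, then Permit, else NotApplicable."""
    results = [rule(req) for rule in (rule_quote, rule_commissions)]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"

if __name__ == "__main__":
    # Commercial in NY is not a licence this agent holds.
    over = Request("agent-17", "quote", state="NY", line="Commercial")
    print("flat claims:", flat_claims_decision(over))   # Permit (over-privileged)
    print("structured :", pdp_decide(over))             # Deny
```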

Anyway, if the blogosphere is going to debate the merits of one approach over another, I think it is vital that we do so within a business context going forward. Otherwise, the conversation won't be as productive...


Sunday, March 07, 2010


Five Questions for Industry Analysts

Throughout my career, I have had many conversations with industry analysts on a variety of topics ranging from enterprise architecture to identity management and software security, and have become intrigued with the profession. Likewise, I have had many virtual interactions with industry analysts, including but not limited to Richard Veryard, James Governor, Alex Fletcher, Heidi Biggar, Nick Gall, Elemental Links, Guy Creese and others. I figured I would ask a few questions of industry analysts in the blogosphere in hopes that I may gain further insight...

1. Analysts frequently complain about travel but haven't shared the specifics. I would think there is a difference between frequent day trips and traveling every Monday morning and not returning until Thursday/Friday like many management consulting firms. So, how much time do analysts spend sleeping in their own beds vs in a hotel?

2. Some analysts come from a journalism background while others come from an industry practitioner background. Do analyst firms have a preference for one over another? Does it vary by area of coverage or other factors?

3. Another frequent complaint is that analysts believe they don't get paid enough, but they haven't provided a sense of what is enough. For analysts that have made the transition from corporate backgrounds, either as Enterprise Architects or in other management-level roles, are they getting a pay raise, taking a pay cut or staying on par?

4. This profession seems to offer work/life balance but is it just defined in the ability to work from home or is it also in the number of hours worked?

5. There are lots of analysts who previously worked for traditional corporations. Are there people who were industry analysts that transitioned to traditional corporations? My limited search on LinkedIn only uncovered one employee. Why is this so rare?

6. Gartner seems to have the highest retention rate amongst large analyst firms. What are they doing right that other analyst firms aren't doing?

