Old Documentum Architecture Habits are Hard to Break

A while back, John Kominetz wrote a nice post on The Elephant and the Blind Man. I’ve been checking John out for a while and have been looking for an excuse to link to his stuff, but I always get sidetracked. Aside from his fun habit of referencing Douglas Adams, he has been working with Documentum for a very long time. He has developed a healthy skepticism about the product.

In his post on the Elephant, John talks about the load of Junk DNA in Documentum. As the product has evolved over the last 15 years, things have been left behind and other things that worked, haven’t evolved. My recent post on the Audit Trail has led to a couple of posts addressing both of these aspects.


ECM Design Patterns

Recently, the EMC Developer Network has started posting some “Design Patterns”. I use the term loosely to mirror their terminology. Each “pattern” is really just a quick description of the problem and two approaches to solve the problem. It is all very high level.

Before I get any further, kudos to them for actually taking the time to begin developing these “patterns”, starting last fall. There is a definite need, and their choices for the first two are ones that are encountered quite frequently, at least by myself. All I am doing here is offering some feedback, most of which I have already shared.


Good Patching = Secure Software?

I’m way behind on posts, and just about everything else. So I’m just getting ready to talk about the post Bex threw out there about security. It was a simple enough post, asking people to participate in the IOUG Oracle Security Survey. Not using any Oracle product, except for databases that I don’t really control, I wasn’t going to participate. However, there was this neat tidbit:

With easy patching, easy maintainability, stable software, and a vigilant community, security is a natural by-product.

A commenter quickly mentioned how keeping up with patches can be expensive, if for no other reason than to test and verify each application during the patch process. In my more critical deployments, we roll software updates out in releases every 6 months or so, depending on a myriad of factors. To make the cutoff for testing, the patch needs to be released 2-3 months before a release so that it can be adequately tested.

Bex replies to the comment and explains how a good patch system reflects better discipline among the development team. My experience backs this observation up. Patching a system when the development team isn’t well disciplined can lead to nightmares.

Thus, in order to achieve the goals of secure software, it’s more important for developers to understand the nuances of patch management, the dangers of code branching, and the law of unintended consequences.

A few hour-long seminars on security would prevent developers from making the really stupid mistakes… however, the nasty security problems are much more subtle… and frequently you don’t notice them until your system is live.


When Trust Breaks Down

I wrote a while back on how Trust is Important. Recently, there was an incident at the State Department where the Passport records of the Presidential candidates were accessed. I think this is another opportunity to look at trust in the IT world.

Before I dive in, let me just state that I don’t know anyone involved and don’t have any connection to the incident. I don’t have any inside information and only know what I have read in the papers. I do have knowledge and experience on a project of similar scope and privacy concerns for another governmental agency. As such, I am familiar with the issues and environment involved.


ECM: A Working Definition for the Next Generation

A while back I talked about how the current definitions of Enterprise Content Management left a lot to be desired. They don’t accurately describe the reality of what ECM systems need to accomplish in today’s environment. They are also boring and lack a soul.

I have come back to this topic through multiple avenues. One is the concept of Invisible ECM from Billy and crew over at Oracle. It resonated very strongly with my previous discussions on Transparent ECM. We can debate terminology later, but what is important now is the shared concept.

A second avenue comes from my need to explain where ECM is going, ECM 2.0, in a simple and concise way. I can explain it and speak passionately on the topic. The need to get the concept out there in one breath has become more important as I talk to more people.

I have developed a proposed definition for your consideration. I would love feedback. I will approve all constructive comments for sharing, though I may not respond until a subsequent post. I’ll throw it out there and then discuss it briefly. Remember, I want this definition to have a soul.

Enterprise Content Management is the empowerment of all content within an organization. This is accomplished through the centralized management of content, allowing for people and systems to access and manage content from within any business context using platform agnostic standards.


Online Games and Enterprise Applications

James posted on this topic after watching a presentation at OWASP’s local Hartford chapter meeting last week. It was buried halfway down in the post, but it asked a great question:

Do they really think that their silly little architectures that support 500 users concurrently are somehow more challenging than implementing an architecture that supports 2 million concurrent?

It is a damn good point. The playground for these applications is different, but the same issues arise. I’ve played a few online games in my day and have seen the ups and downs of their implementations. I think I’ll throw in my opinion on two of the items for comparison, performance and security.


The Endless Security Cycle

I have been thinking about how to write this post for a while now. I have several approaches to choose from, but then I hit on the key concept. It doesn’t matter. Here is the general pattern of James’ approach to this topic.

  • James will criticize ECM security as a whole and then point to one or more issues.
  • I then attempt to explain why those key “issues” aren’t issues.
  • James will then elaborate or comment on my post in one or more follow-ups, usually explaining something that I didn’t put in my post for one or more reasons. In the case in point, I didn’t take it deep enough. While doing this, he ignores any defenses I may have made of the “issues”. He invariably brings up other “issues” as well.

Rather than continue the cycle, and eat my time up, I’m going to post one more time on this topic and move on for now. Some disclaimers of my own:


Secure ECM Systems

In my earlier post, I called James out on his post, which was a fairly biased statement about EMC’s testing for security, or lack thereof. In my post, I pointed out that the security warning did not warrant such an attack. I tried to point out that James wasn’t necessarily wrong in his statements, just that he didn’t provide any evidence that backed them up. He criticized their proactive efforts when the source material calls for a reactive effort.

Well, James replied to me in two subsequent posts. The first post endeavored to teach me about the importance of testing for security in systems proactively. It wasn’t a lesson that I needed, having heard of the SQL Injection attack back in the 90s as a weakness in ASP applications (or at least an attack that was fairly similar). Being aware of these issues, I’ve made a point of controlling what a user can do in interfaces.

His points are valid though, so I wanted to take time to talk about them. This is my first post in a series addressing the points he brings up. So if I don’t address something now, don’t worry, it’ll come.


Inciting Insight or Panic?

Normally when I read a post by James McGovern, I understand that he is trying to get under people’s skins in order to provoke a response. Some people respond to this by attempting to give the type of information that James is looking for in a post of their own. Others view it as a form of harassment and try their best to ignore it, though James just looks on that as a form of encouragement. Both reactions are perfectly fine.

I, like pretty much every blogger, am not compensated for writing my blog, much less for responding to James. It is optional. When I blog, I do so as me, myself, and I. Not as an employee of any company or organization.
