The Trust Problem with “The Cloud”
While having an espresso yesterday with a colleague, we discussed the trust problem with the Cloud and whether or not people will grow to trust it much as they did with the PC or electronic documents. It was a simple conversation about how people can come to trust technology that is new. As we were speaking I felt uncomfortable and perhaps uneasy with the conversation. The conversation continued, then we changed subjects and discussed privacy and the general security of document stores and content stores. I later had a cup of Ketepa Pride tea and sat in my library. While I was relaxing it came to me: the whole problem of trusting “The Cloud” is that there is no such thing as “the cloud”, and thus you cannot compare it to trusting an electronic file versus a paper file.
Let’s take a look at the Electronic File versus Paper trust considerations. In the simplest form you have a file on your local drive or a file folder with a paper inside. Both are easily accessible and both have points of failure (I will keep it simple).
Electronic:
- Hard-Drive could fail
- Someone without permission can gain access to the file
- You may delete the file unintentionally
Paper:
- Could misplace or lose the file unintentionally
- Someone without permission may get access to the file
- May spill water on the file or some other type of medium failure
Countermeasures are easy for both types of situations and once you are comfortable with the base technology you can assign your team to provide protections for the electronic files that surpass the capabilities of the paper easily. In fact you know and trust your team and have direct accountability and monitoring. If necessary you still keep the paper but add electronic copies of it as well for easy access. This access could be on your private network or local computer. You are responsible for all standards, practices, policies and security of your information.
With this simple example it should be getting very clear what the problem is with “the Cloud” and why I was uneasy with the conversation. However, let’s take a look at the cloud. First we have to define it; Cloud computing is a marketing term/metaphor to represent a service to a community that provides one or more of the following:
- Storage
- Communications
- Collaboration
- Computing Power
- Applications
- Databases
- Network(s)
- Server(s)
- Monitoring
- Identity management
- Financial Controls
Again, I am keeping it simple. Keeping that in mind, we can imagine one or more server rooms being managed on or off premises for one or many groups of customers, where access can be from any connectable device. For the purpose of this post I will assume that we are talking about a cloud provider versus your company creating a private cloud. In this model your employees connect through the Internet to the cloud and complete your company’s business.
Let’s take a look at points of failure. Again I am keeping it simple, and I will put a remedy next to each point of failure:
- Local desktop system fails – your staff repairs the system
- Your network fails – your staff corrects the issue
- Your internet connection fails locally – your staff corrects the issue
- Your internet service provider goes down – you place a trouble call and they attempt to fix the problem within the service agreement. (If you have a backup internet service provider, great; perhaps you also need to keep everything both local and on “the cloud”)
- Hard drive fails on “the cloud” – the cloud provider has a backup and recovery plan that they manage, and they assure that it is followed ethically and in accordance with the terms of service
- Network connection for the cloud service provider fails – they place a service call to their internet service provider and attempt to get everything back online
- Local internet connectivity hardware fails for the cloud service provider – the provider works to correct the issue in accordance with the terms of service
- Someone without permission gains access to your company’s cloud – the service provider is responsible for keeping content secure within the terms of service
Let me say that I am absolutely aware that this is simplistic, but it does demonstrate the problem with trust and the cloud. What you need to understand is that the cloud can provide your company with a competitive edge and a new set of capabilities, but it also means that you must know your provider and the software as well as the hardware that they use to deliver the service. You need to know their capabilities to the extent that you would understand your own IT staff.
In summary, it is clear that it is not as easy as trusting new technologies. It is the trusting of third parties with both your business success and your most confidential data. This leap of faith that you must take in fully outsourcing your business and data is far more complex and risky than converting from a paper to an electronic document system. From your own internet connectivity to backup, restore and governance, you have to evaluate every piece of what will be “your cloud”, and remember: trust but verify!
Translating Accessibility Governance to Compliance for Websites and Cloud Applications
People tend to look at governance as a set of policies and processes that are in line with their company value systems, or as a set of applicable laws or regulatory requirements to which they are subject. These can be used to manage risk and provide an acceptable level of compliance. The simple acronym that many people use to describe this is GRC (Governance, Risk and Compliance). Unfortunately many organizations “tack on” these compliance measures as an addition to their core development efforts (Web Properties or Cloud Applications). This often occurs because, even though there is a policy in place and there are qualified Subject Matter Experts (SMEs) available, the steps are not part of the development process but are an addition to it.
When developing a site or an application a developer works from a set of requirements, norms, and internal/external pressures and then sets off to deliver the product. After this is completed the organization may use the Quality Assurance (QA) team or external SMEs to detect issues with GRC and then set out to fix them. In the case of accessibility regulations, and to keep out of the weeds, let’s just assume the governance objective to be the Web Content Accessibility Guidelines (WCAG) 2.0. In this case, the company does not have to go far to find an expert in Accessibility (a11y). For those of us that have worked in the GRC field, however, we know that we have now ventured down a rabbit hole from which there may be no escape. This is because we just broke the most basic rules of the development lifecycle. Let’s take a moment to look at the last statement closely.
Classic development, even with the “Agile” method, would have the developer as the responsible party for the first phase in the GRC process, Unit Testing. This developer-driven testing is completed at the most basic level and at a point where corrections are easy to make at a low cost. If you can correct any issues at this stage you have just handled governance and eliminated risk. What you have developed is by default (if developed properly) in compliance. Some organizations claim that because of Agile they do not have time to test for something like WCAG, so instead they pass it off to the post-development system. This, prima facie, makes no sense, because the increased development cost to address accessibility after the fact will be a much greater drain on resources than incorporating accessibility from the beginning.
A simple search engine query will demonstrate the problem clearly. While you can find many SMEs to help you detect errors (or to test existing systems), you will have a far greater problem finding training for your development staff. In addition, the SMEs may not necessarily understand your platform or development language. Thus even with SMEs you may still be at risk. This is a lesson that we learned long ago in the security world. Imagine developing a site or application without a security plan or checklist. It would be hard if not impossible for you to find a company that develops without a plan these days. In fact, if you are hoping to have your company acquired, it is essential to be able to deliver your software security development and test plans.
If you included WCAG testing as part of the QA process you would of course, via defect resolution, begin training your own development staff. This internal method, while not the best choice, will in time translate governance to compliance for your company. However, what will not be effective is the external approach, because the cost will always be a deterrent. Now, we must define risk for our organization. Today we should recognize that by not having an A11y strategy in place we are putting our company and customers at risk. The real question is where to begin. For those of you that have read any of my articles or technical books and guides, you are no doubt used to me saying “start with education”. A11y is no different: start with education. While most companies have a team dedicated to security, it is time to have a team devoted to Accessibility.
The team should include at least one development resource, one training resource, one QA resource, and one SME. From there, adjust the numbers as you see fit, and yes, one person “could” fill all the roles in smaller organizations. This team should be responsible for building the policies that will turn governance into compliance; simply put, you will be changing the QA and development processes to have a11y built in. I should note that it is very important that your a11y SME have full knowledge of your development platform, or you may find that the SME and developers do not speak the same language. For example, consider a carpenter building a deck who uses roofing nails instead of finish nails to attach the deck planks. While the deck SME knows that the roofing nails are wrong on the finish boards, he has no way to communicate to the carpenter (Developer) what he must do to correct the situation. He knows that the nail does not look right and that it will not function, but he lacks the ability to communicate how to remedy the problem. This will do nothing but add cost in the end and in some cases provide incomplete compliance.
Many small to medium size businesses (SMBs) outsource their web site or cloud application development to a third party, thus they do not have a team dedicated to developing the site or cloud properties to match GRC requirements. They must set the GRC requirements for the development firm. When doing this a company should consider the vendor’s capabilities. Look back to our analogy of security: you would never use an outside development company that could not provide you with a development checklist related to security, and you should also ask for the same thing as related to a11y.
Translating accessibility governance to compliance is simple and cost effective if you take a standard approach and bake it into your product or solution. If you decide to tack it on after development you will be less successful and in most cases you will not achieve sustainable compliance. There are a few things you should remember to be successful:
• Education of your development team to build accessibly is the first step
• A11y testing must be part of QA
• SMEs MUST be able to speak the same language as the developers
• If outsourcing development you must review the provider’s a11y capabilities and the checklist they follow for a11y
Success is both easy and affordable if company leadership commits to a long term plan. Next week I will cover “Translating privacy Governance to Compliance for Websites and Cloud Applications” and as always if you have questions on this post please send your questions to ryonaitis@34alabs.com .
Resources:
W3C, Education & Outreach Working Group (EOWG) http://www.w3.org/WAI/EO/
Web Accessibility Initiative (WAI) http://www.w3.org/WAI/
When Agile Development Fails
Software development methodologies are sometimes seen as something that can only be understood by experts and are viewed as more complex than the Dead Sea Scrolls. Because of this there is a tendency to accept failure and then to blame it on the methodology rather than the developer or leadership. Unfortunately this tends to be the truth today in many small and large organizations. It happens not because the methodologies fail but because the developers and leadership fail. When we think of Agile we think of a process aimed toward customer satisfaction via Rapid Application Development (RAD) and delivery. The core problem that always hits this model is experience and capabilities. This is easy to comprehend if we look at it in comparison with other endeavors. Here are a few examples:
• Corvette – Any lover of fast cars and speed in general learns that there is a larger risk at higher speeds. So, if you are going around a bend in the road and you hit a rock at 130 mph versus 55 mph, the results will be much different. This is because at high speeds there is much less time to react, and the road is unforgiving if you do not have experience.
• Airplanes – In airplanes you do not only have speed you have many different dimensions to the issue. Complications range from hitting another plane, taking off too steeply or landing too fast and hard. Because of this there are practical test standards for all pilots to assure they can safely operate the plane that they are flying.
• Sketching – Have you ever travelled and in some public square there is a sketch artist that can sketch you in five minutes? Now this is fast but what if the sketch artist did not have the skills required to sketch that quickly?
These examples show that beyond going fast you also need the skill level and experience to successfully go fast! So let’s look at this at a high level for a minute and consider what, as a user of software delivered by a RAD provider, you should expect in 2012, regardless of methodology:
• Description of the developer’s testing methodology
• Description of Stress testing methodology
• Statements of all security testing completed on all of their products
• Capabilities document
• Statement of standards with which their development complies (WCAG, OPSEC, HTML, and any Other)
If the company is missing one of these items you should be concerned and perhaps even think of buying your software elsewhere. What really matters here is not how big this list is, and it is not big. A company may argue that they do not provide this information nor follow this process as a RAD development house, claiming that they do not have time to do these steps. If they do argue this, run, do not walk, away from this provider. I say this because none of these are difficult or time consuming for a skilled development team. So an experienced development team can do all of these, and in 2012 I would argue that it should be second nature to the team; if it is not, then they should not be doing RAD. Instead they need to slow down before they get into an accident and get someone hurt – most likely their customer. Simply think of our example above – would you trust an inexperienced driver who just got their learner’s permit to drive your Corvette around a bend in the road at 130 mph? I would say no, but what is shocking is that companies are doing the equivalent every day as related to software development. The number one reason people give to explain why they accept this is that they need to get the product to market or need the product in house under a short time frame. These are good reasons, and I agree that sometimes you have no choice but to go at 130 MPH in your software development vehicle; however, the one thing that people seem to forget is that you need someone qualified to both develop and manage the RAD process. Sorry everyone, there is always a process; we develop a process for everything we do – even if we do not write it down.
What can happen if you use unqualified management in the RAD endeavor? I think for this blog post I will include a short yet powerful list:
• You lose customers
• Customer satisfaction for the customers you keep decreases
• Your reputation is blemished
• Your internal Sales Force has problems selling your product
• Your Technical Services team grows dramatically to make up for the lack in quality and/or defect rich product
The above list shows what to expect as related to agile development if your development staff and leadership are not qualified to manage the same. It should be noted that while it is the development company’s responsibility to make sure that their products work on the platforms for which they are marketed, it is also the responsibility of the purchaser to make a review of the product and the company as part of the acquisition process. The easiest way to do this is to ask for a trial of the product whether it be Cloud Based, Server Based or Desktop. If a company cannot give you a trial you should probably go elsewhere. If they do not offer a free trial then you need to negotiate a no questions asked 100% money back guarantee for enterprise products as part of the purchase.
Agile development and Corvettes are great things to see when they are being operated at high speeds by qualified personnel, and they can represent train wrecks when the operating personnel are not qualified. Luckily for purchasers of Agile-developed products there are ways to validate the qualifications of the team and company with which you are doing business.
Is formal testing required when developing via the agile model?
I was in a meeting a couple of weeks ago and I ended up getting into a heated discussion related to the Agile Development Methodology. The argument came around because the person I was arguing with was very clear that their company could not perform QA as they developed via the agile model. It was not a settled argument, as the executive viewed Agile as a way to cut corners and save money. This is odd because anyone that follows Agile is aware that the need for a highly disciplined approach is core to the success of any development effort. It is a misconception that the agile development methodologies do not include quality assurance; in fact they require agile quality assurance efforts. Just like the development side, the QA side needs to be highly disciplined and able to get to release as quickly and orderly as possible.
A good example of this is understanding which modules of an application impact other modules when changed. For example, an FTP module is changed and a release must go out. It is important to know what was changed, and in addition to developer unit testing, QA should be able to spin up a test environment quickly and test the impacted module or modules. In many cases the QA department represents the phase of user acceptance testing when the changes being made are not specifically related to a customer request.
In the end the agile methodology can actually improve QA because it forces developers to have better defined unit testing and to actually document what unit testing was completed. This is a core part of successful development that is sadly not understood very well by all developers. White box testing does provide the best way to guarantee the stability and scalability of an application.
In that meeting we also discussed security testing, and again it was stated that there is no time to do security testing as the agile methodology was being used. When I think of this I am reminded of a conference I attended. While at a CTO summit there was a speaker that talked about Strategic Acquisitions; the speaker said that if a company was being considered for acquisition, the security test plans and strategies were amongst the first things looked at, and if one did not exist it raised real questions on the quality of the product and company. UAT must include security testing, and this will be done by the customer in some cases and by the QA department if the customer is not performing it.
Testing does not have to be difficult; in fact the unit testing can be automated for modules and/or classes. The unit testing can also be done manually. Customers who are getting enterprise-class products delivered should have questions related to Security and Scalability ready for the company providing the product. If a software developer ever says they develop in the agile methodology so there is no time for testing security or scalability, I would recommend you run, not walk, away from the vendor. If the company provides SaaS and cannot produce the Security and Scalability test plans or methodologies, then you are putting yourself at risk.
When purchasing a product it sometimes helps to come up with a requirements document, and understanding how the product was developed should be at the top of your list!
A Merry Christmas and A Note to Leaders
(Image: A Christmas Carol, open book)
One of my favorite Christmas traditions is to watch A Christmas Carol (read about the novella) by Charles Dickens. I watch this maybe three or four times a year and I think it is a great novella overall. It gives the protagonist, Ebenezer Scrooge, a mirror into his own soul. As companies operate in and through tough times, it is important that you, as company leadership, never forget about the communities in which your business exists and that there are people struggling at this time of the year. This can be the hardest time of year because the contrast between the people that have and those that do not can be large and it is inescapable.
The immediate community you need to deal with is that of your employees and you need to lead from the top. As an executive, be hands on, as a leader of the team you need to be a part of the team every day. If you find yourself in an “Ivory tower” you have work to do and maybe get started today. Empower your employees not only at this time of year, but also all year long. If you decorate your office at this time of the year, participate in putting up the decorations.
If you have holiday parties, and you “Should” be having a holiday party, develop a corporate culture of giving and helping the local community; this should be your second concern. Help your community by donating time or taking up collections for local food banks. If you do not have a holiday party tradition, start with this and immediately arrange a holiday party.
Most companies find their next concern to be customers, and this links to product and product quality. If you have created your product only for love of money then you have a problem that needs to be dealt with immediately. While suitability to task is the customer’s responsibility, you as a leader have the responsibility to be honest with your customers and ensure that all of your products work as advertised.
Remember leaders, nothing good can come from something bad and outward overt or hidden lies. Ensure your products work and that your sales team is always unambiguous when describing product or service. Never ever put an employee in a position where they have to choose between keeping their job and lying to a customer. Leading from the top matters here because if you as the executive do not take care of your customers it will stain your company and in the end it will harm you as well.
Your next concern should be with your competitors: compete fairly, and fairly does not mean that it can be argued that you may be right by law; instead you should be right. Here are some areas to be concerned with:
- Never infringe on a competitor’s trademark
- Never infringe on a competitor’s copyright
- Never lie about a competitor’s product or service
- And more, think about it and involve other executives to develop strategies together to focus on your products or services and quality versus being negative
When you lead you set the tone and the tone should be competing with quality and ethics versus bad behavior.
As a leader you get to set the culture of your company. The culture is essential to your success. Here are a few tips that you might find valuable:
- Make it possible for every employee to be proud of their company and position; make sure everyone contributes to the company’s and each other’s success
- Have an ethics clause in employee handbooks and contracts. From the top make it clear that ethical behavior matters when dealing with each other or customers
- Create internal community outreach efforts
- Create and live by your company mission statement and make it pervasive, make sure everyone understands why you are in business and why it matters
The holidays always provide a time for us to reflect on the things for which we are grateful and as leaders we can reflect on our own behavior and goals. We should set lofty goals and then work hard to exceed them. However, if we cannot complete our goals within our company ethics and belief systems breaking the same is not acceptable.
One last note on this Christmas Eve, to those that outsource product development or support, ask yourself a few questions about outsourcing outside of the USA:
- Do I outsource with the sole goal of paying less for labor or taxes?
- Do I outsource because environmental regulations are more favorable in a different country?
- Does the country I outsource to have workers’ rights equivalent to my own country’s and/or company’s beliefs?
If you answered yes to any of these questions you need to rethink your decision to outsource and most likely cease your outsourcing. Remember nothing good can come from unethical behavior or actions, money is not everything and if you cause harm to get your money it is something that will follow you in life.
To be a Leader and to telecommute does not work. Think to yourself: how many great leaders you know inspired you via email? When I think of leadership via remote I think of how it would be to read about a place online but never go to that place. Can you know something without experiencing it? Yes, while it is possible to do so, it is also true that you will never make it your own without personal experience. Creating a company culture remotely just does not work. Your leadership team needs to be in the office and performing their duty of leading and driving your company’s vision. Quality of employees and quality of products and/or services are a direct reflection of leadership.
It is never too late to change your organization and it is not hard; it is just a matter of writing down what you need to accomplish as part of your plan and then moving forward with a step-by-step execution of that plan. Remember, leaders need to be with their team to lead, and one should lead by example. As a leader I can rifle through a list of leaders that have molded me and what we accomplished together. While I have been successful as a leader, it is important to note that I have never defined success as the size of my paycheck. I have always defined my success by the accomplishments of my teams and the positive impact that we have had on our community and/or the space in which we did business. Every person on your team will enjoy this holiday in their own way, and what you can do for them now and every day of the year is to give them a position in an ethical company of which they are proud. Your best advocates will always be your employees.
I would like to end this post by wishing everyone a wonderful holiday and a happy new year.
- Rob Yonaitis
Perhaps the world’s worst Airline Rewards program
(Image: Le Bris' flying machine)
When it comes to flying commercial I love United Airlines; in my opinion they have the best loyalty program in the airline industry. What they do is offer you benefits related to using their product. This concept is not new and the benefit to their company is clear. Having customers that will talk positively about your product or services and of course actually buy those products is the goal. Having been in the software and services industry myself for over twenty years, I also know an often overlooked fact: not everyone will tell you when they are unhappy with your product.
- Tell the customer that they need to support the minority because of the size of their disposable income
- Then tell the customer that your focus is on serving people with disabilities, as it is the right thing and there is money to be made in doing the right thing
- You then tell your customer that you have no captioning solutions, but isn’t it the right thing, and did you not leave a lot of disposable income on the table?
IGF 2011 Kenya – A Timely Event
Recently it seems that the world is on fire and the internet seems to be at the center. The examples are all around us: people are creating new governments due to social media, governments are censoring social media or blocking Facebook, and a flash mob robbery in Georgetown, where the IGF USA meeting was also recently held, was incited over the internet.
You may ask, what is the importance of the IGF 2011 in Kenya? With the world changing so quickly it is important that key stakeholders discuss the changes and potential outcomes. This year’s meeting has a proposed main theme, 'Internet as a catalyst for change: access, development, freedoms and innovation'. Didn't I just say timely! You can read more about this conference at http://igf.or.ke/index.php?option=com_content&view=article&id=21:joomla-facts&catid=30:the-community&Itemid=37 .
When I consider my professional tasks and how different outcomes can be advanced through both my consulting and product development initiatives, I consider this meeting as one of the most important that I attend yearly. For those of you that cannot make it to Kenya please do consider remote participation, more information about the remote participation can be found here: http://www.intgovforum.org/cms/remote-participation-2011.
The internet is a catalyst for change. Those of us that work with it and help to shape it, via technology and policy, should take an active role in its future. The recent IGF-USA meeting stressed to the USA members that getting involved matters; I agree. Too many times we see the world changing and we say we cannot impact it. My experience says that this is just not true. If you have the time you should participate, and if you have questions or ideas that you think should be raised and you cannot attend, why not let me know by email. You can reach me at ryonaitis@34alabs.com. I will report back from Kenya how your thoughts were received. I will also be blogging daily from the event.
Should your CTO have an Engineering Degree?
Someone recently asked me if technical decisions should be made by a technical person, where a technical person means someone who was trained in an engineering discipline (with an Engineering Degree). They were looking for a CTO-type or at least a product lead. I was troubled a bit by this question because there seemed to be a quick answer, and while simplicity is desired in engineering it is rarely sufficient in building an effective team. The question itself seemed wrong based on my own experience. To me it did not seem to be properly phrased to solicit the information they were seeking, for the following reasons:
- A degree is no guarantee that someone is qualified
- A degree is no guarantee that a person can make decisions based on company success versus personal needs
With all of this in mind, I quickly built a list (in my head) of the most technically savvy people I know in the world. When it was complete I knew the answer to the question immediately. However, being me I could not answer the question directly because there really is no correct answer. The real world people that I thought of had degrees in Engineering, English, Arts and some had no degree at all but they were all brilliant and any one of them could fill a CTO role for me. Why? This was the question I had to answer, why was the answer not what was expected and how could I rephrase the question back to the person who had inquired? My reply was simple, ‘Did you mean to ask, if a person is making technical decisions should they be qualified to do so?” and if the response was ‘yes’ then my answer was “Yes” to the new question.
While a degree helps us learn the basic tricks and tools of the trade, there is no guarantee that this knowledge will transfer to the real world. There is a certain type of dedication required to be successful in any field, and that is precisely what one should look for in hiring rather than the piece of paper. Every time I look at degree or certificate requirements I think of the movie “Tommy Boy” and the guarantee skit: http://www.youtube.com/watch?v=vVm1K_emzIA (careful, language: I think it uses the S*** word once) with Chris Farley http://en.wikipedia.org/wiki/Chris_Farley
In closing, what you need in a CTO is not a degree, as that is not a quality which indicates the person can do the job. Instead, to compete in today's market, what you need is a track record, experience, and someone who has a “can do” versus “it cannot be done” attitude. My final answer to the question was: “As an executive who is qualified for the position you are hiring for, simply hire someone qualified, and someone better than yourself if possible; the degree is just noise.”
Cheers,
Rob Yonaitis
The browser padlock – Is it meaningless?
More than once in the past months I have found myself in the undesirable position of having to replace a credit card because of fraud, or having my bank send me a new card because their data was compromised. Their data included my personally identifiable information (PII). Considering this, and my online practices, I found it necessary to evaluate my behavior when going to a website. While I was sure I had nothing to do with a bank's system being compromised, I had to ask whether my behavior might have led to identity theft or fraud that was used against me and my account. In my review I found that while I was not at fault, I had not considered whether sites were secure enough before using them. I found that I relied on a single piece of information, the browser padlock, which was about as meaningful as a screen door lock, to determine if a site I was using was safe and secure. Considering this I have decided to make changes. But before I get into the changes let me describe the problem a bit more.
As an online culture it is important for us to protect our privacy-related information from the many sources of data leaks. The area of concern is personally identifiable information, which from here on I will refer to as PII. PII is information that can be used to identify you, and perhaps your location, in some way. A simple, non-exhaustive list would be: full name, ID or driver’s license number, passport number, vehicle registration, face, handwriting, credit card numbers, social security number, mother’s maiden name, mother’s middle name, age, gender, race, job position, employer, criminal record. In fact PII is any information that can be used to identify you, on its own or when combined with other data.
You may want to review NIST’s “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” (NIST Special Publication 800-122).
Now, let’s return to the title of this article regarding the browser padlock and whether or not it is meaningless in the situations that I discussed above. I would have to answer that no, it is not meaningless, but it is in fact dangerous, as it creates a false sense of security. The padlock only tells you that the connection is encrypted and that the server presented a certificate the browser trusts; it says nothing about what the site does with your data once it arrives. The browser padlock makes us lax about where and how we enter information. This is especially true when you consider how willing we are to enter PII into web-based applications in situations where we know nothing about the company, their security practices or the quality of the application. What are some of the things that companies should be doing to protect their consumers? Here is a list that web developers need to consider:
1. The company privacy policy/statement should be in the website’s user interface, and it should be in the design area of the global footer. While from an application perspective this may not be very important, from the perspective of ‘Do I have a warm and fuzzy feeling regarding the website’ it is huge. If a website does not have this I recommend leaving, and fast. But please note that having a statement does not mean that your information is safe!
2. Forms are of course a main concern with PII, and not just forms but form elements and any other sort of user input. To the user these items are not always visible, and to the application developer not trained in security they are often overlooked. Here is a short list of some of the elements that matter:
- Input
- TextArea
- Select
- Buttons
- Datalist
- Keygen
By themselves, these elements are not inherently bad; it is how they are used that can be. Again, they are not always visible to the site visitor, and they may be styled to look like anything but a form. So there are some form rules that developers and site visitors need to be aware of. First, a form that carries PII, credentials or session data should not use the GET method; as a developer you do not need it for that purpose. With GET the field values become part of the URL, and HTTPS only protects the URL in transit: the values still land in server and proxy logs, browser history, bookmarks and Referer headers, so HTTPS does not give the visitor an acceptable level of PII protection in this case. Use POST, and keep PII out of the URL altogether. Second, never trust user input. We set patterns on the client every day, for example to complete a phone number, but that is usability, not security: anyone can submit a request without ever using the form, so every input, textarea or other field must be validated again on the server, and anything echoed back into a page must be HTML-encoded (and validated in other ways where available) so that it cannot become script. A take away here is that we need to evaluate all forms to see if they are developed and implemented in a secure manner.
3. Cookies. There are many types of cookies: session cookies, authentication cookies, third-party cookies and so on. With regard to security and privacy, a web site/application, to be safe, should mark any cookie that carries security or privacy information with the Secure attribute, so the browser never sends it over plain HTTP, and with HttpOnly, so page script cannot read it; it should also prevent mixed content, because a single http:// request from an https page can carry an unprotected cookie in the clear. Even with these precautions there can still be dangers to PII and other user account information. A take away here is that we need to evaluate all cookies to see if they are developed and implemented in a secure manner.
4. Mixed content is an issue for many reasons, the first being what it means to the site visitor. Most site visitors have no idea what it means, so to keep it simple: it is a page received over HTTPS that loads some of its content (scripts, images, frames, style sheets) over plain HTTP. Depending on the browser the user is asked whether to display that content, or it is blocked, or it is shown with a warning. The danger is that an attacker on the network can alter an http:// script, which then runs with the full privileges of the https page, so from Cross Site Scripting (XSS) to spear phishing and a lot in between, the impact of mixed content can be huge, because again the lock provides a false sense of security. The cause is often the developer of the web application and/or the lack of a content security policy in the development team, both the written policy and the Content-Security-Policy header that a browser can enforce (for example by upgrading or blocking insecure requests). A take away here is a company needs to develop a content security policy.
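The three checks in items 2, 3 and 4 can be automated for a single page. The following is an added example written for this post; it is not code from the original article or from the ConPraxis product. It uses constructed sample HTML, a constructed page URL and constructed Set-Cookie headers, and the function names (auditForms, escapeHtml, auditSetCookie, findMixedContent, auditPage) and the list of PII-looking field names are this example's own assumptions.

```javascript
// Added example, not code from the original post or the ConPraxis product:
// a small audit of the page properties discussed in items 2, 3 and 4.
// The HTML, URL and Set-Cookie values below are constructed samples; the function
// names and the PII_FIELD list are this example's own. Run with: node <file>.js

// Field names that usually carry PII or credentials (assumed list, extend as needed).
const PII_FIELD = /(ssn|social|passw|card|cvv|account|dob|birth|passport|licen[cs]e)/i;

// Item 2: list every form with its method. HTML defaults to GET when no method is
// given, and GET puts the field values into the URL (logs, history, Referer).
function auditForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const action = (/action\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1] || '';
    const method = ((/method\s*=\s*["']?(\w+)/i.exec(attrs) || [])[1] || 'get').toLowerCase();
    const fieldRe = /<(?:input|textarea|select)\b([^>]*)>/gi;
    const sensitive = [];
    let f;
    while ((f = fieldRe.exec(body)) !== null) {
      const name = (/\bname\s*=\s*["']?([^"'\s>]+)/i.exec(f[1]) || [])[1] || '';
      const isPassword = /\btype\s*=\s*["']?password/i.test(f[1]);
      if (PII_FIELD.test(name) || isPassword) sensitive.push(name);
    }
    forms.push({ action, method, sensitive, leaksInUrl: method === 'get' && sensitive.length > 0 });
  }
  return forms;
}

// Item 2, output side: encode untrusted text before it is echoed into a page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Item 3: one Set-Cookie header -> which protections it lacks. Secure keeps the cookie
// off plain http, HttpOnly keeps it away from page script, SameSite (newer browsers)
// limits cross-site sending.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const missing = ['Secure', 'HttpOnly', 'SameSite'].filter((a) => !attrs.has(a.toLowerCase()));
  return { name, missing };
}

// Item 4: on an https page, any sub-resource fetched over plain http is mixed content.
function findMixedContent(html, pageUrl) {
  if (!/^https:\/\//i.test(pageUrl)) return [];
  const re = /<(?:script|img|link|iframe|object|embed|source|audio|video)\b[^>]*\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Combine the three checks into one report for a page.
function auditPage(html, pageUrl, setCookieHeaders) {
  return {
    forms: auditForms(html),
    cookies: setCookieHeaders.map(auditSetCookie).filter((c) => c.missing.length > 0),
    mixed: findMixedContent(html, pageUrl),
  };
}

// Constructed sample page and response headers.
const SAMPLE_URL = 'https://www.example.test/';
const SAMPLE_HTML = `
<form action="/login" method="get"><input name="user"><input name="pw" type="password"></form>
<form action="/search"><input name="q"></form>
<form action="/pay" method="post"><input name="card_number"></form>
<script src="http://cdn.example.test/lib.js"></script>
<img src="https://static.example.test/logo.png">`;
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=dark; Path=/',
];

console.log(JSON.stringify(auditPage(SAMPLE_HTML, SAMPLE_URL, SAMPLE_SET_COOKIE), null, 2));
```

On the sample page the report flags the login form (password sent with GET, so it would appear in the URL), the prefs cookie (no Secure or HttpOnly), and the script loaded over http://; the search form, the POST payment form and the https image pass. The regular expressions are enough for this illustration; a real scanner would parse the DOM and follow redirects, but the point of the report is the same as in the text: none of these problems is visible from the padlock.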
You may notice that at this point I have not provided any information on scanning or reviewing pages for PII yet, and that may seem a bit odd, but I think by the end you will agree that it is not. The reason it is not odd is that there are a couple of truths that need to be mentioned about your PII. First, if the site you are visiting does not use basic application security, your PII is not safe on the site. Second, if it is obvious that the site you are visiting does not have a policy on content security, then all the scanning in the world for data leaks is meaningless. When a company considers a privacy scanner, like the ConPraxis Privacy Server (http://34alabs.com/conpraxis.htm), to proactively check whether their visitors’ data is safe, they also need to look at the security factors above before running random and near-meaningless scans for an SSN and the like.
So what can a site visitor do along the same lines as the company that purchased a privacy scanner? The sad answer is “not much today”. This is because the items listed above require that the site visitor be able to identify those security issues, understand the context and then make a decision to go forward or leave the site. Personally, I find that I never do this, and I know how to. So what do we do when we either do not have the time or the knowledge to review a web application?
When trying to solve a technical problem I always lean toward education, and in this case education seems to be a perfect solution. In the next week or so 34a Laboratories will make available a free online version of the ConPraxis Privacy Server that will be suitable for both developers and everyday web trotters. It will allow you to enter a URL and see how it validates against a list of well-known web site security threats, security context threats and privacy/data leak issues. It will be a one-page-at-a-time tester used for educational purposes. Its intention is to educate, not to inoculate, so please do read the reports, learn and take an active part in protecting your PII and online identity.
An API will also be available to help you tie these validation checks into Visual Studio, RAD Studio and more. This will allow developers to perform a quick scan of their application from their IDE. Developers also need to consider their content security policy, and tools like the ConPraxis Privacy Server and its plug-ins for different development and content environments are a good first step toward both developing and enacting policy.
We have all seen, and not read, a forty-page privacy policy notice from our banks or cloud application providers. That may make sense if we trust the provider and we understand they are selling our PII to partners. However, when it comes to allowing someone to steal our information we need to think twice. By educating ourselves on what the browser padlock really means, and on the security context of the items that appear in the browser chrome, we will be safer.
So to state the obvious, I will repeat my previous answer: “No, the browser padlock is not meaningless, but in fact it is dangerous, as it creates a false sense of security.” By educating ourselves, both developers and web trotters, we can better protect everyone’s PII. Remember, in the end the browser padlock merely describes how information is being transmitted (encrypted, to a server that presented a certificate the browser trusts); it does not tell you anything about proper application development, nor does it tell you what the web site’s content security policy includes.
Cheers,
Rob Yonaitis
What is GRC and what is required?
First and foremost, there are many things that the acronym GRC can mean, so all writers should remember the basic rule to spell out the term before heading to the acronym or short form. For this posting, governance, risk management and compliance (GRC) is what we mean by GRC. Now, one should never forget that this is merely a term, and this term is commonly used as an umbrella for many different disciplines. As an executive you may look initially at specific risks that apply to your team or group, then you will want to understand your policy as related to that risk, and finally of course you will need to determine your compliance. This may seem simple but it is not. Let’s look at electronic content accessibility as an example.
First you will need a policy for accessibility (a11y), then you will need to implement that policy, and as an executive you will need to review compliance with that policy over time. Developing and writing a policy will likely involve many stakeholders from your team. You may use internal staff and you may also use consultants and/or subject matter experts (SMEs). Part of writing the policy in this case requires that you define electronic content. Even in a small to medium-sized business you will find that you have many different content types, including but not limited to documents, compressed files, HTML, plain text and more. You may find that you use different content management systems for different functions as well. So once you define the content types you can implement the authoring guidelines.
At the point of developing the guidelines you must also give the authors the tools needed to assure compliance with the same policy. These may be a11y add-ons for Word, tools for PowerPoint, captioning tools, data mining tools, web quality tools and other validators. These should all have an educational component so that instead of just indicating errors, they also explain what the company policy is in regard to repairing those errors. If you need content to be compliant, then make remediation tools available. This is far from a fragmented approach; rather it is an approach that empowers individuals. In addition you will want the ability to roll up the data from different locations so that a centralized reporting server or defect tracking database can compile data and reports that can later be used to identify training needs across your organization.
The central reporting server should also be capable of active monitoring. This monitoring should be augmented by the data roll-up previously mentioned, and the result will be reviewable by the compliance officer. It is also important to note that the developer and author tools should be synchronized with the monitoring tool so that both represent the same policy. If the two sets of solutions cannot be reconciled it will produce tension within the organization. For example, if you use the Microsoft Word accessibility checker but your a11y compliance monitoring solution tests for a modified or customized policy, your monitoring solution will show errors but provide the author or developer no real guidance to use while working or authoring.
Finally, the fact that content or elements exist is not proof that they comply with your policy. Instead it is important to automate the processes that users will go through and validate them at each step. For example, if you have a tool that checks for a privacy policy and the policy allows people to opt out, your validation tool has to be able to verify that the web application actually passes the proper variable when someone chooses to opt out. So a set of quality assurance (QA) tools for GRC that do not include interaction testing may be considered somewhat incomplete. However, if your GRC developer’s tool has a rich API you should be able to integrate it with your existing QA suite so that you can benefit from your current QA automation. In addition, make sure that the testing scripts or expressions in your GRC tool are open and editable, because from privacy, security and even accessibility perspectives you will need to modify test suites to match your company policies. Regardless of how you plan on testing, it is the vigilance that matters when dealing with risk management. Every day there are new attacks or elements, and your organization will need to stay on top of them.
Remember, no single tool is a guarantee of success, and in most cases it takes a suite of tools to have a complete solution. It is unfortunate that in GRC we cannot have a tidy answer to the problem like Euclid’s theorem on the infinitude of prime numbers!
Cheers,
Rob Yonaitis


