...to improve solutions, and it sure pays to pay attention. Who is more open when it comes to identity solutions: Google or Microsoft? Who woulda thunk it? Eric Norlin:
Microsoft's Live ID *is* the old Passport — with a few key changes. Kim Cameron's work around the identity metasystem has driven the concept of InfoCards (now called CardSpace) deep inside of Microsoft. In essence, Kim's idea is that there is a "metasystem" which utilizes WS-Trust to translate tokens, so that all identity systems can interact with each other.

Of extreme importance is the fact that Windows Live ID will support WS-Trust, WS-Federation, CardSpace and ADFS (Active Directory Federation Server). This means that A) Windows Live ID can interact with other identity metasystem implementations (Open Source versions, for example); B) that your corporate Active Directory environment can be federated into Windows Live ID; and C) the closed system that was Passport has now effectively been transformed into an open (standards-based) and transparent system that is Live ID.
Contrast all of this with Google's announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend? While Microsoft is now making it easy to interact with other (competing) identity systems, Google is making it nearly impossible. All of which leads one to ask - why?
I honestly believe that Microsoft is ahead of Google on this one for a very simple reason: Passport taught Microsoft some very painful, first-hand lessons. Passport forced Microsoft (over a period of years) to re-examine their fundamental approach to identity. Further, it forced them to figure out how to monetize the idea of identity applications — and not simply the aggregation of identity itself. Conversely, Google's business is now built on the aggregation of identity data, and they have yet to walk the painful Passport path.
Will the market force Google to learn the same lesson? I don't know. On the other hand, one company is clearly advancing the cause of "identity 2.0", "web 2.0", "Net 2.0" — call it what you will — and that company is Microsoft. The other company is deepening the silo and building the walled garden — and that is *so* late 90s.
This reminded me of the OWASP panel at AppSec Europe. The debate, chaired by Johan Peeters, was on whether or not companies should or could adopt Microsoft's Security Development Lifecycle. What was interesting was that the response was no, but not for the reason you might expect:
Microsoft Under Attack
Not by angry customers suing for damages after security breaches, or by governments breaking up monopolies, but by open source developers and security professionals accusing them of being obsessed by security. Microsoft is a company we love to hate. In particular, the security of Microsoft products has been the target of fierce criticism. However, in the last few years, Microsoft has made a concerted effort to improve the security of their products. The Windows Security Push was launched in 2002 in the run up to the release of Windows Server 2003. At that time, the seeds of the Security Development Lifecycle (SDL) were sown. This process has since been refined by many more security pushes. I had the pleasure to moderate a panel discussion "Should companies be emulating Microsoft’s Security Development Lifecycle?" on Tuesday at the OWASP Europe conference in Leuven.
...OWASP's motivation for organizing the panel discussion was the announcement of the release of an OWASP process guide: CLASP (Comprehensive Lightweight Application Security Process) was donated by Secure Software to OWASP for distribution and further elaboration. Pravir will lead the OWASP CLASP project.
CLASP addresses the same problem space as Microsoft's SDL. Would it not have been simpler to just adopt the SDL? According to Pravir, the distinguishing feature of CLASP is the opportunity to tailor the process to the needs of the organization. SDL is seen as too heavyweight. Alex Lucas points out the irony of the SDL description fitting into a book of fewer than 300 pages, while the supposedly more lightweight CLASP requires around 600. However, Pravir stresses that the SDL is too rigorous for small organizations who may not be able to afford to work to the same exacting security standards that Microsoft is currently setting. This statement seemed to be endorsed by a significant number of the audience.
...
Alex emphasizes the importance of security awareness, and beyond awareness, openness and willingness to discuss security problems.
In closing, Johan poses an interesting question:
Has Open Source lost the security edge and is it now being superseded by the products and practices Microsoft is introducing?
Competition is good for everyone; Microsoft and other large vendors have made some major improvements over standard-issue open source security. Hopefully open source will catch up in these areas and make improvements in the security space, and the industry as a whole will rev ahead again. However, are we maybe seeing an Achilles heel in open source, where some security work is not seen as fun enough to work on and/or interferes with the features developers would rather work on? I know of several widely used open source security package maintainers who struggle to get any help developing security features for their systems...
Bah!
Re: Microsoft security push
Don't you think that it is about time they got serious? Good for them. It is especially refreshing to see that the influence of some of their famous security people is being felt - finally, after all these years. Some of those people have track records of building provably secure, state of the art systems. It is about time that they started listening to them.
Re: Maybe security is not fun?
For most, it is not. For one thing, it is hard to get right and it takes a lot of work, dedication, and discipline. All things that open source could stand to learn.
For one thing, the apparent open source idea that people can merely whip up things in their basement without regard to requirements and long-established ways of doing things has to die.
Open source has to learn to develop trustworthy implementations that are provably secure. That means, among other things, complete control over the SDLC and the complete methodology that this requires - heavyweight as that may be.
Open source has to learn some basics. They are not complicated. They are simply hard to get right because they take discipline and dedication to it that open source has lacked in the past.
While there is hope, by and large, interest in provably secure and trustworthy code, applications, and systems remains to be seen. Until open source is serious enough to do security by design and to use the methodologies that are required, there won't be any security.
Though security can be fun, it is pretty hard work for people who are used to coding up their latest wet dream and trying to foist that on the world as the right way to do things.
Posted by: Curmudgeon | July 11, 2006 at 09:24 AM