James McGovern followed up his 2007 prediction list with an open source industry analysis guide. James' list includes things like pricing models and coverage areas (this is important because some firms are seriously deep in certain areas but weak in others), and:
"Which vendors include security analysis into their research of non-security oriented products"
My ask on this, with respect to security, is twofold:
1) Assess the support for security protocols and standards. If you are assessing ESBs, for example, do they support SAML, WS-Security, WS-Trust, and friends? How are they supported?
Again this should be straightforward for analysts to quantify and it is important just like knowing whether you have side impact air bags in a car.
2) Assess the strength of the security implementation in the product. Brian Snow said "we break implementations, not standards."
This is much more difficult to quantify, but in the security space at least, it would be helpful if people started moving in this direction: asking, for example, what independent third parties have vetted this system. Again quoting Brian Snow, this is akin to having the Palestinians audit the Israeli implementation.
In my experience standard software analysis does #1 at a surface level. Some security analysts do a reasonable job at #1, but most (any?) do not do #2 in any depth. Bring on the crash test dummies.
I am hoping to focus on the industry analysts who cover the ECM space first as the bar is incredibly low.
I would challenge all security-oriented bloggers to stop talking about security in general and specifically start talking about it in the context of products that enterprises use.
Raise the security discussion to the level that non-technical folks can practice MANAGEMENT BY MAGAZINE.
Maybe your next blog entry can be a call to action of others within the security profession in this regard.
Posted by: James | December 16, 2006 at 08:59 AM