Saturday, December 18, 2010

The start of a journey

My blog has given me a lot of opportunities in 2010.
Posts about OpenID resulted in presenting my thoughts on the risks of OpenID at the European e-ID Interoperability Conference, which inspired me to go to Colorado (USA) to attend the Cloud Identity Summit.
There I saw a presentation that would change my ideas on access management on the web.
Eve Maler presented a protocol in development, UMA (User Managed Access), empowering a user to flexibly apply the necessary security and privacy controls to their data residing on any number of Hosts and to introduce those hosts dynamically to a user-chosen Authorization Manager. Moreover, UMA supports requesters in gaining authorized access to such data.
Knowing OpenID and OAuth, I thought, IMHO, this could be a breakthrough in Access Management, and offered my experience as a tester.
A few months (and some very busy nights :-) ) later this resulted in the Conformance Plan Test Materials of the UMA Core Protocol.
Something I couldn't have done without the help of my fellow UMAnitarians, especially Eve and Maciej.

2010 was not the end of my journey; 2011 will be all about fine-tuning the test materials and using them to test the quality of UMA protocol implementations.

It won't be easy, but I live by one motto: Who dares wins!

Wednesday, September 29, 2010

From SaaS to identity and security: a perspective of the last 2 years

Two years ago I started this blog to express my thoughts about SaaS, aka Software As A Service, a 'new' style of software deployment.
In these posts I dealt with a lot of things, from methods to test them (Model Based Testing) to security and IAM (Identity and Access Management).
For everyone who now thinks 'Oh, Cordny is going to stop his blog', I have to disappoint you.
The fun is just beginning. While posting on this blog I got more and more interested in IAM and the security of web applications, and through reading, studying, discussing and following great conferences (EEMA, Cloud Identity Summit) I learned more and more.

So, for me this blogpost is a milestone I achieved and I'm grateful for the people who challenged and helped me through the last years on gaining knowledge in SaaS, testing, IAM and SOA.

The next year I will give more detailed posts about my thoughts about IAM, SaaS, Testing and SOA.
I hope you will like it!

Cheers!!

Sunday, August 8, 2010

Cloud Identity Summit: no more passwords!!

About 2.5 weeks ago I was at the Cloud Identity Summit in Keystone, Colorado.
I went there to gain more knowledge about today's identity management solutions in the cloud.
I met wonderful people, had interesting discussions and in 3 days I learned a lot about identity in the cloud.
I can tell a lot about my days at this conference, but I can summarize it with one sentence: get rid of the passwords.
How to really do this is still an academic question, but the people I met on the Summit are eager to solve this problem.
Perhaps I can help them test their solutions and together we can make it happen.
We'll see at the next Summit.

Sunday, June 6, 2010

Can your system work with mine? A case of interoperability and open standards

SaaS applications (apps) are developed and distributed rapidly on the internet (the cloud) these days, and companies want to integrate these SaaS applications. Just look at this Salesforce site.
A SaaS application can be tested for different reasons: functionality, performance, security etc.
For the integration of SaaS apps an interoperability test should be done.
Yeah nice Cordny, interoperability tests, what's new??
Well, this post is not only about interoperability, but also about open standards, which are at the moment a big item in the cloud community (SaaS is a part of this) and on the digital (political) agenda.
Both interoperability and open standards have a similar goal (enabling exchange between systems). With respect to software, interoperability describes the capability of different programs to exchange data via a common set of exchange formats, to read and write the same file formats, and to use the same protocols.
As for open standards: according to Microsoft, an open standard is publicly available, and developed, approved and maintained via a collaborative and consensus-driven process. But that implies both parties have to take part in that process. On my PC, Microsoft's own software still can't open an ODF document.
But there are protocols which are also open standards. One of them is SAML 2.0, which, if you have already read my blog, you know is an open standard for exchanging authentication and authorization data.
And yes, Microsoft can deal with this protocol, see here.

However, both SAML 2.0 and Microsoft (with ADFS 2.0) are evolving, so interoperability tests still have to be done. Especially because SAML 2.0 is very flexible: the standard leaves a lot of room in what an assertion may contain, so two conforming implementations can still disagree on what they expect from each other. Can Microsoft keep up?
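To make the "interoperability test" concrete, here is an added example (not code from the original post, and not from any of the products mentioned) of the kind of conformance check a tester runs over a SAML 2.0 assertion that one party sends and the other has to accept. It uses only the Python standard library, checks the structural points two implementations most often disagree on (version, issuer, subject, validity window, audience), and flags elements that are not where the schema puts them. The assertions, entity IDs and evaluation time below are constructed for the example. Signature verification (XMLDSig) is deliberately left out; a real interoperability test must check it as well.

```python
"""Minimal SAML 2.0 assertion conformance checks (constructed example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Direct children of <saml:Assertion> that the checker expects; any other
# element in the SAML namespace is reported (Signature lives in the ds namespace).
EXPECTED_CHILDREN = {"Issuer", "Subject", "Conditions", "Advice",
                     "AuthnStatement", "AttributeStatement", "AuthzDecisionStatement"}


def _parse_utc(value):
    # SAML uses xs:dateTime; this example accepts only the UTC 'Z' form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, now):
    """Return a list of findings; an empty list means the assertion passed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAML}}}Assertion":
        return [f"root element is {root.tag}, expected saml:Assertion"]
    if root.get("Version") != "2.0":
        findings.append(f"Version is {root.get('Version')!r}, expected '2.0'")
    for child in root:
        if child.tag.startswith(f"{{{SAML}}}"):
            local = child.tag.split("}")[-1]
            if local not in EXPECTED_CHILDREN:
                findings.append(f"unexpected element saml:{local}")
    if root.find("saml:Issuer", NS) is None:
        findings.append("missing saml:Issuer")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        findings.append("missing saml:Subject/saml:NameID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("missing saml:Conditions")
    else:
        try:
            not_before = _parse_utc(cond.get("NotBefore", ""))
            not_on_or_after = _parse_utc(cond.get("NotOnOrAfter", ""))
        except ValueError:
            findings.append("NotBefore/NotOnOrAfter missing or not a UTC xs:dateTime")
        else:
            if not (not_before <= now < not_on_or_after):
                findings.append("assertion not valid at evaluation time")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"audience {audiences} does not include {expected_audience}")
    return findings


# Constructed sample assertion: made-up entity IDs, subject and timestamps.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2010-06-06T12:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject><saml:NameID>cordny</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-06-06T12:00:00Z" NotOnOrAfter="2010-06-06T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-06-06T12:00:00Z"/>
</saml:Assertion>"""

# Same assertion with the Conditions element wrongly tagged (singular).
MISTAGGED_ASSERTION = GOOD_ASSERTION.replace("saml:Conditions", "saml:Condition")

SP_ENTITY_ID = "https://sp.example.com/"
EVAL_TIME = datetime(2010, 6, 6, 12, 1, 0, tzinfo=timezone.utc)


def demo():
    """Run the checker over the constructed samples; returns {scenario: findings}."""
    return {
        "valid": check_assertion(GOOD_ASSERTION, SP_ENTITY_ID, EVAL_TIME),
        "wrong_audience": check_assertion(GOOD_ASSERTION, "https://other.example.com/", EVAL_TIME),
        "mistagged": check_assertion(MISTAGGED_ASSERTION, SP_ENTITY_ID, EVAL_TIME),
        "expired": check_assertion(GOOD_ASSERTION, SP_ENTITY_ID, EVAL_TIME + timedelta(minutes=10)),
        "garbage": check_assertion("<saml:Assertion>", SP_ENTITY_ID, EVAL_TIME),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The mis-tagged case is the one that bites in practice: the document is well-formed XML, so a parser is happy, but the relying party finds no Conditions element and either rejects the assertion or, worse, treats it as unrestricted. A conformance checker has to test for both the presence of what the standard requires and the absence of what it does not know.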

Wednesday, April 21, 2010

Google SSO hacked?

Yesterday I read a disturbing post on one of my favorite security blogs.
It covers a New York Times article reporting that Google's password system (Gaia) was compromised during a targeted attack last December (see also this post).

This ZDNet post summarizes all the posts I made about phishing, SSO and SaaS and exemplifies my argument for not taking SaaS and SSO too lightly for security reasons.
The New York Times article said the hack started with an IM message to a Google employee in China who was using Microsoft (ahaa!) MSN Messenger:

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

People are still wondering how the 'poisoned' web site did its 'evil' job (own quote!).
Some think it was done by using a Trojan horse and installing it in Google's global data centres, but that would be too difficult because of detection.
Others think it was done by getting access to the source code in the software repository. For hackers that's the real jackpot!

People, this was not an impulsive attack, but a 'planned' one.
Also, if you know that other companies (Adobe, Juniper) were hit by similar cyberattacks, this cyberattack can't just be seen as luck.

Cyber-criminals (just plain crooks if you ask me) are trying to get the intellectual property of the companies they attack, and this damages the companies, their clients and the general adoption of the cloud.
Security breaches will always be there; we all (!) just have to be wary of them and try to diminish or eliminate the risks.


PS: One other thing: this post explains the vulnerability in Microsoft MSN Messenger and that Microsoft will deal with it.

Monday, April 12, 2010

Open standards and the cloud

With every client I work for, I start to look for interesting subjects that client is involved with.
As a software test consultant I have had a lot of different clients over the last six years, so you can imagine the diversity of areas I've seen.

For me one of the most interesting areas is financial services. Not because of the arithmetic (still not my cup of tea), but because of the innovative way these services try to adapt to the changing financial environment.
I started to see this at the beginning of internet banking, and at the moment I see financial services woven into social networks like Hyves, web 2.0 as you may call it.

Very interesting for a tester, because these financial services and social networks will form an 'in silico' ecosystem (I'm still a biologist :-)), and like a living ecosystem it is very intricate and therefore very susceptible to errors.
To minimize this error-proneness, (open) standards (like XBRL) were developed to make interoperability between the systems possible and also to prevent vendor lock-in.
But even standardization does not fully eliminate the errors, because applying a standard in design and development is still a human job, and humans make mistakes.
And from what I've seen in online financial services, things can get very messy if a single XML tag in a web-service message is wrong.

Standardization increases interoperability, but does not mean errors can't be made.

Sunday, March 28, 2010

Cloud computing: a secure thing?

Financial services are very interested in cloud computing.
But one of their main worries, as Phil Wainewright says in his blog, is the risk of data being exposed to third parties in a multi-tenant environment.
Secure authentication by SSO or PKI is one way to avoid this.
But what happens when you have a man-in-the-browser attack?
An MitB is a trojan that infects a web browser and is capable of modifying pages, modifying transaction content or inserting additional transactions, invisible to both the user and the host application. Mechanisms such as SSL/PKI and/or two- or three-factor authentication are useless against it, because it works at the transaction level, not the authentication level: the user is genuinely logged in, and the trojan rides on that authenticated session.
Solution? Simple: think outside the browser, by using another channel to verify the transaction: an automated telephone call. The catch is that the call must read out the transaction as the server received it (amount and beneficiary), so the user can spot that it differs from what they entered; a call that only says "please confirm with code 1234" confirms whatever the trojan submitted.
So, now you have a "three-factor" defense against criminals exploiting your SaaS application.
All three 'factors' have to be tested individually and also as an end-to-end process/chain to minimize possible defects and risks.
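The following is an added example (not from the original post, and not any bank's real code) that plays through the scenario above: a simulated MitB rewrites the beneficiary of a transfer, and the bank confirms the transaction over a second channel. It runs the out-of-band step in two variants, a call that reads out the server's view of the transaction and a call that only reads out a code, to show why only the first one stops the trojan. The bank, the trojan, the account numbers and the confirmation-code scheme (an HMAC over the server-side transaction details) are all constructed for the example.

```python
"""Out-of-band transaction verification against a man-in-the-browser trojan.
Constructed example: bank, trojan and account numbers are all made up."""
import hashlib
import hmac
import secrets

MULE_ACCOUNT = "NL99MULE0000000001"   # attacker-controlled account (made up)


def browser_trojan(tx):
    """Simulated MitB: the page still shows what the user typed, but the
    transaction actually submitted carries the attacker's beneficiary."""
    tampered = dict(tx)
    tampered["to"] = MULE_ACCOUNT
    return tampered


class BankServer:
    """Server side of the SaaS application. Authentication has already
    succeeded; the MitB rides on the authenticated session."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server secret for confirmation codes
        self.pending = {}
        self.executed = []

    def submit(self, tx):
        tx_id = secrets.token_hex(8)
        self.pending[tx_id] = dict(tx)
        return tx_id

    def _code(self, tx_id):
        # The code is an HMAC over the server's view of the transaction, so a
        # code read out for one transaction cannot approve a different one.
        tx = self.pending[tx_id]
        msg = f"{tx_id}|{tx['amount']}|{tx['to']}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def phone_call(self, tx_id, read_out_details):
        """What the automated call tells the user. The strong variant reads out
        amount and beneficiary as the server sees them; the weak one only a code."""
        call = {"code": self._code(tx_id)}
        if read_out_details:
            call.update(amount=self.pending[tx_id]["amount"], to=self.pending[tx_id]["to"])
        return call

    def approve(self, tx_id, code):
        if tx_id in self.pending and hmac.compare_digest(code, self._code(tx_id)):
            self.executed.append(self.pending.pop(tx_id))
            return True
        return False


def user_decides(call, intended):
    """The user's part of the check: approve only if what the phone reads out
    matches what they meant to send. With no details to compare against, the
    user can only trust the (tampered) browser screen and types the code in."""
    if "to" not in call:
        return True
    return call["amount"] == intended["amount"] and call["to"] == intended["to"]


def run_transfer(read_out_details):
    """Push one transfer through the MitB; returns the beneficiary actually
    paid, or None if the transfer was stopped at the out-of-band step."""
    bank = BankServer()
    intended = {"amount": "500.00", "to": "NL01ABCD0123456789"}   # made-up IBAN
    tx_id = bank.submit(browser_trojan(intended))
    call = bank.phone_call(tx_id, read_out_details)
    if not user_decides(call, intended):
        return None
    bank.approve(tx_id, call["code"])   # the trojan may relay the code; irrelevant here
    return bank.executed[0]["to"]


def code_is_transaction_bound():
    """A confirmation code captured for one transaction does not approve another."""
    bank = BankServer()
    a = bank.submit({"amount": "10.00", "to": "NL01ABCD0123456789"})
    b = bank.submit({"amount": "10.00", "to": MULE_ACCOUNT})
    return not bank.approve(b, bank.phone_call(a, True)["code"])


if __name__ == "__main__":
    print("code-only call paid:", run_transfer(False))      # the mule account
    print("call with details paid:", run_transfer(True))   # None: user refused
```

The point for a tester: the three 'factors' cannot be signed off in isolation. The phone channel passes its own test in both variants; only the end-to-end check, with a hostile browser in the chain, shows that the code-only variant verifies nothing.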

Just a (simplified) scenario in which a security tester can find himself while testing a SaaS application for, for example, an online bank.

Sunday, March 21, 2010

European e-identities

Writing a blog about your favorite test objects has its advantages.
Roger Dean, executive director of EEMA, read my blog about testing OpenID and invited me to the EEMA congress on eID interoperability near Brussels, Belgium.
There was only one catch: I had to give a presentation to the attendees about the risks of OpenID.
I said to Mr. Dean: 'No worries Roger, I will come to Belgium and give you the presentation'.
And so I was in Belgium for 2 days, listening to experts on e-identity, learning a lot from them, and even giving a presentation myself about my favorite subject: testing e-identities.
The European Union wants to become more united, not only physically, but also digitally.
This is a challenge: country-centric computer systems have to be interoperable with each other in a secure way. That's not easy, considering the differing European languages, legislations etc.
Perhaps OpenID will play a big role in securing the digital connections in the European Union. As long as you minimize the risks involved!
EEMA, thank you for this opportunity!