The November NCC-AIIM Seminar delivered a broad spectrum of educational material.
Laying the Cornerstone: Web Services
Wayne Beekman, cofounder
Information Concepts, Inc.
http://www.infoconcepts.com/
Mr. Beekman began by defining a Web service as “a container of business logic which can be invoked independent of platform or location.” In the past, applications were separate entities; only limited integration was possible, and only then with extensive software “plumbing.” With Web services, objects can interact directly.
Web services are language independent, platform independent, and device independent. WS-I.ORG was formed to promote Web services interoperability across platforms, applications, and programming languages. Mr. Beekman joked that once the lawyers got involved, the engineers got serious about interoperability.
Mr. Beekman showed Gartner’s Web services hype cycle (how cynical has our industry become that analysts offer hype cycles?). The cycle starts with a technology trigger, climbs to the start of media infatuation, slopes slightly down to media distraction, climbs again to the peak of inflated expectations, collapses into the trough of disillusionment, and then climbs the slope of enlightenment until the plateau of productivity is reached.
Mr. Beekman described the process of ordering DSL service, an “example of a transaction we have all suffered through in the past few years.” The customer service application identifies a person as a customer, the appropriate modem is selected, and installation is dispatched. In our current economy, each of these functions is handled by a different company. Mr. Beekman illustrated how Web services could be used to make all the systems work together: build a Web service “shim” on top of each stovepipe, so that all applications interact and are available to external computers. He went on to speak at length on how increased use of mobile applications would increase the requirement for Web services.
He reminded the audience that the value is in business logic and data, not in the application. Mr. Beekman stressed the importance of selecting the right project for Web services. Break the business into transactions; business folks and technical folks describe the same transaction in different terms. Projects should build Web service shims around existing legacy applications, use Web services to add new functionality, and begin to decouple hardwired system interfaces.
THE PLATFORM WARS, .NET VS J2EE
Brian G. Lyons
Number 6 Software
http://www.numbersix.com/
Lyons began by saying he had almost said “let’s not say platform wars, can’t we all get along.” He defined a platform as a standard around which a system can be developed. He illustrated the strengths and weaknesses of each platform by examining cases where companies had switched systems.
Switchers are usually in the process of an upgrade. Those who switch from .Net to J2EE are usually concerned with security; system stability may also be a consideration. Those who switch from J2EE to .Net usually do so for ease of use, and sometimes also to consolidate vendors.
Note: this is an important warning to small system integrators to form partnerships with those you share customers with. Blaming the other vendor, the other application, gives customers a huge incentive to go with a single provider so there is only one company to call when things go wrong. Do not put them in that position.
Lyons concluded that users are well advised to go with their industry standard. In those industries where .Net is dominant, you should probably go with .Net, and likewise with J2EE. That way you are assured of finding the application software and support you require.
XML METADATA
Owen Ambur
Co-Chair XML Community of Practice
http://colab.cim3.net/cgi-bin/wiki.pl?WikiHomePage
Owen Ambur asked to share his presentation with “someone who actually knows something about it,” Michael C. Daconta of the Dept. of Homeland Security.
Ambur explained the difference between records and non-records. Records have authenticity, reliability, integrity and usability (ISO 115489). Databases are not good record-keeping systems because they lack integrity: every database has an administrator, insiders have motives, and manipulation of data is built into databases.
Ambur asked: if the IT system on which you are spending the taxpayers’ money does not create “records,” which of those four attributes do you intend to ignore?
He emphasized the importance of trust and pointed out that in the Bureau of Indian Affairs litigation, neither complainant nor judge trusted the Bureau of Indian Affairs.
Michael C. Daconta
Metadata Program Manager, Dept. of Homeland Security
Mr. Daconta described the XML profile of the Federal Enterprise Architecture Data Reference Model (FEA DRM). It defines the categorization, exchange, and structure of data. The current terrorist data reference model is mostly in XML. Daconta suggested that sharing information should be done in a “frying” mode (the message should not be tightly coupled to the Web service).
Daconta pointed out that RSS is not information exchange; it is publishing.
SECURITY VULNERABILITIES
Stuart Moore
http://www.securitytracker.com/
Security vulnerabilities have soared since 2000. Most vulnerabilities occur within application software, with far fewer in operating systems and hardware. Of the vendors, Microsoft has the most vulnerabilities, by a three-to-one margin (though Moore stressed this does not mean Microsoft software is worse than others). GNU has the fewest vulnerabilities. Microsoft IE leads product vulnerabilities, with Oracle Database reporting the fewest.
Buffer overflow and input validation errors are by far the most common security vulnerabilities. Moore said SecurityTracker does not count bad design as a security vulnerability.
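The two vulnerability classes Moore singles out, as an added illustration that is not from the seminar or from SecurityTracker: a fixed-size customer-id field (the field name, its 12-character limit and its allowed character set are assumptions made for this example) copied with no bounds check, beside a checked version that validates length and characters and reports a status before writing anything.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field length is an assumption for this example, not a value from the seminar. */
#define CUSTOMER_ID_LEN 12

enum field_status {
    FIELD_OK = 0,
    FIELD_TOO_LONG = 1,
    FIELD_BAD_CHAR = 2,
    FIELD_NULL = 3
};

/* The pattern behind the buffer-overflow class: the destination size is never
 * consulted, so any input longer than CUSTOMER_ID_LEN writes past the buffer.
 * Kept only for contrast; nothing in this example calls it. */
void copy_customer_id_unchecked(char dst[CUSTOMER_ID_LEN + 1], const char *src)
{
    strcpy(dst, src);   /* unbounded copy */
}

/* Hardened form: bound the scan, check length and character set first, and
 * only then copy. Rejected input leaves dst untouched. */
enum field_status copy_customer_id_checked(char dst[CUSTOMER_ID_LEN + 1], const char *src)
{
    if (dst == NULL || src == NULL)
        return FIELD_NULL;

    /* Bounded length scan: stop one past the limit so an over-long or
     * unterminated input cannot drive the loop past the field size. */
    size_t n = 0;
    while (n <= CUSTOMER_ID_LEN && src[n] != '\0')
        n++;
    if (n > CUSTOMER_ID_LEN)
        return FIELD_TOO_LONG;

    /* Input validation: only letters, digits and '-' are accepted (assumed policy). */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '-')
            return FIELD_BAD_CHAR;
    }

    memcpy(dst, src, n);
    dst[n] = '\0';
    return FIELD_OK;
}

/* Convenience wrapper: validate into a local buffer and return only the status. */
enum field_status check_customer_id(const char *src)
{
    char buf[CUSTOMER_ID_LEN + 1];
    return copy_customer_id_checked(buf, src);
}

int main(void)
{
    /* Constructed sample inputs: a valid id, an over-long one, and one with a space. */
    const char *samples[] = { "AB-1234", "123456789012345678901234", "AB 12" };
    char out[CUSTOMER_ID_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum field_status s = copy_customer_id_checked(out, samples[i]);
        printf("%-26s -> status %d%s%s\n", samples[i], (int)s,
               s == FIELD_OK ? ", stored: " : "", s == FIELD_OK ? out : "");
    }
    return 0;
}
```

The checked version never touches the destination until both the length and the character set have passed, so a rejected input cannot leave a partially written field behind; returning a distinct status per failure also gives the caller something to log, which is where detection of probing input starts.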
It was long assumed that the public disclosure of a vulnerability triggered attacks, but oddly enough most attacks occur after the announcement of a patch.
MITRE is maintaining a standardized list of common vulnerabilities and exposures (http://cve.mitre.org/).
PROTECTING PRIVACY ON THE WEB
Mary Ellen Condon, SRA International
Protecting privacy requires that privacy considerations be integrated into business processes. A privacy impact assessment should be part of the requirements process. We are starting to see more privacy requirements in Requests for Proposals. Privacy protection inspires trust and increases citizen cooperation.
IDENTITY THEFT
James Kasprzak
National Defense University
Kasprzak characterized the current debate over identity theft as the “perfect storm” of technological change, citizen perception and criminal activity. Throughout his presentation Kasprzak stressed the connection between privacy and identity security.
He talked about his own experience of ID theft. He noticed that for eighteen months a mysterious 37¢ had been added to his VISA bill. It turned out that someone in Eastern Europe had a scam where he was charging 37¢ on millions of VISA cards. VISA knew but took no action. Kasprzak’s response was to change to MasterCard. (This is an excellent example of how poor security and poor customer service can combine to create a public relations disaster. The identity theft expert at the National Defense University is telling every audience he talks to that VISA does not take security seriously.)
ID theft generally does not begin electronically. Usually it involves the theft of a wallet or unauthorized access to a social security number, credit report, resume, or similar document. The victim can experience difficulty conducting banking or other commercial transactions, and the thief can commit crimes in the victim’s name.
In the current environment, network insecurities, interception of information (sniffing), interception of wireless information, inadvertent receipt, and weak security all contribute to identity theft.
Kasprzak suggested that technical solutions include IPv6 internet privacy, a change of priorities at Microsoft, a national ID card with a chip, and encryption. Consumers can report ID theft to the Federal Trade Commission, http://www.consumer.gov/idtheft/.
Kasprzak was not enthusiastic about biometric solutions, pointing out that a woman’s retina changes when she is pregnant.
He concluded by saying that information technology is constantly affecting citizens and that, if you are a system designer, you are the guardian of privacy.
