
RE: ??? (was RE: A simple guy with a simple problem)



You are right.  He chalks it up to "bad practices". But let's look at what
he says:

Simplify to "deploy and administer":

"Ultimately, Microsoft has lowered the ticket to entry for deploying and
administering e-commerce applications. The result of that is evident: the
industry has people, with fairly limited knowledge/experience with both
security practices and OS platforms, responsible for the design,
development, deployment, and subsequent administration of Microsoft-platform
based online applications.... This is not a Microsoft-driven issue. This
issue is clearly a failure to follow Best Practices in design, deployment,
and subsequent administration of web-based applications."

Programmer does the "simple" thing (XP: try something) despite all efforts
to explain the reality or requirement of the particular application:

"Best Practices tell us that we do not put core application logic in our
ASP, ASP+, JSP, or otherwise scripting-powerful web code."

Simplify by "lowering the standard" for what turns out to be complex task,
"not a bad thing" but....:

"I think it's pretty clear that this is not Microsoft's fault. They did
their part: vulnerabilities were discovered, and they responded quickly with
patches. If Microsoft is to be held accountable, it's for lowering the
standard required to deploy and manage distributed applications. And that,
in and of itself, is not a bad thing. ..."

Again, everyone is daring to do less:

"This is quite obviously a case of lack of security administration, and
poorly designed applications."

Is it a "metaphor"?  Call it a cautionary tale on daring to do less,
and having your customer hand your head to you.

Question for you: Do you ever get a requirement that requires all system
operations to return in under 3 seconds and the operational reliability to
be 99.99% of the time, 24/7?  Do we?

Every day, every time, in every proposal.

Len 
http://www.mp3.com/LenBullard

Ekam sat.h, Vipraah bahudhaa vadanti.
Daamyata. Datta. Dayadhvam.h


-----Original Message-----
From: Simon St.Laurent [mailto:simonstl@simonstl.com]


I don't think that article says what you're claiming it says.  Security
administrators doing a crappy job doesn't strike me as "the simple
approach", and all of the conclusions read "Failure to follow Best
Practices", not "Architects made core technology too simple".

Nor am I convinced that security examples are great metaphors for XML work.