Congratulations to:

Apptix

Hughes

Merkle

Sourcefire

EM7 at the Merkle NOC

And we must point out that Hughes topped the Maryland Technology Fast 50 list with an astounding growth rate of 138,762% over the past 5 years! Wow, it would be tough for any company in the world to beat that growth rate, but all kudos must go to Hughes and this incredible achievement. I’m sure we’ll see them on the National Technology Fast 500 list coming out soon.

Now I would like to say that without ScienceLogic and EM7 much of this would not have been possible, but of course that statement would be an incredible stretch. What I can say is that our product and our technology has had a profound impact on the operational efficiency for HughesNet, so perhaps you can give us, using a basketball analogy, 12 assists in the game.

Interesting to note, several other award winners are in the midst of product evaluations as we speak. I think that EM7 Meta-Appliances are a strategic weapon within each of these businesses to leverage our technology in interesting ways which create huge organizational value and operational efficiencies.

So to all those companies who have won this year… a BIG congratulations from the bottom of my heart. For our existing customers who made the list this year… keep working hard so you can make it again next year. For ScienceLogic, stay tuned in: We were not quite big enough to make the list last year, however I am very excited about our growth in 2008 and am quietly confident that you will see us on the Virginia Fast 50 list next year!

OnAir was chosen for A380 service, with the initial rollout--especially for international flights--using the 64 Kbps Inmarsat satellite offering, which is too paltry for anything but limited text communication. When the recently launched Pacific satellite is active--which may take up to a year--OnAir and Qantas can upgrade to the luxurious nearly 500 Kbps per channel service.

The head of OnAir is pushing some mighty serious horsehockey, however, when he says as quoted by Flightglobal that he "is confident that once the full service is up and running, passengers will be able to access the Internet 'in exactly the same way as they can on the ground.'" That may be the case in terms of access, but not in terms of cost. The cost will be enormously high unless OnAir has a magic deal with Inmarsat that's previously undisclosed. I suspect a per MB charge will be in effect that will discourage much use. Calls and texting could be carried over the same system, of course.

Qantas plans to continue to work with Aeromobile for domestic service, with calls and texting available, on their Boeing 767-300s and Airbus A330-200s, Flightglobal reports. Aeromobile has plans to launch a full Internet service later this year using cached and live content. [link via Fabio Zambelli]

Howard Schmidt, who was once the CSO of Microsoft, knows a thing or two about vendors shipping insecure software.  He offers this advice relating to his iPhone, “Just because a piece of software was distributed through Apple’s App Store, don’t assume that it is vulnerability free.”  I think that sums up the problem pretty well.  Customers assume the software they are getting is vulnerability free until it is proved otherwise.

If it’s distributed by the Apple Store it is coming from a trusted brand. “It must be secure”, many think.  The same thinking is used by people who install social networking applets and give them access to their personal data.  Someone, somewhere is taking care of the software security so I don’t have to.  It must be the platform provider, the store, some industry body, my antivirus provider, or maybe even the government.

You can see how this thinking pervades the consumer space because there are regulatory bodies governing all other aspects of safety and security in our personal lives.  I’m safe in a plane or car because the government is looking out for me with standards and testing requirements.  I am safe in the mall parking lot because the men in the white SUV are patrolling.

This thinking also pervaded the b2b space.  I talk to companies which are outsourcing critical applications to offshore development companies and they assume that security testing is taking place as part of the development process.  I ask them if they have made security quality part of the requirements of the project and they say no.  Then I ask them what evidence does the offshore developer provide to demonstrate they have a certain level of security quality in the software they are producing and they tell me they have never asked.

I can tell you what would happen if they did ask because I have also spoken with the offshore developers.  They have no evidence.  Their concern is getting the software functionality done on time and on budget. They consider fixing security vulnerabilities, once discovered, rework which the customer pays for.  So not only are they not looking for vulnerabilities and relying on the customer to find them, they are charging the customer to fix the problems.  The customer has to this date accepted this model.

The same goes for commercial off the shelf software and open source.  Surely the developers writing the software are trained in secure software engineering.  Surely commercial software companies are using 3rd parties to test their software just like the banks have the big 4 audit their accounting or auto manufacturers submit to testing by the NHTSA. And of course open source has “many eyes” reviewing the code for security defects and informing the developers.  The customer has accepted a model where this is almost never true.

But times are changing and it is partially due to the availability of software that can automate the process of looking for security vulnerabilities. David Rice, the author of “Geekanomics: The Real Cost of Insecure Software” was interviewed recently by Drazin Drazic his Beast or Buddha blog.  He said the trend is toward a future of secure software and automated security analysis is one of the sparks:

BorB: I recently wrote in a post that little is changing. We are not learning from the lessons of the past. There are few, if any new technologies that exist today, that we have great faith and trust in as being secure now, and expecting them to continue to be secure in the future. Any solutions to even basic security issues need a starting point and a significant change to current thinking, and even then, it will takes years to see the impacts of this. What are your thoughts on this? Are we seeing anything at present to make us more confident of the future?

DR: It is true that it takes years to see the positive impacts of a change of mindset. And we are in the unfortunate position of repeating many old lessons.

At base, human history is a collection of exhaustive, expensive, and protracted engagements; only the relentless survive and have a chance at succeeding (notice no guarantee here). Confronting some of our most complex problems like highway safety, nuclear proliferation, or insecure software is painful, difficult, complicated, and troublesome. Human endeavors of any significance are like this. But we must do it. The inertia of culture and status quo is difficult to overcome, but overcome it we can; otherwise, we would not have the better parts of the world we enjoy today.

I believe the technology space is no different. We are just a little dazed and bewildered by all the changes technology has introduced so quickly and on such a grand scale. For every change we react to, another two or three rapidly appear.

I do see sparks of hope emerging. In the United States some members of government are beginning to understand the problem and are willing to start discussing how to approach insecure software from a policy perspective. On the technology front, companies like Ounce, Fortify, and Veracode are beginning to give software buyers an automated method of evaluating assurance levels of software. While not complete in and of themselves, these solutions are, as I stated, “sparks” that can help us progress down paths that were once not easily open to us.

As for the larger issue of cyber security, which software assurance is only a part of, society has a lot of adjusting to do. The Internet is a new environment for many still, and many more to come. There is a learning curve that must be confronted. It took the United States almost 80 years to develop the highway system we know and enjoy today. Nearly $400 billion was spent on this endeavor with hundreds of thousands of lives lost. As this shows, learning how to govern and navigate a new environment is expensive. Failing to learn even more so.

Independent, automated, and repeatable software security testing is an essential component of a safe and secure online environment.  Without it we are stuck with the assumption of vendors perfoming software security as our imaginary security blanket that allows us to operate in the current online world.

Howard Schmidt, who was once the CSO of Microsoft, knows a thing or two about vendors shipping insecure software. He offers this advice relating to his iPhone, “Just because a piece of software was distributed through Apple’s App Store, don’t assume that it is vulnerability free.” I think that sums up the problem pretty well. Customers assume the software they are getting is vulnerability free until it is proved otherwise.

If it’s distributed by the Apple Store it is coming from a trusted brand. “It must be secure”, many think. The same thinking is used by people who install social networking applets and give them access to their personal data. Someone, somewhere is taking care of the software security so I don’t have to. It must be the platform provider, the store, some industry body, my antivirus provider, or maybe even the government.

You can see how this thinking pervades the consumer space because there are regulatory bodies governing all other aspects of safety and security in our personal lives. I’m safe in a plane or car because the government is looking out for me with standards and testing requirements. I am safe in the mall parking lot because the men in the white SUV are patrolling.

This thinking also pervaded the b2b space. I talk to companies which are outsourcing critical applications to offshore development companies and they assume that security testing is taking place as part of the development process. I ask them if they have made security quality part of the requirements of the project and they say no. Then I ask them what evidence does the offshore developer provide to demonstrate they have a certain level of security quality in the software they are producing and they tell me they have never asked.

I can tell you what would happen if they did ask because I have also spoken with the offshore developers. They have no evidence. Their concern is getting the software functionality done on time and on budget. They consider fixing security vulnerabilities, once discovered, rework which the customer pays for. So not only are they not looking for vulnerabilities and relying on the customer to find them, they are charging the customer to fix the problems. The customer has to this date accepted this model.

The same goes for commercial off the shelf software and open source. Surely the developers writing the software are trained in secure software engineering. Surely commercial software companies are using 3rd parties to test their software just like the banks have the big 4 audit their accounting or auto manufacturers submit to testing by the NHTSA. And of course open source has “many eyes” reviewing the code for security defects and informing the developers. The customer has accepted a model where this is almost never true.

But times are changing and it is partially due to the availability of software that can automate the process of looking for security vulnerabilities. David Rice, the author of “Geekanomics: The Real Cost of Insecure Software” was interviewed recently by Drazin Drazic his Beast or Buddha blog. He said the trend is toward a future of secure software and automated security analysis is one of the sparks:

BorB: I recently wrote in a post that little is changing. We are not learning from the lessons of the past. There are few, if any new technologies that exist today, that we have great faith and trust in as being secure now, and expecting them to continue to be secure in the future. Any solutions to even basic security issues need a starting point and a significant change to current thinking, and even then, it will takes years to see the impacts of this. What are your thoughts on this? Are we seeing anything at present to make us more confident of the future?

DR: It is true that it takes years to see the positive impacts of a change of mindset. And we are in the unfortunate position of repeating many old lessons.

At base, human history is a collection of exhaustive, expensive, and protracted engagements; only the relentless survive and have a chance at succeeding (notice no guarantee here). Confronting some of our most complex problems like highway safety, nuclear proliferation, or insecure software is painful, difficult, complicated, and troublesome. Human endeavors of any significance are like this. But we must do it. The inertia of culture and status quo is difficult to overcome, but overcome it we can; otherwise, we would not have the better parts of the world we enjoy today.

I believe the technology space is no different. We are just a little dazed and bewildered by all the changes technology has introduced so quickly and on such a grand scale. For every change we react to, another two or three rapidly appear.

I do see sparks of hope emerging. In the United States some members of government are beginning to understand the problem and are willing to start discussing how to approach insecure software from a policy perspective. On the technology front, companies like Ounce, Fortify, and Veracode are beginning to give software buyers an automated method of evaluating assurance levels of software. While not complete in and of themselves, these solutions are, as I stated, “sparks” that can help us progress down paths that were once not easily open to us.

As for the larger issue of cyber security, which software assurance is only a part of, society has a lot of adjusting to do. The Internet is a new environment for many still, and many more to come. There is a learning curve that must be confronted. It took the United States almost 80 years to develop the highway system we know and enjoy today. Nearly $400 billion was spent on this endeavor with hundreds of thousands of lives lost. As this shows, learning how to govern and navigate a new environment is expensive. Failing to learn even more so.

Independent, automated, and repeatable software security testing is an essential component of a safe and secure online environment. Without it we are stuck with the assumption of vendors perfoming software security as our imaginary security blanket that allows us to operate in the current online world.

A couple of notes from the first day’s  keynote address “IT Operations Management Scenarios: Trends, Directions and Market Landscape” by Donna Scott – VP and Distinguished Analyst at Gartner Research.

Donna: Today customers are looking for 100% availability for their externally facing business systems. Five 9’s are no longer enough. They expect IT to deliver the right services at the right cost with the right service levels.

My aside: How many of you are like me? When I listen to analysts or read the research, part of me is always asking – how applicable is this to me now? How rooted is what they are saying in the practical day-to-day operations that our customers need help with now? Well, how short-sighted of me.

Donna: “Best-in-class organizations manage through the day-to-day turbulence of change but also keep an eye on the long-term nirvana of IT operations management.” And that creating a continuous optimization culture is necessary to improve over time – this needs to be baked into the corporate IT culture. Food for thought for all of us.

Interesting quick polls of the audience – some results were surprising; some were funny; and some were validating.

I. What are the Top 3 pressures on IT Infrastructure and Operations Management:

1) 24 x7 availability: 82%

2) Business continuity and disaster recovery: 70%

3) Cost reduction and/or cost management: 67%

On a personal note – supporting/deploying SOA came in at the bottom of this poll. Enough said.

II. What grade would you give the IT Infrastructure and Operations Management vendors?

A 1%

B 14%

C 49%

D 17%

F 4%

Last year – the average grade ended up being C- so the grade went up slightly this year.

III. What IT Infrastructure and Operations Management vendor are you most confident in to help achieve “ERP for IT”? (Dave will cover this topic later this week.)

HP 20%

IBM 16%

BMC 16%

CA 4% (lingering bad rep?)

Microsoft 8%

Oracle 4%

EMC 4%

Other 5%

And the winner was “NONE OF THE ABOVE” with 23% of the responses.

ShareThis

Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This law suit is being fought as much in the court of public opinion as it is in the courts of law.  For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit.  From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend.  The pity for Trend is that Chen actually does make clear the difference between just Clam AV being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source  but about money.  I think Chen shoots Trend in the foot with this argument.  She seems to say that because Barracuda is a for profit company that is why they are suing them. If ClamAV was making money, they would sue them too is dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money than. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit.  You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend.  It could be this same reason that played apart (I think is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.

Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions:

1. This law suit is being fought as much in the court of public opinion as it is in the courts of law.  For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit.  From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend.  The pity for Trend is that Chen actually does make clear the difference between just Clam AV being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not about who makes money from it, they might be able to get the open source community to leave this one alone.

2. In Trend's view this is not about open source  but about money.  I think Chen shoots Trend in the foot with this argument.  She seems to say that because Barracuda is a for profit company that is why they are suing them. If ClamAV was making money, they would sue them too is dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money than. If ClamAV was making money Trend would sue them too?

3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako.  But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day.

4. The last thing they want is to get Sourcefire involved in this suit.  You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend.  It could be this same reason that played apart (I think is the big reason) in Barracuda bidding for Sourcefire.

In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit.