With over 4.5 billion mobile and fixed phones out there as of November 2007, the phone represents the most ubiquitous user interface out there. As ???mashups??? on the Web let us quickly and easily access information from multiple data sources, how do we extend those mashups to the world of the phone? How do we bring the old world of voice and telephony into the new world of the Web, social networks, and social media? And how do we do that using open source tools and open standards?

If any of you will be attending, please do drop me a note as I always enjoy meeting up with people who read this blog. If you are not attending but are interested, it's not too late... you can still register at the OSCON site. Should be a great convention for those interested in open source development. The schedule is pretty amazing as it truly has a collection of some of the best folks out there in the open source world. (The convention starts on Wednesday with Monday and Tuesday being for tutorials.) I'm definitely looking forward to the event!

Technorati Tags: open source, conferences, oreilly, development, python, voicexml, ccxml, sip, portland, dan york

With over 4.5 billion mobile and fixed phones out there as of November 2007, the phone represents the most ubiquitous user interface out there. As “mashups” on the Web let us quickly and easily access information from multiple data sources, how do we extend those mashups to the world of the phone? How do we bring the old world of voice and telephony into the new world of the Web, social networks, and social media? And how do we do that using open source tools and open standards?

If any of you will be attending, please do drop me a note as I always enjoy meeting up with people who read this blog. If you are not attending but are interested, it's not too late... you can still register at the OSCON site. Should be a great convention for those interested in open source development. The schedule is pretty amazing as it truly has a collection of some of the best folks out there in the open source world. (The convention starts on Wednesday with Monday and Tuesday being for tutorials.) I'm definitely looking forward to the event!

Technorati Tags: open source, conferences, oreilly, development, python, voicexml, ccxml, sip, portland, dan york

People pretty quickly realized that plain HTML was not enough, so developers invented CGI/PERL for more dynamic sites. Once they wanted to scale and pool they built out ASP and JSP, then to deliver middle tier components they developed EJB, J2EE, and DCOM. After that there were a lot of heterogeneous systems that needed to talk to each other so SOAP and XML came along to address that. This path diverged into ultra-simple (REST) and more powerful but baroque (SOA), and finally, the user side got some love with Web 2.0 technologies. That's a heck of a lot of engineering and innovation by the software development community for plus or minus 8 years.

Now lets' check in with the developer's brethren over in information security. Well, once the web came along the information security community quickly realized that network address translation was going to be important, and further that encrypting the communication channel between the browser and the web server was also crucial. And then, they addressed all the security issues ASP, JSP, EJB, J2EE, DCOM, SOAP, XML, REST, SOA, and Web 2.0 with....umm...more of the same!

That's a pretty poor showing for innovation considering the enterprise investment into information security. Sure the software developers' have a bigger budget, but come on infosec - show some pride!

Infosec types like to throw developers under the bus for security issues, but its a collective failure. Sure developers need to learn more about secure coding, but as the table above shows - security is not keeping pace, and the gap is getting bigger.

Here is another dimension to the problem - attackers *do* evolve. The new technologies provide far greater attack surface (data, method and channels) for the attacker's to exploit and/or launch attacks from.

Because the defenses have not evolved its a simple evolutionary adaptation for attackers to go around or through the 1995 defenses. Its not about SOAP going through the firewall, its about never bothering to secure the apps and the data. Its like saying to your opponent, remember the how the Detroit Lions played defense in a certain game in 1995, we were just going to do that.

So with the software developer's latest evolution we get Mr. O'Reilly's famous Web 2.0 meme map

but where is the co-evolution in infosec? there is non. There is co-evolution in the attacker space. here is a sample web 2.0 attacker meme map

So the firewall offers great protection if your adversary is using Visio, but otherwise its mostly useless.

So we would want to see two things happen - developers start writing more high assurance code and second - infosec needs to evolve its security services to form fit to that which they are protecting. Hint - it ain't a Visio diagram.

The thing is - we are getting getter tools. Static analysis is a very powerful tool to improve your software security from a bottom up perspective and it can scale. These tools continue to get better. We are are getting better standards - WS-Security, WS-Trust, and company enable fundamentally new security architectures. And we're getting better primitives, especially in the identity space - SAML, Cardspace, and friends will one day let us live in a world where users are not typing username and password into a web browser to do online banking.

So maybe the innovation tide is turning, but there is a lot of ground to catch up, infosec about a decade behind the developers and probably close to that far behind the attackers. Its going to take something special to catch up, but is there any other way? I think a big part of catching up is putting together a realistic pragmatic blueprint to evolve your security architecture - a roadmap that addresses your people, processes, and technology. There are standards, primitives, and tools to leverage, but by themselves they are just pieces, they have to be brought together into a cohesive design. Its not an overnight thing to realize this, but the point is for infosec to *begin* the evolutionary process. Now. For real use cases. Using the security protocols, mechanisms, and skills we have available now.

The Road goes ever on and on,

Down from the door where it began.

Now far ahead the Road has gone,

And I must follow, if I can,

Pursuing it with eager feet,

Until it joins some larger way

Where many paths and errands meet.

And whither then? I cannot say.

-J.R.R. Tolkien,The Hobbit

We all know that Oracle just bought BEA.

Personally, I would have recommended Oracle to buy TIBCO instead of BEA. TIBCO has great technology and their software stack is richer and more diverse that BEA’s. TIBCO spends a lot of  development resources on their graphical user interfaces and design-time and modelling environment to make business integration very easy.  TIBCO’s stockholders, like most great companies with a long history of the same executive management and management style, would greatly benefit from the acquisition.

Citigroup’s John Reilly Walsh upgraded TIBCO (TIBX) shares to Buy from Hold based on Oracle’s purchase of BEA. John thinks TIBCO, the last real middleplayer on the block, will also be purchased, and names IBM as the most likely candidate, “but adds that SAP, Hewlett-Packard (HPQ), Oracle (ORCL), Sun Microsystems (JAVA), EMC and Cisco (CSCO) all could potentially be interested.”

If Oracle bought TIBCO, a very interesting idea, that would leave Oracle the King of Integration (KOI). I don’t think HP, EMC or Cisco would want to purchase a company that is so fundamentally different than their core business.

This begs the question if Sun would want to buy TIBCO and challenge Oracle now that Sun has purchased MySQL?

So the three most likely scenarios are:

• IBM buys TIBCO
• Sun buys TIBCO
• Oracle buys TIBCO

In my opinion, the most interesting scenario would be Sun following their purchase of MySQL with a purchase of TIBCO. This could create a strong competitor to Oracle.

On the other hand, Oracle would benefit from the purchase, if only a defensive mechanism against a Sun/MySQL/TIBCO triple-threat, and they would get great technology at the same time.

I would be surprised if IBM buys TIBCO, but if they do, this would also keep things interesting!

From a cultural perspective, the TIBCO culture and the Sun culture are the best match.   I don’t think that the SAP or  IBM cultures are very suitable for TIBCO employess.  So, if you toss in the cultural perspective, Sun, cash rich and in acquisition mode, seems the most likely candidate to buy TIBCO.