
Archive for the ‘Information Systems’ Category

The Cognitive Corporation™ – An Introduction

Monday, September 26th, 2011

Given my role as an enterprise architect, I’ve had the opportunity to work with many different business leaders, each focused on leveraging IT to drive improved efficiencies, lower costs, increase quality, and broaden market share throughout their businesses.  The improvements might involve any subset of data, processes, business rules, infrastructure, software, hardware, etc.  A common thread is that each project seeks to make the corporation smarter through the use of information technology.

As I’ve placed these separate projects into a common context of my own, I’ve concluded that the long term goal of leveraging information technology must be for it to support cognitive processes.  I don’t mean that the computers will think for us, rather that IT solutions must work together to allow a business to learn, corporately.

The individual tools that we utilize each play a part.  However, we tend to utilize them in a manner that focuses on isolated and directed operation rather than incorporating them into an overall learning loop.  In other words, we install tools that we direct without asking them to help us find better directions to give.

Let me start with a definition: similar to thinking beings, a cognitive corporation™ leverages a feedback loop of information and experiences to inform future processes and rules.  Fundamentally, learning is a process, and it involves taking known facts and experiences and combining them to create new hypotheses, which are tested in order to derive new facts, processes and rules.  Unfortunately, we don’t often leverage our enterprise applications in this way.

We have many tools available to us in the enterprise IT realm.  These include database management systems, business process management environments, rule engines, reporting tools, content management applications, data analytics tools, complex event processing environments, enterprise service buses, and ETL tools.  Individually, these components are used to solve specific, predefined issues with the operation of a business.  However, this is not an optimal way to leverage them.

If we consider that these tools mimic aspects of an intelligent being, then we need to leverage them in a fashion that manifests the cognitive capability in preference to simply deploying a point-solution.  This involves thinking about the tools somewhat differently.

(more…)

Fuzzing – A Powerful Technique for Software Security Testing

Friday, January 21st, 2011

I was participating in a code review today and was reminded by a senior architect, who started working as an intern for me years ago, of a testing technique I had used with one of his first programs.  He had been assigned to create a basic web application that collected some data from a user and wrote it to a database.  He came into my office, announced it was done and proudly showed it to me.  I walked over to the keyboard, entered a bunch of junk and got a segmentation fault in response.

Although I didn’t have a name for it, that was a standard technique I used when evaluating applications.  After all, the tried and true paths, expected inputs and easy errors will be tested early and often as the developer exercises the application using the basic use cases.  As Boris Beizer said, “The high-probability paths are always tested if only to demonstrate that the system works properly.” (Beizer, Boris. Software Testing Techniques. Boston, MA: Thomson Computer Press, 1990: 76.)

It is unexpected input that is useful when looking to find untested paths through the code. If someone shows me an application for evaluation the last thing I need to worry about is using it in an expected fashion, everyone else will do that.  In fact, I default to entering data outside the specification when looking at a new application.  I don’t know that my team always appreciates the approach.  They’d probably like to see the application work at least once while I’m in the room.

These days there is a formal name for testing of this type, fuzzing.  A few years ago I preferred calling it “gorilla testing” since I liked the mental picture of beating on the application. (Remember the American Tourister luggage ad in the 1970s?)  But alas, it appears that fuzzing has become the accepted term.

Fuzzing involves passing input that breaks the expected input “rules”.  Those rules could come from some formal requirements, such as a RFC, or informal requirements, such as the set of parameters accepted by an application.  Fuzzing tools can use formal standards, extracted patterns and even randomly generated inputs to test an application’s resilience against unexpected or illegal input.

(more…)

How I Spent My Christmas Vacation

Wednesday, January 5th, 2011

(or Upgrading to Android and Windows 7)

The holidays are usually a time I can use to catch up on some extra reading or research.  This year I had two major infrastructure changes that occupied my time.  I moved from my Blackberry Storm to an HTC Incredible and from my old Gateway M680 with Windows XP to a Dell Vostro 3700 running Windows 7.  It has been a bumpy couple of weeks getting my virtual life back in order.

Before getting into some of the details of the experiences, I’ll summarize by saying that both upgrades were worth the learning curve and associated frustration.  The Incredible’s hardware and the Android OS are orders-of-magnitude beyond the Storm in terms of usability, reliability, and functionality.  On my computer, Windows 7 (64-bit professional version) provides a clean and efficient environment.  The compatibility with 32-bit applications has worked flawlessly so far.

The phone journey…

I ordered the Incredible with the intention of switching over to it during the week before Christmas.  I would be off from work that week so any issues with email and calendar wouldn’t pose much risk.  However Verizon had other plans.  A day after the Incredible arrived they shut off my Storm.  This meant I had to get the Incredible going immediately.  This was during a week that I was traveling to Alabama and Vermont so I needed my cell phone working reliably.

I was pleasantly surprised at how quickly I was fully operational with the basic services (phone, email and calendar).  Blue Slate uses Google as our hosted email service so its ease of integration with the Android environment isn’t a surprise.  The phone setup process through Verizon has changed since I got my Storm several years ago.  Making on-line changes to my services is now simple.  I quickly expanded my data plan so that I could use the 3G Mobile feature of the Incredible while at the client’s site.  No issues at all!

My main disappointment with the Incredible is its battery life. With my Storm I could go days without recharging.  Now I have to recharge my phone every night.  I’ve gone through the “kill the app” phase and found that process doesn’t really help.  I use WiFi as much as possible since that is supposed to save battery life over using the cell connection to access email and internet services.  I keep the screen dimmed and turn off location services when they are not needed.

On the bright side, the variety of applications, including a nice SSH tool, makes the phone amazingly versatile.  I don’t have to fire up my computer to check on a batch job or fix a basic database problem on our Linux servers.  The GPS services surpass my Magellan’s capabilities, so I have one less device to carry with me on trips.

All in all I’m very pleased with my move to the Incredible.  I probably would have considered the iPhone but really prefer Verizon’s coverage.  This phone should serve me well for my 2-year contract.

The computer journey…

My new Dell arrived several weeks before Christmas.  I put off doing anything with it, knowing that the process of moving my virtual life, installed and configured over the course of 4 years on my trusty Gateway laptop, would be onerous.  I’m glad I waited.  Although the Dell is a great machine, the process of getting products installed (or obtaining newer versions) and getting files and configurations in place took several days.

(more…)

Semantic Web Summit (East) 2010 Concludes

Thursday, November 18th, 2010

I attended my first semantic web conference this week, the Semantic Web Summit (East) held in Boston.  The focus of the event was how businesses can leverage semantic technologies.  I was interested in what people were actually doing with the technology.  The one and a half days of presentations were informative and diverse.

Our host was Mills Davis, a name that I have encountered frequently during my exploration of the semantic web.  He did a great job of keeping the sessions running on time as well as engaging the audience.  The presentations were generally crisp and clear.  In some cases the speaker presented a product that utilizes semantic concepts, describing its role in the value chain.  In other cases we heard about challenges solved with semantic technologies.

My major takeaways were: 1) semantic technologies work and are being applied to a broad spectrum of problems and 2) the potential business applications of these technologies are vast and ripe for creative minds to explore.  This all bodes well for people delving into semantic technologies since there is an infrastructure of tools and techniques available upon which to build while permitting broad opportunities to benefit from leveraging them.

As a CTO with 20+ years focused on business environments, including application development, enterprise application integration, data warehousing, and business intelligence, I identified most closely with the sessions geared around intra-business and B2B uses of semantic technology.  There were other sessions looking at B2C which were well done but not applicable to the world in which I find myself currently working.

Talks by Dennis Wisnosky and Mike Dunn were particularly focused on the business value that can be achieved through the use of semantic technologies.  Further, they helped to define basic best practices that they apply to such projects.  Dennis in particular gave specific information around his processes and architecture while talking about the enormous value that his team achieved.

Heartening to me was the fact that these best practices, processes and architectures are not significantly different than those used with other enterprise system endeavors.  So we don’t need to retool all our understanding of good project management practices and infrastructure design, we just need to internalize where semantic technology best fits into the technology stack.

(more…)

CIO, a Role for Two

Monday, October 11th, 2010

Actors often enjoy the challenge of a role that requires two completely different personas to be presented.  Jekyll and Hyde, Peter Pan’s Captain Hook and Mr. Darling as well as The Prince and the Pauper all give an actor the chance to play two different people within the same role.  In the case of CIOs, they are cast in a role that has a similar theme, requiring two very different mindsets.

For the CIO, this duality is described in a variety of ways.  Sometimes the CIO’s job requirements are discussed as internally and externally focused.  In other cases people separate the responsibilities into infrastructure and business.

Regardless of how the aspects are expressed, there is an understanding that the CIO provides leadership in two different realms. One realm is focused on keeping equipment operating, minimizing maintenance costs, achieving SLAs and allowing the business to derive value from IT investments.  The other realm focuses on business strategy and seeks to derive new functionality in support of improved productivity, customer service, profitability and other corporate measures.

By analogy, the first realm keeps the power flowing while the second creates new devices to plug in and do work.

One could argue that a rethinking of corporate structure might help simplify this situation.  After all, we don’t charge the CFO with maintaining the infrastructure around financial systems, including file cabinets, door locks and computer hardware.  Why should a person charged with exploiting computers for the benefit of the corporation also be charged with the maintenance of the computer hardware and software? Couldn’t the latter responsibility be provided by an operations group, similar to the handling of most utilities?

(more…)

2010 National Cybersecurity Awareness Month

Monday, October 4th, 2010

Welcome, October. There is a chill in the air here in the Northeast and visions of goblins, witches and ghosts are beginning to appear in front yards and on rooftops around the area. Although most of us associate these ideas with the paranormal, those same visions and chill serve to remind us to be ever vigilant when it comes to computer-based threats. So what better time of year to turn our attention to on-line phantoms such as viruses, worms and trojans?


The National Cyber Security Alliance chose October as National Cybersecurity Awareness Month (NCSAM). Their website contains a lot of useful materials for businesses, educators and parents. This is a great resource to use as the basis for informing your company, family and self about on-line risks and effective practices for protecting yourself and others from on-line threats.

A core tenet of the alliance’s message is to “Get Involved” and my company, Blue Slate Solutions, is doing just that. Why should we get involved? Like many aspects of life, we are either part of the solution or part of the problem. Users of the Internet who do not understand on-line risks and fail to proactively protect themselves from being victims of cyberattacks become part of the problem.

(more…)

JavaOne 2010 Concludes

Saturday, September 25th, 2010

My last two days at JavaOne 2010 included some interesting sessions as well as spending some time in the pavilion.  I’ll mention a few of the session topics that I found interesting as well as some of the products that I intend to check out.

I attended a session on creating a web architecture focused on high-performance with low-bandwidth.  The speaker was tasked with designing a web-based framework for the government of Ethiopia.  He discussed the challenges that are presented by that country’s infrastructure – consider network speed on the order of 5Kbps between sites.  He also had to work with an IT group that, although educated and intelligent, did not have a lot of depth beyond working with an Oracle database’s features.

His solution allows developers to create fully functional web applications that keep exchanged payloads under 10K.  Although I understand the logic of the approach in this case, I’m not sure the technique would be practical in situations without such severe bandwidth and skill set limitations.

A basic theme during his talk was to keep the data and logic tightly co-located.  In his case it is all located in the database (PL/SQL) but he agreed that it could all be in the application tier (e.g. NoSQL).  I’m not convinced that this is a good approach to creating maintainable high-volume applications.  It could be that the domain of business applications and business verticals in which I often find myself differ from the use cases that are common to developers promoting the removal of tiers from the stack (whether removing the DB server or the mid-tier logic server).

One part of his approach with which I absolutely concur is to push processing onto the client. The use of the client’s CPU seems common sense to me.  The work is around balancing that with security and bandwidth.  However, it can be done and I believe we will continue to find more effective ways to leverage all that computer power.

I also enjoyed a presentation on moving data between a data center and the cloud to perform heavy and intermittent processing.  The presenters did a great job of describing their trials and successes with leveraging the cloud to perform computationally expensive processing on transient data (e.g. they copy the data up each time they run the process rather than pay to store their data).  They also provided a lot of interesting information regarding options, advantages and challenges when leveraging the cloud (Amazon EC2 in this case).

(more…)

Strange, Our Enterprise Architecture Continues to Operate

Wednesday, September 15th, 2010

For years we’ve been hearing about the importance of Enterprise Architecture (EA) frameworks.  The messages from a variety of sources such as Zachman, TOGAF, HL7 and others are that businesses have to do an incredible amount of planning, documenting, discussing, benchmarking, evaluation, (feel free to insert more up-front work here) before they will have a good basis to implement their IT infrastructure. Once implemented, all the documentation must be maintained, updated, verified, expanded, improved, (once again, insert more ongoing documentation management work here).  Oh, by the way, your company may want some actual IT work aligned with its core operations to be accomplished as part of all this investment. I don’t believe such a dependency is covered well in any of the EA material.

I have always struggled with these EA frameworks.  Their overhead seems completely unreasonable. I agree that planning the IT infrastructure is necessary.  This is no different than planning any sort of infrastructure.  Where I get uncomfortable is in the incredible depth and precision these frameworks want to utilize.  IT infrastructures do not have the complete inflexibility of buildings or roads.  Computer systems have a malleability that allows them to be adapted over time, particularly if the adjustments are in line with the core design.

Before anyone concludes that I do not believe in having a defined IT architecture let me assure you that I consistently advocate having a well-planned and documented IT architecture to support the enterprise.  A happenstance of randomly chosen and deployed technologies and integrations is inefficient and expensive.  I just believe that such planning and documentation do not need to be anywhere near as heavyweight as the classical EA frameworks suggest.

So you can imagine, based on this brief background, that I was not particularly surprised when the Zachman lawsuit and subsequent response from Stan Locke (Metadata Systems Software) failed to stop EA progress within Blue Slate or any of our clients.  I’m not interested in rehashing what a variety of blogs have already discussed regarding the lawsuit.  My interest is simply that there may be more vapor in the value of these large frameworks than their purveyors would suggest.

(more…)

SQL Injection – Why Does Our Profession Continue to Build Applications that Support It?

Monday, August 23rd, 2010

SQL Injection is commonly given as a root cause when news sites report about stolen data. Here are a few recent headlines for articles describing data loss related to SQL injection: Hackers steal customer data by accessing supermarket database [1], Hacker swipes details of 4m Pirate Bay users [2], and Mass Web Attack Hits Wall Street Journal, Jerusalem Post [3]. I understand that SQL injection is prevalent; I just don’t understand why developers continue to write code that offers this avenue to attackers.

From my point of view SQL injection is very well understood and has been for many years. There is no excuse for a programmer to create code that allows for such an attack to succeed. For me this issue falls squarely on the shoulders of people writing applications. If you do not understand the mechanics of SQL injection and don’t know how to effectively prevent it then you shouldn’t be writing software.

The mechanics of SQL injection are very simple. If input from outside an application is incorporated into a SQL statement as literal text, a potential SQL injection vulnerability is created. Specifically, if a parameter value is retrieved from user input and appended into a SQL statement which is then passed on to the RDBMS, the parameter’s value can be set by an attacker to alter the meaning of the original SQL statement.

Note that this attack is not difficult to engineer, complicated to execute, or a risk only with web-based applications. There are tools to quickly locate and attack vulnerable applications. Also note that using encrypted channels (e.g. HTTPS) does nothing to prevent this attack. The issue is not related to encrypting the data in transit; rather, it is about keeping the untrusted data away from the backend RDBMS’ interpretation environment.

Here is a simple example of how SQL injection works. Assume we have an application that accepts a last name which will be used to search a database for contact information. The program takes the input, stores it in a variable called lastName, and creates a query:

String sql = "select * from contact_info where lname = '" + lastName + "'";

Now, if an attacker tries the input of: ' or 1=1 or '2'='

It will create a SQL statement of:

select * from contact_info where lname = '' or 1=1 or '2'=''

This is a legal SQL statement and will retrieve all the rows from the contact_info table. This might expose a lot of data or possibly crash the environment (a denial of service attack). In any case, using other SQL keywords, particularly UNION, the attacker can now explore the database, including other tables and schemas.
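To make the point concrete, here is an added example (not code from the original post) that runs the concatenated query from above beside its parameterized replacement against an in-memory SQLite database with a constructed contact_info table. The Java string from the post is mirrored in Python so it can be executed; the bound-parameter form is the fix the post is arguing for.

```python
import sqlite3

# Constructed sample data for the contact_info table used in the post.
SAMPLE_ROWS = [
    ("Smith", "Alice", "alice@example.com"),
    ("Jones", "Bob", "bob@example.com"),
    ("Lee", "Carol", "carol@example.com"),
]

# The input from the post that turns the WHERE clause into a tautology.
INJECTION_INPUT = "' or 1=1 or '2'='"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed contact_info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table contact_info (lname text, fname text, email text)")
    conn.executemany("insert into contact_info values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_lastname_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """Mirrors the post's Java string: the value is spliced into the SQL text,
    so quote characters in last_name change the structure of the statement."""
    sql = "select * from contact_info where lname = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def find_by_lastname_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, so it can only match (or fail to match) a literal lname."""
    sql = "select * from contact_info where lname = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo() -> dict:
    """Row counts returned by each query for a normal name and for the
    injection input; the vulnerable form leaks the whole table."""
    conn = make_db()
    return {
        "vulnerable_normal": len(find_by_lastname_vulnerable(conn, "Smith")),
        "vulnerable_injected": len(find_by_lastname_vulnerable(conn, INJECTION_INPUT)),
        "safe_normal": len(find_by_lastname_safe(conn, "Smith")),
        "safe_injected": len(find_by_lastname_safe(conn, INJECTION_INPUT)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The parameterized version needs no escaping logic of its own: the database driver sends the statement and the value separately, so the text of the statement that the RDBMS parses is fixed by the programmer, which is exactly the separation of untrusted data from the interpretation environment that the post calls for.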

(more…)

Semantic Workbench – A Humble Beginning

Wednesday, August 18th, 2010

As a way to work with semantic web concepts, including asserting triples, seeing the resulting inferences and also leveraging SPARQL, I have needed a GUI.  In this post I’ll describe a very basic tool that I have created and released that allows a user to interact with a semantic model.

My objectives for this first GUI were basic:

  1. Support input of a set of triples in any format that Jena supports (e.g. RDF/XML, N3, N-Triples and Turtle)
  2. See the inferences that result for a set of assertions
  3. Create a tree view of the ontology
  4. Make it easy to use SPARQL queries with the model
  5. Allow the resulting model to be written to a file, again using any format supported by Jena

Here are some screen shots of the application.  Explanations of the tabs are then provided.

The program provides each feature in a very basic way.  On the Assertions tab a text area is used for entering assertions.  The user may also load a text file containing assertions using the File|Open menu item.  Once the assertions are entered, a button is enabled that allows the reasoner to process the assertions.  The reasoner level is controlled by the user from a drop down.

(more…)