Sunday, March 23, 2008

Passportgate: what would you do about it?

The current Passportgate scandal in the US, involving unauthorized access to the passport files of the three presidential candidates, got me thinking about information security in enterprise applications, particularly records and content management systems.

Ensuring information security requires a multidimensional approach based on technology, process, policy, and governance. Technology alone is not the answer. However, since this is a technology-oriented blog, I will focus only on the state of the art in securing Java EE applications, particularly in the open source space.

From a technology standpoint, I see at least four potential issues: authentication, authorization/access control, audit trail, and business process.

Spring Security (formerly Acegi) has demonstrated its strength for both authentication and authorization in Spring-based portal and content/record management applications. Spring AOP (Aspect-Oriented Programming) provides an elegant and simple solution for audit trails in such systems.
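As an added illustration (not code from this post or from the Spring project), here is one way an audit-trail aspect for record access could look. It assumes current Spring Security package names and AspectJ annotation-style aspects; the `AuditedAccess` annotation, the `AUDIT` logger name, and the convention that the first method argument is the record identifier are all hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Hypothetical marker for service methods that read or change sensitive records.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface AuditedAccess {
    String recordType();
}

@Aspect
@Component
public class RecordAccessAuditAspect {

    // Dedicated logger name (an assumption) so audit events can be routed
    // to separate, append-only storage by the logging configuration.
    private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT");

    @Around("@annotation(audited)")
    public Object audit(ProceedingJoinPoint pjp, AuditedAccess audited) throws Throwable {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = (auth != null) ? auth.getName() : "anonymous";
        // Assumption: the first argument identifies the record being accessed.
        Object[] args = pjp.getArgs();
        String recordId = args.length > 0 ? String.valueOf(args[0]) : "n/a";
        // Strip line breaks so a crafted identifier cannot forge extra log entries.
        recordId = recordId.replaceAll("[\\r\\n]", "_");
        String outcome = "DENIED_OR_FAILED";
        try {
            Object result = pjp.proceed();
            outcome = "OK";
            return result;
        } finally {
            // Written in finally so rejected and failed attempts are recorded too.
            AUDIT.info("user={} recordType={} recordId={} method={} outcome={}",
                    user, audited.recordType(), recordId,
                    pjp.getSignature().toShortString(), outcome);
        }
    }
}
```

For denied attempts to reach the audit log, this aspect has to run outside the method-security interceptor, which means giving it higher precedence through Spring's aspect ordering.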

JBoss jBPM is a robust BPM engine that meets the requirements for workflow and enterprise business process orchestration between applications, services, and people.

The eXtensible Access Control Markup Language (XACML) is an OASIS standard for specifying access control policies in XML. XACML is not currently widely used in content/record management systems. One explanation is that XACML has been designed to provide access control for new services such as web services in service-oriented architectures (SOA). XACML would be challenging to use for document-level security in content repositories that have a hierarchical structure (e.g. JSR 170/283 repository model) and demand sophisticated caching for scalable and rapid access to massive amounts of content.

However, my favorite XML database (eXist) has an elegant implementation of XACML for controlling access to resources such as XQuery modules and Java methods, proving once again that Open Source is ahead in terms of innovation in the software industry.

Tuesday, March 4, 2008

Boeing 787 Flight Control Software and Composite Fuselage Tested

Randy Tinseth, Boeing Commercial Airplanes vice-president for marketing, announced on his blog that Boeing chief pilot Mike Carriker and 787 systems director Mike Sinnett successfully tested the flight-control Blockpoint 8 software code in the 787 engineering flight simulator. He wrote:
During the test, Mike and Mike demonstrated most of the operational procedures required by a flight crew - pushback and engine start at Sea-Tac airport near Seattle, taxi and takeoff, climb, cruise, simulated engine failure, descent, approach, single-engine go-around, landing, taxi and arrival at the gate at the Portland, Oregon airport.

Boeing also performed a series of tests on the composite fuselage of the B787 including "limit load", "ultimate load", and beyond 2.5 times the normal force of gravity (2.5 G). According to a Boeing press release dated 02/28/2008:
Testers observed audible indications of damage as the test progressed but the piece did not reach the level of destruction that had been anticipated.

This is a significant development because last September, Boeing announced the delay of the maiden flight of the first 787 due to flight control software issues, fastener shortage, and supply chain bottleneck. Also last year, a former Boeing engineer went public with concerns about the survivability of the 787 composite structure in case of a crash.

The maiden flight has been postponed again to June this year. First delivery to launch customer All Nippon Airways is scheduled for early 2009.

UPDATE: On April 9, 2008, Boeing announced that the 787 maiden flight has been postponed to the 4th quarter of 2008 and the first delivery to the 3rd quarter of 2009.

Speaking about the 787 globally distributed aircraft manufacturing model in an internal memo sent to Boeing employees on April 21, 2008 (and obtained by the Seattle Times), Boeing CEO Jim McNerney noted:
I expect we’ll modify our approach somewhat on future programs—possibly drawing the lines in different places with regard to what we ask our partners to do, but also sharpening our tools for overseeing overall supply chain activities.