Monday, July 27, 2009

34a Labs Splits off Commercial Side - HiSoftware founder

34alabs.com splits off commercial side - #HiSoftware #Founder teams with group from Boston to launch new venture http://tinyurl.com/n4wzyn

Pitch and Build -- Rob Yonaitis, HiSoftware Founder on new process

Hello All:

I have decided, with my partners, that in my new venture your ideas are worth something. With this in mind we will launch a pitch and build process. This means that if an advisor has an idea for a product or major feature we will:

1. Register the Pitch
2. Fly to them or fly them to Boston to hear the pitch
3. If we build the product or feature we will pay a commission for the "Idea" on every sale

Areas:

Accessibility
Privacy
Security
Q&A
Threat Modeling

more to come later... cheers - rob

This will be for partners and advisors that know what we have in development and some additional rules of course. please mail ryonaitis@gmail.com if you have any questions.

Saturday, July 25, 2009

Microsoft Office SharePoint Server, Threat Modeling, and 34a Labs Prevent Server - Rob Yonaitis HiSoftware Founder

Introduction
In today's business world it is hard to find a company that does not have specific policies and procedures for handling private information, employee data and confidential information (financial data, customer data, and so on). These procedures protect the organization and help minimize risk. It is no surprise, however, that many organizations have not considered the risk to this information, nor the paradigm shift, created by moving some of that data onto the Internet through the web sites, web applications and social networking tools that are now common in Enterprise 2.0 (E2) and Government 2.0 (Gov 2.0). Just as Human Resources departments do, the IT department must adopt policies and procedures that cover a wide range of compliance issues, from employee and customer data to general security and role-based security. These policies are usually expressed as threat models.

There are many definitions of threat modeling, and many books are available on the subject. This document uses a software-centric threat model and examines some specific threat vectors related to information handled through Microsoft Office SharePoint Server. It also presents preventive measures and other factors to consider when building a secure environment. Note that this document presents basic notions and basic threat vectors in order to start an informed discussion and encourage deeper analysis; it was not written to be an exhaustive threat model. Readers should instead develop their own model to fit their implementation.

The players
Keep the scope as narrow as possible when defining the central target of the threat model. This document looks at three similar and somewhat related targets, which can be used separately or together as a single unit.
The target set is specifically Microsoft Windows SharePoint Services, SharePoint Server 2007 and SharePoint Server Publishing Sites.

For the purposes of this document, the threat vector is content subject to compliance in general, including but not limited to all content created in or entered into the system. The attackers are the users of the system (intentionally or not) and automated systems designed to attack SharePoint Server. This document does not explain how to handle other file extensions, HTML files or simple word filters, which can be handled easily with Microsoft Forefront Server: http://www.microsoft.com/forefront/en/us/default.aspx. Nor does it analyze viruses or other platform-specific threats; it deals with the interface and the content.

The player that handles the content discussed below is 34a Labs Prevent Server. This solution provides compliance validation for: accessibility, privacy, operational security, profanity filtering, an accounting data test suite, inappropriate sites, extended keyword filtering and custom test suites.

Defining the basic threat vectors
SharePoint has become mission-critical for businesses and government organizations, and essential to Enterprise 2.0 and Government 2.0. SharePoint can be used not only to manage content but also to provide a user interface to mission-critical information handled by SharePoint or by other applications outside it. With that in mind, measures must be taken to protect the integrity of the solution and to defend it against deliberate attack. System administrators must act as the shield against viruses and malicious files, while Human Resources and IT Policy staff must protect the environment from compliance errors, risks and oversights.

Each of the compliance elements listed in the previous section has a specific threat vector to consider. This document defines the possible locations of the targets. One critical threat vector to keep in mind is the "intent" of the solution. Since SharePoint is a collaboration tool, it makes sense that an attacker would go after the collaboration points:

· Document libraries
· Blogs
· Wikis
· Team sites
· Publishing sites
· And any other collaboration, meeting, enterprise or publishing site that may be deployed

The accessibility perspective
Accessibility of the system and its content is not an attack, yet it does represent a risk. First, inaccessible content may expose the organization to legal risk. Second, a person who cannot reach information because it is inaccessible may try to obtain it some other way, and that becomes a new risk, because the person may end up reaching the information furtively through a back door in the system. Some basic threat vectors to consider are:

1. A non-accessible document added to the document library
2. Changes to a template that is not accessible
3. Non-accessible content added by a user

The privacy perspective

Privacy problems may or may not be an attack. Some basic threat vectors to consider are:

1. A user posting personal data of one or more employees on a blog, as a reply to a post, which can harm the company by violating the privacy policy
2. A user adding Human Resources documents, such as contracts or salaries, to an unprotected document store
3. Creating a template for a publishing site without the required privacy information

The operational security perspective
This may or may not be an attack. Some basic threat vectors to consider are:

1. A user posting on a blog personal information about the location of one or more officers, or unrelated personal data
2. Adding documents that include troop movements
3. A user creating a wiki page containing information about a particular weapon they like

Solutions
Implement a proactive solution that prevents malicious and non-malicious problem data from entering the system. From the moment content with compliance problems enters the system, the system is at risk. 34a Labs Prevent is more than a monitoring solution; it is proactive. It takes a completely different approach, one that lets you avoid compliance problems before they occur. As a high-performance enterprise web service, 34a Labs Prevent integrates with the content management system to send immediate results back to the system. The results carry several parameters: Pass, Fail, Validate, Message and Route. Messaging and routing are controlled by administrators, so that problem data is effectively prevented from being imported into or published in the document store. With 34a Labs Prevent it is also possible to clean the data and then publish it.

Prevention instead of monitoring
In the past, monitoring content and repairing errors after the fact made sense, given the high percentage of static data on the Internet. Today the Internet is a broad mix of content management scenarios, microblogging, E2 and Gov 2.0. There are countless kinds of social media. By the time you find the problem with a post-production solution, the risk is already present and has probably already been reproduced on several servers. That is why static monitoring does not work.


Reliable standards-based solutions

When working with security solutions, keep in mind that one solution does not solve every problem, which is why the solution must be based on standards. 34a Labs Prevent is standards-based. It runs every test through enterprise web services that have been load-tested to confirm operation with a given number of concurrent users in simulated enterprise environments; it stores data in a database built specifically for speed; it uses EARL to support real decision-making when checking results: http://www.w3.org/WAI/intro/earl.php; and it develops and tests the solutions using sound engineering methods and extended quality assurance. All of these characteristics show the reliability of the solution. Our goal is for users to think of 34a Labs Prevent as "electricity": something that is always flowing but that we should never have to touch.


Summary

This document provided an introductory analysis of SharePoint Server and of the threat vector it creates for organizations. The basics of threat modeling were examined against specific attacks on specific compliance groups. To manage compliance effectively with SharePoint you must think in the terms and practices of software threat modeling. Monitoring content that is already exposed does not prevent risk; in fact, monitoring only lets you discover that you are already compromised. 34a Labs Prevent Server can help you prevent and defend against these risks proactively. You may also want to perform a security assessment in relation to compliance. For more information, visit the 34a Labs web site: http://www.34alabs.com/

Technical terms
Threat model: Although there are multiple definitions of this term, for the purposes of this paper it refers to computer security, in which the application software designer is concerned with security and compliance problems related to compliance or system threats.

Threat vector: The path a person or a tool can use to attack the target specified in the threat model.

Acronyms
E2 - Enterprise 2.0, new technologies for managing operations within an enterprise
Gov 2.0 - Government 2.0, new technologies for managing government operations

DOWNLOAD
http://www.yonaitis.com/preventesp.pdf

Wednesday, July 22, 2009

AKS Consulting Services and TIPS by HiSoftware Founder

Need help setting up AKS, or solutions based on AKS, in your WSS or MOSS environment? Feel free to send me a mail at ryonaitis@gmail.com. There are gotchas you need to be aware of, and many enhancements that I have completed on this open source code in the last 30 days. If you just have questions, feel free to ask; if you need services, feel free to ask about those from http://34alabs.com as well.

Tuesday, July 21, 2009

UK In August

Heading to the UK in August to discuss a11y for WSS

Thursday, July 16, 2009

HiSoftware Founder Contemplates Compliance in a e20 & Gov 2.0 world

Hello All:

Do e20 and Gov 2.0 compliance anomalies related to social networking lead to a paradigm shift for compliance vendors? For example: information dissemination is now so fast and so multi-threaded that standard compliance scans are no longer enough to avoid risk. Frankly, I think there is a need, in the software-centric computer security threat modeling process, to add compliance as a threat vector. I have authored a paper that discusses this for Microsoft Office SharePoint Server. You can download it from the 34a Labs link below.

http://www.34alabs.com/MOSSandThreatModeling-Yonaitis.pdf

Cheers,
Rob

Wednesday, July 15, 2009

HiSoftware Founder to go to Rome and Munich to Discuss 34a Labs Prevent and Prevent for SharePoint

At the end of the week I will be headed to Rome, and then to Munich at the beginning of next week, to discuss 34a Labs, our open source solutions, and a new server and rich developer suite of tools and web services codenamed 34a Labs Prevent.

34a Labs Prevent allows you to manage your brand and other items that may cause risk or exposure in Windows SharePoint Services, SharePoint, and SharePoint Publishing Sites. The Prevent Server can also be used with other editors or content management systems. Mitigate risk by preventing violations from occurring. Regardless of the content, you can control and protect your data depending on browser, location, corporate policy, viewer age and more.

34a Labs Prevent deals with data elements rather than monitoring or scanning pages. Once content with compliance issues is published in your environment, the threat exists. 34a Labs Prevent is not a monitoring solution; it takes an entirely different approach, allowing you to stop compliance issues before they occur. As a high-performance enterprise Web service, Prevent integrates with the content management system to provide immediate results back to the system. Results can carry several parameters: Pass, Fail, Validate, Message, and Route. The messaging and routing are controlled by administrators, either to fully prevent the offending data from being published or imported into the document store, or to clean the data and publish it.

In the past, monitoring content and repairing it "after the fact" made some sense because of the high percentage of static data on the Web. However, the Web today is a broad combination of content management scenarios, micro-blogging, E2 and Gov 2.0. There are almost endless forms of social media. By the time you find a problem with a post-production monitoring solution, the threat has already been released into the wild, and has likely been reproduced on several servers as well. Static monitoring does not work.
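To make the Pass/Fail/Validate/Message/Route result model concrete, here is an added example of a pre-publication content gate in Python. It is illustrative code written for this page, not 34a Labs Prevent's own code (whose rules engine and result semantics the post does not document), and it serves both this post and the Solutions section of the SharePoint threat modeling paper above. The rule set (one starter rule per suite named on the page), the severity ordering of the five dispositions, the sample submissions and the auto-cleanse behaviour are all assumptions of the example.

```python
import re
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional, Tuple


class Disposition(IntEnum):
    """Outcomes handed back to the CMS, ordered by severity (assumed ordering)."""
    PASS = 0      # publish
    MESSAGE = 1   # publish, but tell the author something was flagged or changed
    VALIDATE = 2  # hold until the author fixes the item
    ROUTE = 3     # hold and send to a reviewer (privacy officer, security staff)
    FAIL = 4      # reject outright


@dataclass(frozen=True)
class Rule:
    suite: str                       # which test suite the rule belongs to
    name: str
    pattern: re.Pattern
    disposition: Disposition
    redaction: Optional[str] = None  # if set, a match can be cleansed in place


@dataclass(frozen=True)
class Finding:
    suite: str
    rule: str
    disposition: Disposition
    matched: str
    cleansable: bool


# Hypothetical starter rules, one per suite named in the post. A real
# deployment would load these from policy; the opsec list in particular is
# something each agency writes itself rather than a shipped default.
RULES = [
    Rule("privacy", "us-ssn",
         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         Disposition.ROUTE, redaction="[redacted]"),
    Rule("opsec", "movement-keyword",
         re.compile(r"\b(convoy|troop movement|deployment date)\b", re.IGNORECASE),
         Disposition.FAIL),
    Rule("accessibility", "img-without-alt",
         re.compile(r"<img\b(?![^>]*\balt=)[^>]*>", re.IGNORECASE),
         Disposition.VALIDATE),
    Rule("profanity", "blocked-word",
         re.compile(r"\bdamn\b", re.IGNORECASE),
         Disposition.MESSAGE, redaction="****"),
]


def evaluate(content: str, rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule over the submitted data element and collect the hits."""
    findings = []
    for rule in rules:
        for match in rule.pattern.finditer(content):
            findings.append(Finding(rule.suite, rule.name, rule.disposition,
                                    match.group(0), rule.redaction is not None))
    return findings


def cleanse(content: str, rules: List[Rule] = RULES) -> str:
    """Redact matches of rules that declare a replacement; other rules are untouched."""
    for rule in rules:
        if rule.redaction is not None:
            content = rule.pattern.sub(rule.redaction, content)
    return content


def gate(content: str, rules: List[Rule] = RULES,
         auto_cleanse: bool = False) -> Tuple[Disposition, str, List[Finding]]:
    """Decide what the CMS should do with a submission before it is stored.

    The most severe finding wins. When the administrator enables auto_cleanse,
    cleansable hits are redacted and downgraded to MESSAGE so the author is
    told the text was changed; hits with no redaction keep their disposition,
    so an opsec FAIL still blocks even in cleanse mode.
    """
    findings = evaluate(content, rules)
    if not findings:
        return Disposition.PASS, content, findings
    if auto_cleanse:
        content = cleanse(content, rules)
        findings = [replace(f, disposition=Disposition.MESSAGE) if f.cleansable else f
                    for f in findings]
    worst = max(f.disposition for f in findings)
    return worst, content, findings


if __name__ == "__main__":
    # Constructed submissions standing in for blog comments and wiki edits.
    for text in ["Reviewed the Q3 numbers, nothing to add.",
                 "Call Jane on 123-45-6789 about her contract",
                 "The convoy leaves at 0400 via route 7",
                 '<p>Org chart:</p><img src="org.png">']:
        disposition, cleaned, hits = gate(text, auto_cleanse=True)
        print(disposition.name, repr(cleaned), [h.rule for h in hits])
```

The point the page makes is the hook position: `gate` runs on the data element at submission time, before anything reaches the document store, so the CMS never holds the offending text. In cleanse mode a privacy hit is scrubbed and demoted to a warning, while the opsec hit still fails because nothing short of a human decision should let it through.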

I was talking with a stake holder in the EU and they asked a few questions:

I already use Forefront Security for SharePoint can I use 34a Labs Prevent for SharePoint?
Yes; in fact 34a Labs Prevent augments what is available in Microsoft Forefront Security. There is minimal overlap around keywords, while Prevent adds extensive inline capabilities.

I already have a Monitoring System do I need 34a Labs Prevent?
As stated above, monitoring is important, but when you consider content in an organizational compliance/security threat vector analysis, it is clear that 34a Labs Prevent is needed either in place of, or at a minimum to augment, any other static or scheduled monitoring.

More questions and answers can be found at the preview web page:
http://www.34alabs.com/products.htm

What can 34a Labs Prevent detect, cleanse, and/or block?
34a Labs Prevent provides an extensible rules engine, allowing it to prevent essentially anything you want it to; however, there is an extensive set of built-in test suites from which you can start. These include but are not limited to:

  • Accessibility
  • Privacy
  • Operational Security*
  • Profanity Filtering
  • Accounting data test suite
  • Inappropriate Sites
  • Extended Keyword Filtering
* The default Operational Security Suite provides base rule definitions. Individual agencies implement their own rules using the 34a Labs Prevent rule builder interface

In the coming weeks I will also be doing a couple webinars to demonstrate the solution to more organizations.

For those of you who want a look at this new and exciting (developer speak for fun enterprise tools) solution, here is the schedule: the product will be introduced in Europe in mid-July and a limited preview will be available at the beginning of August. The release candidate will ship publicly in mid-August.

feel free to mail me at ryonaitis@34alabs.com if you have any questions

http://www.34alabs.com/products.htm more information

cheers,
rob

Tuesday, July 14, 2009

RT: HiSoftware aRTE users should review this

#HiSoftware #aRTE Users should review http://tinyurl.com/nfl6bt immediately to determine if the version they have is impacted.

Monitoring the National Vulnerability Database at NIST

Hello All:

Just a quick post here on the importance of monitoring the National Vulnerability Database at NIST, sponsored by the DHS National Cyber Security Division/US-CERT. http://web.nvd.nist.gov/view/vuln/detail?execution=e1s1

As developers, we need to understand that we are developing on or for platforms. We must keep an inventory of these platforms and of all the third-party components we use in our applications, and then monitor that list for security vulnerabilities.
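The post names the practice but not the mechanics, so here is an added example, written for this page rather than taken from the post or from any NIST tooling, of the matching step: a component inventory checked against a set of vulnerability records by product and affected version range. The inventory, the advisory records and their ids are constructed and fictional; in practice you would replace `ADVISORIES` with records pulled from the NVD data feed and keep `INVENTORY` in step with your build.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One entry in the application's bill of materials."""
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A vulnerability record reduced to what matching needs: the affected
    product and the half-open version range [introduced, fixed_in)."""
    advisory_id: str
    vendor: str
    product: str
    introduced: str = "0"
    fixed_in: Optional[str] = None  # None: no fixed release, every later version is affected


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a tuple of ints so ranges compare correctly
    (2.10 must sort after 2.9, which plain string comparison gets wrong).
    Only the leading digits of each piece count; suffixes such as "-beta1"
    are dropped, an assumption of this example rather than a general parser."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the advisory names this product (case-insensitively) and the
    installed version falls inside the affected range."""
    if (component.vendor.lower(), component.product.lower()) != \
            (advisory.vendor.lower(), advisory.product.lower()):
        return False
    installed = version_key(component.version)
    if installed < version_key(advisory.introduced):
        return False
    return advisory.fixed_in is None or installed < version_key(advisory.fixed_in)


def find_exposures(inventory: List[Component],
                   advisories: List[Advisory]) -> Dict[Component, List[str]]:
    """Map every inventoried component to the advisory ids that apply to it.
    A component with an empty list is clean against this advisory set."""
    return {c: [a.advisory_id for a in advisories if is_affected(c, a)]
            for c in inventory}


# Constructed inventory and advisory set: fictional vendor, products and ids.
INVENTORY = [
    Component("example", "widgetlib", "2.3.1"),
    Component("example", "widgetlib", "2.10.0"),
    Component("example", "parserkit", "1.0.0"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "example", "widgetlib", introduced="2.0.0", fixed_in="2.3.2"),
    Advisory("ADV-EXAMPLE-2", "example", "widgetlib", introduced="2.9.0"),  # no fix yet
    Advisory("ADV-EXAMPLE-3", "example", "parserkit", introduced="1.1.0", fixed_in="1.2.0"),
]

if __name__ == "__main__":
    for component, ids in find_exposures(INVENTORY, ADVISORIES).items():
        print(f"{component.product} {component.version}: {ids or 'no known issues'}")
```

Two details matter more than they look: the range is half-open, so a component sitting exactly on the fixed version is reported clean, and versions are compared numerically, so `2.10.0` is correctly treated as newer than `2.9.0` and picked up by the unfixed advisory rather than the older one.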

From a customer support perspective, we need to make customers aware of the security practices we follow as part of our engineering process and as part of ongoing maintenance.

This is very simple and essential. If you do not have security practices and procedures you need to develop them and bring up these concerns with your leadership.

Cheers
Rob

Monday, July 13, 2009

HiSoftware Founder Commentary

One should remember when Starting a company to be prepared to defend it from people looking to take credit for things that they did not do or did not fund.

Overriding PublishingPageEX Comment Published

Hello All:

I had a good question on a blog post asking what references a developer uses when coming up with code like that in http://yonaitis.blogspot.com/2009/06/new-post-preventing-compliance-errors.html. As this is a good question, I posted a couple of comments and references on the post:

  • "In response to a comment: yes, this is nothing new and just an extension of the MOSS API, predated by the SDK of course. Other posts: RT @ryonaitis: Oldie but good description of how to embed Compliance into WCM http://tinyurl.com/lrywgg #SharePoint #waldek
  • and a much older and great post from 2007: Great blog post on adding functionality to #SharePoint PublishingPageLayoutEX http://tinyurl.com/nv7ug6 , MSDN examples are great"

What is perhaps more important is why look there!

Items to think of:


So search Google or Bing and see what other people are doing; maybe a PowerPoint or a slide will show you which API to use. The blog posts I mentioned add a specific amount of help here, as they give you a starting place for your SDK example code search. In all cases use MSDN, CodePlex and other blogs together to create any compliance solution you want for SharePoint!

Cheers,
rob

Repost: HiSoftware Founder Posts Understanding Accessibility HTML Versions

RT @ryonaitis HiSoftware Founder posts Understanding #Accessibility 2nd Edition (HTML Version and Download) http://tinyurl.com/mzrqoc

Popular Understanding Accessibility Guide now available for immediate download, no registration required.

Sunday, July 12, 2009

Engineering Related REPOST: HiSoftware Founder: New Post on Importance of Many Voices

When thinking about the HiSoftware family from its inception until the time I stepped down as Chairman of the Board and CEO, there is one unique trait that held true: Many Voices. By many voices I mean that everyone had the right to question, and everyone who was hired was likely to have comments and/or a voice to add to the discussion (view my previous post on up-hiring).

For example, unless QA approved the release, a product could not be released. This meant that if there was a defect they did not like, the product could not ship. The decision could be discussed and deliberated, but there were no closed-door meetings where decisions to release the product in spite of quality issues were made behind anyone's back (please view my comment on why QA and the engineering process are important).

New features did happen, but they were never one-offs. If enough customers, generally three enterprise customers or ten non-enterprise customers, requested something new, we would schedule a feature meeting. We had to understand the impact on product, QA, installation, sales, services and documentation, and how all of this played into the current schedule. If everyone agreed that it could be done without negatively impacting the product or the company vision, then it was built. Once again, notice the importance of the engineering process and quality assurance.

Some environments do not allow people to point out defects, or they shove them under the desk; at HiSoftware at that time, I wanted people to point out defects. We used to have bug bashes before the release of products, with pizza and sodas, and the person who found the most defects got a prize like a Borders gift certificate or a Friday or Monday off. The excitement to find defects was beyond imaginable, and I should note that there was a complete pride in the product shared by all employees.

I actually remember having employees come in to tell me that I needed to do things differently, to be a better CEO and then give me a list of why and how. I listened, respected the opinion and had some coffee with the person making the suggestions and got back to work! You cannot believe the pride that people have in their company when their voices are heard and opinions are valued! Of course there are down sides with everything but an open door policy where all voices are heard is essential to great companies!

From features to quality assurance I have discussed why many voices matter, but I don't want to forget the front line, technical support. This is, on many occasions, where the "rubber meets the road". To empower the employees, we gave all the players, including sales and anyone who dealt with the product or customer service, access to the support database and mailing lists. We did this because the voices of the customers needed to be heard. The individual in charge of customer support served as the customer advocate, and they also had the ability to hold up the release of a product until they felt it was ready to go to the customer.

Lastly, could you imagine writing documentation without being privy to the support database, the customer advocates or the engineers? The task is very difficult, as you will not know what to correct in your writing or what errata to add. In many cases the documentation led to changes in usage patterns or workflows.

So to summarize some key points on the importance of many voices of product development:

  • All people dealing with the product or customers should have access to the support database
  • The person in charge of customer support should have “stop ship” authority
  • The person in charge of QA should have “stop ship” authority
  • The person in charge of engineering should have “stop ship” authority
  • There should be a process on how new features are added
  • All employees should have the right to point out what they consider mismanagement, as a matter of policy
  • An open door policy should be instituted, literally and figuratively
  • Beyond just allowing multiple opinions, leadership should also act on the same opinions.

Have a great Sunday and don’t forget to check out another one of my books, Understanding Accessibility at http://www.understandingaccessibility.com/

Friday, July 10, 2009

HiSoftware founder Streamlines Book Distribution

Today 34a Labs published Understanding Accessibility, Second Edition. Companies can now get redistribution rights for their organization simply by requesting them by mail to ryonaitis@34alabs.com. A PDF version of the book will be embedded with your permission for reprint; if you want the Word or HTML formats, they are available as well. Turnaround time on requests is 24 hours.

http://www.understandingaccessibility.com/

HiSoftware Founder Publishes new Edition of his book Understanding Accessibility 2nd Edition

Today, under the domain http://www.understandingaccessibility.com/, the HiSoftware founder published a new edition of Understanding Accessibility and announced a Third Edition forthcoming on August 1, 2009. The substantial difference coming on August 1 is complete coverage of WCAG 2.0 and other technologies. As more information becomes available it will be published on the understandingaccessibility.com website.

Monday, July 6, 2009

Working on 34a Labs Accessibility Workshop for SharePoint

Hello All:

OK, what is 3aWS? 3aWS is a new open source project that I have started working on in my spare time. It deals with some basic requirements for compliance while delivering content via WSS v3, SharePoint 2007 and SharePoint 2007 WCM scenarios.

There are several main parts to the solution.

1. Extensions for MS AKS that are tested, extended and supportable in an enterprise environment:
  • XHTML/HTML Compliance
  • WEB Parts (OPEN Source)
  • Style Sheets
  • Master Page Handler
  • Compliance Handler


2. TTS Tools for Captioning and Transcription development as a Media Control or as an Open Source Desktop Application

3. Understanding Accessibility Updates covering WCAG 2.0 - Complete tutorial and Workshop for each potential error with guidance and more.

The complete kit will be built and tested on Litware with a Litware demo image install. More than just a set of tools, it is hoped that this open source extension will be delivered to and expanded on by the community. More information will be coming from the 34a Labs website. 34a Labs is being built as an open source repository for products and solutions initiated by Robert B. Yonaitis. http://34alabs.com/

Cheers
Rob