Monthly Archives: March 2009

CA: Implementing SaaS with Clarity

At CA World last year I was given a deep dive into CA Clarity PPM, one of CA’s flagship products. Clarity has been selling like umbrellas on a rainy day, and it is still rolling up new customers despite the recession and the ruthless scything of IT budgets. That makes it an interesting product. There aren’t many areas where software spend is still rising at a double digit rate of growth.

What Is Clarity?

Clarity is PPM software, where the PPM stands for Project Portfolio Management. Consider the situation in any typical IT Department. At a given point in time there will be multiple projects in progress, all of which will bring change to the IT facility over time. Some will involve the building of new systems in-house, some may involve the implementation of package software and some may involve adding services via “the cloud.” And that’s if we only consider new software applications. There may be other projects going on that involve, say, virtualization of servers in the data center, and maybe desktop virtualization, and perhaps the implementation of asset management software and so on. All of these activities impact the IT environment over time and if they are going to be managed without creating unacceptable levels of disruption in the future they need to be managed as a portfolio of projects.

PPM is the collective management of multiple projects and it involves:

  • Project Management: You need to manage each individual project, of course, but also any dependencies between projects.
  • Demand Management: This is about managing the demand for all IT resources, both from usual requests and further demand (or the lack of it) that will arise in the future as part of on-going projects.
  • Resource Management: This is the opposite side of the coin to demand management. It is about managing resource capacity and allocation.
  • Portfolio Governance: This is the overall governance of the project portfolio; setting and enforcing rules of behavior, precedence, audit and so on.

That may or may not sound straightforward, but the activities surrounding PPM are rarely straightforward. The truth is that most PPM activity in a typical organization is poorly automated. Usually the automation is a loose alliance of Microsoft Project, email and a bizarre gathering of spreadsheets dreamed up by different people at different times desperately trying to stay in step. There’s no real coherence or ordered workflow to the system (if you can call it a system) and governance is a nightmare.

That’s the main reason why PPM is selling: IT has become too complex to manage with a patchwork of spreadsheets threaded together by email.

Clarity: Beyond The Boundaries of IT

The main reason why Clarity is the PPM leader is that the software is so flexible and configurable. All PPM vendors make claims in this area, but Clarity has it nailed. You can define and extend your data in just about any way imaginable. You can construct workflows with ease and you can add interfaces to any other software that you need to link to. Clarity has been constructed with a flexible architecture and a host of configuration options. In reality it is not so much a PPM product as a PPM platform.

Consequently, Clarity is being deployed to manage projects (and resources and demand) in many areas outside IT; in marketing departments, or in product R&D, or publishing. Clarity’s expansion into such areas has happened primarily “by contagion.” Executives have seen Clarity applied to IT and are applying it elsewhere as a consequence.

And CA itself has been doing what Clarity customers have been doing. Its GRC Manager product (where GRC stands for Governance, Risk and Compliance) is built on Clarity.

Clarity and SaaS

Given Clarity’s popularity, it isn’t surprising that CA chose to deliver Clarity as its first Software as a Service (SaaS) offering. It was pretty much guaranteed a level of success because it was on a healthy growth curve. Nevertheless the level of take-up of the SaaS service has surprised CA. It launched the Clarity SaaS service just over 9 months ago and it now has thousands of SaaS seats with dramatic levels of growth quarter over quarter and customers from every area of the globe.

Aside from the fact that the SaaS service can be implemented rapidly (in a matter of days) compared with an in-house installation, the primary advantage of the SaaS offering is that the costs come out of operating expenditure. Given that capital budgets have been shredded in most organizations, SaaS may be the only route available to adopting new product. Even when that is not the case, CA is discovering that many potential customers prefer to travel via this route when they discover it is available.


Are Rich Internet Applications Secure?

If you listened to Caleb Sima, HP’s CTO for Application Security at HP’s recent TSG Analyst Summit, you’d have to give a negative answer. Caleb gave one of those presentations that has a technical audience dropping its jaws. That’s the normal response when you see a door that should be locked tight that’s swinging wide open.

Caleb gave a demo of an HP utility that HP is currently giving away. The utility is called SWFScan (if you want a copy, click here). Here’s what the software does:

  • It decompiles applications that have been built with the Adobe Flash platform, directly extracting the ActionScript code and presenting it in a readable form.
  • It statically analyzes the code and highlights the security flaws it finds.
  • It offers solutions to the security holes it finds.

In summary, it is an auditing tool for Flash-based Rich Internet Applications (RIAs). What it reveals is, on one hand, disturbing, but on the other just what you’d expect.

The Dawn of the RIA

If you don’t know what an RIA is, it’s an application that splits itself between the client (desktop) and the server. Technically, it frees developers from the straitjacket of the browser, allowing them to build applications with any kind of look and feel they please. Applications like, for example, Twhirl (a Twitter reader) work this way. So does iTunes. You don’t think of iTunes as a browser-based app.

There are now a whole host of development tools and technologies that can develop software in this style. They include: ActiveX, Flash, JavaScript, Adobe AIR, Flex, Silverlight, Ruby on Rails, Prototype, Dojo, Google Gears, XForms, Nexaweb, XAML, Aptana, Appcelerator, JavaFX and OpenLaszlo – to mention but a few. There’s nothing inherently insecure about such development tools; it’s simply a matter of how you use them – as Caleb demonstrated in no uncertain terms.

In his demo he went to Google and did a search that threw up references to pages of Flash applications (.swf files). He then picked a few pages from the first 10 pages Google threw up, and decompiled some of the .swf files. He had no trouble finding examples of security flaws. Here’s what he was easily able to demonstrate:

  • Flash ActionScript code that has logon details and passwords embedded in it (probably left there by the programmer for testing purposes).
  • Flash ActionScript code that took you directly to pages that you were only supposed to be able to access after having gone through an authenticated login (effectively this means that you could simply skip the login).
  • Flash ActionScript code that had SQL embedded in it (effectively this provides an opportunity for SQL injection – so you could, for example, wipe a whole database, if you wanted to inject a little SQL).

It wasn’t surprising that Caleb could find examples, but it was sobering that he could find them among the first 10 results that Google threw up. He claimed that finding such vulnerabilities was not a challenge.
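The three flaw classes above are the kind of thing a static check over decompiled ActionScript can flag. The following is an added illustration written for this post, not HP’s SWFScan or any of its code; the ActionScript sample is constructed, and the patterns are deliberately simple heuristics that will produce false positives on real code.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of decompiled ActionScript (not a real
# application): it deliberately shows the three flaw classes described above.
SAMPLE_ACTIONSCRIPT = """\
var loginUrl:String = "http://app.example.com/login.php";
var adminUser:String = "admin";
var adminPass:String = "s3cret";      // left in for testing
function skipLogin():void {
    navigateToURL(new URLRequest("http://app.example.com/members/report.php"));
}
function findUser(name:String):void {
    var sql:String = "SELECT * FROM users WHERE name = '" + name + "'";
    loader.load(new URLRequest("http://app.example.com/query.php?q=" + sql));
}
"""

@dataclass
class Finding:
    line: int
    kind: str
    text: str
    advice: str

# Heuristic checks: (name, pattern, remediation). Each pattern is applied to
# one line of source, so the checks are cheap but not precise.
CHECKS = [
    ("hard-coded credential",
     re.compile(r'\w*(pass(word)?|pwd|secret)\w*\s*(:\s*\w+)?\s*=\s*"[^"]+"', re.I),
     "Remove the literal; a client binary must never carry a secret."),
    ("client-side SQL",
     re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"', re.I),
     "Keep SQL on the server and bind parameters; never build it from client input."),
    ("direct post-login URL",
     re.compile(r'URLRequest\(\s*"[^"]*/(members|admin|private)/[^"]*"', re.I),
     "The server must check the session on every such page; the client is not a gate."),
]

def scan_actionscript(source: str) -> list:
    """Return one Finding per (line, check) hit, in source-line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append(Finding(lineno, kind, line.strip(), advice))
    return findings

if __name__ == "__main__":
    for f in scan_actionscript(SAMPLE_ACTIONSCRIPT):
        print(f"line {f.line}: {f.kind}\n    {f.text}\n    fix: {f.advice}")
```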

The Nature of the Problem

The nature of the problem is that developers simply do not know or even think about IT Security when they code the applications. They were never particularly aware of the issues when they coded ecommerce apps to run in browsers and their knowledge has not improved much. It isn’t hard to avoid security problems like the ones described. But you have to understand the issues when you write the programs.

As you would expect, it takes a lot more effort to remove the security flaws once you’ve designed or written them in than it does to avoid them. So there’s good reason to self-educate here. Most of the principles are obvious. It is particularly the case that you should make it impossible to inject code at any point in a dialog between client and server.

Naturally, it will help if HP and other companies create software like HP’s SWFScan. Right now, HP only has a decompiler for Flash, but it is doing product research in this area at the moment focusing on Ajax, Flex, Silverlight and Java. Other companies should join in on the effort. The RIA world is already upon us and it’d be nice if it was more secure than it currently is.


Phactory Phishing: This Time It's Personal

The phishermen are getting sophisticated, and hence, I guess, more dangerous. I found some phish bait in my in-tray this morning.

Subject: Postal Tracking #KKPI901699BT8CR
From:
United Parcel Service of America <bphagan @phillipsenvironmental.com>

Hello!

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.  .
Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

Attached was a file named: UPS_SERV867612.exe (a virus, I’m sure – although as I use a Mac it couldn’t get executed). But the following text file was also attached:

August 21, 2008

ROBIN BLOOR
22214 OBAN DRIVE
SPICEWOOD, TX  78669

Account No. 18211-7547-4

Dear FedEx Customer:

Thank you for choosing FedEx to service your domestic and international transportation needs.

This is to confirm your Credit Card transaction of today, Thursday, August 21, 2008. Your confirmation number for this transaction is 876176893. The last four digits of your Credit card number are 0223 and your expiration date is 04/2010. Your card will be debited for $44.14. This amount will be applied against the following invoices:

Invoice No.          Date          Age          Inv. Amt          Amt. Due
8-211-75474       03/07/2008       167             44.14             44.14

If you have any questions or concerns regarding this transaction, please contact me.

Sincerely,
Cathy Leheny
U.S. Collections
(800)506-7580

What impresses me about this attempted phishing expedition is that the text file is actually genuine. I have no idea how the phishermen got hold of it, but it is a direct copy of a message that was sent to me by FedEx last year. I therefore have to be impressed – at least a little.

There are several things that give this attempt at phishing/virus infection away:

  • It claims to be from UPS but attaches a message from FedEx.
  • The email is actually from phillipsenvironmental.com, a site that doesn’t appear to exist (although it may exist as a genuine email server that has been hijacked by a hacker), and not from either UPS or FedEx.
  • The email message is poorly punctuated. There’s a floating period and no proper sign off.
  • Why would UPS or Fedex send me an executable?
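The four giveaways listed above are all mechanically checkable, which is how a mail filter would catch this kind of message before a reader has to. The following is an added example written for this post, not any vendor’s filter; the message is constructed to mirror the one quoted above (address, tracking number and attachment names are invented), and the table of carrier domains is an assumption.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Carrier names as they appear in mail, and the sender domains each uses.
# The domain table is an assumption for the example, not a vendor reference.
BRAND_ALIASES = {"UPS": ("UPS", "United Parcel Service"),
                 "FedEx": ("FedEx", "Federal Express")}
BRAND_DOMAINS = {"UPS": {"ups.com"}, "FedEx": {"fedex.com"}}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif", ".js")

@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> text content

def brands_in(text: str) -> set:
    """Carriers named anywhere in the text (case-insensitive, whole words)."""
    return {brand for brand, names in BRAND_ALIASES.items()
            if any(re.search(rf"\b{re.escape(n)}\b", text, re.I) for n in names)}

def phishing_indicators(msg: Message) -> list:
    """Return the indicators from the post that this message trips."""
    hits = []
    display_name, addr = parseaddr(msg.from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = brands_in(" ".join([display_name, msg.subject, msg.body]))
    # 1. Claims to be a carrier but is sent from a domain that carrier does not use.
    if claimed and not any(sender_domain in BRAND_DOMAINS[b] for b in claimed):
        hits.append("sender-domain-mismatch")
    # 2. The attached text names a different carrier than the mail claims.
    mentioned = set().union(*(brands_in(t) for t in msg.attachments.values()))
    if claimed and mentioned - claimed:
        hits.append("carrier-mismatch")
    # 3. A carrier has no reason to send an executable.
    if any(name.lower().endswith(EXECUTABLE_EXTS) for name in msg.attachments):
        hits.append("executable-attachment")
    # 4. The floating period and similar sloppy punctuation.
    if re.search(r"\s\.\s|\.\s+\.", msg.body):
        hits.append("sloppy-punctuation")
    return hits

# Constructed message modelled on the one quoted above (addresses and IDs invented).
PHISH = Message(
    from_header="United Parcel Service of America <bphagan@phishing.example>",
    subject="Postal Tracking #CONSTRUCTED123",
    body=("Hello!\nWe were not able to deliver postal package you sent on the 14th "
          "of March in time because the recipient's address is not correct.  .\n"
          "Please print out the invoice copy attached and collect the package at "
          "our office.\nYour United Parcel Service of America"),
    attachments={"UPS_INVOICE.exe": "",
                 "invoice.txt": "Dear FedEx Customer: Thank you for choosing FedEx."},
)

if __name__ == "__main__":
    print(phishing_indicators(PHISH))
```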

Nevertheless I have to be impressed:

I don’t believe this email was created manually. It had to be an automated attack. Hence someone has laid their hands on a large number of valid messages from package companies, along with email addresses, and has automated the production of emails like this. It would have been quite convincing (and much harder to spot) if the email had pretended to come from FedEx. I suspect that in some cases the text will match the pretended sender and that some people will run the exe file to see what happens.

A Note About Password Selection

On another subject entirely, but still on the topic of IT security, a survey by Cyber-Ark found that 14% of computer users select sequential letters or numbers (e.g. 1234, QWERTY, ABCD, etc.) for their passwords, while 16% use their first names. Another tendency is to use names of TV shows or pop singers or profanities. Other relatively common choices include: password, letmein, yes, no, idontcare, whatever (but not etc.)

The following is a list of the top ten passwords gathered from three sources: MySpace, Singles.org and phpBB (the open source bulletin board).

  1. 123456
  2. password
  3. phpbb
  4. qwerty
  5. 12345
  6. jesus
  7. 12345678
  8. 1234
  9. abc123
  10. letmein

I’ve come across password cracking software that had a list of 30,000 words it would try before resorting to a brute force (try everything) approach to guessing a password. It may be, though, that the best way to find out someone’s password is to ask them. A few years ago, a reporter in London stood at a train station asking people what passwords they used at work. Around 60% told him (although some may have lied to him).


TV and the Death of Old Media: In 10 Steps

Just because the train wreck hasn’t happened doesn’t mean it isn’t going to. Back in the late 1990s the TV industry pondered predictions that the Internet would eat the TV industry and spit out the bones. There were a number of things the Internet was going to consume.

It included all media:

  • Newspapers and magazines
  • The music industry
  • Television and video products

So let’s examine the decline of newspapers and magazines and see what it tells us about the destiny of TV. There are ten steps to the decline and fall of old media:

  1. The emergence of a new mode of distribution. In the case of newspapers, this was news web sites and news aggregators, and later, blogs. You go to an aggregator like, say, Newsvine or Google News or Reddit, to read headlines and select the news or news analysis you want. You read the articles one by one at a variety of other web sites. The “newspaper” no longer exists.
  2. Enhancement of the new mode of distribution. Initially dial-up was a gating factor to consumer use of the Internet. The Internet was not “always on.” Eventually broadband changed this, removing a mild bottleneck problem in respect of news sites and aggregators. Money poured in to drive up bandwidth (although not always profitably).
  3. The emergence of “a new profession”. Journalists and bloggers are different beasts. Many bloggers are not journalists, have never been journalists and may never become journalists. They are a new profession that is more along the lines of a columnist. Some are amateur and some surprisingly talented. The barriers to entry into “providing copy” have reduced to almost zero. Anyone can try to become a blogger.
  4. The emergence of a new packaging of the unit product. Sites such as specialist news sources and blogs sprang up and they packaged the news differently. They do not necessarily publish daily or even regularly. They focus on one area of the news, say the news about soccer or science or whatever. They are more like magazines, but they do not get read like magazines, because 90% of the readership comes through search engines or aggregator sites.
  5. The emergence of a new business model and market. The business model for both the aggregators and the providers is based on advertising and affiliation. There is no pay-per item method of monetization. It’s a tough business to survive in.
  6. The emergence of disruptive business models. Severe disruption to newspaper revenues comes from Craigslist, which does nothing but adverts and charges nothing for most of them. It has scooped up the lion’s share of the small ads business, much to the detriment of local newspapers.
  7. The decline of the old packaging. The old packaging of the unit product is no longer expected or experienced. By cherry-picking what to read from various web sites, the Internet news reader accepts sources from different countries (with different rules of spelling and different punctuation). There is no house style or standard length to articles, or standard typography or look and feel. The reader accepts that.
  8. The decline of the old mode of distribution. Over 50% of Americans use the web as their primary source of news. This has led to people ceasing to buy the “dead tree” version of the news. This decline has a consequence. The simple fact is that there are economies of scale in distributing the dead-tree news. As the scale declines this mode of distribution becomes unsustainable and eventually the newspaper dies. That’s what’s happening in the US now, with one or two newspapers living on as web sites.
  9. The gradual defection of talent to the new profession. Journalists have become bloggers either officially or unofficially, depending on circumstance. Some journalists are indeed very good writers and hence they realize that they need to plow their own furrow.
  10. The decline of the old business model and market. Newspapers and magazines now need a web presence as a matter of necessity. But with the passage of time they run into the problem that their normal mode of business and economic structure simply doesn’t fit a web operation. They are over-staffed and the cost base is too high.

Now let’s consider these same ten steps in respect of TV and video.



HP: Clouds Over Boston

I’m in Boston this week as a guest of HP at the annual HP Industry Analyst Summit, and it’s clear that the cloud is dominating HP’s collective mind in a way that surprises me. HP has never “got religion” before in the way that, for example, IBM “got religion” about “On Demand.” But it has now, and it’s no bad thing. HP is rapidly becoming cloud-centric, and not just in a marketing way. HP sees the cloud as a huge opportunity.

The Backdrop

It’s a changed world. HP is now the largest IT vendor on the planet and if you strip away its PC business and its printer business then it looks a bit like IBM. On the server side of the business it is kicking butt. It has been increasing its market share in x86 servers, non-x86 servers, storage and blades. It is #1 in all of these markets except for non-x86 servers and in the blades market it is embarrassing the competition having taken a 57% market share.

Following the acquisition of EDS, HP is now #2 in the world of outsourcing/consultancy, behind IBM Global Services, but ahead of Accenture (#3) and CSC (#4). While many commentators were negative about the EDS acquisition, I suspected it would work well (see HP and EDS: A Marriage of Convenience) and it has, thanks in part to a great deal of synergy. The merging of HP’s TSG consultancy business with EDS produced a joint footprint of 96% of the Fortune 1000, effectively doubling the presence of both parties in the large corporations. EDS had always avoided putting much server business HP’s or IBM’s way (why feed the competition?), so now there’s an EDS dividend for the HP server business, mostly at the expense of Dell. On the other side of the line EDS is winning dramatically more competitive bids than before the acquisition; for example, in Europe EDS’s competitive wins are up from about 10% to 60%.

HP is more challenged in the software area, where its portfolio is relatively small (compared to IBM or CA), although it still accounts for $2 billion in revenue. It is still digesting Opsware and no doubt there will be other acquisitions to beef up the portfolio. It misses a crucial element, imho, in that it has no identity management and has to partner to deliver what is a foundational component of both service management and security.

The whole HP ensemble of services, software and iron may be significantly less than IBM’s equivalent revenues, but it’s a much bigger footprint than it once was. Imho, IBM and HP now define the business model that is appropriate for corporate computing.

The Cloud On The Horizon

HP is embracing “the cloud” with enthusiasm. There’s a good reason for this, beyond the fact that the cloud has become the burning IT issue of the day. HP has been deeply involved in building the data centers for many of the social network companies whose primary demand is scalability and thus it has a very deep understanding of scalability in a variety of must-scale environments. Being the supplier of iron to Internet cloud operations is already a business line for HP.

At the other end of the cloud spectrum, we have traditional outsourcing, where EDS built its empire. The merger of HP’s TSG with EDS has created a consultancy division which is pretty much cloud ready in respect of large corporate contracts. So HP will span both the IT user and cloud provider market. What is not yet clear and what HP doesn’t appear to have decided yet, is whether HP will provide any services from the cloud itself.

I expect that it will in time, but right now it just isn’t a priority.
