An Insider’s View on Product Management

July 30, 2009

The importance of being first to market

Or is it? In the wake of the excesses of the late ‘90s, when colossal amounts of money were spent in the name of market share acquisition, one can seriously doubt it. What happened to the likes of, and the infamous Webvan?

As always, the truth is not as simple. Being first usually confers a serious advantage on companies but also brings its share of problems. The whole intent of being the first mover in a new market segment is to capitalize on the lack of competition to capture mind share and market share.

Position your brand in customers’ minds

From a marketing point of view, this is a unique opportunity to establish your brand as the dominant player in a new field. Who has the best cola? Coca-Cola. Who has the best car rental service? Hertz. And so on. By building customer loyalty early on with great customer service and establishing a superb reputation, a savvy product manager has the opportunity to strengthen his brand and create a formidable barrier to entry for potential competition.

However, there are risks as well in being a pioneer. The market may not be established yet, and prospects may reject your value proposition because it does not match conventional assumptions. Therefore a lot of the marketing budget will go into educating prospects, and having a few (not too formidable) competitors can help you create the marketplace. Other typical issues include having miscalculated the target audience, or the pricing might be incorrect. Finally, distribution channels might be nonexistent and will need to be created from the ground up.

Establish product leadership

From a product point of view, you get a chance to set the standard and be seen as the market reference and thought leader. By setting the bar high enough and emphasizing your unique approach and technology, a product manager can slow down the competition and force them to play catch-up with you.

Similarly, being the first market mover and the first to come out with a product carries risks. Competitors can capitalize on your customers’ feedback and on your mistakes to improve on your product. By the time they start developing their solution they typically have a much better understanding of the problems and needs in the market. Furthermore, developing new technologies is expensive and a lot of trial and error goes into the process. By observing your attempts, mistakes and successes, competitors can innovate in a much cheaper and more effective way. They might even hire some of your experienced staff away or reverse engineer your solution to benefit from your inventions.

Apple’s Newton, a market failure

Apple with the Newton is a perfect example of a first market mover that was not able to capitalize on its groundbreaking device. Apple was able to capture the public imagination with the first version of the “PDA” and basically invented a new market segment. However, the product was not technically fit, was too bulky, and was targeted at the wrong audience with a price tag that was too high. Apple had a chance to fix all this, but they were too slow in the process and the quality issues started catching up with them. A few years later, Palm, which benefited from Apple’s mistakes and experience (and from its own experience building the Zoomer with Casio), revolutionized the PDA with a cheaper, smaller and simpler solution appealing to a broader set of users.

Weigh pros and cons

Thus, product managers should carefully weigh the pros and cons of being the first mover in new markets. This is a strategy that, with proper management and marketing, can result in long-term advantages, but it also involves a fair amount of risk.

July 6, 2009

Short term success is not a strategy

Filed under: Business Strategy,Product Management — Gregory @ 11:11 am

In today’s business environment, executives are nervous. Sales are plummeting, prospects are uncertain and deals get delayed. Regardless of the unpredictable nature of the business cycle, shareholders, investors and owners hold the management team accountable for any slowdown in business. Executives are under enormous pressure to deliver quarter after quarter, and some of that pressure is often relayed to the product team.

Don’t succumb to external pressure

However, despite external pressures, short-term focus is not a business strategy. Good product managers know that valuable and successful products don’t get built in one day; it takes time. A few setbacks or bad quarters along the way are immaterial as long as the product is getting closer to the final vision.

Microsoft is the archetype of long-term strategy and planning. When entering new markets they willingly accept being simple contenders and recognize that short-term opportunities are poor. However, as long as their strategy is solid and the opportunity real, they will keep investing. They have been very successful with this approach throughout their corporate history. It all started with Windows.

A short history of Windows

Originally, Microsoft announced Windows in 1983, but the development was delayed multiple times. When Windows 1.0 was finally released in 1985, the industry was laughing. The product was poorly designed as a pure extension of MS-DOS and particularly. Even if some of the underlying concepts had a lot of merit, nobody seemed to notice: running multiple applications concurrently and using a mouse to control the interface.

Two years later, Windows 2.0 was launched and added some innovations that are now common in modern operating systems: overlapping and resizable windows, keyboard shortcuts for navigation, etc. But adoption was still poor. Finally in 1990, 7 years after the first announcement of Windows, Microsoft revealed Windows 3.0… and the industry stopped laughing. The product was a complete overhaul of the previous versions, with advanced graphics and better usability. It proved a huge commercial success with 10 million licenses sold and established one of the most dominant franchises in computer history.

Obviously Microsoft did not pick the easiest road, and most companies could not have afforded to throw money for so long at unsuccessful projects. However, you have to admire the conviction and discipline of Bill Gates, who kept investing for 7 years in his long-term vision despite so many setbacks.

Long term strategy is not a luxury

Some will argue that short-term results have become a matter of survival for many companies and that long-term planning is a luxury they can’t afford. However, this reasoning is flawed. If a company is so ill, it is typically because a lot of bad decisions were made. Why were bad decisions made? Because management was only focused on short-term prospects and gains, not on long-term strategy. If you are already in a hole, you need to stop digging. For example, the big box electronics retailer Circuit City filed for bankruptcy protection in November 2008. One year before, the company was already in a lot of trouble and a long-term strategy to compete against Best Buy and Walmart was badly needed. Despite those obvious problems, management decided instead to focus on short-term issues and laid off 3400 of its most highly paid and experienced employees. This certainly offered short-term relief to their finances but eventually backfired and only accelerated their demise.

Keep your end goal in mind

Just as when running a marathon you don’t plan your race as a succession of sprints, a product strategy should focus on long-term vision and commitment. It is the duty of product managers to maintain a steady direction for the product and avoid getting distracted by short-term opportunities and issues.

June 28, 2009

Is your software respectful of users?

Filed under: Product Design,Product Management — Gregory @ 8:50 am

The software industry stopped counting long ago how many horrific design interactions and incomprehensible user interfaces have been released. To some, it may seem that there is some black magic involved in releasing quality software: you never know what you are going to get. After all, engineering claims it is working and marketing got all the features they asked for: “What’s the problem, boss? It has all the features you requested. You can’t find out how to save a file? Check out page 734, line 24 of the manual.”

No wonder people get frustrated using computers and software. They get discouraged, they get angry and sometimes they even get violent. This poor guy cannot take it anymore.

Why bad software?

Nobody is intentionally writing software that sucks, but designing good software is difficult. There are a lot of different reasons, and it could be the subject of an entire book; here are a few:

  • Engineers are often left in charge, but they are developers, not designers. Coding is hard enough and takes all their attention
  • Unreasonable deadlines. Can you guess what is sacrificed first: user experience or features?
  • Not understanding the audience. Who are they? How much complexity can they handle? What do they need?

Fortunately, there are a few principles a product manager can follow to make products more pleasant and less alienating. A good starting point is to show some respect to users. Would you hang out with people that don’t respect you? Probably not. Similarly, people expect software to be helpful, friendly and gentle. They don’t want to be abused by it.

Show some respect

Put yourself in the user’s shoes. He is going to judge the software the same way he would judge his friends:

  1. Are you doing something without telling me? What are all those icons on my desktop and this new search bar in the navigator? I haven’t asked for those …
  2. Don’t tell me about your problems. I don’t care why you crashed or how bad your code is. Either you work or you don’t, don’t expect me to fix you, I am not a doctor.
  3. Why are you so confusing? You never do things the same way and use all those weird languages. How am I supposed to tell you what I want?
  4. Why so much information? Just get to the point. I don’t need to know most of what you are telling me. Can I turn off all this noise?
  5. Are you inciting me to make mistakes? Why do you put this delete button next to the create button? Do you want to check how accurate my clicks are?
  6. Do you think I am stupid? Why do you always ask for confirmation? I don’t want to repeat myself.
  7. Why are you making everything so difficult? I simply want to upload this picture and share it with my friends. I don’t want to compress it, change the format, modify the colors, etc. You can take care of that for me.
  8. Why can’t I change my mind? Yes I know I told you to delete that file, but I want it back now. So what?
  9. Don’t you know me better by now? Why do you keep asking the same things? We have been working together for the last 6 months but you still don’t seem to know a thing about me.
  10. Why are you so bad looking? This UI is so ugly, it is embarrassing. Do I need to keep looking at it every day?
  11. You are not alone. Are you sucking up all the resources for yourself? You must learn how to coexist with others.

Don’t make your customers feel frustrated and angry. Ship software that is respectful of them.

June 20, 2009

Measure this, measure that

Filed under: Product Management — Gregory @ 11:02 pm

Making decisions is arguably the most important responsibility for managers and executives. Their decisions are expected to be rational, methodical and are often backed up by a flurry of statistics and other numbers.

After all, statistics and numbers are an important part of the decision making process. They are hard facts that help to quickly identify issues, spot opportunities and measure progress. They are quantifiable values that can be acted on. In contrast, abstract ideas and strategy are much more difficult to assess and to debate: they are less tangible. Thus, managers tend to put a lot of emphasis on numbers and metrics. But they often forget that it’s only a small part of the story and that those numbers cannot always be trusted.

Statistics can be manufactured

The first problem with statistics is that they are easy to manipulate. In this matter the US government is a master con artist. Their favorite statistics: unemployment and inflation, also called CPI (core price index). It seems they always come in within the “acceptable range” or as expected month after month, no matter if reality seems different. In fact, Uncle Sam has a clear vested interest in understating those numbers. But curiously, media and experts typically accept government readings at face value and rarely challenge the methodologies applied.

Indeed, many government payments like social security and bond interest are directly indexed to the CPI: lower CPI translates into lower payments. Furthermore, CPI is also used to calculate GDP, so lower CPI also means higher GDP, which makes the economy look better than it is.

How do they do that? There are plenty of websites explaining the mechanics behind the CPI and all the changes over the years. But suffice it to say that the CPI excludes energy costs and food costs because those are judged too volatile, no matter how high gas and milk prices can go. It also excludes housing prices because housing is considered an investment. But most pernicious is the concept of hedonic adjustments: if the “quality of goods” changes, their price is adjusted accordingly. For example, let’s say you bought a standard computer for $1000 last year, and you buy a new standard computer for the same price this year. You would think the price has stayed the same. Not so fast… Since the computer you got this year is faster, has more memory, etc. than last year’s, the CPI price will reflect this increase in quality. In that case it actually means the inflation price for the computer went down… (I wonder if they take into account that last year’s computer had Windows XP and this year’s comes with Vista. How would that compute as a change in quality?)

Jokes aside, the point is that numbers can be and are tweaked to support somebody’s point, sometimes not even consciously. The government is doing it all the time, but they are not the only ones: ask Jeffrey Skilling, CEO of the now defunct Enron, or check how the banks got us into the current recession.

Imaginary correlations

Even if we could work with reliable and accurate numbers, the trouble is they are often meaningless. People like to point out imaginary correlations and justify why those numbers matter with… you guessed it, other numbers. There is no better example than the stock market, which is highly subject to random fluctuations. Traders, desperate to find some explanation for the chaos, dutifully analyze stock data, chart prices and other metrics in the hope of finding the magic formula behind stock moves. However, their feverish research sometimes gets misplaced and correlations are found in unexpected places. A famous example is the Super Bowl indicator, which according to Investopedia is: “An indicator based on the belief that a Super Bowl win for a team from the old AFL (AFC division) foretells a decline in the stock market for the coming year, and that a win for a team from the old NFL (NFC division) means the stock market will be up for the year.” They go on to add: “Chalk it up to coincidence, but this indicator has been surprisingly accurate (around 85% correct) over the past years. Even so, you probably shouldn’t bet the farm on it.”

Well, at least they invite caution. Is the number accurate? Probably. Is it relevant? Be your own judge.

It’s not about what you know, it’s about what you don’t know

So you gathered some good statistics, verified their accuracy and feel comfortable that those numbers are relevant to your situation. Well, the dilemma is: it’s not what you know that is going to hurt you, it’s what you don’t know. When presented with numbers, those are often taken out of context, and even if accurate they can be the proverbial tree hiding the forest.

In the excellent 2006 film satire “Thank You for Smoking”, inspired by the novel by Christopher Buckley, Nick Naylor, the main character and spokesman for the Academy of Tobacco Studies, a tobacco lobby, has the following interview during the movie:

Senator Ortolan Finistirre: And what, so far, has the Academy concluded in their investigation into the effects of tobacco?

Nick Naylor: Well, many things actually. Just the other day they uncovered evidence that smoking can offset Parkinson’s disease.

Of course, in this situation everybody knows cigarettes are harmful. Even if the tobacco industry is able to prove smoking has some unexpected health benefits, people are unlikely to be convinced by a few deceptive studies. However, in other situations, especially in the business world, the context is not always as clear. As a result, naive managers can make decisions based on a few isolated statistics, without understanding the complete picture.

No substitute for experience and intuition

Numbers can be fascinating. They inspire comfort and confidence and contain some mystical value. However, when accepted as absolute truth they can also be misleading and even plain dangerous for making decisions. A bit of caution is highly advised. Numbers are just a tool, a good starting point for reflection. They are no substitute for experience, careful analysis and intuition.

In the famous words of Einstein: “Not everything that can be counted counts, and not everything that counts can be counted.”

June 14, 2009

Developers, developers, developers, developers

It’s all about developers, developers, developers and developers. Steve Ballmer put it better than anybody during his memorable performance where he was jumping around on stage, or more recently at MIX08.

What’s at stake?

Don’t be fooled by Steve Ballmer; there is more to it than just a dance. Indeed, any platform is only as good as the applications running on it. There is hardly anything new to this. You can build the most intuitive, powerful, robust and scalable platform in the world. It means nothing until you get applications that can take advantage of those capabilities and bring value to the end users.

The demise of NeXT Computer

The best example is the rise and demise of NeXT Computer. When NeXT released its first computer in 1989, the operating system was second to none. It was crushing the competition and dwarfed Apple’s and Microsoft’s offerings. The OS was brilliant, robust and was swarming with innovations way ahead of its time. The hardware? Powerful, slick and stylish. In three words: a dream machine… As for marketing, the charismatic Steve Jobs was wowing crowds at conferences around the world. What could possibly go wrong?

Well, everybody was in awe but nobody would buy it. Granted, the hardware was expensive at $6000 a box, but that should not stop people from paying if they see value in it. People pay for Macs even if they are twice as expensive as PCs because they judge them worth it. In fact, the major issue for NeXT was really the lack of applications: NeXT never bothered to attract developers until it was already too late, and some industry insiders even called them arrogant. They thought developers would come on their own, but they never did. As a result the public never bought the machines because they could not do anything useful for them, and the company died from lack of applications.

Steve Jobs won’t get caught twice

Since then, Apple’s CEO has learned his lesson. The iPhone’s success can be attributed to its operating system, its well-designed hardware, and the marketing genius of the Cupertino giant. However, Steve Jobs this time is well aware that Apple’s supremacy can be ephemeral and that smartphones are an excellent base for distributing applications. To gain more market share and consolidate its position, Apple needed to provide the most value-add over any other phone. Indeed, in July 2008, Apple launched the App Store program to sell third-party applications for the iPhone and iTouch. The store has been successful beyond expectations: last winter they reached their first billion application downloads in less than a year. Naturally, the competition has finally woken up and is trying to catch up. Nokia, Research In Motion, Palm, Google and Microsoft have all launched or announced their own version of the store.

The war is raging

If we look around us, the war for developers is raging and is far from limited to the mobile market: it’s all over the internet and has never been as intense. Companies small and big are exposing open APIs, providing SDKs and creating developer communities. Indeed, the stakes are colossal for those who want to control the technologies of tomorrow:

  • Cloud supremacy: Microsoft Azure, Google App Engine, Amazon EC2 or somebody else?
  • Social media dominance: Facebook and its 50,000 applications, or MySpace, OpenSocial and others?
  • Rich Interface Application (RIA) control: Microsoft Silverlight, Adobe Flash, Sun FlashFX or will developers stick with AJAX?

Make developers a priority

Undeniably, today more than ever, third-party developers have become strategic assets for companies. Thus, product managers should prioritize developer programs in their business strategy (when adequate for their product line). Yet such requirements are too often discarded because they do not contribute directly to the bottom line; it’s well known that developers are cheap and don’t pay. As a consequence, companies run the risk of missing incredible opportunities or of getting caught unguarded once the competition has already made its move.

June 6, 2009

Freemium, the new way to riches?

In our current age of the free internet and globalization, people have come to expect to pay less to get more. Technology and products become cheaper day after day. Companies like Google that give everything away for free, and cheap manufacturing from China, are strongly contributing to this trend. A good way for astute product managers to capitalize on this trend is to consider a “Freemium” business model to distribute their products. The word “Freemium” comes from a combination of “free” and “premium” and was first coined by venture capitalist Fred Wilson in 2006 after a suggestion from Jarid Lukin. The model is hardly new. The idea is to attract a large number of users by offering basic services for free, and then charge a premium for custom or advanced features.

A popular model

For example, LinkedIn lets you register your profile and browse its database for free. However, if you want to directly send messages to anybody or want access to advanced search, you will need to upgrade your account.

Similarly, Pandora, the internet radio, broadcasts your favorite music free of charge. But if you want to enjoy higher streaming quality and advanced features you need to opt for their premium package.

The Freemium model is also very popular in the gaming industry. Games might give you access to a few levels for free, but encourage players to purchase additional equipment or extra levels.

Finally, Facebook has recently been experimenting with micropayment strategies and offers virtual gifts you can share with your friends, but not at a virtual price.

Is Freemium right for you?

If so many high profile companies are following a Freemium strategy, should you also consider this business model for your own products? The model has merits and deserves consideration as a monetization and marketing strategy. It is well adapted to the web consumer market and can dramatically reduce customer acquisition costs, while still generating income by converting users to the premium offering. However, beyond the buzz, as with any other business model it might not be appropriate for your company. Let’s review how it applies to a few situations.

Consumer market

In the social network space, Freemium is a necessity, not a choice. Indeed, companies want to drive adoption and the best way to drive adoption is to give services away for free. The core value provided by companies like LinkedIn or Facebook is directly tied to the number of people registered on their site: the more people use it, the more people will join. Unfortunately, social media companies have a tendency to completely ignore the monetization aspect and focus only on increasing their user base. Not surprisingly, stronghold names such as Facebook and Twitter have notoriously struggled to generate income; in their defense, they claim they are still focusing on growth, not profits.

Another example in the consumer market is the gaming industry. Product managers are betting on players’ emotional involvement and on the addictive nature of the games. Once a player is hooked on the game and gets emotionally involved, he is much more likely to turn into a regular paying user. In a recent Meetup about “Monetizing Web 2.0”, Kevin Xu CEO of explained that emotions are critical to a game’s success. Sadly, he then went on to tell how his team discovered that players will spend a lot more money when they hate other players than if they are simply in love or living in harmony… Welcome to our beautiful world!

Enterprise market

Finally, in the enterprise market “Freemium” business models have not proven as successful so far. Since the target market is generally smaller and easier to reach, strong adoption and reduced marketing spending don’t always justify the loss of potential revenue.

However, Freemium can still be useful as a disruptive user model, to undercut the competition, or simply because it can be the best way to get people to try your product and love it. In that case, the idea is still to give away something for free to drive adoption and then get paid for something else.

Red Hat, for example, virtually offers its operating system for free (anybody can get Fedora for free) but charges for support. Other commercial companies leveraging open source solutions have often followed this model because they know that enterprises, the way they are structured, need to purchase appropriate support before deploying applications.

However, the danger for Red Hat as for others is giving up too much for free, so that people have no incentive to upgrade. If people don’t upgrade but still enjoy your service, you may be leaving a lot of money on the table.

Pay attention to your brand

Another issue is weakening the strength of your brand. Indeed, after you position part of your product as free, customers will naturally expect the rest to come cheap. Furthermore, even if you are OK with a low price tag for your product, you still need to clear a second hurdle, because in people’s minds there is a huge gap between “free” and “almost free”. Once a customer gets used to not paying for a service, it will be difficult to convert him into a paying customer. Some startups seem to have taken notice. E.g. Crazy Egg (a web analytics solution) and Zendesk (a helpdesk solution) have been offering their products at a very low entry price, but not free.

An alternative strategy to neutralize negative customer perception is to clearly separate what is free from what is not. A perfect example is the mobile industry: a cell phone is very different from a calling plan. People will take for granted a good deal on the phone but expect high prices for the calling plan, even if they don’t like it.

To conclude, Freemium is a valuable weapon in a product manager’s arsenal that is aligned with macroeconomic trends. However, while the approach can be very valuable for serving broad consumer markets, product managers should proceed with more caution in the enterprise market.

May 17, 2009

Brand Hijacking

Filed under: Marketing,Social Media — Gregory @ 11:05 am

Social networks like Facebook, MySpace and Twitter have opened a new area of opportunities for companies to promote their brand and manage their online presence. But they have also created a new source of challenges for companies to control and protect themselves in this inherently anonymous world.

At the beginning of this year, 2 Domino’s employees released a video on YouTube in which they were blowing snot on pizzas at a Domino’s store. They are now facing felony charges. Last year, a person named “Janet” registered the account “ExxonMobilCorp” on Twitter and started answering questions on behalf of the company. Also in 2008, JC Penney became the latest victim of unofficial advertising: a video ad depicting fake sex was unleashed in the blogosphere.

The hijacking trend is not slowing down and represents a real danger for brands and corporations. Identity control will remain an issue on the web. Despite the fact that most social media sites provide strict terms and conditions to prevent impersonation, the temptation is too high and copyright infringements prove difficult to enforce.

Consequently, companies should have an appropriate online strategy, regularly monitor their presence in the social media world and be ready to respond quickly to any “brandjacking” attempt. A preemptive action would be to register your company name across social media sites. This is especially effective on sites like Twitter and YouTube, where the username becomes the identity of the poster.

So now that you have been warned, don’t get caught unaware!

May 10, 2009

Top 10 most annoying business expressions

Filed under: Product Management — Gregory @ 12:59 am

The business world is addicted to buzzwords. They are everywhere around us; we can’t avoid them, there is no way to escape. Senior management is certainly the most to blame. Here is a compilation of my top ten most annoying business expressions:

1. Think outside the box. Easily at the top of my list. This is so “in the box” thinking.

2. At the end of the day. At the end of the day… it’s time to go home.

3. Customer-Centric. Is that not what a business is all about?

4. Strategic planning. Planning alone must not sound impressive enough.

5. Pendulum has swung too far. This must be one of the fundamental laws of business.

6. Exceed customer expectations. The customer is definitely making a comeback.

7. Foreseeable future. And, how far would that be?

8. Move things forward. What is it exactly that you have in mind?

9. Bleeding-edge. “Cutting-edge” does not cut it anymore.

10. Bandwidth. As in “I don’t have the bandwidth to work on this”. My advice: better to leave “bandwidth” to network operators.

Anything else you would like to add to the list?

May 2, 2009

Should you listen to your customers?

Filed under: Business Strategy,Product Management — Gregory @ 8:18 pm

There is a trend in today’s business to get closer to customers and let them directly influence product roadmaps and features. Indeed, with the democratization of open communication and the internet, customer feedback programs are growing in popularity. Those programs are sometimes referred to as crowdsourcing and are adopted by high profile companies such as Dell IdeaStorm, Starbucks MyStarbucksIdeas and SalesForce IdeasExchange. Consequently, customers’ wishes, hopes and desires are getting added into product roadmaps with less and less scrutiny. After all, users should be the best judges of product enhancements. Without a doubt, incorporating customer suggestions into existing products is a proven approach to bring in incremental improvements and ensure customer retention. In fact, within the software industry, agile development methodologies have become all the rage in recent years and rely on the promise of constant customer feedback and iterative enhancements.

However, companies should resist the temptation of taking this idea too far. Product managers must be careful not to confuse customer suggestions and feedback with the underlying bigger problem they are trying to solve. As Henry Ford famously put it: “If I had asked people what they wanted, they would have said a faster horse”. Similarly, did anyone ask for the light bulb before Thomas Edison invented it? What about Sony’s Walkman? Keeping ahead of the competition and bringing to market the next relevant product takes imagination and creativity. By solely focusing on present customers’ issues and existing solutions, companies unconsciously hinder their capacity to innovate, pay less attention to external industry trends and become more vulnerable to competition.

For companies, the key to a sustainable business strategy is not only to understand what customers want today and enhance existing product lines, but also to realize the limitations of this approach and encourage investments in longer term innovations.

April 26, 2009

On OAuth vulnerability and open standards

Filed under: Product Management, Technology — Gregory @ 7:51 pm

OAuth is the protocol of choice for delegating authorization in the Open APIs world. As a user, it allows me to share private resources stored on one site with another site without having to hand out my username and password. The protocol is commonly supported by companies like MySpace, Google, Yahoo and Twitter on their Open APIs. Last week, a vulnerability was discovered in the OAuth protocol. The identified security threat is known as a session fixation attack: an authorization started by one party can be completed by another, so a delegated grant ends up attached to the wrong requester. You can find more details about the attack’s specifics in Eran Hammer-Lahav’s excellent post. The OAuth community reacted quickly and did a fantastic job of handling the situation. It was an impressive display of individuals, small and big companies working together to solve the issue. Among the heroes, Eran masterfully coordinated the community’s response; Twitter generously agreed to shut down its OAuth service and take the blame from its user base to avoid suspicion; Google, Yahoo and others offered time and resources to help solve the problem. The story is better told in Marshall Kirkpatrick’s blog.

On the other hand, the incident also showcased the difficulties of managing serious incidents for open standards. When the vulnerability was first identified and acknowledged, there were no procedures in place to alert the community and manage the issue. OAuth’s website contains a list of companies that have implemented the protocol, but this list is incomplete and does not contain contact information. Consequently, the initial alert sent by email missed numerous companies: some companies were not listed, or their contact information was incorrect. Similarly, there were no designated leaders to drive the community response. Fortunately, Eran stepped up to the task and others followed suit.

A related issue for open standards is the lack of enterprise vendor support. Traditional software vendors (Microsoft, IBM, Oracle and the like) do not offer commercial implementations of OAuth and do not contribute to the specification. An enterprise software architect who wants to add OAuth support does not have many options and often ends up directly reusing the open source libraries developed by the community, even if his team lacks the security knowledge and training to use the libraries properly. As a result, there are almost as many OAuth-powered services as there are slightly different implementations of the protocol, and every divergence from the specification is a place where a token-binding check can be missing. This raises some valid security concerns. By contrast, an enterprise willing to support other trust protocols such as SAML and WS-Trust can rely on structured standards organizations and a variety of vendors. In case of incidents, the enterprise can also be assured that processes are in place to cope with the situation and that communication channels are properly defined.
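The two paragraphs above talk about the session fixation weakness and about the risk of each service rolling its own, slightly different, implementation of the token exchange. What the revised specification (OAuth 1.0a) added to close the gap is a set of bindings on the temporary request token: the callback is declared when the token is issued and confirmed by the provider, and the access-token exchange requires an `oauth_verifier` that only the approving user’s browser receives. The following is an added illustration of those checks written for this post, not code from the OAuth project or from any of the implementations mentioned. It is a toy in-memory service provider: the consumer key `demo-consumer`, the callback URL and the token format are placeholders, and request signing is omitted so that the binding logic stays visible.

```python
import hmac
import secrets


class OAuth10aProvider:
    """Toy OAuth 1.0a service provider covering the three token-exchange steps.

    Assumptions (illustration only): consumers are identified by a registered
    key, tokens are random hex strings held in memory, and HMAC request
    signing is left out to keep the token-binding checks in focus.
    """

    def __init__(self, consumer_keys):
        self.consumer_keys = set(consumer_keys)
        # request token -> binding record. The record is what defeats
        # fixation: the token is tied to the consumer and callback that asked
        # for it, and later to the approving user and the verifier they got.
        self.request_tokens = {}
        self.access_tokens = {}

    def issue_request_token(self, consumer_key, oauth_callback):
        """Step 1: consumer obtains a temporary request token.

        1.0a moved oauth_callback into this request, so the provider records
        the return address up front and confirms it in the response.
        """
        if consumer_key not in self.consumer_keys:
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {
            "consumer": consumer_key,
            "callback": oauth_callback,
            "user": None,
            "verifier": None,
        }
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, oauth_token, user):
        """Step 2: the resource owner approves the request token.

        Returns the redirect URL carrying oauth_verifier. The verifier is only
        delivered to the browser of the user who approved, so a party holding
        just the request token cannot complete step 3.
        """
        rec = self.request_tokens.get(oauth_token)
        if rec is None or rec["user"] is not None:
            raise PermissionError("unknown or already-authorized request token")
        rec["user"] = user
        rec["verifier"] = secrets.token_hex(8)
        return (f'{rec["callback"]}?oauth_token={oauth_token}'
                f'&oauth_verifier={rec["verifier"]}')

    def exchange_access_token(self, consumer_key, oauth_token, oauth_verifier):
        """Step 3: swap an authorized request token for an access token.

        All bindings are checked: same consumer, approved by a user, verifier
        matches (constant-time compare). The request token is single-use.
        """
        rec = self.request_tokens.get(oauth_token)
        if rec is None or rec["consumer"] != consumer_key:
            raise PermissionError("request token not issued to this consumer")
        if rec["user"] is None:
            raise PermissionError("request token has not been authorized")
        if not hmac.compare_digest(rec["verifier"], oauth_verifier or ""):
            raise PermissionError("oauth_verifier mismatch")
        del self.request_tokens[oauth_token]
        access = secrets.token_hex(8)
        self.access_tokens[access] = {"consumer": consumer_key, "user": rec["user"]}
        return {"oauth_token": access, "user": rec["user"]}


def run_flow(provider, consumer_key, user, callback="https://consumer.example/cb"):
    """Happy path: returns the access-token record so the outcome is checkable."""
    req = provider.issue_request_token(consumer_key, callback)
    redirect = provider.authorize(req["oauth_token"], user)
    verifier = redirect.split("oauth_verifier=")[1]
    return provider.exchange_access_token(consumer_key, req["oauth_token"], verifier)


def exchange_with_wrong_verifier_is_rejected(provider, consumer_key, user="alice"):
    """A token that was approved but whose verifier the caller never received
    must not be convertible into an access token. Returns True if rejected."""
    req = provider.issue_request_token(consumer_key, "https://consumer.example/cb")
    provider.authorize(req["oauth_token"], user)
    try:
        provider.exchange_access_token(consumer_key, req["oauth_token"], "")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    p = OAuth10aProvider(["demo-consumer"])
    print(run_flow(p, "demo-consumer", "alice"))
    print(exchange_with_wrong_verifier_is_rejected(p, "demo-consumer"))
```

The three `PermissionError` branches in `exchange_access_token` are the checks an auditor would look for when reviewing one of the many hand-rolled implementations the post mentions: a request token accepted from a different consumer, an unauthorized token exchanged, or a missing verifier each collapses the flow back to the fixable one.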

In conclusion, because of the OAuth members’ dedication, last week’s incident ended up as a great and inspiring story. However, this episode also highlighted some of the weaknesses and the sometimes relative immaturity of open standards. OAuth clearly suffers from a lack of processes to respond to urgent situations, as well as a lack of support from recognized software vendors. Those vendors are essential to bring legitimacy to standard protocols and to define proper governance processes in case of incidents. Until governance and maturity issues are addressed, OAuth will have trouble prospering and getting adopted beyond the Web 2.0 crowd, and enterprises should be careful before jumping too fast on the bandwagon.
