An Insider’s View on Product Management

April 26, 2009

On OAuth vulnerability and open standards

Filed under: Product Management,Technology — Gregory @ 7:51 pm

OAuth is the protocol of choice for delegating authorization in the Open APIs world. As a user, it allows me to share private resources stored on one site with another site without having to hand out my username and password. The protocol is commonly supported by companies like MySpace, Google, Yahoo and Twitter on their Open APIs. Last week, a vulnerability was discovered in the OAuth protocol. The identified security threat is known as a session fixation attack. You can find more details about the specifics of the attack in Eran Hammer-Lahav’s excellent post. The OAuth community reacted quickly and did a fantastic job of handling the situation. It was an impressive display of individuals and of small and big companies working together to solve the issue. Among the heroes, Eran masterfully coordinated the community’s response; Twitter generously agreed to shut down its OAuth service and take the blame from its user base to avoid suspicion. Google, Yahoo and others offered time and resources to help solve the problem… The story is better told in Marshall Kirkpatrick’s blog.

On the other hand, the incident also showcased the difficulties of managing serious incidents for open standards. When the vulnerability was first identified and acknowledged, there were no procedures in place to alert the community and manage the issue. OAuth’s website contains a list of companies that have implemented the protocol, but this list is incomplete and does not contain contact information. Consequently, the initial alert sent by email missed numerous companies; some companies were not listed or their contact information was incorrect. Similarly, there were no designated leaders to drive the community response. Fortunately, Eran stepped up to the task and others followed suit.

A related issue for open standards is the lack of enterprise vendor support. Traditional software vendors (Microsoft, IBM, Oracle…) do not offer commercial implementations of OAuth and do not contribute to the specification. An enterprise software architect who wants to add OAuth support does not have many options and often ends up directly reusing the open source libraries developed by the community, even if his team lacks the security knowledge and training to use the libraries properly. As a result, there are almost as many OAuth-powered services as there are slightly different implementations of the protocol. This raises some valid security concerns… By contrast, an enterprise willing to support other trust protocols such as SAML and WS-Trust can rely on structured standards organizations and a variety of vendors. In the event of an incident, the enterprise can also be assured that processes are in place to cope with the situation and that communication channels are properly defined.

In conclusion, because of the OAuth community’s dedication, last week’s incident ended up as a great and inspiring story. However, this episode also highlighted some of the weaknesses, and at times the relative immaturity, of open standards. OAuth clearly suffers from a lack of processes to respond to urgent situations, as well as a lack of support from recognized software vendors. Those vendors are essential to bring legitimacy to standard protocols and to define proper governance processes for incidents. Until governance and maturity issues are addressed, OAuth will struggle to prosper and be adopted beyond the Web 2.0 crowd… and enterprises should be careful before jumping on the bandwagon too fast.


April 21, 2009

Embracing the cloud

Filed under: Business Strategy — Gregory @ 11:45 pm

The lure of cloud computing is getting increasingly difficult to ignore for IT organizations. For the last 2 years, cloud adoption has been strong and shows no sign of slowing down. A lot more cloud platforms are now available for companies to choose from; new vendors are following suit behind Amazon’s EC2. Solutions range from behemoths like Google’s App Engine and Microsoft’s Windows Azure to pure players like GoGrid and FlexiScale. Early skeptical voices are now acknowledging that cloud computing has some merits. As a result, although most Fortune 500 CIOs still dismiss the importance of the cloud as part of their future strategy, they are getting more concerned about their datacenter efficiency. IT initiatives are popping up to build private clouds, promote server virtualization and experiment with public clouds for new R&D projects.

However, it is still in the startup world that you will find the most fervent adopters. Here are a few reasons why the cloud is so attractive to startups:

  • Startups typically have poor visibility into their service adoption and they don’t want to incur huge upfront hardware costs. Cloud technologies give them the flexibility to scale their processing capacity up and down as their business evolves.
  • Startups need to focus on their core business and keep innovating as fast as possible. Hardware and datacenter management should not get in the way of development. If the business becomes more predictable, administrators and operators can always be brought on board later.
  • Startups can only spend limited resources and time on high availability. Cloud providers are almost certain to do a better job than a startup’s staff. Furthermore, disaster recovery is an extremely expensive proposition. Having hardware sitting idle waiting for an unlikely disaster scenario is not a good option. Leveraging the cloud to spawn new instances or using automatic failover is a sounder approach.
  • Finally, let’s not underestimate the buzz associated with cloud computing. If you do nothing different from your competitors but are running in the cloud, chances are that you will be the one noticed by the community.

April 16, 2009

Be wary of multi-tasking

Filed under: Product Management — Gregory @ 4:27 pm

Product management is inherently a cross-department activity. Responsibilities typically range from R&D to marketing and sales. In their daily activities, product managers are naturally required to interact with different people and juggle numerous tasks. In this type of environment, employers naturally encourage product managers to develop skills such as the “ability to multi-task” and to become “comfortable in a multi-tasking environment”.

However, numerous studies have shown that our brain is inefficient at switching from one activity to another, or at doing multiple things at the same time. Multitasking typically translates into lower employee productivity, poorer work quality, and higher stress levels, which can increase the frequency of serious mistakes. You think you can answer this email while talking on the phone and preparing your next meeting? Think again.

The truth is we suck at doing multiple things at once, even if we often think we can accomplish more that way. As product managers, we need to recognize those limitations and use our time judiciously. The nature of our work can easily drag us into a “multi-tasking craziness state” that would be disastrous for our mental health and our decision-making abilities. In reality, a lot of activities are just noise and can be safely postponed or plainly ignored. For the rest of them, we need to resist the urge to tackle everything. A more sensible approach is to maintain a task list, sort it regularly by priority, and work on one task at a time. Try it. You will find out you are much more productive that way…

April 11, 2009

Open API

Filed under: Business Strategy — Gregory @ 11:35 pm

Open APIs or Web APIs are playing an increasing role in companies’ web strategies. In the past, Web APIs were often decried as developers’ eccentricities with no business merit. However, the success of companies like Amazon, eBay, Salesforce or Twitter has changed the general attitude and brought a lot more interest to the subject. Let’s take a look at some of the most remarkable successes. Last year, Amazon announced that its API traffic had surpassed its website traffic, and the trend is accelerating:

  • Twitter is believed to get 10 times more requests through its APIs than through its website.
  • Salesforce, arguably the most successful SaaS company, probably has more than 40% of its traffic going through APIs and is aggressively promoting the AppExchange platform to attract even more developers.
  • Google, surfing on the popularity of its Maps API, keeps adding new services to its already impressive list and seems determined to become the single biggest service provider.

Others are following suit and trying to catch up with the phenomenon. We can include in the race companies like Microsoft with its mashup editor, or the New York Times, which is offering through an API every article the paper has written since 1981.

It’s becoming undeniable that the API wave promises to reshape the internet landscape with the multiplication of mashups, widgets and other third-party applications. Indeed, APIs promote participation and collaboration of end users and transform the web from a static place into a dynamic environment. But behind the hype of those well-documented success stories, should every company adopt an API strategy? That’s what we will explore in another post.

My first post

Filed under: Product Management — Gregory @ 10:53 pm


Thank you for reading my blog. I am a product manager working in the software industry. I am passionate about identifying customers’ needs, defining market segments and developing great software. I have been in the high tech industry for the last 10 years and held different positions in the product organization.

In this blog, I will share some of my thoughts and experiences as a product manager. I will also talk about trends and changes I am seeing in the software industry.
