MQSeries.net Forum Index » News/Updates » MQ Security Working Group

MQ Security Working Group
T.Rob
PostPosted: Fri Dec 16, 2016 9:47 pm    Post subject: MQ Security Working Group

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

A few of us with deep MQ security interest created a group in the RFE community called, appropriately enough, MQ Security. If this interests you, you can find it here:
https://www.ibm.com/developerworks/rfe/execute?use_case=groupLanding&GROUP_ID=1949

So far we have gone through all the open RFEs and added security-relevant ones to the group watch list. Anyone can join and doing so gives you access to browse, download and subscribe (by email and RSS) to the watchlist. We also created several categories and are in the process of assigning them to the various RFEs. These allow us to group the RFEs by the product to which they refer (i.e. AMS, MFT, MQ, etc.), by the function they perform (authentication, authorization), etc.

The RFE community offers private forums for groups. Ours is not created yet as that requires a request, but I hope to have it active soon. We haven't articulated a specific mission for the group yet, other than that it coalesced around a growing concern over the direction and quality of security features in MQ. Perhaps when the forum is active we can articulate better what it is we'd like to do but I think those of us working on it so far would agree that influencing the product's security features from a deep security perspective is among the goals. Staying on track with Secure By Default is probably another. Assisting in any way possible with the fixing/replacement of CONNAUTH is probably in there too.

In one of the initial discussions I was asked why the EAP is not a better forum for this activity. The primary reason is that many of the SMEs with the deepest MQ security skill work at companies not participating in the EAP. My company consists of exactly one employee and I was able to convince the boss to apply for the EAP so we will have some representation there. But as most of the field expertise is outside the EAP, any organized discussion and RFE curation from that group must take place outside as well. This does not short-circuit the existing mechanisms for early collaboration with IBM, but rather addresses a deficiency in the EAP structure that is common to all crowdsourcing: the underlying assumption of crowdsourcing that the crowd in aggregate will always possess the required skill and availability works best near the top of the Bell Curve. Where niche skills and subjects are concerned, crowdsourcing fails. MQ Security is one such niche skill.

This is also not intended to exclude anyone. In fact, moving the discussions from email to a forum is pretty much the definition of inclusive. If you are thinking "I consider myself among that population of deeply skilled MQ Security SMEs" then you should also consider yourself invited to join. The group is set to auto-accept membership requests and is also public.

Another question I received was why not use a forum in IMWUC, MQSeries.net, or dWorks? These are existing and thriving communities and it's a valid question. IBM's RFE community is the best vehicle for collaboration on product development because RFE back-end mechanisms are integrated into IBM's development teams. I don't know to what degree but I do know that integration from other communities into the lab == 0 and integration from the RFE community to the lab > 0. This is the first RFE group out there for MQ as far as I can tell so I don't think we've been using it to its potential and there's no case to host elsewhere until we at least try it out.

I will announce when the community is live. The group and watchlist are live now at:
https://www.ibm.com/developerworks/rfe/execute?use_case=groupLanding&GROUP_ID=1949
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
fjb_saper
PostPosted: Sat Dec 17, 2016 3:41 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20729
Location: LI,NY

Be careful though and do read an RFE before voting for it.
There are some RFEs in the group that should just be voted down, like the one asking for the removal of the global admin block if it had been removed from the original qmgr (change to output of dmpmqcfg)...

This RFE shows as well a complete misunderstanding of the functionality, as there exists today a well documented way to suppress this admin block for specific individual channels and I believe we should stick to that way.

Be secure by default and if you must... open a specific channel for the admins.
(And don't let that be a system channel either!!!) and restrict it with the usual suspects (ip, ssl, etc).
_________________
MQ & Broker admin
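As an added illustration of the pattern fjb_saper describes (example MQSC written for this page, not commands posted in the thread): the default CHLAUTH rules on a new queue manager already block privileged users on every channel and refuse all access to SYSTEM.* channels. Instead of removing that global block, a dedicated non-SYSTEM admin channel gets its own, more specific rules, and because the most specific channel name wins, the per-channel BLOCKUSER rule overrides the generic *MQADMIN block on that one channel only. The channel name ADMIN.SVRCONN, the cipher, the certificate DN, the address pattern and the MCAUSER value are assumed placeholders to be replaced with your own.

```mqsc
* Default rules shipped with a new queue manager (shown for reference, not re-issued):
*   SET CHLAUTH(*) TYPE(BLOCKUSER) USERLIST(*MQADMIN)
*   SET CHLAUTH(SYSTEM.*) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(NOACCESS)
*   SET CHLAUTH(SYSTEM.ADMIN.SVRCONN) TYPE(ADDRESSMAP) ADDRESS(*) USERSRC(CHANNEL)

* Channel authentication must be switched on for any of the rules below to apply.
ALTER QMGR CHLAUTH(ENABLED)

* 1. A dedicated admin channel (assumed name, not a SYSTEM.* channel) that
*    requires a client certificate. MCAUSER('nobody') means a connection that
*    matches no mapping rule gets no usable identity.
DEFINE CHANNEL('ADMIN.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256') SSLCAUTH(REQUIRED) +
       MCAUSER('nobody') DESCR('Admin access only via CHLAUTH rules')

* 2. Channel-specific BLOCKUSER rule: the more specific channel name wins, so
*    this replaces the generic *MQADMIN block on ADMIN.SVRCONN only. The global
*    rule stays in force on every other channel.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') +
    DESCR('Allow privileged users on the admin channel') ACTION(ADD)

* 3. Map only an admin certificate presented from the admin subnet (assumed
*    DN and address pattern) to the admin identity (assumed user name).
SET CHLAUTH('ADMIN.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=*, OU=MQ Admins, O=Example Corp') ADDRESS('10.0.1.*') +
    USERSRC(MAP) MCAUSER('mqadm') ACTION(ADD)

* 4. Anything else arriving on this channel is refused. SSLPEERMAP rules take
*    precedence over ADDRESSMAP rules, so step 3 still matches first.
SET CHLAUTH('ADMIN.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    ACTION(ADD)

* Verify the rule set, then dry-run a hypothetical connection to see which
* rule it would hit and what identity it would be given.
DISPLAY CHLAUTH('ADMIN.SVRCONN') ALL
DISPLAY CHLAUTH('ADMIN.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.1.15') +
        SSLPEER('CN=alice, OU=MQ Admins, O=Example Corp')
```

Run the block with runmqsc against the queue manager. The MATCH(RUNCHECK) display is the check worth keeping in a change ticket: it shows the rule a given address and certificate would match before any real admin connects, and re-running it with an address outside the assumed subnet should report the NOACCESS rule.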
T.Rob
PostPosted: Sat Dec 17, 2016 7:26 am

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

Perfect example of the kind of thing curation by specialists would be expected to recognize and correct for. Inclusion in the watch list doesn't signify endorsement, only that an RFE is relevant to security. In some cases the best action would be to vote an RFE down.

Given the strength of the team I'd hope IBM would outright kill an RFE if one was so egregious the team felt that such a strong action was necessary. For example if we ever had the chance to get out in front of something so disastrous as ADOPTCTX(NO).
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
PeterPotkay
PostPosted: Sat Dec 17, 2016 8:57 am

Poobah

Joined: 15 May 2001
Posts: 7717

T.Rob wrote:
In some cases the best action would be to vote an RFE down.

Is there a way to do this?


P.S. I added 3 of my RFEs to the group's watchlist this morning.
_________________
Peter Potkay
Keep Calm and MQ On
T.Rob
PostPosted: Sat Dec 17, 2016 9:33 am

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

Quote:
Is there a way to do this?


Storm the comments section with torches and pitchforks, so far as I can tell. Ideally though the group comes to a consensus in the forum rather than posting conflicting advice in the RFE comments. When, you know, the forum is actually activated.
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter