Friday, August 5, 2016

Separating Features and Authorisation. Getting More Done and Improving Quality in the Middle Tier.

Application Managed Authorisation Using Dependency Injection and Interception

Introduction

This article discusses an approach to application-managed authorization intended to enhance the productivity of software development teams by separating and abstracting authorization logic from business-feature logic using dependency injection and interception.

Background

Providing runtime access to functions in software depends on successfully identifying the subject attempting to gain access to an object. Subsequently, a decision is made to grant or deny access based on a myriad of variables such as group membership, time of day, history, etc. A traditional, widespread approach is to build features and then to decorate and intersperse that code with code for security and access privilege checks. Well-established practices and mature development frameworks may make this more straightforward, but essentially the development of features must precede the writing of code to “secure” those features. Both sets of activities are typically done over several iterations. Additionally, the approach for securing assets across the different tiers of the application – database, mid-tier and presentation (user interface) – varies due to the different paradigms that define the different environments. For example, runtime access to database data and operations may be secured using database security features that rely, among other things, on user accounts with permissions to tables, stored procedures and functions. Nevertheless, when a significant amount of functionality is developed in stored procedures, it is often the case that custom security checks can also be included in the database code. However, the focus of this discussion is the middle tier in software applications, which is typically developed using high-level languages such as C# and Java.

Some analysis

It is neither a new idea nor a new practice to abstract business and security rules into a repository separate from application data and to perform authorization checks against it. Even so, business logic code is still interspersed with code for security checks, and the two must be written one after the other, as is the case in traditional Role Based Access Control (RBAC) software. This happens whether the security checks are done in stored procedures in the database or in code in the middle tier. Maintaining those “checkpoints” thus requires someone with a good idea of the general code layout to go from point to point making the necessary amendments.
The point being made is that the tedium of having to write business functionality and then security checks can benefit from a separation that allows both development and system build (security and other configuration) activities to run simultaneously against a common object and system model.
Some Information Security professionals often say that software practitioners need to be rescued from the bad habits of “insecure” software development practices because these introduce weaknesses in systems that may only become apparent after an exploit. By implication, software developers tend to be careless with security. The reason for this could be that they tend to focus on building the cool widgets, screen layouts and other eye-candy that foster job security, leaving software security as a boring afterthought. In my opinion, this arguable notion, in spite of having some basis in real-life experience, falls short of actually being productive if it mandates no clearly actionable remedy.
One can also opine that the basis for this opinion is the typical separation of Information Security from the software development experience. Information Security’s role often becomes prominent only after software has been developed and deployed for testing when issues get thrown up. Nevertheless, one must agree intensely that the responsibility for effective security in software lies with designers and developers.  
This leads one to ask: how can security receive better attention from the outset of a software project? How can confidentiality, integrity and availability be addressed sufficiently from the beginning? Can security rules and business functionality be developed side by side in traditional languages such as Java and .NET and somehow be continuously merged together to achieve the desired result? My opinion is that someone needs to wear the information security hat right from the beginning of the software project and be involved through the entire process. This is one way better security can be achieved quickly and efficiently.
The following is an approach to the stated issue using the .NET platform, which relies on the concepts of Dependency Injection and Interception in general and specifically, object creation and abstraction of security rules.
To elaborate further, consider the scenario where a developer simply codes functionality – subject to automated unit tests and functional requirements – and checks in code to a central repository without worrying about interspersing explicit role-based checks inline with regular business logic. At the end of the day, you will have software that is good for a proof-of-concept demonstration but is hardly usable in the real world, as there is no way to separate duties and enforce controls. In the same scenario, consider that another individual with information security skills codes security rules in some domain-specific language against the same code and, at the end of the day, the code written by the first developer runs based on the rules defined by the other. The following outlines a strategy for achieving this.
Effectively, security rules in this context are, by implication, business rules. In general terms, application authorization facilitates the following scenarios:
  1. Securing access to an operation. In this scenario, the subject is either able to access the operation or not. For example, saving an expense report or retrieving the list of active projects. The operation is a method of an object. Whether it’s a CRUD (Create, Retrieve, Update, Delete) call or one to calculate interest accrued on a fixed income security, it’s all in a method call. Restricting access to a particular set of URLs can also fall into this scenario.
  2. Setting object attributes. In this scenario, even though we would like to allow access to an operation, we may like to restrict certain parameters to a range of values based on the subject. For example, in the case of retrieving all expense reports, we may want to restrict access to just expense reports belonging to the subject (logged in user). We can achieve this by always setting the value of, say, a project ID parameter to a value in the user’s profile.
In these scenarios, the gate to access a feature is opened based on the evaluation of an expression of varying complexity that has a Boolean result. For example:
  1. Is the user allowed to login at this time of day?
  2. Does the user belong to a group that is allowed to access this operation?
  3. Is the user allowed to see all entities whether they “belong” to him/her or not?
  4. Has the user exceeded a threshold for performing the operation within a set amount of time?
Note that the same system will often have a different set of rules per installation, i.e. the rules are different for each customer. Of course, two or more of these rules may be combined and be based on properties of the subject as well as those of the computing environment such as time of day, remaining disk space, etc.

Suggested Approach - A Bird's Eye View

Dependency injection (DI) is at the center of the strategy; it is a way to specify dependencies in code dynamically. There is a Wikipedia article on the topic (https://en.wikipedia.org/wiki/Dependency_injection) and there are many implementations available. I will be using the Unity framework (https://msdn.microsoft.com/en-us/library/dn223671(v=pandp.30).aspx) courtesy of Microsoft’s Patterns and Practices group. Additionally, we will need to understand interception, which is a way to inject code dynamically at runtime and is very useful for handling cross-cutting concerns such as logging, validation and authorisation (see https://msdn.microsoft.com/en-us/library/dn178467(v=pandp.30).aspx).
In a nutshell, we intend to dynamically inject code that performs authorization checks before method calls at runtime. To do this, the objects will not be created using the traditional instantiation method (e.g. Object o = new Object() in C#) but via the DI framework. Because the code is injected, it has no way of knowing beforehand what context (subject, object, etc.) applies, so the authorization checks cannot be hard-coded. Therefore, the code injected at runtime will perform authorization based on a coded set of rules that support the two (2) scenarios listed above. The rules can be written in any domain-specific language, e.g. an XML-based one.
The strategy is summarized thus:
  1. Design the object model for the system, i.e. entities, services and interfaces should be defined. This is like defining the WSDL file for web services before the actual implementation.
  2. Configure dependency injection for every object that requires secure access.
  3. Develop the authorization-check code to be injected, and the rules format, as per the two scenarios.
  4. Configure interception for the objects to run authorization code whenever the methods are called in code.
  5. Define the security rules that are to be evaluated at runtime when a method call is intercepted.
  6. At runtime, instantiate the object using dependency injection and not in-built language instantiation.
  7. While attempting to make the call, interception invokes the code for authorization checks against the defined rules.
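The steps above, as an added C# example that is not from the original post: it uses `System.Reflection.DispatchProxy` from the .NET base library as a stand-in for Unity's container and interception, so it runs on .NET 6 or later without extra packages. `IExpenseService`, the `staff` and `auditor` groups and the in-code rule table are assumptions made for illustration; a rules DSL and real DI registration are left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.ExceptionServices;

// All type, group and rule names here are constructed for this example.
public record Subject(string Id, ISet<string> Groups);

// Allow is the Boolean gate (scenario 1). Bind receives each parameter's name
// and value and returns the value the call will really use (scenario 2).
public record Rule(Func<Subject, bool> Allow,
                   Func<Subject, string, object?, object?> Bind);

public interface IExpenseService
{
    void Save(string ownerId, decimal amount);
    IReadOnlyList<string> GetReports(string ownerId);
}

// Feature code only: no authorization logic anywhere in this class.
public class ExpenseService : IExpenseService
{
    private readonly List<(string Owner, decimal Amount)> _rows = new();
    public void Save(string ownerId, decimal amount) => _rows.Add((ownerId, amount));
    public IReadOnlyList<string> GetReports(string ownerId) =>
        _rows.Where(r => ownerId == "*" || r.Owner == ownerId)
             .Select(r => $"{r.Owner}:{r.Amount}").ToList();
}

// Interception: every call made through the interface reaches Invoke first.
public class AuthorizingProxy<T> : DispatchProxy where T : class
{
    private T _target = default!;
    private Func<Subject> _subject = default!;
    private IReadOnlyDictionary<string, Rule> _rules = default!;

    // Stands in for resolving the object from a DI container (step 6).
    public static T Create(T target, Func<Subject> subject, IReadOnlyDictionary<string, Rule> rules)
    {
        T proxy = DispatchProxy.Create<T, AuthorizingProxy<T>>();
        var self = (AuthorizingProxy<T>)(object)proxy;
        (self._target, self._subject, self._rules) = (target, subject, rules);
        return proxy;
    }

    protected override object? Invoke(MethodInfo? method, object?[]? args)
    {
        args ??= Array.Empty<object?>();
        Subject subject = _subject();
        // Keyed by name only, so overloads of one method share a rule.
        string key = $"{typeof(T).Name}.{method!.Name}";

        // Scenario 1: deny unless a rule exists and its gate passes (deny-by-default is this example's choice).
        if (!_rules.TryGetValue(key, out Rule? rule) || !rule.Allow(subject))
            throw new UnauthorizedAccessException($"{subject.Id} denied {key}");

        // Scenario 2: rebind parameter values before the real call.
        ParameterInfo[] ps = method.GetParameters();
        for (int i = 0; i < ps.Length; i++)
            args[i] = rule.Bind(subject, ps[i].Name!, args[i]);

        // Reflection wraps the target's exception; rethrow the original.
        try { return method.Invoke(_target, args); }
        catch (TargetInvocationException e) when (e.InnerException is not null)
        { ExceptionDispatchInfo.Capture(e.InnerException).Throw(); throw; }
    }
}

public static class Demo
{
    // Rules live apart from ExpenseService and could differ per installation.
    private static readonly Dictionary<string, Rule> Rules = new()
    {
        ["IExpenseService.Save"] = new Rule(s => s.Groups.Contains("staff"),
            (s, name, v) => name == "ownerId" ? s.Id : v),
        ["IExpenseService.GetReports"] = new Rule(s => s.Groups.Contains("staff"),
            (s, name, v) => name == "ownerId" && !s.Groups.Contains("auditor") ? s.Id : v),
    };

    public static void Main()
    {
        var alice = new Subject("alice", new HashSet<string> { "staff" });
        var bob = new Subject("bob", new HashSet<string> { "staff", "auditor" });
        Subject current = alice;
        IExpenseService svc = AuthorizingProxy<IExpenseService>.Create(
            new ExpenseService(), () => current, Rules);
        svc.Save("bob", 40m);                   // Save always rebinds ownerId to the caller's id
        current = bob; svc.Save("bob", 75m);
        Console.WriteLine(string.Join(", ", svc.GetReports("*")));  // auditor keeps the requested filter
        current = alice;
        Console.WriteLine(string.Join(", ", svc.GetReports("*")));  // non-auditor is pinned to own id
        current = new Subject("guest", new HashSet<string>());
        try { svc.GetReports("guest"); }        // not in "staff": the gate refuses the call
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

Code that calls `new ExpenseService()` directly never passes through `Invoke`, so every secured object has to be handed out through the proxy factory (or, in the article's design, the DI container).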
This seems a fairly straightforward approach but as usual the devil is in the details. My own attempt at an implementation of this approach revealed the following areas requiring some planning and care.
  1. The format for defining security rules in terms of methods on objects and conditional expressions.
  2. The method for automatic DI configuration of objects.
  3. Developing the actual code which is to perform authorization checks at runtime. This needs to use a lot of reflection (https://en.wikipedia.org/wiki/Reflection_(computer_programming)).
  4. Deciding what frameworks to use for Dependency injection and Authentication.
This was an attempt to highlight the approach in broad strokes. Subsequently, I will dig deeper and provide details of an actual implementation.
The benefits of the approach include:
  1. It can assist with easier maintenance of security and business rules for different sites/installations of the same software.
  2. It fosters a separation of concerns, which allows different teams to focus on the different aspects of the system.
  3. It supports good programming practices such as DRY (Do not Repeat Yourself).
  4. It allows testing of system features in a “totally unguarded” state on demand.
  5. The adopted security model can be easier to track and review as it is abstracted into its own repository and can be maintained in a more straightforward manner.
  6. Easier team management, as developers can more easily hand over activities to each other in the event of an absence. Those working on features can see more clearly as they don’t have to worry about adding security.
  7. It supports different security models, e.g. transitive permissions: assign object permissions to a task/project and once people are assigned to that project they have the requisite permissions to the object.
Nothing is without concerns and the following are some about this approach.
  1. How can the security rules be securely stored and retrieved at runtime? It would defeat the whole purpose if the rules could be easily hacked and modified after deployment. The rules can be encrypted in a file or hard coded into an assembly or dll which can itself be obfuscated.
  2. Secured objects have to be created using the dependency injection framework. Without creating the objects using DI, no interception is possible. This is because the DI framework creates a sort of proxy object that allows it to manage the lifecycle of the object and method calls.
  3.  Can this approach work for database procedures? Personally, I dislike putting business features in the database. I would rather use database queries just for data retrieval especially if some complex aggregation is required. That’s what databases are designed and optimized for, not necessarily for doing some complex xml manipulation. So database security using accounts the way it is to provide secure access to objects is fine by me. 
  4.  Security in the GUI. One might want to disable/hide buttons based on available permissions. This is still very possible leveraging on the strategy described. Security rules can be named and the access to widgets made based on the underlying Boolean condition of the security rule. 
  5. Manage Permissions Priority: If multiple permission sets are assigned and applicable to a subject, how do we handle priorities such that the effective permissions are either the most or least restrictive?
  6. The User’s profile should contain the necessary values needed to restrict parameter values: The subject’s profile must contain all the necessary information to make decisions and to set parameter values. For example, the user’s id, which will be used to query at runtime. 
  7. What is the performance impact? I plan to run performance benchmarks for this approach in coming posts. However, there is a very useful and well-maintained set of benchmarks by Daniel Palme that shows the speeds of different frameworks for the underlying DI and interception scenarios at http://www.palmmedia.de/blog/2011/8/30/ioc-container-benchmark-performance-comparison
  8. Process Security. What does this approach do for the security of the process? Does it create any vulnerabilities that hackers can use to hijack the process and perform malicious actions? I don’t know of any vulnerabilities that would be as a result of this approach. Having said that, it doesn’t deter any efforts at further strengthening security from outside the process vis-à-vis mechanisms like Code Access Security for .NET, using special operating system accounts, obfuscation, etc.
As mentioned, I will make another post to demonstrate this in practical terms.
Thank you so much for reading and in advance for your comments.

History

August 2016 - Initial version

Thursday, August 20, 2015

Calling all Argonauts! The Death of Oil and The Dream of Nigeria’s Industrial Power.

In “The New Argonauts: Regional Advantage in a Global Economy”, Dean of School of Information at the University of California, Berkeley, AnnaLee Saxenian writes about a breed of “foreign born, technically skilled entrepreneurs who travel back and forth between Silicon Valley and their home countries” launching companies and creating new wealth and new markets using technology. For her, they are reminiscent of the argonauts who according to Greek Mythology, were led by the protagonist Jason on a perilous quest for the Golden Fleece which remains a symbol of desirable, lofty and difficult goals. The compelling narrative she delivers emphasises the value being delivered by these individuals who leverage their knowledge and experience for the benefit of the well established technology centers as well as the less technology advanced or developing countries where they originally hail from. The latter part of her book’s title i.e. “Regional advantage in a global economy” begs the question - What is Nigeria’s Regional Advantage in the Global Economy? 

Like the countries mentioned in the book, Nigeria is accustomed to the concept of the 'Brain Drain' but not so much that of 'Brain Circulation' judging by the lack of industries that are capable of surpassing local demand enough to be globally competitive. But we must focus on the problem only long enough to understand it enough to shift focus to the solution. The National Investment Promotion Council has done that and come up with a master plan called the National Industrial Revolution Plan (NIRP) which goes as far as aligning with well recognised initiatives like the Vision 2020 (Transformation Agenda). It was released in January 2014 and in my opinion is a truly laudable effort at inscribing the vision "so that those who read it will run with it".

The NIRP Release 1.0 includes a good SWOT analysis of Nigeria’s industrial landscape and outlines in quite clear terms steps to be taken to achieve industrial power. However, it is skimpy and somewhat vague when discussing the area it refers to as ‘services’ which as contained in the document includes formal retail, haulage, call centers, shared service centres and engineering services. The wording exposes a timidity on the part of the author when it comes to addressing Nigeria’s lack of and urgent need for enhanced technological abilities, abilities that can only be developed with training and experience and which are critical to any industrial success.

There are visionaries who believe and preach that Nigeria will be the most desirable nation on earth to live in by the stroke of midnight on Wednesday 31st December 2025 and that date is roughly 10 years from the time this article is being written. Considering the Nigerian antecedent with respect to nation building projects and the current state of affairs, that is not much time left to achieve that utopia of sorts and definitely does not leave room to dither about the issues that are to be addressed. At a time when the largest consumers of oil products are recording profound success with policies in favour of green energy, it is clear that oil will probably never fetch the price it once did. And that governments who have thrived majorly on the extraction of their natural resources like Nigeria will have to improve their methods.
Taken seriously, the vision is not laughable or unrealistic considering how naturally blessed the country is. Nigerians are some of the most talented people in the world but the management of such talents leaves much to be desired.

So we ask again - how can we create the land of our dreams in these ten (10) odd years that are left? To be more than a simple daydream, it must create positive daily actions that compound together over time to create the extraordinary and for the avoidance of doubt, will have more to do with the socioeconomic realities sustained by citizens than how good the weather is. Refusing to honour this possibility with the necessary constructive thought and attention it demands is a travesty of treasonable proportions directed not only at Nigeria but at the entire world which stands only to benefit from its realisation.

A list of prerequisite conditions for this envisioned improvement could include objectives like:
  • Be a Financial hub and Economic Nerve Centre for the region.
  • Improved Agricultural yields and Increased Exports
  • Abundant Tourist Attractions and Robust Hospitality Industry. 
  • A Center of Technological and Scientific Innovation and Productivity.
  • Educational institutions that are actually engaged in productive thinking.
  • Policy, Market and Economic Structures and Frameworks that promote Entrepreneurship - Autonomy, Complexity and A Direct Variation of Reward with Effort.
  • The Protection of Intellectual Property Rights 
  • A Robust and Resilient Payments System
  • The Security and Safety of Lives and Property and the protection of Civil Liberties and Rights.
  • A Mature Judicial and Legislative Environment. 
Taken individually each of the outcomes expressed above is not trivial to achieve talk less of a combined realisation of most if not all of them which will be the result of a lot of good thinking and action. What is intended is to highlight the seriousness of the situation and the action it requires with particular focus on Technology in general and software development in particular.

We all must divest ourselves of any apathy towards the concept of a new, improved and united Nigeria and uncover our minds of the lethargy and inertia from years of disappointment and unanimously and conscientiously report at our different points of service on a daily basis.
The path of progress must be full of quick wins to bolster confidence and convert the recalcitrant. The end goal must be broken down into S.M.A.R.T objectives that can be pursued and attained with reasonable effort within reasonable constraints. The NIRP represents such a list of objectives but it also has to be brought to the fore of the Nation’s consciousness for every citizen to positively own their own piece of the action. One potential quick win lies in the nascent software development industry of Nigeria.

Steve Lohr writes in the New York Times about a Math major in the US who moved himself up from a $20,000 job waiting tables after graduation to one as a data scientist where his first salary was over five (5) times his previous at a web startup after taking just a three month course of computer programming and data analysis! Also mentioned is an English major who after a 24 week web programming class, now works as a software developer.

Both examples exemplify the opportunity, no, the Imperative of Maximising Nigeria’s Creative Bandwidth in Software Development. The combination of our current economic realities and envisioned future compel us to initiate urgent countermeasures to forestall a national emergency at worst or embarrassment at best.

In more developed countries, workers are moving to jobs in software development for greater financial benefit while here in Nigeria, the reverse is the case - people are actually avoiding coding altogether to make money elsewhere in ICT via less rigorous but more rewarding pursuits. It has become easier to talk the talk and leave the work to some poor soul who has little choice by natural predisposition or unfortunate financial situation. Hence, the proliferation of firms with little actual value added but huge profits earned from exploiting the absence of a local knowledge industry. It’s easier to take the path of least resistance which offers temporary benefits at the expense of long term political and economic emancipation of the exploited.

While it is okay for local ICT players to import technology for profit and local consumption it is unforgivable to refuse to pursue the development of local content and absolve the nation of the unrelenting burden on the nation's current account. Nigeria remains Africa’s largest telecoms market but does not have any mobile phone production plants. Selling software to the Nigerian government remains a game changer for many software vendors but none of the top 100 earning software companies of the world has a software development campus in the country.

Countries lead using technology - by placing a premium on creativity, innovation, entrepreneurship and productivity. It is laughable that Nigerian companies would consider outsourcing the development of custom software to foreign climes as a solution when these projects can be executed locally with less burdensome financial implications. I agree that in the context of individual commercial projects even outside the scope of ICT, it often makes better financial sense to outsource production, but never in this case in the long term. The government of the day must create and maintain the much needed socioeconomic infrastructure required for a conducive environment for takers to tackle the issue of creating the software needed to power the new knowledge economy. As eloquently expressed in the NIRP, "the Nigerian government must leverage its public sector spending to encourage local industry."

Recently, the president of Nigeria announced the commencement of an initiative for domestic weapons production. In his words - “We must evolve viable mechanisms for near-self-sufficiency in military equipment and logistics production complemented only by very advanced foreign technologies… The Ministry of Defence is being tasked to draw up clear and measurable outlines for development of a modest Military Industrial Complex for Nigeria”.

The announcement was made against the backdrop of the military's long drawn grapplings with insurgency but I eagerly await another similar announcement by the president to counter the currently unravelling spectacle of the nation's efforts at managing the depletion of the Nation’s foreign reserves. That is, an announcement for the development of a state of the art Software Development Industrial Complex for Nigeria which unlike a modest military complex, can be productive in far less time.

Any doubt as to the verity of the foregoing sentence should be cast away as you recall the story of the waiter turned programmer and his consequent financial benefits. Consider the possibilities if Nigeria were to position its huge number of unemployed and underemployed to provide value to themselves and the nation in a similar manner as the waiter did for himself. While software development is not a trivial enterprise, it can when architected properly, quickly yield benefits and minimised costs with phased rollouts of large systems. It provides ample benefits in terms of productivity by creating systems and tools that automate business functions and increase efficiency. It can be learned by anyone who can read and write just like playing a musical instrument.

The current devaluation of the Naira is a reflection of and on the true state of the economy and is not as a result of any interventions so to speak or the lack of it but the culmination of years of insufficient efforts at ramping up the ability of the nation to create actual value. Hence, at the instance of a severe loss of demand for Bonny Light in the international market and consequent diminished oil revenue, the fiscal and monetary authorities are not as eager to expend the now meagre trickle of petro-dollars  at the foreign exchange markets. 

In proportion to its productive population, Nigeria really doesn’t produce and the quicker we start to do so, the better. The propaganda trailing the re-basing exercise undertaken in 2013 is nothing but a facetious attempt at alleviating the dire urgency which the current Nigerian situation needs to command. It was particularly frustrating to be subjected to the narrative of Nigeria being the largest economy in Africa without the more instructive clause that it ranks 36th on the list of African countries by GDP per capita at Purchasing Power Parity. This means that the citizen of Nigeria - the regular person on the street - ranks 36th in the continent in terms of their ability to spend! This indeed is a far cry from the unforgivably deceptive prose of Nigeria’s economic superiority. Consider also, that the 36th position is averaged and where the lower placed elements on that distribution would lie.


Please consider also that Nigeria’s population which in 2013 was approximated at 173.6 million was more than three times that of South Africa’s 52.98 million which is ranked Africa's second largest economy.




The information presented here is clear. While Nigeria’s population is the highest of the countries shown, its productivity per person a.k.a GDP per capita is one of the lowest in the continent and not so much more than the smallest country of the continent - Somalia!

So, the question now is, how do we correct this and create a better place for everyone? The devil is in the details. But it can’t be done by avoiding the truth in the facts. Nigeria's argonauts will not launch into the deep to take advantage of whatever apparent advantage there is unless the climate for doing so is as risk free as possible. If the government were to float a bond to finance a technology park - Nigeria's own silicon valley - what could be done to convince investors to buy? Government's role indeed is to start up the creation of an ecosystem that supports and encourages start-ups and to tend and nurture them as they grow, providing all that is required for healthy growth and weeding out unwanted elements that stifle progress. It's easier said than done but fortune favours the brave.

In closing, Mr. President’s stance against corruption is clear and present - the true nature of which continues to unravel in the world’s eyes. Fighting corruption is as important as it is urgent because no progress can be made until it is dealt with. However, nature abhors a vacuum and we must replace corruption with the progressive and unifying spirit of nation building so that we can learn the benefits of a noble existence working together for the common good. A failure to engage the court of public opinion in activities that clearly show these benefits may give credence to the voices of those who suggest that the anti-graft campaign is nothing but political and personal vendetta and empower those who have made it their mission to invert the minds of those who vicariously vacillate among views of endorsement or opposition.


Wednesday, July 15, 2015

The Imperative of Maximising Nigeria’s Creative Bandwidth in Software Development

Let us paint a picture of misplaced priorities and misdirected energies. Of high sounding rhetoric dripping with the promise of positive change but devoid of empathy, sympathy or honest conviction and borne of shallow eloquence. Of a nation teetering on the brink of truly lamentable insignificance despite a heritage of opulence. Now, conjure up a convenient representation of these phrases in your mind because that is our collective reality - the state of our nation.  

“…extra-ordinary achievement is less about talent than it is about opportunity…” Malcolm Gladwell.

The foregoing quote is from the book “Outliers - The Story of Success”. And if you disagree with this summarisation, I encourage you to read it for yourself; just as you should, anyway. This challenge is issued in the same spirit as the phrase itself - with the intention to provoke deeper thought on the way we approach the never ending journey of national success. In the interest of fostering a much better narrative for our commonwealth, honest introspection and stock taking are hardly moot activities to undertake. The notion that the proliferation and growth of small and medium scale enterprises is essential to the growth of any economy is self evident as more people would be efficiently utilising available resources to produce value and reduce waste which means less unemployment and more self-reliance. But to achieve this, certain general factors must prevail. To unleash creativity, innovation and ultimately productivity, three critical ingredients are required. These are the trifecta of autonomy, complexity and a direct relationship between effort and reward. Autonomy, to allow for individualistic aspirations and ambitions to flourish, complexity to provide the adequate challenge for takers, and a direct effort-reward relationship to incentivise and provide fulfilment.

Consider for a moment, the instance that a prominent Nigerian called for the Government of Nigeria to commit itself to using locally developed software within the next three years in areas such as Human Resource Management, Accounting, Payroll, Public records, Enterprise Resource Planning and Payment Systems, etc. The immediate knee-jerk response I have seen and expect is an immediate dismissal on grounds that the technical skills required to execute such large projects do not exist within Nigeria in the necessary amounts to achieve this phantasmagoria. I am further convinced that this outcry will, to a greater degree, stem from cognate professionals, who are well versed in the weighty issues to be tackled in achieving the feat. “It is not profitable”, “It is too risky”, “There isn’t enough skill locally” are phrases I have heard or read in response to most incarnations of the aforementioned suggestion to the point that I wonder about the possibility of a conspiracy. But we should concern ourselves with the problem only long enough to understand it enough to know what the solutions must be. To be fair however, this pessimistic frame of mind has thrived because of the absence of a suitable environment that promotes economic demand for locally crafted technology. Because supply, in quantity and quality usually rises to meet demand. Most sadly, Nigerians with the inconvenience of happening upon truly noteworthy innovations do not stand a chance at seeing their ideas materialise if they stay within their native borders.

But let it be understood that any problems in the space of Nigeria’s technology industry in general and software industry in particular, must be wrestled and tackled to the ground. The promise of industrial and technological emancipation and its attendant economic benefits must find a place in our sustained state of mind begging focus on solutions in order to orchestrate or take advantage of circumstances that facilitate desired outcomes. The notion of the aforementioned government mandate on such a scale and the benefits it portends have existed in the blind spot of our Nation’s consciousness for too long. And like every trained and experienced automobile driver knows, undetected objects in one’s blind spot can be the cause of sudden mishap at any turn. To achieve technological self sufficiency, we must return to the drawing board and collectively revise our understanding and execution of the concept of the industrialisation of Nigeria. It must be remembered that we remain in exclusive possession of the talents, idiosyncrasies and opportunities to correct the issues that bedevil our country. But what are these issues? Why software? And what exactly do we stand to gain?

For the honest observer, the face of Nigeria’s future does not promptly cut an encouraging figure. Sovereign debt is on the rise as Government finances continue to dwindle. Unemployment figures remain discouraging as states are unable to pay workers’ salaries and must go cap in hand to the center. The downward pressure on the naira remains unrelenting as the apex bank struggles with the balancing act of general price levels, money supply and interest rates. If real change is not actualised soon, socioeconomic calamity on an unprecedented scale threatens. For the first time since inception, the central bank has closed both the retail and wholesale foreign exchange windows to save the naira. This begs the question, “what is different about the economy now?”
Who would have thought that so soon after a profitable regime of oil prices, things would suddenly become as bad as to warrant the downgrade of Nigeria’s credit rating by International Rating Agencies? It would certainly not be remiss to submit that some sort of turbulence threatens and we must take steps to steady ourselves.

Like a hapless kid on the playground whose playmates have all gone away with their toys and time, Nigeria now sits in the sands of economic doldrums left with the opportunity, or imperative if you will to make its own destiny. What will serve as the underpinning for its self crafted and self administered solutions? Advice from its more mature and more self sufficient playmates? Or the exertion of its powers of self determination in a judicious and alacritous manner? The words of the foremost reggae musician come to mind - “None but ourselves can free our mind”.
As the shale oil revolution propels the United States to greater energy self reliance and others like Jordan to greater developments in renewable energy, what are Nigeria’s plans to reverse the onslaught of a speedily devaluing currency and imploding economy? Both instances mentioned of successful national initiatives serve as examples of governments who not only postured but worked assiduously to positively alter the course of national life in efforts that were well beyond the ambit of any private concern.
Truth be told, Nigeria has several surviving plans and initiatives that insinuate promise but lack a critical ingredient i.e. the provision of adequate opportunity for the sufficient number of participants in technology at all levels to reach the critical mass required to truly tilt the balance in our favour from being a consumer-addict to producer-giver.  The question sticks out like a sore thumb - Why does Nigeria - the most populous black nation on earth - remain a net consumer economy expending billions of dollars of what was once a steadier stream of oil revenue to import technology? I’ll tell you why.

It is not the fact that its large number of citizens need technology to improve their efficiency in the course of professional and occupational pursuits or that of the booming entertainment industry that requires state of the art technology for the addition of finesse to thespian endeavour. 

It is that we are self serving and intellectually lazy. An unfortunate mien that, as far as the rest of the world is concerned, is the ethos of our land. Sadly this has been allowed to fester amid a pungent heap of hedonistic and reprobate manoeuvrings at every level of society that persist as our status quo. It is safe to say that within these borders, the rule and not the exception has been that no socioeconomic initiative, no matter how noble or urgent can see the light of day if its protagonists do not understand the language of ‘settling’ meaning Nigeria’s version of the concept of stakeholder management. And so, we continue to stifle creativity, competition, growth and joy.

It is also because generally speaking, there is  a huge chasm of unfulfilled promises and unrequited loyalties by the government such that the nation’s sense of responsibility to each other has been largely eroded by the myopic will to acquire for survival. The huge potential of Nigeria’s human resources lies greatly and unforgivably untapped as all fall victim of the resource curse and place higher premium on what comes out of the ground than who put it there. If there is any doubt as to this imbalance of priorities, consider that the educational sector of Nigeria remains terribly insufficient in providing skilled manpower. Meanwhile funds continue to be ‘packaged’ and disseminated in inordinate amounts on all sorts of ill conceived, disconnected and counter-active projects without focus and proper prioritisation. Like an unfortunately recalcitrant mother whose illiteracy, obstinacy and ignorance provide the deadly mix that favours administering nothing but analgesics to a child with malaria, the risk grows with each laboured breath of sudden, irrevocable but preventable end of life.

It is time to be reminded that the most technologically advanced countries of the world all achieved superlative feats  of creativity and innovation by self determination with sovereign mandate and leadership serving as the necessary fulcrum and impetus. Real progress is only to be made when a demand is placed on the people to achieve great feats. Such is the nature of good leadership. The idea of government and industry committing to a plan of using indigenously developed software is such a demand.

Why Software? Because in Nigeria, it’s virgin territory with much yet to offer and we spend too much on its importation. Because it does not come shipped in freight containers and get cleared at the ports, that may not be immediately obvious. We use a lot of it - from banking software, electronic funds transfer platforms to Enterprise Resource Planning applications for large corporates and government establishments. We are an emerging market with the promise of continuous growth and lots of unused potential. A lot of that growth will be driven by technology and software is a critical part of that. Additionally, it is less prohibitive than hardware. The case is to be made for the forging of electronic components for the construction of hardware in Nigeria but for that we need to reverse the huge embarrassment of our lack of industrialisation. Textile industries even in cotton producing states are closed and the Ajaokuta steel rolling mill project remains moribund. It would be nice to be able to produce technology from locally extracted materials but that is a story for another time.

Due to the foregoing, there is a huge burden on Nigeria’s foreign exchange. Dependent on other climes for most of our software, we continue to spend forex to acquire and support imported software. There are other factors - other areas where we can also become self reliant and reduce the pressure on our reserves, but we will stick with software in this discussion. The expectation is that other sectors of the economy will find adequate representation in the clamour for self reliance. According to Global Consulting Firm, PWC, the most populous black nation on earth is not mentioned among the world’s top 100 software earners. In recent history, Countries like China, Brazil and South Korea have developed an extensive software sector relying largely on fulfilling the demand in their domestic market and then handling external demand. The quantum of existent and potential SMEs should be incentive enough for large scale software development for the local SME market.


What do we stand to gain? We can create jobs on an unprecedented scale and improve the general wellbeing of our people by making Nigeria a veritable knowledge economy. A quick glance through the stocks listings in the dailies will show that we do not create enough value internally to withstand the continued lack of revenue from oil. Foreign software firms who have enjoyed patronage by the country could be invited to set up local development campuses to foster the knowledge and skills to promote cost effective production.

Developing software internally will reduce foreign exchange depletion and improve indigenous skills in technology. The higher local content component will promote a more technology savvy populace which means more effectiveness of the labour force. Generally speaking ICT by its nature provides support to strategic objectives and deepening of the industry will provide support to lofty national visions such as Vision 2020:20 and the MDGs. This implies a revived educational sector due to demand for high quality skills and eventually more cost effective technology solutions and products. 

To get a clearer picture of the challenge being put out, consider this list of government mandated technological projects that changed the course of history. 

To start with a bang, The Manhattan Project, a research and development project that produced the first nuclear weapons during World War II was led by the United States with the support of the United Kingdom and Canada. A project that began modestly in 1939, it grew to employ more than 130,000 people and cost nearly $26 billion in today’s US dollars. It was led by a team of Military and private sector scientists and engineers under the direction of Major General Leslie Groves of the US Army Corps of Engineers while physicist J. Robert Oppenheimer was the director of the Los Alamos National Laboratory that designed the actual bombs. It was a multidisciplinary effort that produced several allied scientific discoveries that find many industrial applications today. To quote Major General Groves’ words as he bade farewell to the men and women who had worked on the project,
“Five years ago, the idea of Atomic Power was only a dream. You have made that dream a reality. You have seized upon the most nebulous of ideas and translated them into actualities. You have built cities where none were known before. You have constructed industrial plants of a magnitude and to a precision heretofore deemed impossible. You built the weapon which ended the War and thereby saved countless American lives. With regard to peacetime applications, you have raised the curtain on vistas of a new world”
While I am not fond of the destruction unleashed by the results of the project, its success changed the face of history, helped secure America’s sovereignty and involved the actualisation in Groves’ words of lofty, nebulous dreams in just five (5) years.

Next and more recently, the internet which is now so ubiquitous in its application is a culmination of work commissioned by the US Department of Defense in the 1960s. In the words of Oliver Burkeman, a writer for the Guardian Newspapers of the UK in an article published in 2009, attempting to express the magnitude of the internet’s impact on modern life is an undertaking that quickly exposes the limits of the English language.
Huge advances made in aeronautics have stemmed from space programmes launched by the Soviet and American governments from as early as the 1950s. In a riveting performance by Benedict Cumberbatch in the 2014 film “The Imitation Game” we are reminded of the man Alan Turing, considered to be the father of theoretical computer science and artificial intelligence who was highly influential in the development of modern computing techniques and provided a formalisation of the concepts of algorithms and computation with the eponymously named Turing machine which is the model for the general purpose computer we use today. His lofty achievements were not the product of his sheer genius alone but also due to the essential ingredient of opportunity provided by the English government for his theories and skills to be honed. As shown in the film, his work in creating a computational machine to break the code of the Enigma device used by the Germans to encrypt sensitive information helped to end the second world war.

The point I am driving at, dear reader is that the Nigerian government needs to pick up on the air of urgency that is wafting from and among the hearts of its people and create adequate opportunities for potential talent in the populace to exercise and develop creative and professional abilities in software. The required approach is not to simply throw money or men at the problem but to constructively develop a plan to maximise the ability of Nigerians to create and innovate.

What can be done now?
The journey of a thousand miles starts with a single step and it is said that success is not a destination, but a continuous never ending journey. Steps need to be taken to reverse the trend of fruitless national exertions especially in the light of the country’s dwindling resources and take steps that provide the maximum positive impact and value.

We complain about brain drain and our best people migrating to other climes but yet fail to provide safety for their autonomy, freedom to allow them solve complex problems or sufficient assurance that reward will vary proportionately with their effort. The right environment will attract and nurture the right people.

The quaternary sector of the economy which is the knowledge based part of it must receive appropriate attention by closing the gap between the output of the education sector and industry. Our schools apart from being grossly inadequate to meet demand provide little preparation in terms of practical skills to graduands. This is alarming considering that five to ten years from now, they will need to be working in jobs whose descriptions have yet to be written with some skills no one has today. Such is the continuously changing vista of information technology. Research and development is virtually non existent in industry and academia but needs to be properly funded and pursued.

The Ministries of ICT, Science and technology and Trade and Investment should work together to institutionalise a software development/management unit that is charged with the task of planning for Nigeria’s use of locally developed software for mission critical and essential services of government. At the very least, said unit will develop and maintain a blueprint for the creation of a software and technology framework for the agencies of government that emphasises security, efficiency, collaboration, coordination and optimisation of processes to manage the government’s cost of technology. Technology should not be procured for government from foreign parties unless it can be proven that the resources do not exist to create such technology locally within reasonable boundaries of time and cost.

As a matter of national emergency, interest should be taken in the revival of the nation’s extractive industry, particularly the steel rolling mills of Ajaokuta and Delta. Their importance in serving as a springboard for Nigeria’s industrial renaissance cannot be overestimated. The multi-billion dollar Ajaokuta steel rolling mill, commonly referred to as the ‘bedrock of Nigeria’s industrialization’ would definitely have been more economically productive if the land upon which it is built was used to grow cassava. The steel plant itself is built on 800 hectares of land within a larger expanse of 24000 hectares. Whatever the reasons for its lying moribund for decades as a first class national embarrassment, successive governments have failed to execute a plan that will achieve optimal production till date.

In summary, the challenge here presented is for government to commit to significantly cutting its costs by actualising a plan to use locally developed software and technology within a sensible timeframe. On the chance that your mind still clutches desperately to any vestiges of doubt as to the dire need and imperative to take this one on, recall the ongoing struggle with insurgency which to a large extent stems from a lack of proper engagement of the country’s youth. It is quite plausible to consider that the alternative outcome for some felled enemy combatant that succumbed to the destructive strategies of radicalisation could have been much better had they been properly exposed and guided to meaningful opportunities. And where they do not take up weapons, the underutilised and disenfranchised find occupation in less than noble pursuits. For this reason and in addition to the natural course of things we are then a nation whose population continues to increase geometrically and the net effect of ignoring this challenge to greater responsibility should only be imagined.
Sadly, but instructively, within the rank and file of the nation’s peoples are those who will most likely never achieve anything of significance despite immense God given talent. Significance for them is an eventuality currently precluded by their continuous battle to maintain subsistence. They are watching, waiting and hoping.

In closing, recall the eminent software entrepreneur and philanthropist Bill Gates who needs little introduction. He was born on the 28th of October 1955. This date is important because it is the same year that Steve Jobs who founded Apple Computers was born on February 24th and not more than one year apart from Bill Joy (November 8, 1954), Vinod Khosla (January 28, 1955), Scott McNealy (November 13, 1954) and Andy Bechtolsheim (September 30, 1955) - the four of which founded Sun Microsystems - the creators of the Java Programming Language and Network File System. Today, their average age is about 60. They became giants of the technology industry because as children, they witnessed the birth of the Personal Computing revolution in the 1950s and 1960s and their eager, absorbent minds were the incubator for the many ideas that they brought to life.

What opportunities are we exposing the young people of today to? The possibilities are instructive.

Saturday, May 30, 2015

Buhari's Presidency - The Return of A Change Agent?

When President Muhammadu Buhari became the Head of State of Nigeria on the 31st of December 1983, he was a forty one (41) year old Major-General serving as General Officer Commanding the Third Armored Division of the Nigerian Army in Jos and it was just a few days after his birthday on the 17th. On the 29th of May 2015, some thirty odd years after, he has been sworn in as president. This time he is - in his own words - a "Converted Democrat". He is now a seventy two (72) year old politician who has run for that post in every election in the fourth republic - a total of four (4) times.

The amount of controversy that trailed him during the general elections begged the need to gain some clarity about him.  I discovered that he's participated in three (3) coups in Nigeria's rich sixty five (65) year history and his last one ousted Shagari. He's been a governor,  minister of petroleum resources and head of the PTDF but has confined himself to a somewhat ascetic existence in atypical fashion.
While a lot can and has been said of him on both sides of the moral divide, it is undeniable when considered objectively that he is regarded as an incorrupt  leader and a man of fierce integrity.
Needless to say, in a time when corruption has become commonplace in our most hallowed institutions, the fight against corruption and war against indiscipline - two strong elements of his previous government - are imperative as critical and pivotal elements of the strategy that must be deployed going forward.

One cannot fail to see the resemblance especially as astutely outlined in this PM News article - Buhari, A Hero Then, A Hero Now in his first and second ascension to the highest office in the country. In 1983, he became head of state amidst precarious economic circumstances during the Shehu Shagari regime which are all too reminiscent of Nigeria's current situation. To name a few, there was then and is now:
  • Significant decline in world oil prices and resultant dwindling of the nation's finances.
  • Copious allegations of corruption absent judicial consequence.
  • Endemic ethnic religious violence.
  • Widespread unpopularity of the government with the citizens.
This raises a few questions for me - is Buhari's  return a coincidence or by design - divine or human?
Are Nigerians only ready to accept the taste of the bitter medicine we need for things to get better when it is almost too late? We must point out that this "change" is only here now because the people of Nigeria didn't want it bad enough until now. Our experiences as a nation have brought us up to the point where we would rather have a former military ruler take charge than a civilian democrat. Perhaps we were too busy doing the dance around with quacks and charlatans who distracted us with such loud but empty promises - with micro interventions that did nothing to stop the rapid dilapidation of the nation.
As is commonly said in politics - "Vox Populi, Vox Dei" - meaning "The voice of the people is the voice of God" - the people of Nigeria have clamored for a change that still not many may even recognize in its true, tangible form. This is not the first time we have jubilated at the commencement of Buhari's or even any other's tenure as president. With a train of panegyrics and encomiums, we create the persona of a messiah that has come to solve all of our problems. That has to stop.
This time, let us as a nation be older and wiser and tread the path of National recovery with more participation and vigilance. No one can singlehandedly solve even their own problems.

A lot has also been said about his suitability for the position of President of Nigeria considering his past as a military 'dictator' but what matters now is that he is president. It is immaterial whether it was just bad luck for the outgoing administration to be the first incumbent to be voted out in Nigeria's political history or as a result of gross mismanagement and monumental ineptitude among other things.

We must discontinue the promotion of divisive sentiments that do nothing for national unity but rather talk objectively about advancing the commonwealth of Nigeria for the good of all.
Such a conversation must be continuous, careful and calculated, a national discourse that is without feudalistic machinations and  draconian hegemony. It must be all encompassing and embracing, bold and visionary. It must not preclude any sect or group from participation but be forthright and equitable forthwith.

I am not talking about another national conference but rather, the manifestation of a government that does not waste any effort in promoting the welfare of its citizens - that understands that it comes from the same crop of people and without them - it is nothing. Even the most powerful kingdoms of the earth in times past have only thrived on the support of their people.

This power of the people is a concept that I believe the outgoing ruling party has become quite familiar with. The people of Nigeria more so. I have lost count of how many times I have heard someone tell me it doesn't matter if we vote, the "powers that be" would put their man in power. It is only mental laziness to think that way. Our numbers at the very least are too overwhelming for us to embrace docility so easily. We have all witnessed firsthand our power to self determine. The power to choose our own destiny as a people and not succumb to mediocrity and think it will be alright in the end.

In summary, my hope is all Nigerians will now realize that God only helps those who help themselves. Good leadership isn't borne of luck, good or bad but of duty, discipline and diligence. We must uphold the values and noble ideals that all men everywhere hold true. We must expand our internal capacity for self development and progress. Because when we put our minds and backs to it, the harvest can be plenteous and abundant, more than enough for all - and then it won't matter what part of the country we are from, or how we choose to worship.

Change has begun, let's get to work.

Thank you for reading. Please leave your comments below.


Sunday, May 17, 2015

Don't try using Oracle's Fusion Middleware with Windows FTP. Just don't

I'm writing this out of pure frustration with Oracle's SOA Suite Product.

It's disgraceful and a downright time waster. To avoid sounding like a ranter, the following is a summary of my issues with it.


  1. The absence of a proper debugging environment. If there is, I haven't seen how to use it in any of the documentation I've been looking at for about 2 years now. To 'debug' BPEL and Composite Applications I have to rely on the audit trail in the Enterprise Manager window. That's a cycle of develop, deploy and run on the FMW server for every little change I'd like to test and examine. It doesn't stop there! To see more details about why, for example, an FTP connection is failing, I have to scour the log files - there's no point trying to use the EM GUI for that, it's too unwieldy to make productive sense.
  2. The combination of Oracle SOA Suite + Oracle Weblogic Server is a memory hungry monster that will eat up all of your precious working memory.
  3. Deploying other products such as Hyperion, Essbase is a nightmare! Too many things left to the administrator. Why not just wrap all these up into a proper UI and handle your business. It all gives the feeling that all of the products were hurriedly put together.
  4. Don't try using the FTP Adapter with a Windows NT FTP server. Even when the servertype, listParserType, recentDateFormat etc parameters are properly configured as per http://docs.oracle.com/cd/E12839_01/integration.1111/e10231/adptr_file.htm#BABEDEGC it still doesn't work! And wait, there's no way to properly debug it to find out exactly what's happening and the log files aren't helping much.

P.S. I'm writing this after spending at least 6 hours trying to list files on a Windows FTP server from BPEL without success even when the Weblogic/SOA is installed on Windows itself.
The default settings on the FTP Adapter work without issues tho.

Dear Oracle, keep it up

Friday, February 21, 2014

Unable to invoke endpoint URI successfully due to: oracle.fabric.common.PolicyEnforcementException: Non-MTOM message has been received when MTOM message was expected

I followed these steps while attempting to mock an ssl enabled web service using the very cool soapui.
I went here to get rolling http://ejvyas.blogspot.in/2010/12/2-two-way-ssl-using-soapui-as-client.html.


  • Created a mock service in soapui using an existing wsdl file on disk (which had a valid xsd imported into it in the same folder).
  • Created a composite in JDeveloper and deployed to Oracle SOA to call the yet to be ssl enabled webservice and I get the unexpected error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault>
         <faultcode>env:Server</faultcode>
         <faultstring>Unable to invoke endpoint URI "http://<host>:<port>/xxx/xxxxxx" successfully due to: oracle.fabric.common.PolicyEnforcementException: Non-MTOM message has been received when MTOM message was expected.</faultstring>
         <faultactor/>
         <detail>
            <exception>Unable to invoke endpoint URI "http://<host>:<port>/xxxxx/xxxxx" successfully due to: oracle.fabric.common.PolicyEnforcementException: Non-MTOM message has been received when MTOM message was expected.</exception>
         </detail>
      </env:Fault>
   </env:Body>
</env:Envelope>

So I find out that MTOM, according to Wikipedia (MTOM), is the W3C Message Transmission Optimization Mechanism, a method of efficiently sending binary data to and from Web services and is usually used with something called XOP. Right then, I didn't care about MTOM optimization. I just wanted to call the mock service and move on to ssl enabling it.

I discovered there are a number of ways to fix this:

  1. In the request and mockresponse in soapui, there are some properties forceMTOM and enableMTOM. Set forceMTOM to true in the mockresponse properties, or
  2. In JDeveloper, right click on the affected reference service, configure WS Policies and under MTOM add the oracle/no_mtom_policy (ensure the box next to it is checked). Compile and deploy. The WS Policy should be visible in Enterprise Manager (EM) Fusion Middleware Control. The policy can be attached in EM but it will be lost on redeployment if it's not attached in the source code.

    However, I was under the impression that soa suite didn't expect mtom by default as I hadn't got the error before then when calling webservices.
    After digging around a little more I found out that mtom is associated with serializing large binary data being transmitted to/from webservices. I also noticed the wsdl file had some elements I wasn't used to - binding, service and policy. It turns out that the policy element had something in it - an OptimizedMimeSerialization element which, from here -> http://www.w3.org/Submission/WS-MTOMPolicy/ indicates that mtom is to be used for the service. So, the wsdl was to blame! It had to use mtom. So we fixed that and moved on.
  3. Used the java keytool to create a keystore and self signed certificate for soapui. (See referenced blog for details). All mocked ssl services in soapui will use the same certificate.
  4. Import the mock server certificate into weblogic's keystore using the command:
    keytool -import -alias <certalias> -file c:\server.cer -keystore $MW_HOME\wlserver_10.3\server\lib\DemoTrust.jks

    I was prompted for a password which is usually DemoTrustKeyStorePassPhrase.
  5. Restart weblogic server and soa and test the composite. 
If like me, you had enabled "require client authentication" in the soapui SSL preferences,  you may get the error below.  Just uncheck the box in ssl preferences.

Unable to invoke endpoint URI "https://<host>:<sslport>/xxx/xxxxxxxxxxx" successfully due to: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Software caused connection abort: recv failed
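
Returning to the WSDL policy that triggered the MTOM fault earlier in this post: the following Python script is an added example, not part of the original post. It lists each binding in a WSDL and reports whether an attached policy carries the OptimizedMimeSerialization assertion; the sample WSDL, its binding names and policy ids are constructed for illustration.

```python
"""Added example: report which WSDL bindings ask for MTOM through WS-Policy."""
import xml.etree.ElementTree as ET

# Constructed sample WSDL (not the one from the post); only the parts that
# matter for resolving policy references are included.
SAMPLE_WSDL = """<wsdl:definitions name="DocService"
    xmlns:tns="urn:example:docservice"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization">
  <wsp:Policy wsu:Id="Mtom_policy">
    <wsp:ExactlyOne><wsp:All>
      <wsoma:OptimizedMimeSerialization/>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="OptionalMtom_policy">
    <wsoma:OptimizedMimeSerialization wsp:Optional="true"/>
  </wsp:Policy>
  <wsdl:binding name="UploadBinding" type="tns:UploadPort">
    <wsp:PolicyReference URI="#Mtom_policy"/>
  </wsdl:binding>
  <wsdl:binding name="QueryBinding" type="tns:QueryPort">
    <wsp:PolicyReference URI="#OptionalMtom_policy"/>
  </wsdl:binding>
  <wsdl:binding name="PlainBinding" type="tns:PlainPort"/>
</wsdl:definitions>
"""

# Strongest finding wins when a binding carries several policies.
RANK = {"none": 0, "optional": 1, "unresolved": 2, "required": 3}


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts in front of names."""
    return name.rsplit("}", 1)[-1]


def mtom_requirement(policy):
    """Return 'required', 'optional' or 'none' for one Policy element.

    Simplification: any non-optional assertion counts as required; policy
    alternatives inside ExactlyOne are not evaluated separately.
    """
    found = "none"
    for el in policy.iter():
        if local(el.tag) != "OptimizedMimeSerialization":
            continue
        optional = any(
            local(key) == "Optional" and value.strip().lower() in ("true", "1")
            for key, value in el.attrib.items()
        )
        if not optional:
            return "required"
        found = "optional"
    return found


def bindings_and_mtom(wsdl_text):
    """Map each top-level binding name to its MTOM status."""
    # For WSDLs from untrusted sources, parse with a hardened parser instead.
    root = ET.fromstring(wsdl_text)

    # Index named policies by their Id so '#id' references can be resolved.
    policies = {}
    for el in root.iter():
        if local(el.tag) == "Policy":
            pid = next((v for k, v in el.attrib.items() if local(k) == "Id"), None)
            if pid:
                policies[pid] = mtom_requirement(el)

    result = {}
    # Only direct children: soap:binding inside a wsdl:binding shares the name.
    for binding in root:
        if local(binding.tag) != "binding":
            continue
        status = "none"
        for el in binding.iter():
            kind = local(el.tag)
            if kind == "Policy":  # policy written inline in the binding
                seen = mtom_requirement(el)
            elif kind == "PolicyReference":
                uri = el.get("URI", "")
                if uri.startswith("#") and uri[1:] in policies:
                    seen = policies[uri[1:]]
                else:
                    seen = "unresolved"  # external policy document
            else:
                continue
            if RANK[seen] > RANK[status]:
                status = seen
        result[binding.get("name", "?")] = status
    return result


if __name__ == "__main__":
    for name, status in bindings_and_mtom(SAMPLE_WSDL).items():
        print(f"{name}: MTOM {status}")
```

A binding reported as "required" is one where a client that sends plain SOAP can expect the kind of policy fault shown earlier, unless the policy is changed on one side.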



Cheers.

Sunday, January 12, 2014

India to be declared Polio Free on Monday 13th January 2014.

What a way to start the new year!
It's a victory for Indians. A victory for public health professionals. A victory for mankind.
I'm not Indian but I like to celebrate things like this.
I'm sure it took a concerted effort by all the arms of government. They saw a problem, worked at it - over the years - and now it's over.

Overcoming ignorance, illiteracy, a large population etc., they did it.

Congratulations, India.

http://www.hindustantimes.com/india-news/india-will-officially-be-declared-polio-free-on-monday/article1-1171899.aspx