PKI Security in Large Scale Web Applications – Part 1: The Call for PKI Validation

This week, Partnet begins a five-part series on PKI security in Large Scale Web Applications. We will cover the importance of PKI validation within the Federal Government, the limits of off-the-shelf PKI validation packages, a DOD case study of Partnet’s new eValidate software, and a description of the solution and outcome.

Part 1: The Call for PKI Validation

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.1

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of digital certificates that bind a public key to a user’s identity and credentials.

Major advantages of PKI include:

Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm across government agencies.
Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
Revocation of compromised certificates – Certificate Authorities (CAs) help agencies to immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the application of digital identification cards, known […]

Naming Conventions and Standardization: Improving Findability on the DOD EMALL

“What’s in a name? That which we call a rose by any other name would smell as sweet.”

Shakespeare’s famous quote may be true of flowers and lovers, but what about hardware and repair parts?

Name standardization and good data quality are important aspects of eCommerce, but they are especially imperative in a Government eCommerce site, where the Federal Catalog System has required item identification and naming standards since World War II.

Unfortunately, some manufacturers label items using cryptic part numbers that confuse customers. Vendors frequently shrug this off, saying, “My customers know what my products are and how to find them.” Vendors making this case, however, are simply cutting themselves off from a much larger customer base.

Naming conventions are one way to solve this, but even then, the conventions themselves must be standardized. Lack of standardized naming conventions is a frequent problem within Government eCommerce sites. A single item may have one name in the private sector, and an entirely different name in the government space.

Names may even change from region to region. Take gypsum board, sheet rock, and wallboard, for instance. Many customers might be surprised to find that these names all refer to the same item. Allowing for the use of colloquial names makes it easier for the customer to find items in a Government eCommerce site.

Partnet continues to search for new ways to make products easier to find on the DOD EMALL. Using standard naming conventions across suppliers and enabling colloquial search criteria are two ways we’re simplifying the process for EMALL customers.

In doing so, perhaps we afford them a chance to take time to smell the roses.

DOD EMALL’s pivotal role in the Haitian relief effort

According to recent reports from the Defense Logistics Information Service:
“DOD EMALL has been instrumental in the Haitian relief effort by providing a purchase venue for much needed relief material. Many organizations, primarily the US Navy, have utilized the DOD EMALL Disaster Relief Corridor to procure relief items.

While most purchased items were medical in nature, other items included maps, clothing, and aircraft accessories, along with food and water.

To date, more than $2.25 million in disaster relief materials have been purchased through DOD EMALL for Haiti. During the height of the relief effort, sales averaged $300,000 daily. DOD EMALL remains at the vanguard of support as DLA’s premier eCommerce logistics support tool . . . ” DLIS-L (Logistics Systems, May 2010)

As the original developer and current operator of the DOD EMALL, Partnet takes great satisfaction in knowing its Government eCommerce solutions are helping the Haitian people in their time of need. Further, we applaud the Armed Services, as well as the Defense Logistics Agency, for leveraging eCommerce innovations in support of the DOD’s international, humanitarian mission.

Does Data Quality Influence Government eCommerce Sales?

The simple answer is, “absolutely.”

eCommerce data quality relates to both invalid data and incomplete data. Potential customers may find it difficult to recognize what they’re buying without an image or thorough description. Data analysis on the DOD EMALL shows that vendors providing robust data descriptions and product images sell much higher volumes than vendors providing minimal data. Not surprisingly, the absence of a product image is often the most common catalog characteristic affecting sales.

Partnet engineers are working to improve master data verification and ensure the most complete, accurate data is available to DOD EMALL customers. In addition, Partnet’s distributed architecture and vendor management system allow vendors to maintain and update their own product data through real-time connections, which has proven to be a faster, more efficient model than caching data with a third-party host.

Good data is also portable–that is, standardized in a way that makes it consumable to external applications and systems. Toward this end, Partnet is working to improve the quality and portability of data on the DOD EMALL, in accordance with Electronic Commerce Code Management Association (ECCMA) guidelines and ISO 8000-110:2009.

Robust data can’t be achieved overnight–it requires a sustained process and thorough commitment to data integrity. Enterprises willing to make that commitment, however, will find it translates into increased sales and satisfied customers.

Around And Around With Rounding We Go . . .

No, it’s not the latest Dr. Seuss book. It’s dealing with rounding of numbers, and in this case currency within eCommerce websites.

Rounding has been part of computer languages as early as FORTRAN and C, which started back in the 1950s. Unfortunately for developers during those times, each form of rounding had to be coded by hand for every instance. Since then, however, more modern programming languages offer the various rounding options in much easier fashion.

eCommerce sites often integrate with multiple downstream systems. The DOD EMALL — the largest Government eCommerce site for federal buyers — is no different. Recent efforts within DOD EMALL have been to compare all uses of currency within the application, as well as to review their uses in downstream systems.

How many versions of rounding can there be? Well, there are numerous forms of rounding, including round-up, round-down, round-ceiling, round-floor, round-half-even, round-half-up, and round-half-down. It really depends on how complex you want (or need) things to be. Software developers may be wondering why their code isn’t acting as expected, and will be seeking answers. As a DOD-contracted IT provider for the DOD EMALL, Partnet has used several rounding functions, but here are a couple of examples:

The first example is the one you probably learned when you were a child. Round-Half-Up goes to the nearest neighbor — a discarded digit less than 5 rounds down, equal to or greater than 5 rounds up.

Round-Half-Up Examples

Initial Value    2 Digits of Precision
3.2277           3.23
3.22277          3.22
3.22255          3.22
3.275            3.28

Round-Half-Even is different. It also rounds to the nearest neighbor (a discarded digit less than 5 rounds down, greater than 5 rounds up), but when the discarded digit is exactly 5 it rounds to the nearest even neighbor (either by staying or going up).

Round-Half-Even Examples

Initial Value    4 Digits of Precision
3.22223          3.2222
3.222347875      3.2223
3.222247875      3.2222
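The two rounding modes above, reproduced in code. This is an added example written for this page, not Partnet’s or the DOD EMALL’s code; it uses only Python’s standard decimal module. The line-item amounts in reconcile_totals are constructed sample values. It goes slightly beyond the tables: it shows the exact-tie cases where half-up and half-even disagree, the well-known reason a float tie such as 3.275 “rounds the wrong way”, and the discrepancy that appears when a front end and a downstream system round at different stages.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_EVEN


def round_amount(value, places=2, mode=ROUND_HALF_UP):
    """Round a monetary amount (str or Decimal) to `places` digits using `mode`.

    Floats are rejected on purpose: Decimal(3.275) is really
    3.27499999999999991118..., so what looks like a tie silently rounds down.
    """
    if isinstance(value, float):
        raise TypeError("pass monetary amounts as str or Decimal, never float")
    quantum = Decimal(1).scaleb(-places)  # Decimal('0.01') when places == 2
    return Decimal(value).quantize(quantum, rounding=mode)


# The page's own tables, as (input -> expected) pairs.
HALF_UP_TABLE = {"3.2277": "3.23", "3.22277": "3.22", "3.22255": "3.22", "3.275": "3.28"}
HALF_EVEN_TABLE = {"3.22223": "3.2222", "3.222347875": "3.2223", "3.222247875": "3.2222"}


def check_table(table, places, mode):
    """True when every row of `table` is reproduced by round_amount."""
    return all(str(round_amount(v, places, mode)) == want for v, want in table.items())


def tie_cases(places=2):
    """Exact ties are the only inputs where the two modes differ.

    Returns {input: (half_up, half_even)}; e.g. '3.265' -> ('3.27', '3.26')
    because 6 is even and half-even stays, while '3.275' -> ('3.28', '3.28').
    """
    return {
        v: (str(round_amount(v, places, ROUND_HALF_UP)),
            str(round_amount(v, places, ROUND_HALF_EVEN)))
        for v in ("3.265", "3.275", "3.285")
    }


def float_trap():
    """Why 'my code isn't acting as expected': the binary float 3.275 is below
    the tie, so both round() and an exact Decimal conversion give 3.27."""
    as_float = round(3.275, 2)
    as_exact = str(Decimal(3.275).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))
    return as_float, as_exact  # (3.27, '3.27')


def reconcile_totals(line_items, places=2, mode=ROUND_HALF_UP):
    """Compare 'round each line, then sum' with 'sum, then round'.

    This is the kind of cent-level mismatch that surfaces when a web front end
    and a downstream billing or ledger system round at different stages.
    Returns (per_line_total, end_total, difference) as Decimals.
    """
    per_line = sum(round_amount(x, places, mode) for x in line_items)
    at_end = round_amount(sum(Decimal(x) for x in line_items), places, mode)
    return per_line, at_end, per_line - at_end


if __name__ == "__main__":
    print("half-up table ok:  ", check_table(HALF_UP_TABLE, 2, ROUND_HALF_UP))
    print("half-even table ok:", check_table(HALF_EVEN_TABLE, 4, ROUND_HALF_EVEN))
    print("ties:", tie_cases())
    print("float trap:", float_trap())
    # Constructed sample order: three lines that each end in a half cent.
    print("reconcile:", reconcile_totals(("1.005", "2.005", "3.005")))
```

The practical rule the example encodes: keep currency as Decimal built from strings end to end, pin one rounding mode and one rounding stage, and have each downstream system assert the same totals rather than re-rounding on its own.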

So why is rounding a big deal?  If you […]
