PleaseTech blog

We aim to provide useful, pertinent and sometimes fun insights into the world of document collaboration and the workings of a technology company

PleaseTech and Generis form strategic partnership to integrate PleaseReview with CARA for life science organizations

Posted by Sarah Edmonds on 20. May 2014 15:47

The other half of marketing... Google


Following a strategic partnership with Generis Knowledge Management, PleaseTech is undertaking a project to integrate PleaseReview with the CARA user interface. This will be of particular interest to life science organizations which already use a content management platform - typically Documentum although there will be other supported ECMs. 

For those who aren’t aware, CARA is a configurable user interface and business rules engine that facilitates the creation, review, approval and management of documents and connects with various document repositories. CMSWire recently called CARA a ‘pretty slick tool’. Specifically, with the deprecation of EMC Documentum’s Webtop interface, CARA is being used as a replacement by many organizations.

This latest integration will provide life sciences organizations and other CARA users with a market leading document review and co-authoring process seamlessly integrated within their CARA interface.

Initially, we’ll be supporting CARA with the EMC Documentum platform. Other platforms will follow.

What this means for Generis’ customers is that they’ll be able to leverage the power and functionality of PleaseReview’s document review and co-authoring tools through CARA on their Content Management Systems.

So, as we start the long, slow farewell to Documentum’s WebTop, we hope this strategic partnership is just the beginning for CARA and PleaseReview.

Trials and tribulations of online security

Posted by Tim Robinson on 8. May 2014 14:45

CTO at PleaseTech


For most people working in IT, security is never far from the top of the priority list, and for PleaseTech we seem to get hit all ways because we’re an ISV but also a SaaS provider, our software often integrates with other applications (whether in the enterprise or the cloud), and we’re a distributed company that relies on many cloud and internet systems to get our job done.

We got off lightly with the Heartbleed virus because it does not affect Microsoft IIS, and by definition PleaseReview only works on IIS.

Heartbleed was a very interesting bug because it was such a simple coding mistake that could be understood, if not by everyone, then at least by non-programmers, whereas most attack vectors we see in software vulnerabilities are extremely sophisticated. Essentially what happens in a Heartbleed attack is that the client asks the server to “echo” back some data to show it’s still connected but, by lying about how much data it has sent, it can force the server to copy more data into the response than it should, and that extra data (which is just whatever happened to be stored in server memory at the time) could theoretically contain useful secrets.

Like many security glitches, this one comes down to the fact that C, the language used to implement SSL, allows a program to access blocks of “raw” memory rather than checking the start and end point of each variable being used. Because the attacker can’t choose which piece of memory to retrieve, he would have to rely on persistence and a large amount of luck to get anything useful, but the mass panic came because there was a theoretical chance of retrieving extremely sensitive information and nobody knew (or indeed still knows) to what extent it might have been exploited in the real world.
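The over-read described above can be reproduced safely in a simulation. This is an added example, not code from the original post or from OpenSSL: it models server memory as one flat byte array, uses the heartbeat layout from RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding), and compares a handler that trusts the declared length with one that checks it against the bytes actually received. The class, function names and the secret are constructed for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # RFC 6520: padding is at least 16 bytes
SECRET = b"session_key=CONSTRUCTED-SECRET"  # constructed sample, not real data


class SimulatedMemory:
    """Flat byte array standing in for the server heap (assumption: C-style
    memory where neighbouring allocations sit next to each other)."""

    def __init__(self, size=256):
        self.mem = bytearray(size)
        self.top = 0

    def store(self, data):
        addr = self.top
        self.mem[addr:addr + len(data)] = data
        self.top += len(data)
        return addr


def heartbeat_record(payload, declared_len):
    """type (1 byte) | payload_length (2 bytes) | payload | padding."""
    header = struct.pack("!BH", HB_REQUEST, declared_len)
    return header + payload + bytes(PADDING_LEN)


def respond_unchecked(memory, addr, record_len):
    """Flawed logic: copies 'declared' bytes and never looks at record_len."""
    _type, declared = struct.unpack_from("!BH", memory.mem, addr)
    start = addr + 3
    echoed = bytes(memory.mem[start:start + declared])  # the memcpy equivalent
    return struct.pack("!BH", HB_RESPONSE, declared) + echoed + bytes(PADDING_LEN)


def respond_checked(memory, addr, record_len):
    """Corrected logic: silently discard if the declared length cannot fit
    inside the record that was actually received (RFC 6520, section 4)."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    _type, declared = struct.unpack_from("!BH", memory.mem, addr)
    if 1 + 2 + declared + PADDING_LEN > record_len:
        return None
    return respond_unchecked(memory, addr, record_len)


def simulate(handler, payload, declared_len):
    """Place the request in memory with unrelated data right after it,
    then return whatever the handler would send back."""
    memory = SimulatedMemory()
    record = heartbeat_record(payload, declared_len)
    addr = memory.store(record)
    memory.store(SECRET)  # whatever happened to be stored next
    return handler(memory, addr, len(record))


if __name__ == "__main__":
    print("honest request  :", simulate(respond_unchecked, b"ping", 4))
    print("mismatched, old :", simulate(respond_unchecked, b"ping", 64))
    print("mismatched, new :", simulate(respond_checked, b"ping", 64))
```
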

You can see that in this case, if you are a customer of, say, Dropbox, and a hacker uses the Heartbleed attack and happens to retrieve your password or credit card details, there is absolutely nothing you could have done to stop them.

Outside of direct PleaseTech business, I was affected by another internet security problem which is also quite simple and (hopefully) interesting to understand, and it is related to Hotmail hijacks.

If you’ve got friends or family that use Hotmail (which has recently been renamed Outlook, but let’s not confuse matters) you’ve probably received emails which appear to originate from them but are actually spam. Whenever this has happened to me in the past I have replied to the person in question saying that their Hotmail account may have been hacked and recommending them to change their password, but I’ve never really understood why this seems to happen with Hotmail (and less frequently Yahoo) but rarely or never to other providers. However, recently I was fortunate/unfortunate enough to witness a Hotmail hijack first-hand. Here’s how it works:

DISCLAIMER: I have described the nature of the attack to the best of my knowledge. I consider myself to be a pretty clever computer guy but there’s a chance I’ve gotten completely the wrong end of the stick about this whole thing. If you know better, let me know and I will happily withdraw this.

My girlfriend (who is emphatically not a computer geek) received an email apparently from a friend’s Hotmail account with a short piece of text and a hyperlink. Due to the format, I suspected it was spam but the text was something like “video of my recent holiday” so she had clicked on it before I could dissuade her. Up popped a video about a weight loss pill or something, so she realised it was spam and closed the window. Soon afterwards she noticed a lot of undeliverable and out-of-office replies coming into the inbox, so we checked the sent items and there were hundreds of them, all containing a short paragraph of text plus a hyperlink, and all sent during the few seconds she had the weight loss video on the screen.

This is called a "cross-site request forgery" (CSRF or XSRF). Basically because you are already logged in to Hotmail in one window, another window can also send requests to Hotmail which will automatically be executed under your Hotmail session. This was interesting to me because we have done work in PleaseReview to guard against exactly this type of attack.

There are well documented ways to guard against this kind of attack and recent versions of Microsoft’s own ASP.NET web development framework even have them built in. Why Hotmail doesn't use any of them is a mystery to me but it certainly explains why naïve users can have their Hotmail account hacked even when they have a secure password, whereas Gmail users don't suffer from the problem at all.
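One of the well documented guards is a per-session anti-forgery token that the site embeds in its own forms and that another site's page cannot read. The following is an added example, not PleaseReview or Hotmail code: the session store, the `handle_send` endpoint and all addresses are hypothetical, and the token is an HMAC of the session id under a server-side key.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)              # never leaves the server
SESSIONS = {"sess-abc123": "alice@example.test"}  # constructed session store


def issue_token(session_id):
    """Token the server embeds in every form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, token):
    """Constant-time comparison; a missing token is simply invalid."""
    expected = issue_token(session_id).encode()
    supplied = (token or "").encode()
    return hmac.compare_digest(expected, supplied)


def handle_send(cookies, form, sent_log, require_token=True):
    """Hypothetical webmail 'send' endpoint. Returns an HTTP status code."""
    session_id = cookies.get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401  # not logged in
    if require_token and not token_is_valid(session_id, form.get("csrf_token")):
        return 403  # cookie is present, but the request did not come from our form
    sent_log.append((user, form["to"]))
    return 200


def demo():
    # The browser attaches the session cookie to every request for the site,
    # whichever window or page triggered it.
    cookies = {"session": "sess-abc123"}
    own_form = {"to": "bob@example.test",
                "csrf_token": issue_token("sess-abc123")}
    cross_site = {"to": "list@example.test"}  # third-party page cannot read the token
    log = []
    return {
        "cross-site, no check": handle_send(cookies, cross_site, log, require_token=False),
        "cross-site, checked": handle_send(cookies, cross_site, log),
        "own form, checked": handle_send(cookies, own_form, log),
        "mail actually sent": list(log),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22} {result}")
```

The rejected request carries a perfectly valid session cookie, which is why changing the password afterwards does nothing against this class of attack.
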

Hotmail detected the large amount of sent items, deduced there had been an attack and then made my girlfriend change her password and reset her security details. This might make the user feel like they have done something to counteract the spammers but as you can see, it doesn't make the slightest bit of difference to security because the attack doesn't depend on the spammer knowing your Hotmail password or any personal details, just on you clicking the link.

So how can you guard yourself against this kind of attack? This bug has been around for at least five years so don’t hold your breath waiting for Microsoft to fix it! Treat email hyperlinks that look like spam (i.e. where the text in the message doesn’t seem like the kind of thing your friend would normally write) with extreme suspicion and if you decide you want to click anyway just to find out, copy the URL and open it in another browser or in “private” browsing mode.

Following on from this, just last week there was an Internet Explorer vulnerability which could allow a hacker to access a user’s PC and run his own code. This was considered so serious by Microsoft that they even broke their rule of “XP support ends on April 8th” to release an immediate fix for XP. This isn’t quite so straightforward to explain but it basically comes down again to the fact that the software was written in C and so has no memory protection.

Similar to the Hotmail attack, this one means the attacker has to lure the user to a malicious web page but as we’ve seen, for many users that’s not difficult to do.

For all of us, both as suppliers and users of IT, it’s clear that online security is going to be an ever increasing part of our world. Even though bugs like these can be resolved, it would be extremely naïve to think we’ll ever solve them all when software is being produced at an ever increasing rate.

Plus of course, there are plenty of attacks that don’t rely on faulty software at all. In my own case I had to cancel my cell-phone account with EE because someone else was repeatedly calling up their support line claiming to be me but to have forgotten their password, then they would change their home address and order a new phone to be charged to my account. Even though this happened around 10 times in the course of a single month, EE seemed unable to put in place even the most basic measures to stop it (like calling me on my mobile phone which would have quickly enabled them to ascertain that the “me” trying to change the account details didn’t even have access to the phone connected to the account).

So the only lessons here for suppliers as well as customers are to be continually vigilant, understand what security threats exist and do your best to mitigate them, but don’t rely on any “silver bullet” to resolve your security issues.

 

The PleaseTech exhibition booth guide…we tried, we tested, we concluded…

Posted by Sarah Edmonds on 29. April 2014 10:23

The other half of marketing... Google


By the end of this year, PleaseTech will have exhibited at 13 conferences across the US and UK.  The eternal question we ask ourselves is, “is our booth working as well as possible?  Are the messages still correct, is the stand eye catching, is there anything we can improve?”

Budget is always a key factor, and making changes to a perfectly good stand is hard to justify, but recently the decision was made for us when the x-banner started to look faded and the panels on the table top started to break.

So it was with great excitement (well for the marketing department) that we embarked on a project to research new ideas for our stand.  We looked at everything from booths with in-built TV monitors, projectors to ping images of live demos, and other clever gizmos.

And there are so many options out there; most of them costing way more than their anticipated ROI.  However, what these sales promotion companies fail to consider time and time again, is how the average business is supposed to ship these exhibition booths and all the equipment that goes with them, from both a cost and logistics point of view?

Go to any show, and you’ll generally find one or two people manning a booth.  Unless they work for a really big company, those manning the booth are responsible for the set up and break down of all the kit.   

Big organizations employ companies to take care of this for them, but for businesses such as ourselves, once the conference is over, you’ll find our colleagues dragging the booth kit to the nearest UPS store for shipping back to our US storage facility.  And there’s a limit to how much you can drag or carry, not to mention how much you want to spend on shipping costs…

So where did we end up?  We’re currently re-doing our table top display to reflect new messaging and we’ve bought some nifty iPad stands to enable us to conduct surveys when we’re at shows (a brilliant way to collect data, which we then turn into content and distribute across our social media sites).  A new 22” TV has been purchased, which sits on a round cocktail table and enables us to run our new sales demo movie (if you haven’t seen it, please watch it here).

But the booth is only part of the story. A major factor for us is our use of cartoons.  We use these to bring to life what PleaseReview does, why people might use it and what it can do for them.  Our experience shows that the people who visit our stand genuinely resonate with the scenarios our cartoons depict (email chaos sound familiar, multiple copies of marked up documents?!).   We give away postcards of our cartoons and they are hugely successful in drawing interest and questions about what we do.  We also have a cartoon website, have a look at it here. 

So all of this combined, along with pre-show mailings to conference attendees, cross partner promotions and a great attitude from our booth staff means we’re pretty pleased with how well our booth now functions.  You can see it in operation at the next show, APMP in Chicago, followed by ABA in New Orleans and DIA in San Diego.

Of course, we’re always looking for new ideas…

 

Introducing PleaseReview v5.1

Posted by David Cornwell on 2. April 2014 09:34

Founder/CEO of PleaseTech Ltd - collaborative document review and co-authoring for the enterprise.


April already. They say that ‘time flies when you're having fun’. I can tell you that it certainly flies when you are trying to get a software release out.

The testing of PleaseReview v5.1 is now well under way and, assuming no major issues are identified, we expect a release date towards the end of May. We never release until we are sure it’s a quality product and our testing is complete. There is testing of the new functionality, regression testing and installation and upgrade testing and, of course, all documentation and other support material to prepare. There are so many elements in the mix.

So what will PleaseReview v5.1 contain? Well, as always, the thinking behind the release is to:

- Continue the ‘beyond review’ strategy;

- Facilitate enterprise rollout with enterprise enhancements;

- Address new client requirements;

- Keep up with the changing environment.

The ‘beyond review’ strategy’s intention is to consolidate our thought and technology leadership by adding value to the review process.

So, what does PleaseReview v5.1 include?

Sub-review and parallel reviews

One of the new features in v5.1 will be the concept of a sub-review. This will allow a review participant to create a sub-review, review the document(s) with their own chosen review participants and then publish selected comments and changes from the sub-review to the master review. To explain:

Imagine I was a department head and was invited to review a corporate policy or procedure which affected my department. I would want to first discuss this with my management team to get their feedback and consolidate their comments. Sub-reviews are designed for exactly this scenario. We can have an ‘internal’ departmental review and then publish our consolidated feedback to the master review without having to ‘wash our dirty linen in public’.

Parallel reviews are somewhat different. This would be appropriate if you wanted to gather feedback from two entirely separate groups at the same time without each of the other groups being aware of the other’s existence.

This increases the ‘workflows’ available in PleaseReview so with v5.1 there will be, out-of-the-box:

1. Standard single stage collaborative review;

2. Sequential reviews where each stage can comprise one or many participants;

3. Sub-reviews;

4. Parallel reviews.

Combinations are possible. For example, if permitted, it will be possible for a participant in a stage of a sequential review to create a sub-review. This allows for very sophisticated review management.

Context-based review

Most people see review as an ability to comment upon and mark-up a document. And, whilst that is correct, there are many ways to look at the document. You can sit down and read it as you would a book. You can follow all the cross references and therefore jump backwards and forwards in the document. Or you can ask the question: ‘What does the document say about nnnnnn’?

It is this latter approach which context-based review is designed to support. Reviewers are able to search the document for a phrase or text string and PleaseReview will produce a report with all instances of the phrase (or text string)  presented in context. This is much like a Concordance, whereby a list of the material words used in a work are presented together with their immediate context as a separate index.

Providing the context in the report is important. This allows the reviewer to rapidly scan the report and examine the document for consistency. It’s more than just checking for spelling or capitalization. It allows the reviewer to check that a phrase or term is used in a consistent way throughout the document.

These subtle requirements come from being involved in endless discussions in respect of document review and from listening to people struggling with these issues. By listening to our target audience and then incorporating their requests and requirements into our product plans, PleaseReview continues to set the standard for document review.

Post review reporting

Post review reporting will further extend PleaseReview's ability to deliver metrics around the review. Whilst with the current release a set of comprehensive review metrics is already available, these are mainly delivered at a document or system level. For example, how many reviewers made how many comments and what percentage were accepted or rejected, etc.

The post review reporting available with v5.1 will allow companies to drill down deeper within the document itself.  So, for example, let’s examine section 3 of the document. How many accepted proposed changes were there? In section 4 of the document how many rejected proposed changes were there?

This requirement has been driven by one of our clients who is looking to use review metrics to analyse the quality of writing and reviewing. By examining the number of accepted and rejected changes on different sections of the document, some initial determination can be made of the quality of the author and/or the reviewer. At the very least, flags can be raised as to which areas merit further investigation.

This illustrates that reporting can bring real value by helping to control and measure the review process. In all honesty, it's not the primary reason customers turn to PleaseReview but is simply a welcome side benefit.

Enhanced configurability

As PleaseReview gets rolled out across large organizations, the requirements of many thousands of users need to be addressed. For example, the comment categories which may be appropriate for an engineering document will not be appropriate for those in marketing and will be different again to those required when reviewing a proposal.

We could have done the basic minimum but we took the plunge and have implemented a full hierarchical inheritance model. What this means in English is that we will deliver a highly configurable system which retains central control with the absolute minimum work required. It is possible to specify the behavior of the system with respect to a specific department and/or review type (for review types see below) and have one override another. So, for example, if a review type permits the download of the original document and the departmental settings do not, the departmental settings will override the review type. We believe that this level of configuration will serve to meet the requirements of large enterprises going forward.

Cost Center licensing

An aligned but separate requirement is that of cost center licensing.

A large company may have a single installation of PleaseReview, but licenses are purchased from individual departmental budgets. These departments may take a dim view of another department using licenses purchased from their budget.

Cost center licensing will allow groups of licenses to be ring fenced for an individual department’s use.  Once again this facilitates enterprise deployment and, hopefully, keeps peace and harmony in the corporation.

Review types

Facilitated by the enhanced configurability, review types take PleaseReview's current templating capability to a whole new level.

Now standard review types can be set up which specify all review parameters including, potentially, the duration of the review, the review participants (via standard distribution lists) and a host of other configuration parameters.

So, for example, as someone who has just written a blog entry and wants it reviewed, there could be a standard review type called ‘Blog entry’. So all I have to do is upload the document, select the review type and the review will be started for a set duration to a standard set of people included on the ‘blog review’ distribution list. If, in the future, I need to change who reviewed the blog entry, I wouldn’t change the review type; I’d simply amend the distribution list associated with the review type 'Blog entry'.

Of course, for larger companies, it would be possible to have subsets, such as engineering blog, marketing blog, etc.  

This is especially powerful when coupled with standard workflow systems such as those found in a document management system (DMS). The DMS user simply initiates a pre-set workflow which in turn calls the PleaseReview review type. In this way a sophisticated, integrated system requires very little work.

Archive 

Finally, we will be offering an optional archive module as a cost option.  When we initially conceived PleaseReview we saw reviews as transient instances which, when the document was approved, would be discarded. The approved document would be the true electronic record and how it got there was immaterial.

However, as we have started branching out into new market sectors and people are placing a greater importance on due diligence, compliance and being able to prove that company procedures were observed, several clients have requested the ability to archive review data.

The archiving module will meet the needs of these clients by ensuring that the review data is securely archived prior to a review being removed from the system.

Other stuff

Additionally there will be support for new environments. As a company offering on premise solutions (in addition to the cloud), we operate in a complex, ever changing environment as other companies upgrade their offerings.

Needless to say, with a release of this magnitude there are always minor enhancements and bug fixes included. These are too numerous to mention.

The only constant is change.

I’m confident that with PleaseReview v5.1 we maintain the high standards PleaseReview has been setting for years and that PleaseReview will continue to lead the market with respect to document review.

The evolution of testing

Posted by Ashley Harrison on 11. March 2014 11:11

Senior test analyst for PleaseTech


The test team here at PleaseTech are at full speed ahead. This is currently one of my more exciting times as a tester as the next release of PleaseReview, our collaborative review solution, looms on the horizon and a host of new functionality and enhancements start to roll in. Getting to strip down a specification for new functionality where new ideas and possibly new technology are being implemented, analysing and identifying areas of risk, prioritising risk and ultimately identifying test case criteria are what gets the blood of a tester flowing - what other job pays you to break things!?

At the beginning of every release cycle for PleaseReview I sit down and look at what is coming, and establish a plan of attack – and then the murmur of automation creeps into my mind. Automation is on the mind of every test team I have been a part of, whether it was only a consideration or was being actively worked on. As a relatively juvenile profession, the core of a test team’s work is on a predominately manual basis. Automation is the evolution of testing.

When you sit down and think about it, automation initially appears a no brainer. The brilliant thing about automation is the flexibility it provides, for example:

- It can be added to the overnight build script which then provides you with a log of results, which are waiting for you on your arrival in the morning and highlight any potential issues;

- It can be used to lighten the load of regression testing allowing manual focus to be intensified on high risk areas;

- It can even (subject to software and configuration) identify areas of code change and call on previous automation test cases that ran over that specific area of code, giving you a heads up on potential issues before you have even had the chance to look at the work item.

However, automation is not the answer to everything… Certain software and testing activities lend themselves to automation but many don’t, especially in the area of document review.

For example, it’s one thing to automatically test the completion and submissions of an HTML form, it’s another to select some text in a document and edit it to create a proposed change.  If you think about it, the test is going to work for that precise document and that precise edit. However, we can’t control what documents clients put into PleaseReview, which bits they edit and what they put in that edit. In reality, edits are frequently copied and pasted from other documents. In fact, the Word documents are frequently large, complex documents which make full use of Word’s cross referencing, field codes, styles, and so on.

So, whilst there are areas of the testing we can automate, some areas will have to continue to be manual.

There is also the fact that the initial implementation of an automated suite of tests is incredibly labour intensive, as is the maintenance. Before you even get to the stage of writing test cases you must establish which software fits best and what technology you are going to use. Once that has been decided on you can get to grips with creating an automation suite.

Creating an automation suite is, in itself, a software project. It needs to be designed, developed and tested, and that’s a challenge I’m up for.

Ultimately the quality of a released product lies with me. So automation is a must have in my point of view. We pride ourselves in the quality of our product, and to maintain the high standards that we have set ourselves, I plan to have automation up and running in the near future. The initial analysis of automation implementation suggests that it’s not going to be easy, but who likes easy?

Watch this space and I’ll let you know how I get on.
