PleaseTech blog

We aim to provide useful, pertinent and sometimes fun insights into the world of document collaboration and the workings of a technology company

PleaseTech and Generis form strategic partnership to integrate PleaseReview with CARA for life science organizations

Posted by Sarah Edmonds on 20. May 2014 15:47

The other half of marketing...


Following a strategic partnership with Generis Knowledge Management, PleaseTech is undertaking a project to integrate PleaseReview with the CARA user interface. This will be of particular interest to life science organizations which already use a content management platform - typically Documentum although there will be other supported ECMs. 

For those who aren’t aware, CARA is a configurable user interface and business rules engine that facilitates the creation, review, approval and management of documents and connects with various document repositories. CMSWire recently called CARA a ‘pretty slick tool’. Specifically, with the deprecation of EMC Documentum’s Webtop interface, CARA is being used as a replacement by many organizations.

This latest integration will provide life sciences organizations and other CARA users with a market leading document review and co-authoring process seamlessly integrated within their CARA interface.

Initially, we’ll be supporting CARA with the EMC Documentum platform. Other platforms will follow.

What this means for Generis’ customers is that they’ll be able to leverage the power and functionality of PleaseReview’s document review and co-authoring tools through CARA on their Content Management Systems.

So, as we start the long, slow farewell to Documentum’s WebTop, we hope this strategic partnership is just the beginning for CARA and PleaseReview.

Trials and tribulations of online security

Posted by Tim Robinson on 8. May 2014 14:45

CTO at PleaseTech


For most people working in IT, security is never far from the top of the priority list, and for PleaseTech we seem to get hit all ways because we’re an ISV but also a SaaS provider, our software often integrates with other applications (whether in the enterprise or the cloud), and we’re a distributed company that relies on many cloud and internet systems to get our job done.

We got off lightly with the Heartbleed virus because it does not affect Microsoft IIS, and by definition PleaseReview only works on IIS.

Heartbleed was a very interesting bug because it was such a simple coding mistake that could be understood, if not by everyone, then at least by non-programmers, whereas most attack vectors we see in software vulnerabilities are extremely sophisticated. Essentially what happens in a Heartbleed attack is that the client asks the server to “echo” back some data to show it’s still connected but, by lying about how much data it has sent, it can force the server to copy more data into the response than it should, and that extra data (which is just whatever happened to be stored in server memory at the time) could theoretically contain useful secrets.

Like many security glitches, this one comes down to the fact that C, the language used to implement SSL, allows a program to access blocks of “raw” memory rather than checking the start and end point of each variable being used. Because the attacker can’t choose which piece of memory to retrieve, he would have to rely on persistence and a large amount of luck to get anything useful, but the mass panic came because there was a theoretical chance of retrieving extremely sensitive information and nobody knew (or indeed still knows) to what extent it might have been exploited in the real world.
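The missing length check described above, as an added example (not OpenSSL's code and not part of the original post): a simplified heartbeat record held in a constructed memory arena, handled first by a flawed echo routine and then by a corrected one. The record layout, function names and sample secret are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the received heartbeat record is
   followed directly by unrelated data that happens to be stored next to it. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Simplified record: [claimed payload length, 2 bytes big-endian][payload].
   Returns the number of bytes that really arrived from the client. */
size_t store_record(uint16_t claimed, const char *payload, const char *neighbour) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = (unsigned char)(claimed >> 8);
    arena[1] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 2, payload, n);
    memcpy(arena + 2 + n, neighbour, strlen(neighbour));
    return 2 + n;
}

/* Flawed handler: copies as many bytes as the client claims to have sent.
   (The demo keeps the claim inside the arena so the read stays defined.) */
int echo_vulnerable(size_t received, unsigned char *out) {
    uint16_t claimed = (uint16_t)((arena[0] << 8) | arena[1]);
    (void)received;                      /* never checked: this is the bug */
    memcpy(out, arena + 2, claimed);
    return claimed;
}

/* Corrected handler: discard the record when the claimed length is larger
   than the payload that was actually received. */
int echo_fixed(size_t received, unsigned char *out) {
    if (received < 2) return -1;
    uint16_t claimed = (uint16_t)((arena[0] << 8) | arena[1]);
    if ((size_t)claimed > received - 2) return -1;
    memcpy(out, arena + 2, claimed);
    return claimed;
}

int main(void) {
    unsigned char out[ARENA_SIZE] = {0};
    size_t got = store_record(20, "hi", "pw=example-secret"); /* sent 2, claims 20 */
    int n = echo_vulnerable(got, out);
    printf("vulnerable echoed %d bytes: %.*s\n", n, n, (char *)out);
    printf("fixed returned %d\n", echo_fixed(got, out));
    return 0;
}
```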

You can see that in this case, if you are a customer of, say, Dropbox, and a hacker uses the Heartbleed attack and happens to retrieve your password or credit card details, there is absolutely nothing you could have done to stop them.

Outside of direct PleaseTech business, I was affected by another internet security problem which is also quite simple and (hopefully) interesting to understand, and it is related to Hotmail hijacks.

If you’ve got friends or family that use Hotmail (which has recently been renamed Outlook, but let’s not confuse matters) you’ve probably received emails which appear to originate from them but are actually spam. Whenever this has happened to me in the past I have replied to the person in question saying that their Hotmail account may have been hacked and recommending them to change their password, but I’ve never really understood why this seems to happen with Hotmail (and less frequently Yahoo) but rarely or never to other providers. However, recently I was fortunate/unfortunate enough to witness a Hotmail hijack first-hand. Here’s how it works:

DISCLAIMER: I have described the nature of the attack to the best of my knowledge. I consider myself to be a pretty clever computer guy but there’s a chance I’ve gotten completely the wrong end of the stick about this whole thing. If you know better, let me know and I will happily withdraw this.

My girlfriend (who is emphatically not a computer geek) received an email apparently from a friend’s Hotmail account with a short piece of text and a hyperlink. Due to the format, I suspected it was spam but the text was something like “video of my recent holiday” so she had clicked on it before I could dissuade her. Up popped a video about a weight loss pill or something, so she realised it was spam and closed the window. Soon afterwards she noticed a lot of undeliverable and out-of-office replies coming into the inbox, so we checked the sent items and there were hundreds of them, all containing a short paragraph of text plus a hyperlink, and all sent during the few seconds she had the weight loss video on the screen.

This is called a "cross-site request forgery" (CSRF or XSRF). Basically because you are already logged in to Hotmail in one window, another window can also send requests to Hotmail which will automatically be executed under your Hotmail session. This was interesting to me because we have done work in PleaseReview to guard against exactly this type of attack.

There are well documented ways to guard against this kind of attack and recent versions of Microsoft’s own ASP.NET web development framework even have them built in. Why Hotmail doesn't use any of them is a mystery to me but it certainly explains why naïve users can have their Hotmail account hacked even when they have a secure password, whereas Gmail users don't suffer from the problem at all.
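One of the well documented guards, the per-session anti-forgery token, as an added example that is not part of the original post and not any mail provider's or PleaseReview's code. The mail service, struct layouts, function names and sample values are hypothetical; the point is that the server-side check must depend on something the browser does not attach automatically.

```c
#include <stdio.h>
#include <string.h>

/* Server-side session state; the values in main() are constructed samples
   and a real token must come from a cryptographic random source. */
struct session { const char *id; const char *csrf_token; };

/* A "send mail" POST. The browser attaches the cookie to every request for
   the site, whichever page or window triggered it. */
struct request { const char *cookie_sid; const char *form_token; };

/* Compare without stopping at the first mismatch, so response timing does
   not reveal how many leading characters of a guess were right. */
static int same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Before: the session cookie alone authorises the action. */
int allow_cookie_only(const struct session *s, const struct request *r) {
    return r->cookie_sid != NULL && same(r->cookie_sid, s->id);
}

/* After: the request must also carry the token the server embedded in its
   own compose form, which a page served by another site cannot read. */
int allow_with_token(const struct session *s, const struct request *r) {
    if (!allow_cookie_only(s, r)) return 0;
    return r->form_token != NULL && same(r->form_token, s->csrf_token);
}

int main(void) {
    struct session s = { "sid-1234", "tok-9f2c7a" };        /* constructed */
    struct request genuine = { "sid-1234", "tok-9f2c7a" };  /* real compose form */
    struct request forged = { "sid-1234", NULL };  /* other window: cookie only */
    printf("cookie only: genuine=%d forged=%d\n",
           allow_cookie_only(&s, &genuine), allow_cookie_only(&s, &forged));
    printf("with token:  genuine=%d forged=%d\n",
           allow_with_token(&s, &genuine), allow_with_token(&s, &forged));
    return 0;
}
```

Neither check involves the account password, which is why the forced password reset described in the post leaves the outcome unchanged.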

Hotmail detected the large amount of sent items, deduced there had been an attack and then made my girlfriend change her password and reset her security details. This might make the user feel like they have done something to counteract the spammers but as you can see, it doesn't make the slightest bit of difference to security because the attack doesn't depend on the spammer knowing your Hotmail password or any personal details, just on you clicking the link.

So how can you guard yourself against this kind of attack? This bug has been around for at least five years so don’t hold your breath waiting for Microsoft to fix it! Treat email hyperlinks that look like spam (i.e. where the text in the message doesn’t seem like the kind of thing your friend would normally write) with extreme suspicion and if you decide you want to click anyway just to find out, copy the URL and open it in another browser or in “private” browsing mode.

Following on from this, just last week there was an Internet Explorer vulnerability which could allow a hacker to access a user’s PC and run his own code. This was considered so serious by Microsoft that they even broke their rule of “XP support ends on April 8th” to release an immediate fix for XP. This isn’t quite so straightforward to explain but it basically comes down again to the fact that the software was written in C and so has no memory protection.

Similar to the Hotmail attack, this one means the attacker has to lure the user to a malicious web page but as we’ve seen, for many users that’s not difficult to do.

For all of us, both as suppliers and users of IT, it’s clear that online security is going to be an ever increasing part of our world. Even though bugs like these can be resolved, it would be extremely naïve to think we’ll ever solve them all when software is being produced at an ever increasing rate.

Plus of course, there are plenty of attacks that don’t rely on faulty software at all. In my own case I had to cancel my cell-phone account with EE because someone else was repeatedly calling up their support line claiming to be me but to have forgotten their password, then they would change their home address and order a new phone to be charged to my account. Even though this happened around 10 times in the course of a single month, EE seemed unable to put in place even the most basic measures to stop it (like calling me on my mobile phone which would have quickly enabled them to ascertain that the “me” trying to change the account details didn’t even have access to the phone connected to the account).

So the only lessons here for suppliers as well as customers are to be continually vigilant, understand what security threats exist and do your best to mitigate them, but don’t rely on any “silver bullet” to resolve your security issues.

 

The evolution of testing

Posted by Ashley Harrison on 11. March 2014 11:11

Senior test analyst for PleaseTech


The test team here at PleaseTech are at full speed ahead. This is currently one of my more exciting times as a tester as the next release of PleaseReview, our collaborative review solution, looms on the horizon and a host of new functionality and enhancements start to roll in. Getting to strip down a specification for new functionality where new ideas and possibly new technology are being implemented, analysing and identifying areas of risk, prioritising risk and ultimately identifying test case criteria are what gets the blood of a tester flowing - what other job pays you to break things!?

At the beginning of every release cycle for PleaseReview I sit down and look at what is coming, and establish a plan of attack – and then the murmur of automation creeps into my mind. Automation is on the mind of every test team I have been a part of, whether it was only a consideration or was being actively worked on. As a relatively juvenile profession, the core of a test team’s work is on a predominately manual basis. Automation is the evolution of testing.

When you sit down and think about it, automation initially appears a no brainer. The brilliant thing about automation is the flexibility it provides, for example:

- It can be added to the overnight build script which then provides you with a log of results, which are waiting for you on your arrival in the morning and highlight any potential issues;
- It can be used to lighten the load of regression testing allowing manual focus to be intensified on high risk areas;
- It can even (subject to software and configuration) identify areas of code change and call on previous automation test cases that ran over that specific area of code, giving you a heads up on potential issues before you have even had the chance to look at the work item.

However, automation is not the answer to everything… Certain software and testing activities lend themselves to automation but many don’t, especially in the area of document review.

For example, it’s one thing to automatically test the completion and submissions of an HTML form, it’s another to select some text in a document and edit it to create a proposed change.  If you think about it, the test is going to work for that precise document and that precise edit. However, we can’t control what documents clients put into PleaseReview, which bits they edit and what they put in that edit. In reality, edits are frequently copied and pasted from other documents. In fact, the Word documents are frequently large, complex documents which make full use of Word’s cross referencing, field codes, styles, and so on.

So, whilst there are areas of the testing we can automate, some areas will have to continue to be manual.

There is also the fact that the initial implementation of an automated suite of tests is incredibly labour intensive, as is the maintenance. Before you even get to the stage of writing test cases you must establish which software fits best and what technology you are going to use. Once that has been decided on you can get to grips with creating an automation suite.

Creating an automation suite is, in itself, a software project. It needs to be designed, developed and tested, and that’s a challenge I’m up for.

Ultimately the quality of a released product lies with me. So automation is a must have in my point of view. We pride ourselves in the quality of our product, and to maintain the high standards that we have set ourselves, I plan to have automation up and running in the near future. The initial analysis of automation implementation suggests that it’s not going to be easy, but who likes easy?

Watch this space and I’ll let you know how I get on.

PleaseTech and Oracle® introduce WebCenter Content’s new collaborative document review capabilities

Posted by Sarah Holden on 24. January 2014 10:10

Half of the PleaseTech marketing team.


It’s been a couple of weeks since we announced our PleaseTech integration with Oracle’s WebCenter Content ECM platform. We are now following that up by hosting a brief webinar to demonstrate both what this partnership brings and how it works.

Oracle’s WebCenter Content allows businesses to not only consolidate and manage their documents and content from a central platform, but now has the added capability to address a very specific, yet prolific business issue. How to collaboratively edit, review and co-author a document at the same time as others, whilst maintaining control over the document, management over the process and adherence to corporate compliance requirements. Oh, and making it easy to do, too!

The webinar will be presented by PleaseTech CEO, Dave Cornwell and Senior Principal, Product Management, Oracle.

So simply sign up! LINK to webinar page.

Webinar: Collaborative document review within Oracle WebCenter Content

Thursday January 30th, 2014: 12 noon, EST / 9am PST / 5pm GMT

Duration: 30 minutes

 

We look forward to you joining us next week.

Integrating PleaseReview with Oracle WebCenter Content

Posted by John Tanner on 22. January 2014 11:06

Our PleaseTech integration expert


When setting out on developing the integration of WebCenter Content with PleaseReview, our primary aims were the same as with other PleaseReview document management integrations. We wanted to develop a seamless solution which would allow all of the controlled collaboration benefits of PleaseReview to be available from within WebCenter Content without the user having to log into a separate system.  In addition, we wanted to make it possible for existing PleaseReview users already familiar with the User Interface, to be able to log into it using their WebCenter Content Credentials and carry out reviews using WebCenter documents and WebCenter Users as Participants.

In order to achieve these aims it was necessary to develop three separate components, which together work hand-in-hand to join WebCenter Content and PleaseReview....

Firstly a custom WebCenter Content Component was created in order to update the WebCenter Content user interface to include new PleaseReview menu items and custom inbox pages in the style of the WebCenter Content instance, for users with the appropriate permissions.  The result was a custom component that can easily be deployed and configured to work with PleaseReview by a WebCenter Content administrator.

Next, a custom PleaseReview extension (or System Connector) specific to WebCenter Content was built to enable users to log into the PleaseReview UI using their WebCenter Credentials and to enable PleaseReview to be able to interact with WebCenter Content via its APIs, for purposes such as accessing documents, selecting users etc. This was built using the standard PleaseReview system connector structure, so as to simplify the deployment process.

Finally, in order to enable PleaseReview to obtain details of the PleaseReview specific users and groups administered from within WebLogic Admin Console, a WebLogic PleaseReview Connector was developed, which can simply be deployed as a Web Application on the WebLogic server on which WebCenter Content resides using the WebLogic AdminClient.

Putting these three components together we now have a solution which offers everything we initially set out to do, making a seamless collaborative review process possible from within WebCenter Content.  

For anyone interested in finding out more about this integration and the collaborative document review capabilities within WebCenter Content, please join us for our complimentary webinar on January 30th - just sign up here.

 
