Bottom line: I wouldn’t go near any sensitive web-based system if it hasn’t been penetration tested by specialists. Regardless of whether this was a beta system it clearly was not penetration tested. It should have been before it made it even half-as-far as been available for semi-public testing.

That alone says to me that Sage don’t know what they are doing.

To the drawing board now…

Once you consider the reputation Sage have amongst ‘laymen’, and the sort of data that they are ‘protecting’ – it’s even scarier.

I investigated Sage’s desktop version last year for a company wide deployment for a client. I found it to be a fantastic product, well over priced but still a good service. While it was first choice out of the services investigated it fell short because of cost. Even then Sage were already offering a hosted version through a company here in NZ.
http://www.appserv.co.nz

What i can’t understand is how Sage could screw up their own offering so badly when others were offering their product as a hosted version already.

Seems the term “proper SaaS player” won’t be attributed to Sage any time soon, especially when some one else is beating them at their own game with their own product.

Clearly Sage has security issues which need resolving and thats a huge worry as data-security and data-integrity are the two top priorities in this game and something which I personally highlight to any new hires a number of times during their initial few weeks… yes i DRUM it into them 😉

I think Sage management should firstly re-evaluate their development plan (if they have one) and ensure security is at the top of the list. Secondly they should check the experience and technical savy of the development team and make changes if necessary as the system will only be as good as the people building it.

Something else I had to laugh at in your screen grabs was the obvious carrying of permissions and credentials within URL strings… really smart, NOT!

Kind regards
Alan Barlow
CTO & Chief Software Architect
ProWorkflow.com

Thanks for the comments. I’m the first to admit I struggle to be objective when it comes to Sage.

I almost did include comments about it being in beta. But decided it’s not relevant. They’re encouraging real businesses to put real business data in there.

I’ve just re-read my link regarding BEA, and you’re spot on. I’d mis-read it. I’ll add a correction note to the main blog piece.

a) Not that beta releases should have flaws in them, but this was a Sage Live free public beta, no? Perhaps being more explicit on that point will add further clarity.

b) Did not check BEA AquaLogic stuff, but the link you provide points to the old BEA website, which talks about the website being discontinued and points to “Learn more about the role of BEA AquaLogic Products in the Oracle Fusion Middleware strategy.”.

I stand to be corrected, from what you say in the post, it’s not quite clear which AL product or products you imply Sage Live is powered by therefore what is its status in the Oracle strategy.

Admittedly, bit of nitpicking, I guess the thrust of the article is clear. Just my 2p!