Oracle OpenWorld came and went. I had some interesting sessions which I’ll summarize shortly, some less interesting sessions, lots of beer and a great concert by Billy Joel and Lenny Kravitz. I arrived in SF on Friday night from Philadelphia (after being selected again at the airport for “random” inspection). I had several interesting meetings with customers in Philadelphia so I was very much exhausted and went straight to sleep. Saturday, I met with friends and registered to the conference.

Sunday started with a nice security session from Oracle’s Chad Hughes and two other guys. The interesting part in the session was a sneak peak into Oracle’s internal secure coding standards. It looks like Oracle is running Fortify on their code for code analysis. I believe they are also running it on their PL/SQL packages to catch un-validated user input passed to dynamic statements. In fact, I heard that one of the reasons for DBMS_ASSERT.NOOP was to remove false positive alerts coming from Fortify. Some other interesting stuff was related to Oracle’s “Secure by default” initiative. Things like auditing turned on by default, smarter password profiles that will lock users, etc. are interesting indeed but on the other hand, I got the distinct feeling that Oracle is talking the talk but not walking the walk, so to speak. If you check the attack surface in Oracle 11g, you can easily see that the number of public packages has increased tremendously and you have APEX installed by default?! The rest of the talk was dedicated to ISO-17799 (later renumbered as ISO-27002). All about control, asset management, etc.

Later that night we had Mr. Larry Ellison starring in the Sunday Night Live show. It was very interesting hearing about Oracle’s first days. I heard some other keynotes from Larry Ellison but none was so nostalgic and so informal. Ah, the early days of a young company – living in the office, surviving on pizza and coke. Reminds me of myself this past year.

Sunday we also had the nostalgic party which was fun…

Monday was filled with many announcements and coverage of new Oracle 11g features. Among them we heard about Oracle VM, which caught VMWare by surprise. Another highlighted though badly named feature was RAT (Real Application Testing) – a truly interesting feature. As I always tell my customers, you must test it before deploying in production 🙂 This feature makes testing so much easier.

The best session of the day was from Tom Kyte of asktom in the no slide zone. It was pure entertainment. Tom hosted a contest between DBA 1.0 with scripts and command line against DBA 2.0 with the new Oracle tools like EM, ADDM, AWR and some more TLAs in “real live” scenarios. As you might expect, DBA 2.0 won the contest while showing the effectiveness and ease of use of the tools. Although, because of the slow WIFI, DBA 2.0 actually almost lost in the first scenario. It was hilarious. I must admit that although traditionally I’m more of a command line type of guy, the presentation was very convincing.

Monday night was OTN night and of course lots of beer and other liquids.

On Tuesday, I had more security sessions but I managed to squeeze in another Tom Kyte session where he counted his 11 best features of 11g. Again, very nicely delivered.

Another interesting session was the “Oracle CPU best practices” session. CPU stands for Critical Patch Update and Oracle has a predictable process to deliver them to customers. I really feel Oracle’s pain here. The process has to be predictable and ordered but this means that vulnerabilities like this one are published without a patch being available for 3 months. Also, from my experience, many customers find the CPUs too hard to follow and either skip them entirely (and rely on patch sets) or install every other one. Here are 10 interesting random facts about the CPU:
1. They are mostly tested on common platforms. Tests are hardly performed on non-common ones.
2. Pre-release information is available on last Thursday before CPU
3. The CPU is released on Tuesday
4. There are 3 types of patches – security, security dependent and customer conflicts in patches. From 10.2.0.3, the conflicts patches are removed.
5. Sometimes, patches are released without information because they are not available on all platforms
6. October 07 contained 82 combinations (5 supported versions ported to 12 platforms).
7. Testing is done in a 6 week cycle
8. 75% of bugs are found by Oracle internally (1% – open source, 10% – customers, 15% – researchers)
9. Oracle prioritizes by severity – source of discovery, availability of exploit code, CVSS score, etc.
10. Next dates – 01/15, 04/15, 07/15, 10/15
The funniest question from the audience was “the rate of vulnerabilities is not declining. When is Oracle going to fix all problems?”. And the truthful answer was “never” 🙂

On Tuesday night, Oracle Israel invited all the Israeli guys to Beni Hanna (a Japanese restaurant) where again, we ate and drank mojitos and sake.

The best part of Wednesday was the Billy Joel concert. Oracle organized the entire event superbly and besides entertainment we had plenty of food and drinks.

Of course, the day after, we saw a lot of tired Oracle attendees.

That’s it… Another year of OOW came and went… As always, it was a great experience and besides beer provided many interesting insights into Oracle’s current features and future plans.