It’s been a while since I’ve blogged. Hit a dry spell, I guess. Will try to post more frequently and about some technical issues as well. Anyway, I’m at the RSA conference in San Francisco for the entire week. It’s been a great conference so far with interesting keynotes and sessions. Also, a lot of evening receptions that basically give you an excuse to drink beer and wine 🙂
I visited the PCI reception on Monday evening which was a big success with many interesting conversations. Spoke with many security managers from large organizations about PCI. It turns out that 99% of the people I’ve talked with are either in the midst of a PCI audit or have just undergone one. Interestingly, when asked about database security, most of the security managers I’ve talked with are saying that this is the next thing for them to invest in.
On Tuesday evening, I went to the SC magazine awards gala. My company (Sentrigo) was nominated for “Rookie security company of the year” which is very important to me and shows the security industry’s recognition of the importance of database security. And the best part of the evening was that we actually won!!! It was amazing being called to the stage and later interviewed for the magazine. I felt a bit like at the Oscars… Sorry about the poor image quality…
The only problem with the conference so far is that I actually don’t have enough time to go to all the sessions and keynotes I would like to go to. Too many meetings, I guess…
Next week, I’ll be presenting at Collaborate08 in Denver under the auspices of IOUG – if you’re around come and see me on Monday, or catch me later at our booth (#1826) in the IOUG section.
I’ll be presenting on Oracle database hacking and security at the UKOUG DBMS Special Interest Group meeting this week. The meeting will take place on Thursday, 20th March 2008 in Baylis House, Slough (UK, obviously). Here’s the link for the agenda and details http://www.ukoug.org/calendar/show_event.jsp?id=3358
Hope to see some of you there – come and say hello…
Oracle OpenWorld came and went. I had some interesting sessions which I’ll summarize shortly, some less interesting sessions, lots of beer and a great concert by Billy Joel and Lenny Kravitz. I arrived in SF on Friday night from Philadelphia (after being selected again at the airport for “random” inspection). I had several interesting meetings with customers in Philadelphia so I was very much exhausted and went straight to sleep. Saturday, I met with friends and registered to the conference.
Sunday started with a nice security session from Oracle’s Chad Hughes and two other guys. The interesting part in the session was a sneak peak into Oracle’s internal secure coding standards. It looks like Oracle is running Fortify on their code for code analysis. I believe they are also running it on their PL/SQL packages to catch un-validated user input passed to dynamic statements. In fact, I heard that one of the reasons for DBMS_ASSERT.NOOP was to remove false positive alerts coming from Fortify. Some other interesting stuff was related to Oracle’s “Secure by default” initiative. Things like auditing turned on by default, smarter password profiles that will lock users, etc. are interesting indeed but on the other hand, I got the distinct feeling that Oracle is talking the talk but not walking the walk, so to speak. If you check the attack surface in Oracle 11g, you can easily see that the number of public packages has increased tremendously and you have APEX installed by default?! The rest of the talk was dedicated to ISO-17799 (later renumbered as ISO-27002). All about control, asset management, etc.
Later that night we had Mr. Larry Ellison starring in the Sunday Night Live show. It was very interesting hearing about Oracle’s first days. I heard some other keynotes from Larry Ellison but none was so nostalgic and so informal. Ah, the early days of a young company – living in the office, surviving on pizza and coke. Reminds me of myself this past year.
Sunday we also had the nostalgic party which was fun…
Monday was filled with many announcements and coverage of new Oracle 11g features. Among them we heard about Oracle VM, which caught VMWare by surprise. Another highlighted though badly named feature was RAT (Real Application Testing) – a truly interesting feature. As I always tell my customers, you must test it before deploying in production 🙂 This feature makes testing so much easier.
The best session of the day was from Tom Kyte of asktom in the no slide zone. It was pure entertainment. Tom hosted a contest between DBA 1.0 with scripts and command line against DBA 2.0 with the new Oracle tools like EM, ADDM, AWR and some more TLAs in “real live” scenarios. As you might expect, DBA 2.0 won the contest while showing the effectiveness and ease of use of the tools. Although, because of the slow WIFI, DBA 2.0 actually almost lost in the first scenario. It was hilarious. I must admit that although traditionally I’m more of a command line type of guy, the presentation was very convincing.
Monday night was OTN night and of course lots of beer and other liquids.
On Tuesday, I had more security sessions but I managed to squeeze in another Tom Kyte session where he counted his 11 best features of 11g. Again, very nicely delivered.
Another interesting session was the “Oracle CPU best practices” session. CPU stands for Critical Patch Update and Oracle has a predictable process to deliver them to customers. I really feel Oracle’s pain here. The process has to be predictable and ordered but this means that vulnerabilities like this one are published without a patch being available for 3 months. Also, from my experience, many customers find the CPUs too hard to follow and either skip them entirely (and rely on patch sets) or install every other one. Here are 10 interesting random facts about the CPU:
1. They are mostly tested on common platforms. Tests are hardly performed on non-common ones.
2. Pre-release information is available on last Thursday before CPU
3. The CPU is released on Tuesday
4. There are 3 types of patches – security, security dependent and customer conflicts in patches. From 10.2.0.3, the conflicts patches are removed.
5. Sometimes, patches are released without information because they are not available on all platforms
6. October 07 contained 82 combinations (5 supported versions ported to 12 platforms).
7. Testing is done in a 6 week cycle
8. 75% of bugs are found by Oracle internally (1% – open source, 10% – customers, 15% – researchers)
9. Oracle prioritizes by severity – source of discovery, availability of exploit code, CVSS score, etc.
10. Next dates – 01/15, 04/15, 07/15, 10/15
The funniest question from the audience was “the rate of vulnerabilities is not declining. When is Oracle going to fix all problems?”. And the truthful answer was “never” 🙂
On Tuesday night, Oracle Israel invited all the Israeli guys to Beni Hanna (a Japanese restaurant) where again, we ate and drank mojitos and sake.
The best part of Wednesday was the Billy Joel concert. Oracle organized the entire event superbly and besides entertainment we had plenty of food and drinks.
Of course, the day after, we saw a lot of tired Oracle attendees.
That’s it… Another year of OOW came and went… As always, it was a great experience and besides beer provided many interesting insights into Oracle’s current features and future plans.