Entries tagged with “oracle_security”.


Oracle OpenWorld came and went. I had some interesting sessions which I’ll summarize shortly, some less interesting sessions, lots of beer and a great concert by Billy Joel and Lenny Kravitz. I arrived in SF on Friday night from Philadelphia (after being selected again at the airport for “random” inspection). I had several interesting meetings with customers in Philadelphia so I was very much exhausted and went straight to sleep. Saturday, I met with friends and registered to the conference.

Sunday started with a nice security session from Oracle’s Chad Hughes and two other guys. The interesting part in the session was a sneak peak into Oracle’s internal secure coding standards. It looks like Oracle is running Fortify on their code for code analysis. I believe they are also running it on their PL/SQL packages to catch un-validated user input passed to dynamic statements. In fact, I heard that one of the reasons for DBMS_ASSERT.NOOP was to remove false positive alerts coming from Fortify. Some other interesting stuff was related to Oracle’s “Secure by default” initiative. Things like auditing turned on by default, smarter password profiles that will lock users, etc. are interesting indeed but on the other hand, I got the distinct feeling that Oracle is talking the talk but not walking the walk, so to speak. If you check the attack surface in Oracle 11g, you can easily see that the number of public packages has increased tremendously and you have APEX installed by default?! The rest of the talk was dedicated to ISO-17799 (later renumbered as ISO-27002). All about control, asset management, etc.

Later that night we had Mr. Larry Ellison starring in the Sunday Night Live show. It was very interesting hearing about Oracle’s first days. I heard some other keynotes from Larry Ellison but none was so nostalgic and so informal. Ah, the early days of a young company – living in the office, surviving on pizza and coke. Reminds me of myself this past year.

Sunday we also had the nostalgic party which was fun…

Monday was filled with many announcements and coverage of new Oracle 11g features. Among them we heard about Oracle VM, which caught VMWare by surprise. Another highlighted though badly named feature was RAT (Real Application Testing) – a truly interesting feature. As I always tell my customers, you must test it before deploying in production 🙂 This feature makes testing so much easier.

The best session of the day was from Tom Kyte of asktom in the no slide zone. It was pure entertainment. Tom hosted a contest between DBA 1.0 with scripts and command line against DBA 2.0 with the new Oracle tools like EM, ADDM, AWR and some more TLAs in “real live” scenarios. As you might expect, DBA 2.0 won the contest while showing the effectiveness and ease of use of the tools. Although, because of the slow WIFI, DBA 2.0 actually almost lost in the first scenario. It was hilarious. I must admit that although traditionally I’m more of a command line type of guy, the presentation was very convincing.

Monday night was OTN night and of course lots of beer and other liquids.

On Tuesday, I had more security sessions but I managed to squeeze in another Tom Kyte session where he counted his 11 best features of 11g. Again, very nicely delivered.

Another interesting session was the “Oracle CPU best practices” session. CPU stands for Critical Patch Update and Oracle has a predictable process to deliver them to customers. I really feel Oracle’s pain here. The process has to be predictable and ordered but this means that vulnerabilities like this one are published without a patch being available for 3 months. Also, from my experience, many customers find the CPUs too hard to follow and either skip them entirely (and rely on patch sets) or install every other one. Here are 10 interesting random facts about the CPU:
1. They are mostly tested on common platforms. Tests are hardly performed on non-common ones.
2. Pre-release information is available on last Thursday before CPU
3. The CPU is released on Tuesday
4. There are 3 types of patches – security, security dependent and customer conflicts in patches. From 10.2.0.3, the conflicts patches are removed.
5. Sometimes, patches are released without information because they are not available on all platforms
6. October 07 contained 82 combinations (5 supported versions ported to 12 platforms).
7. Testing is done in a 6 week cycle
8. 75% of bugs are found by Oracle internally (1% – open source, 10% – customers, 15% – researchers)
9. Oracle prioritizes by severity – source of discovery, availability of exploit code, CVSS score, etc.
10. Next dates – 01/15, 04/15, 07/15, 10/15
The funniest question from the audience was “the rate of vulnerabilities is not declining. When is Oracle going to fix all problems?”. And the truthful answer was “never” 🙂

On Tuesday night, Oracle Israel invited all the Israeli guys to Beni Hanna (a Japanese restaurant) where again, we ate and drank mojitos and sake.

The best part of Wednesday was the Billy Joel concert. Oracle organized the entire event superbly and besides entertainment we had plenty of food and drinks.

Of course, the day after, we saw a lot of tired Oracle attendees.

That’s it… Another year of OOW came and went… As always, it was a great experience and besides beer provided many interesting insights into Oracle’s current features and future plans.

I promised to blog a bit about my traveling, so here I go:

I was visiting customers in India and the US and giving presentations to Oracle user groups in the US. Amazingly, the state of US airports is just getting worse every month. Flying from Israel to India and from India to NY went without any problems. However not did a 35 minute flight from NY to Boston take 3 hours, but they managed to lose my suitcase in the process. Every flight I had in the US in the previous week was late.

Enough moaning and back to Oracle security… I would like to share with you some insights I had while giving presentations. First, it looks as if database security is getting more and more attention from both DBAs as well as IT managers. By show of hands at the presentations, I could see that at least some of the DBAs are handling security issues as part of their day-to-day job. But still, DBAs are not hearing the following from their managers – “last year you met your MBOs because no database breach had occurred. Here is your bonus…” – though many have heard the bonus speech for HA or performance MBO achievements.

Second, almost no one had deployed the July 2007 Critical Patch Update from Oracle. From a crowd of about 50, only 2 raised their hands.

Third and most startling of all, only about a third of the DBAs have ever deployed an Oracle CPU. Let me repeat that again – more than two thirds of DBAs in this small but significant sample have never deployed an Oracle CPU. Ever.

So this got me thinking – do we care about Oracle CPUs at all? Oracle was getting a lot of heat from security researchers for not providing security patches or providing them with irregular intervals. Finally, Oracle is stepping up to the plate with the patches. They provide them on regular basis, they announce the the patch before issuing it so organizations can prepare for them. They are improving coding techniques and code vulnerability scanning tools. And after all that, customers are still not protected. The reason for this is that the database is an extremely complicated piece of software and is the life-line of the organization. An enterprise will need to test the CPU thoroughly before deploying and testing takes a lot of time (months). This is further complicated by the fact that many organizations have applications running on top of Oracle databases, and those applications are not “forward compatible” and certified by their vendors to run on future Oracle versions.

Ironically, from a security standpoint the situation after a CPU is announced is actually worse than before it is announced: The hackers get a road-map of all the vulnerabilities while most organizations have not yet plugged those holes. This is a similar notion to hacking IPS software in order to retrieve vulnerabilities (see this black hat presentation).

I’m not saying that Oracle should stop providing CPUs. Quite the contrary, I’m saying that organizations must deploy CPUs as quickly as possible to keep this sensitive period short. Even considering the objective difficulties in applying patches, it seems that enterprises are not taking database vulnerability seriously enough. Also, organizations must have other solutions to mitigate the threat in post-CPU release period. Those solutions must not change the Oracle software at all or else they will fall into the same trap of interdependency, stability issues and so forth. They must provide virtual patches to externally test for attacks and plug the security holes from the outside.

I am curious to know other people’s experiences and views on this topic – so fire away…