[ISN] Oracle aims to tone security muscle with Fusion

InfoSec News isn at c4i.org
Mon Feb 6 01:39:25 EST 2006


By Joris Evers
Special to ZDNet
06 February 2006 

Billions of dollars worth of acquisitions have bought Oracle a perhaps
unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies.  
Now it's picking up tips from those operations and using them in a
major overhaul of its business applications software, an initiative
called Project Fusion. Other products and processes are benefiting,

In return, Oracle is teaching its new employees something about
security -- literally. The Redwood Shores, California-based, company
found that none of the companies it bought required security-specific
training for staff. But Oracle does. So employees brought in from
PeopleSoft, JD Edwards, Retek and Oblix purchases, among others, are
learning the ropes.

All in all, Oracle hopes the security sum will be greater than its

"To make the merged organisation successful, we take the best of what
they did and the best of what we do, and make it what the combined
company does," Mary Ann Davidson, Oracle's chief security officer,
said in an interview on Tuesday.

Security has been a bugbear for the database specialist, which has
drawn criticism for the time it takes to fix flaws and the quality of
its patches. Experts will be watching closely to see what comes of any
new effort. Moreover, Fusion is a hefty undertaking, with the aim of
incorporating the technology of companies Oracle has acquired.

And security is only one element of Fusion. Oracle President Charles
Phillips recently said the company, one year into the project, is
already half done with its work on the next generation of its
applications. Yet, Phillips said, the first Fusion applications won't
be ready until 2008 -- a schedule that falls in line with previous

Oracle isn't saying much about security in Fusion or in any of its
other products, but in meetings with ZDNet Australia’s sister site
CNET News.com last week, company representatives lifted the veil on
the software maker's endeavours to get all its security eggs into one

One lesson Oracle has learned from PeopleSoft is that less
customisation equals fewer security risks. While Oracle has
historically allowed developers to program on top of its applications,
PeopleSoft took a more limited approach. Its software was mainly set
up to let customers analyse their business processes, then build upon
its applications.

"What you can do from a security perspective in PeopleSoft is limited,
while Oracle is more fine-grained and more customisable," said John
Heimann, director of security program management at Oracle. "Sometimes
simplicity is good for security, because you can sometimes code
yourself into a hole."

Oracle's buying spree

In 2005 alone, Oracle acquired more than a dozen companies. The
security synchronisation effort includes some of these:

PeopleSoft (January), Oblix (March), Retek (April), TripleHop (June),
TimesTen (June), ProfitLogic (July), Context Media (July), I-flex
(August), Siebel (September), G-Log (September), Innobase (October),
Thor Technologies (November), OctetString (November), TempoSoft

Oracle allows developers to define security roles with a lot of
flexibility, increasing the risk of mistakes and thus the introduction
of flaws. For example, it is possible to restrict which user can
access a specific part of an application based on very detailed rules,
Heimann said. PeopleSoft doesn't provide the same level of
flexibility, he said.

"We're going to try and combine the simplicity and declarative nature
of PeopleSoft and PeopleTools with the extensibility and flexibility
of the Oracle applications framework," Heimann said.

As an indication of that, Oracle executives said a key person working
on security for Fusion is Robert Armstrong, a former PeopleSoft
security chief.

Another lesson partially learned from PeopleSoft is to ship products
that have a high level of security out of the box, or at least provide
an easy way to increase the security level -- something Oracle calls
the Secure Configuration Initiative. "In the past, our products have
tended to be developer-friendly out of the box," Heimann said. "There
were accounts with easy-to-remember passwords like 'Welcome1', demo
code, and things were set with permissions that were wide open."

Oracle's 10g database products, which shipped in 2004, delivered on
some of the "secure by default" approach, Heimann said. Customers
should see more of it in future products, including the next
generation of the database family, he added.

"It will be there to a much greater extent in 11g, and it is a focus
for Fusion," he said. "That is the future: Security by default, and
delivering it so you don't have to be a sophisticated developer to
implement security rules."

For example, Oracle is thinking of allowing a system administrator to
change security settings using a simple user interface or with
drag-and-drop capabilities, Heimann said.

Patchy record

Oracle, which has marketed its products as "unbreakable," has faced
mounting criticism over its security practices. Security researchers
have accused the company of fixing security flaws too late, releasing
faulty security updates or not plugging holes at all.

"Oracle can no longer be considered a bastion of security," Gartner
analyst Rich Mogull wrote in a research note after Oracle released a
slew of security patches on 17 January. "Critical Oracle
vulnerabilities are being discovered and disclosed at an increasing
rate, and exploit tools and proof-of-concept code are appearing more

The database specialist has not yet experienced a mass security
exploit, but this does not mean that one will never occur, Mogull said
in his note. He advises database and application managers to protect
and maintain Oracle systems more aggressively.

Becoming part of Oracle's line-up could intensify the security
community's scrutiny of products previously sold by the companies it
acquired. So, in addition to product development, the mergers have
also had effects on security processes. For example, each unit has
amended how it deals with reports of vulnerabilities and with
publishing of security alerts, Oracle executives said.

The employees and products of the purchased companies have borne the
brunt of changes, said Duncan Harris, the senior director for security
assurance at Oracle.

"The acquired companies did not have very many vulnerabilities
reported to them by external researchers. PeopleSoft was the
exception," Harris said. "All were still very much using a manual
tracking system like that we had five years ago."

As for public announcement of fixes, PeopleSoft and JD Edwards
security updates are now part of Oracle's quarterly critical patch
bulletins. That's a change from before the acquisition. Oracle's patch
alerts offer only few details on specific flaws and their impact,
while PeopleSoft's security bulletins had more information.

Bug handling for most companies Oracle acquired is now part of
Oracle's automated system. However, PeopleSoft still maintains its own
way of handling vulnerabilities, Harris said. While Oracle has people
whose full-time job is dealing with flaws, PeopleSoft has a council of
employees that discusses bugs as a team, he said.

Another change is that Harris' team of "ethical hackers" will now
expand its scope and may scrutinise the newly acquired products. "We
don't declare what products my team looks at, but clearly as Oracle
acquires new products, then those are eligible for the hackers to have
a look at and do an assessment against," he said.

Harris wouldn't say if people from any of the acquired companies have
joined his hacking team, which is based in the U.K. He also declined
to so how large the team currently is.

Still, former PeopleSoft employees appear to have a major role in
charting the future of Oracle and will leave their marks, especially
when it comes to security. "When I knew that we were going to go ahead
and buy PeopleSoft, I immediately wanted to have dibs on certain
people," Oracle's Davidson said.

Added Heimann: "Fusion is serious. We really learned some good things
from them and we're really trying to capture the best of it."

More information about the ISN mailing list