Oracle aims to tone security muscle with Fusion

(continued from previous page)

"It will be there to a much greater extent in 11g, and it is a focus for Fusion," he said. "That is the future: Security by default, and delivering it so you don't have to be a sophisticated developer to implement security rules."

For example, Oracle is thinking of allowing a system administrator to change security settings using a simple user interface or with drag-and-drop capabilities, Heimann said.

Patchy record
Oracle, which has marketed its products as "unbreakable," has faced mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.

"Oracle can no longer be considered a bastion of security," Gartner analyst Rich Mogull wrote in a research note after Oracle released a slew of security patches on Jan. 17. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly."

The database specialist has not yet experienced a mass security exploit, but this does not mean that one will never occur, Mogull said in his note. He advises database and application managers to protect and maintain Oracle systems more aggressively.

Becoming part of Oracle's line-up could intensify the security community's scrutiny of products previously sold by the companies it acquired. So, in addition to product development, the mergers have also had effects on security processes. For example, each unit has amended how it deals with reports of vulnerabilities and with publishing of security alerts, Oracle executives said.

The employees and products of the purchased companies have borne the brunt of changes, said Duncan Harris, the senior director for security assurance at Oracle.

"The acquired companies did not have very many vulnerabilities reported to them by external researchers. PeopleSoft was the exception," Harris said. "All were still very much using a manual tracking system like that we had five years ago."

As for public announcement of fixes, PeopleSoft and J.D. Edwards security updates are now part of Oracle's quarterly critical patch bulletins. That's a change from before the acquisition. Oracle's patch alerts offer only few details on specific flaws and their impact, while PeopleSoft's security bulletins had more information.

Bug handling for most companies Oracle acquired is now part of Oracle's automated system. However, PeopleSoft still maintains its own way of handling vulnerabilities, Harris said. While Oracle has people whose full-time job is dealing with flaws, PeopleSoft has a council of employees that discusses bugs as a team, he said.

Another change is that Harris' team of "ethical hackers" will now expand its scope and may scrutinize the newly acquired products. "We don't declare what products my team looks at, but clearly as Oracle acquires new products, then those are eligible for the hackers to have a look at and do an assessment against," he said.

Harris wouldn't say if people from any of the acquired companies have joined his hacking team, which is based in the U.K. He also declined to so how large the team currently is.

Still, former PeopleSoft employees appear to have a major role in charting the future of Oracle and will leave their marks, especially when it comes to security. "When I knew that we were going to go ahead and buy PeopleSoft, I immediately wanted to have dibs on certain people," Oracle's Davidson said.

Added Heimann: "Fusion is serious. We really learned some good things from them and we're really trying to capture the best of it."

[SqlserverCode]

Unbreakable

Unbreakable?

Is it just a myth?

<a class="jive-link-external" href="http://sqlservercode.blogspot.com/" target="_newWindow">http://sqlservercode.blogspot.com/</a>