[SecurityRatty] tag: oracle

Oracle OpenWorld

Tue, 30 Sep 2008 03:18:05 +0000

Well, Oracle OpenWorld came and went. As usual, I hardly had any time to attend sessions. The one really cool session I attended ( besides my own ) was by Tanel Poder talking about troubleshooting Oracle when the Oracle instrumentation does not work. See his blog for details. I really loved his straight forward [...]

Links List 9.29.08

Mon, 29 Sep 2008 23:00:14 +0000

Trade shows, trade shows and more trade shows. VMworld and Interop dominated the stage a couple of weeks ago and then there was the annual Oracle blowout in SF last week. Has anyone gotten any work done lately?? (image from cdye1)

Does Oracle run the world? I would have to say no but Raj (Larry Ellison is his idol) and the 40,000 Oracle customers that descended upon SF last week might beg to differ. What do James Carville and Mary Matalin have to do with enterprise software? Pretty much nothing, except for the fact that they delivered the opening keynote for Oracle OpenWorld. (And that’s the only and last politically-oriented thing you’ll hear from me as we run up to the election). For a surprisingly funny and extensive photo gallery of the eye-popping event, check out cdye1’s photostream on Flickr.

But UB40, Elvis Costello and Seal aside, Oracle OpenWorld did offer training, certifications, and always entertaining speeches by Ellison. Ben Worthen’s favorite – “Larry Ellison’s Brilliant Anti-Cloud Computing Rant” delivered to analysts on Thursday. From Ben’s slightly-edited excerpt:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?

“We’ll make cloud computing announcements. I’m not going to fight this thing. But I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. That’s my view.”

So did everyone catch that? Cloud computing is complete gibberish and idiocy, but apparently Oracle’s already been doing enough around it to advertise the fact. I will have my cake and eat it too!

We’ve been pumping out the posts from the shows we went to – let me tell you, live-blogging is hard when you’re trying to share apparently miniscule amounts of bandwidth with 14,000 other attendees – and we have even more to share as we step back, contemplate and describe how some of the announcements, info and especially roadmaps fit into our overall picture over here at ScienceLogic.

For example, we released the results of our annual industry IT survey last week. Twice a year – at FOSE (for Government IT) and at Interop NY (for enterprises) – we take advantage of the fact that we have a big beautiful booth at these shows and offer a fabulous ScienceLogic t-shirt in return for a couple of minutes time with attendees living the problems we try to solve. Instead of telling people what their problems and priorities are, we like to ask.
Interop NY Survey - Trends and Challenges
Detailed Reports on Trends and Comparison to Government IT

And I just had to share this one because it is so bizarre. Are VMware and Paul Maritz guilty of plagiarism? You have to check this out to get even part of the picture. Apparently this guy has posted his slides (we know they are from VMworld 2007 because it says so in the lower-right-hand corner…) which prove that the “virtual datacenter operating system” idea was his idea a year before it showed up on Maritz’s keynote this year. Hmmm. And then after posting all these slides and making all the connections between his presentation and Maritz’s, he says he’s just kidding about the plagiarism. Can anyone sort this out and let me know?

I’ll tell you who wasn’t kidding when I went by their booth at VMworld – a certain chargeback vendor and VMware “partner” who was quite shocked two months ago when they walked into a meeting with VMware about future roadmap. Apparently, the slides they saw (preview of VMware’s announcement re adding extended chargeback capability within vCenter management services) were mighty might similar to slides they had given in a presentation to VMware about their own roadmap. Coincidence? I’ll let you decide. And I’ll also say, their strategy to combat this – support for Hyper-V coming early in 2009.

Interop NY: Cloud Language: The Taxonomy of On-Demand Computing

Wed, 17 Sep 2008 14:25:32 +0000

This session on cloud computing was presented by Peter Laird of Oracle Corporation. Peter is a lead architect for the WebCenter product family. He previously worked with BEA as an architect for SaaS efforts. He also blogs at Laird On Demand.

Defining Cloud Computing

Cloud computing is a very active community. The Google Group gets 600 posts per month and many bloggers are covering the space. However, “cloud computing” is impossible to define in a way that satisfies everyone (or even most). Cloud computing is not alone in this controversy, consider the definition and meaning of “Web 2.0″, “mashups” or “RESTful architecture”. All of these terms are relatively recent. According to Google Trends, these terms became popular to the general public sometime between 2005 and 2007:

Web 2.0 - often confused with RIA, AKA Social Computing, Long-Tail Apps, Crowdware (2005 by O’Reilly Media)
Mashup - made popular by Google Maps, AKA Composite/Situational Apps. (2005)
REST - Has a strict definition, but many don’t understand it and abuse the term. (2006 by R. Fielding)
Cloud computing - collides with many other terms, such as SaaS, Grid, Utility, PaaS, etc. (2007)

The definition of cloud computing is in progress:

There’s a Darwinian evolution of the exact definition of cloud computing running around. We’re about a country mile away from “knowing when I see it”, which is excellent progress. The cloud to everyone’s silver-lining has enough material to write a 3 volume desktop reference at this point. - Michael Cote, June 2008

Definition #1 - “Cloud computing is the realisation of Internet (”Cloud”) based development and use of computer technology (”Computing”) delivered by an ecosystem of providers. - Sam Johnston, July 2008

Definition #2 - “Cloud computing = network computing. I love the idea of cloud computing, the next evolution of the most network intensive architecture possible, but one that if it works well, is transparent. It’s all about the transparency.” - Douglas Gourlay, Cisco, May 2008

Definition #3 - “There seems to be a group myopia around so-called “cloud computing” and its definitions. What we’re really talking about are “cloud services” of which, “computing” is only a subset…Cloud services are not SaaS. They are far more akin to web services…” - Randy Bias, neoTactics, May 2008

(Anti-)Definition #4 - “Note that I refer to cloud services, not to the could. I am not interested in defining cloud as a term, because I don’t think it’s very useful. For those of us in the distributed computing’s pace

The Working Definition (Winner!):

“…the notion of providing easily accessible compute and storage resources on a pay-as-you-go, on-demand basis, from a virtually infinite infrastructure managed by someone else. As a customer, you don’t know where the resources are, and for the most part, you don’t care. What’s really important is the capability to access your application anywhere, move it freely and easily, and inexpensively add resources for instant scalability.” - Mitchell Crandell, Rightscale, June 2008

Taxonomies of the Cloud Space

Taxonomies are useful to provide insight into a market. It classifies a multitude of players into a smaller bucket.

Andreessen’s Platforms - September 2007

Provided an early taxonomy model for emerging cloud platforms

Platform being a system that can be programmed

Access API - platform that provides web service endpoints
Plug-In API - platform invokes your code, that you have deployed remotely
Runtime Environment - your code runs inside the platform’s process space.

Mehta 11 Layer Stack, April 2008

Facilities (space, power, cooling)
Network
Hardware (e.g. servers Amazon EC2 runs)
Hardware virtualization (e.g. Xen for EC2) - optional
O/S (e.g. Linux)
Systems Management (e.g., tools to manage EC2 instances)
Application Middleware (e.g., MySQL on EC2)
Application Code
Application APIs / Web Services
GUI for Application
GUI for Application Development / Customization

Croll Cloud Stack, June 2008

7 layer stack within Turnkey app and Generic Platform.

Turnkey app

SaaS
Extensible app
Generic IDE
Constrained APIs
App Cluster
Virtual Data Center
Virtual Servers

Generic Platform

The bottom of Alistair’s stack includes “root access “style compute clouds.

Robert Anderson, July 2008

3 layer stack

Software (SaaS)
Platform (PaaS)
Infrastructure (IaaS)

This is the model taxonomy for this session.

Related Concepts and Terms

Infrastructure as a Service (IaaS), Hardware as a Service (HaaS) are synonyms to cloud infrastructure.
Virtualization
Hosting
Autonomic computing
Distributed computing
Grid computing

Cloud Applications

SaaS
S+S (Software+Services)
Managed Service Provider (MSP)

Links for 2008-09-10 [del.icio.us]

Wed, 10 Sep 2008 20:00:00 +0000

Paul Melson's Blog: ArcSight User Conference 2008
* Logger 3.0 has adopted a more-ESM-like boolean filter interface. Big improvement over the chained-regex search in 2.5 and earlier. * Demo of Logger 3.0 shows that searches of data (no details on data set) are roughly 80x faster than a similar sized search on 2.5. (The claim is 100x faster, but I counted. Still, that's a significant improvement.) * Hugh has hinted that the slick, high-performance append-only storage stuff that Logger has is going to be integrated into ESM is some release beyond 4.5. That could mean the end of the Oracle / PartitionArchiver storage model.
Splunk Tames the Chaos Brought on by Virtualization : VMblog.com - Virtualization Technology News and Information for Everyone
Existing system management tools were not designed to handle the dynamic nature of virtualization. The Splunk for VMWare Management application includes a VMWare API for data input, over 25 pre-defined searches, alerts, and reports and dashboards specifically designed to monitor key metrics for the VMWare Virtual Infrastructure.
Dorian Software BLOG: Why Your HR Department Will Love Windows Vista, Even If Your IT Department Doesn't.
Event ID 4802 tracks whenever the screensaver is invoked after a group policy-determined idle time. Event ID 4803 tracks whenever the screensaver is dismissed by the logged-on user.
Moderately Idiotic Competitor
But the clever inside criminal is taking all the payroll data from the system that is either off the network or is temporarily down. When the machine comes back up, there is no record of the intrusion and the traditional "inside out" log management system tells the user there is no problem.
Last In - First Out: Presumed Hostile - Your Application is Out to Get You
Help - Eclipse SDK - Working with the Log4J Logging sample
Cartoon 2 from The Data Governance Institute ROI
Eccentric Engineer » Blog Archive » Conf Call Hem and Haw
It’s just a damned centralized-logging platform. Unix sysadmins have been doing those for years. This stuff is about as basic as tying your shoes. All this fluff seems like overkill…but it’s IT…and we have policies.
(ISC)2 Blog: Security metrics: more is not better
Are you Owned? | Roer.Com Information Security Blog
# list of all your profiles online, with your log in. # list of all your IM/e-mail and other communication tools, with log in # list of other sites/tools that requires you to log on. # The lists above should also include each sites URL or contact information for changing passwords, or in worst case shutting them down. # a friends-list who you trust, and who are willing to help you get back your own life online. The purpose is to have them help you rebuild your internet presence. Make sure you agree some way for them to be certain that they are communicating with you, and not someone else.
Industry View: Web Application Security Today - Are We All Insane? - CSO Online - Security and Risk
The problem has gotten so bad that industry sources say most websites hosting malware have been hacked, Google says 1.3 percent of their search queries return malicious content, and Vint Cerf (father of the Internet) approximates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus/spyware is not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best-practices" despite their ineffectiveness.
TaoSecurity: Schneier Agrees: Security ROI is "Mostly Bunk"

It Was Sposed to Be So Eaaasy

Wed, 10 Sep 2008 03:12:42 +0000

Earlier this year, I gave a talk with on Breaking Web Services with Brian Chess at RSA. We pointed out that adding security into Web services is an exercise left to the implementer, the standards bodies and vendors give you some primitives, but it is still up to you to figure out all of the items on the Web services security checklist should work together in a cohesive system. Needless to say, there are many ways to shoot yourself in the foot.

So during our talk, someone from Oracle stands up and says, "hey, you guys are making this stuff sound hard. Its not hard we support WS-Security..." etc. Again, the whole point of our presentation was *not* that there are not very interesting general purpose security capabilities in Web services, our point was that you need to figure out the architecture yourself, and then bend the tools to your will. Oh, and deliver on time.

So imagine my surprise, when I read this article "Digitally Signing and Verifying Messages in Web Services" which talks about using Oracle's WSM tools to sign Web service messages and verify signatures in Web service messages, but only addresses integrity - absolutely nowt on authenticity! Integrity is important, but there are lots of times when it is not enough. Many times your service needs to be concerned with replay attacks, authentication policies and so on. To deal with those things, we would typically add policies and capabilities for timestamps, nonces and other primitives into the signature block, but the article is silent on those things. (Rad Mark O'Neill's post on this as well)

Its not about _can_ the standards do something or other, I mean given the right resources the standards can put a monkey on the moon, its about what use cases have they engineered in and what is supported in the tools today. I firmly believe SAML has such great adoption across the industry because they have a use case centric view and so gave the vendors something to engineer and optimize for. I think we'll still get there in WS-Security and other areas as well, but the use cases are not built into the spec (as with SAML) and so its taking longer.

One of our points in the talk was - we want you vendors to do your job better and instead of shipping a box Legos, ship a Lego gas station, a Lego airport, and so on. Connect some dots for your customers.

What I see in training on this topic, is sort of the following - 1) Do I need Web service security? 2) Oh ok, well can I get by with SSL? 3) Oh wait that doesn't actually protect my assets, can I just use WS-Security? 4) Oh wait, WS-Security isn't just a checkbox for security, I need to figure out timestamps, nonces, signatures, encryption policies and so on. And finally 5) How do I accomplish this?

Once we get to step 5 then the real work can begin. Its not easy to get a lot of developers through all of this, and again this is before the real work begins. Even once the lead developers and architects figure this out, there is still the little matter of transitioning it to the rest of the team.

I remember I was working with an enterprise architect several years ago, and he bought a Web service XML gateway like Vordel to add WS-Security support into his Web services apps, but he didn't even buy it as a runtime tool, he bought it as Security API, the runtime enforcement in his opinion was a bonus! He said in effect, well I know I need to do this, but I can't expose all these security primitives directly to my developers.

So yeah, I wish it was easier, but in my experience its not right now. Its not about raw capabilities its about use case realization. I think learning from what has worked well is the way to go. SAML's use case centric approach is one that has.

Towards a Streaming SQL Standard

Fri, 05 Sep 2008 13:39:08 +0000

In More Towards a Streaming SQL Standard, Marc Adler says, “Despite what I think about Streambase’s marketing and sales organization, you must admit that Zdonik and Cherniack are first-class researchers, and have contributed a lot to the field of CEP.”

I agree that these gentlemen are top notch researchers, witnessed by the fact that the authors do not mention nor claim to be “complex event processing” anywhere in their paper! This paper is not about CEP, nor does it claim to be about CEP, it is about stream processing and unifying SQL standards.

ABSTRACT: This paper describes a unification of two different SQL extensions for streams and its associated semantics. We use the data models from Oracle and StreamBase as our examples. Oracle uses a time-based execution model while StreamBase uses a tuple-based execution model. Time-based execution provides a way to model simultaneity while tuple-based execution provides a way to react to primitive events as soon as they are seen by the system.

Asmentioned on numerous occasions, stream processing is a very important area in CEP/EP. It is important not to confuse the higher situational knowledge from object-object correlation and state management with the single-object event refinement that occurs in stream processsing. Event stream processing is fundamentally different than complex event processing.

Event stream processing performs operations on streaming event objects. In almost all advanced CEP/EP applications is is necessary to perform robust track and trace operations on streaming event objects, like tracking the position of an airplane. Tracking the position of an aircraft can be modelled very nicely with event stream processing. Tracking individual event objects is a precuror to multiclass object situation refinement.

When we manage the state of all the aircraft in the skies over New York, you need more than a stream processing construct. You need to manage the state of all the aircraft. Paul Vincent of TIBCO Software being to address this important point in The Value of State…

Again, we will be better equiped to solve complex distributed event processing problems if we do not confuse the notion of event stream processing and complex event processing. These technologies are indeed complimentary, both very important, but they are not the same.

I applaud Oracle and StreamBase’s work toward a unified standard for SQL extensions for streams.

Streaming SQL Approaches Insist in Ignoring Causality by PatternStorm

Fri, 05 Sep 2008 10:25:35 +0000

The following excellent discussion is reposted from Streaming SQL approaches insist in ignoring causality by PatternStorm.

The recent paper “Towards a Streaming SQL Standard” by Oracle and Streambase unifies and generalizes two different execution models of Streaming SQL: Oracle’s and StreamBase’s.

While it’s true that the generalization succeeds in overcoming the unability of both execution models of producing correct results for astonishing simple queries (showing evidence of the actual limitations of these two Streaming SQL languages) it is also true that the generalization is closer to being overly complex than natural and intuitive.

The root cause behind the actual limitations of these two Streaming SQL languages is that their execution models “hardcode” the way events can be related to each other: in the Oracle case events are partially ordered by timestamp, in the StreamBase case events are totally ordered by time of arrival. These design decisions (natural in a stream oriented lamguage) have strong implications on what queries can be answered correctly, particularly when these queries involve joins of derived streams.

The generalization, of course, mainly consists in providing a new operator that allows the user to establish custom ordering relationships among the events (the SPREAD operator), which is good news but takes us to the fundamental issue: event processing cannot be reduced to stream processing, that is, to the processing of events that are totally or partially ordered by a pre-defined relationship (as Oracle and StreamBase actual implementations do), on the contrary, no particular ordering can be assumed because the user needs to be able to order the events in different ways in order to solve different problems. This is what event processing is about and the paper provides evidence that Streaming SQL approaches have found the need to move towards that direction and are having trouble in their way.

For instance, one of the queries used in the paper as an example of a query that StreamBase cannot solve (but Oracle can) is the following: correlate the stream that contains the total number of cars on the road for each time interval with the stream that contains the total average speed of the cars on the road for each time interval in order to detect the situation where the avergae speed is below 45 and the total number of cars is two or more. This query can be very easily and more robustly solved if you order the events by causality rather than by time, that is, if you have each position report update the average speed stream and the total number of cars stream and then you causally relate each position report to the new average speed event and the new total number of cars event that it generates; then the query is just a matter of detecting all report speeds that are causally related both to an average speed event below 45 and a total number of cars event of two or more (notice that this approach is more robust than Oracle’s time-based one because it works without requiring derived streams to be synchronized with the report speed stream)

Conclusions:

Event Processing is a generalization of Stream Processing (as the paper shows)
Event Processing requires providing the ability to the user of creating custom relationships among events and then define patterns/queries using those custom relationships.
Causality is more often than not a more robust and easier criteria to order events than time or order of arrival.
Event Processing Languages should support causality.

Regards,
PatternStorm

XSS fortune cookie

Tue, 02 Sep 2008 12:10:00 +0000

Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:

1) Ask the mighty Google oracle who might be able to tell you your fortune.
http://www.google.com/search?hl=en&q=tell+my+fortune&btnG=Search&lr=lang_en

2) Select one of the sponsored links; in this case I chose SpritualExperts.com.

3) Pick a variable. I settled for banid.

4) Ask it if it has a cookie for you.
http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E

Voila...an XSS fortune cookie. Sorry. Really, I am.

The webmaster has been advised...play nice.

Screenshot for after they fix the issue.

del.icio.us | digg

Golf Driven Security

Tue, 26 Aug 2008 13:00:50 +0000

I don't have anything against the sport, in fact I think that if the software security people want to get in the enterprise security game they have to get a lot better at golf. I blogged about how the network security sector is about fifteen times larger than software security sector, prompting one person to write saying that we have invested wisely in network security, eliminated the problems and will address the software security problem with internal processes and tools.

The problem is that compared to software security we are clearly overspending on network security, the hardware/software is unchanged for a decade - in any other area of computing the cost would be falling like a rock (how much would 1995 version of Oracle or Windows cost now? 5 cents on the dollar, yet CISOs still cut $900M worth of checks to Checkpoint each year). The problem is there is no market effect because the CISO's budget keeps increasing and they have no idea what/where/how to spend so they just play golf with their Checkpoint rep and send in the renewal.

Internal processes and tools are necessary yet nowhere near sufficient to "solve" software security. One reason we "have gotten rid of" network attacks is that no one cares. its a 1990s 31337 attacker goal, not a mafia enterprise goal (botnets aside). business, be they legit or criminal, wants data and functionality. so its all about apps and data. we are just at the very begining crawl stage of even understanding how to solve these problems. That's why when i hear security consultants harsh on something like static analysis I just laugh. are they better than a top 1% resource in the world? no way. do we have a multi billion dollar gap to close? ya sure, ya betcha. We need things that scale.

People dont write their own virus protection, but for some reason attempt to do their own input validation, it is the same exact problem. people routinely write their own authentication, authorization and audit. i could go on.

I have rarely seen an industry so ripe for disruptive innovation as software security.

Software Security Market

Mon, 25 Aug 2008 09:18:59 +0000

Information Security budgets are pretty crufty, they are an accumulation of decisions but the analysis that led to these decisions is rarely revisited, it just snowballs. So the normal Information Security budget is just a legacy artifact of when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers in software security, breaking down software security sectors like tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers to see the real changes occuring in software security. Here were his findings on software security tools:

One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.

These are very nice growth numbers, what company doesn't want 83% growth? However, the total picture is not so good. Gary's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space?!? Complete UTTER Madness!

This is the stupefying, stultifying effects of budget cruft, where the decisions made in The People's Republic of Information Security have no bearing on reality of threats or even a business case.

Let's look at networks. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion and you are going to "defend" that with allocating $150 Million worth of software security tools?

	Network	Software
Asset Value	$39.5 billion	$98 billion
Security Investment	$900 Million	$150 Million
Security Investment as a percentage of asset value	2.28%	0.15%

This table greatly disturbs me. From a prioritization standpoint The People's Republic of Information Security is misaligned by orders of magnitude. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today!

I see the outcomes of backwards looking, crufty decisions by Information Security every day - one or two software security sherpas heading out to work with thousands of developers, meanwhile the network security people sit around and read the newspaper and go home every day at 5.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take Checkpoint as a target, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.