My Oracle Support and Oracle Configuration Manager

eric.maurice | Dec 3, 2008 09:52 -0700

Hi! My name is Joshua Solomin. I am the Product Manager for Oracle Configuration Manager.

Oracle recently launched its new Web support portal My Oracle Support (previously known as MetaLink). More than just providing a slick interface, the new site also delivers additional benefits to customers, including a personalized support experience, resulting in faster time-to-resolution of technical issues.

Some of the most significant benefits of the new My Oracle Support portal are the integrated configuration management capabilities – formerly known as Software Configuration Manager – which are provided through the use of Oracle Configuration Manager. Now bundled with most new Oracle product releases and utilities like OPatch, Oracle Configuration Manager can automatically gather the configuration information of Oracle product installs, and upload this information onto Oracle’s support systems. The configuration information being collected by Oracle Configuration Manager includes:
• Installed patches
• Deployment platforms, dates, versions, and type
• Deployed components and applications
• Content of configuration files
• Information about network configurations

Note that the information collected by Oracle Configuration Manager is limited to configuration information. The utility does not collect sensitive data such as actual customer data (that is, any data other than configuration information, including actual applications or database transactions), password hash values, logon events, etc. My Oracle Support note 728985.1 provides a list of all the data collected by Oracle Configuration Manager.

Once collected, this configuration data can be used to populate the customer’s private My Oracle Support dashboard. The dashboard will then display a detailed list of systems in the enterprise, not only allowing the customer to view their configuration settings, but also enabling change history tracking that will identify any changes made to system configurations over time. Furthermore, the uploaded data allows Oracle Support to provide customized information about the overall health of the customer’s systems (including information about release and patch levels currently installed in the environment) and recommendations to ensure that each system operates in peak condition.

Note that customers need to specifically enable Oracle Configuration Manager in order for it to start collecting configuration information and securely sending this information to Oracle Support. Furthermore, if a customer’s security policies prohibit the automatic sending of configuration information outside of the organization, Oracle Configuration Manager can be configured to work in a “disconnected mode”, allowing the customer’s systems and security administrators the ability to review the information prior to it being sent out to Oracle Support.

A great feature provided by Oracle Configuration Manager to My Oracle Support users is the ability to quickly create Service Requests with accurate and complete system configuration information attached. In other words, when troubleshooting a technical issue, customers can use My Oracle Support to see recent changes that may have been made to their environment, and if unable to solve the problem themselves, they can then open a Service Request with Oracle that comes pre-populated with the configuration information typically required by Oracle Support in order to initiate a service ticket.

The combination of Oracle Configuration Manager with the My Oracle Support portal provides Oracle customers with tremendous benefits. Oracle Configuration Manager is available at no additional charge to current Oracle Support customers. My Oracle Support access is included with the annual paid Oracle Premier Support subscription. This combination can provide customers with a complete view of the configuration of their Oracle environment and with environment-specific recommendations in order to yield maximum benefits from their Oracle systems while maintaining a positive security posture. The various reports available in the My Oracle Support portal can help customers prevent outages, troubleshoot systems, and identify trends across their systems.

A short video explaining the benefits of Oracle Configuration Manager is available online. In addition, the Collector tab on My Oracle Support is dedicated to explaining how to use Oracle Configuration Manager and gaining the most value out of My Oracle Support. In order to get started, just make sure that the Oracle Configuration Manager which was installed with your Oracle product has been configured and is running. You can also download the software from My Oracle Support if your recent product installs didn’t come bundled with Oracle Configuration Manager.

Training development staff in secure coding practices pays huge dividends

eric.maurice | Nov 25, 2008 06:36 -0700

Hi, this is Evelyn Sell. I am a Senior Principal Program Manager in Oracle Global Product Security. My primary function is in the security compliance area, helping to ensure that the various development organizations follow Oracle Software Security Assurance policies. This includes managing secure coding training that is based on Oracle’s Secure Coding Standards.

I am often asked what it takes to write secure code. In my experience, developers generally cannot prevent introducing security flaws in their code if they don’t know what to watch out for. It is also my experience that people generally, and developers in particular, want to do the right thing - but they need to know what the right thing is.

For the purpose of this blog, we will not go into why software security is important. That is pretty much common knowledge by now. However, there is a significant paradox in that writing secure code is not commonly taught at universities as part of the computer science curriculum. In a previous blog entry, Mary Ann Davidson expressed the difficulties faced by software vendors such as Oracle in finding developers with secure development expertise. Universities typically do not teach secure coding to their IT graduates.

Even if secure coding skills were taught in schools, there is already a large pool of software professionals who have been writing code for some time and would not be security aware unless their company rolled out secure coding practices training. Thus, until the need for security training has been met externally by the education system for some time, it falls on software vendors to train their staff. The cold, hard fact is that coding responsibly means knowing how.

At Oracle, mandatory security training has been in place for several years and is fully supported by executive management. The majority of development staff across Oracle has completed the training. New hires, or staff joining Oracle via acquisitions, are automatically notified of the mandatory security training requirement, as applicable.

In my experience, I have noticed that some developers expect their product to be used in the way in which it was intended, thinking “Why would anyone do anything different?” Well, for one, software users (customers) are typically not involved in the design and development phases of the product, and as such, the use cases anticipated by development may be somewhat different from how the software is used in “real life”. Security researchers and malicious hackers will not feel bound to use the product in the way intended by developers: they will explore avenues to break in, in ways that the developer did not foresee. For example, a malicious attacker may attempt to inject SQL commands hoping to demonstrate that the developers didn’t provide for sufficient input validation (best case scenario), or, in a worst case scenario, the attacker may try to gain access to the data or gain additional database privileges. In addition, QA testers are inherently focused on ensuring that the product works as it is supposed to, whereas in many instances security researchers and malicious hackers will do exactly the opposite with “negative” or “destructive” testing. Actually, in many ways, the job of the security researcher is to explore the boundaries outside of the normal use of software. An important aspect of security training is to help developers become security aware by teaching them to “think like a hacker”.

With appropriate training in secure coding principles, development staff will be better prepared to guard against software vulnerabilities and will understand that users will not always adhere to use cases and recommended “best practices”. In many ways, security-trained developers become aware of the unintended consequences that may result from choosing the easy way to solve a particular coding problem and leaving their code exposed to exploits. Secure development training helps prepare developers and QA staff to recognize potential security risks in code they encounter in the larger stack. A desired result of security training is seeing development teams log security bugs against their own code because they are now aware of the existence of such bugs. With appropriate training every team member becomes a security advocate in his/her own right, an additional gatekeeper who helps contribute to the increased quality of the code produced by his/her own team.

An additional benefit to secure coding training is helping to increase the overall quality of the code produced: most often security bugs are really common coding errors, but with far more serious consequences than “regular” bugs. We can generally see that secure coding training results in helping developers not only avoid potential security flaws, but also prevent other kinds of bugs as well.

Just as security training is essential for developers, it is equally essential that senior development managers are trained to help ensure that they make the right decision when allocating resources, and especially to resist “shortcuts” when facing time pressure: a secure coding solution may take longer than an easier, yet insecure, one, and it is not uncommon that fixing a security bug results in delays to the release schedule.

I am often asked at conferences what was the key success factor in successfully rolling out secure coding training to an organization as large and diverse as Oracle. In my mind, and without a doubt, I think that executive management buy-in is the most critical success factor. The benefits of secure coding training must be understood and endorsed from the top down. Executive management must fully support and mandate the application of the secure coding standards. Senior development managers must be trained to be security aware and be willing to sponsor the adoption of the secure coding practices in their teams. The development staff must become aware of these standards, be security trained, and ultimately embrace secure coding principles as a value-add to their work product.

Oracle sees much value in security training. The cost of resource time spent on training is small when compared to the cost of testing and installing just one security fix. Security training does change developer behavior: quality of code improves along with the security posture provided by the software. The most rewarding aspect of my job is seeing feedback from developers such as: “The course is invaluable. Now that our group has completed the training we think more about security when coding.”