How Oracle Can Help You Write More Secure Code

mark.wilcox | Oct 9, 2008 18:20 -0600

Now when James McGovern repeats his question of "when will Oracle show how to write secure code" we can point him to this post :).

First - make sure to read and check back with the Oracle Secure Technology Center. This is basically a one-stop place for all of our security information. Oracle covers everything from the OS to applications, and this location covers that breadth with links to deeper dives.

Second - our Chief Security Officer Mary Ann Davidson has been trying to get the developer education ecosystem (e.g. CS programs and their cousins) to do a better job of teaching secure coding. I believe she articulated the problem very well in her post - "The Supply Chain Problem".

Third - read this book (Mary Ann Davidson recommends it in her Supply Chain Problem) - Foundations of Security: What Every Programmer Needs to Know.

Fourth - if you do anything with the database - David Knox's Effective Oracle Database 10g Security by Design is still the go-to resource. It's book #2 on my tech shelf - after my own (me being first is mostly a vanity thing :)).

As an addendum - if you are writing code in ADF you should check out the new tutorial based on the new demo application - "Fusion Order Demo" . Besides learning all of the cool things ADF/JDev bring to the table - Chapter 28 covers how to leverage the external security framework. I hope to be able to use this application to demonstrate more of our capabilities - in particular OVD/IGF but possibly others too. 

Correction on Information Card Foundation

mark.wilcox | Oct 9, 2008 09:10 -0600

Charles Andres from the Information Card Foundation posted a comment to correct my earlier post that Microsoft created the Information Card Foundation:

One small correction: Microsoft did not start the Information Card Foundation. A community of architects and designers including the creators of the Higgins Project created the organization before inviting any corporations to join. The consensus of this community was that the visual metaphor of a digital wallet and cards shared by The Higgins Project (which included open source components contributed by engineers from Parity, Novell, Oracle, and IBM), Microsoft CardSpace, and other researchers, is the best way to present controls for identity and personal information to the widest possible user base. The merger of these efforts along with other components that can benefit from standards protocols now underway at OASIS makes ICF a common effort by many forward-thinking companies who want to make the Internet a safer and simpler environment for all transactions. The decision by Microsoft to join the ICF was a great step for the industry to advance toward a common unified way for users to wield trusted verified claims.

Since comments don't usually get read - I wanted to make sure this correction was read.

Writing Secure Code - Links - October 10, 2008

mark.wilcox | Oct 9, 2008 07:10 -0600

Posting early since I'm taking Friday off.

Crisis Begets accountability and transparency -- While not directly about software code, it is an article that can be used as a "teachable moment" across many disciplines. From a programming perspective, the lesson is that accountability and transparency help make for a more secure environment. We will also likely see more monitoring across different systems and changes to organizational structures, so we are going to need more code in more places that interoperates to make security a cohesive whole. Make sure you are taking steps to integrate secure auditing (such as Oracle Audit Vault) and logging, and to enable external fine-grained access control leveraging standards like XACML.

ISC2 To Offer Certification For Software Lifecycle Security -- The organization that provides the CISSP certification is launching a new certification for developers. It is a rather explicit industry acknowledgement that developers are not taught security as a core competency, and thus it's not ingrained into training or expectations. It also (IMHO) acknowledges that the CISSP is not about code-level security. They are two different disciplines, and being competent in one does not necessarily mean you will be competent in the other, even though they may be related.

Upcoming PHP 5.3 beefs up security -- If you are writing code in PHP - you will want to learn more about a couple of changes being made that likely will make your code more secure but may break some of your scripts.

Two Cookies Can Make You Fat But They Are Not Two-Factor Authentication

mark.wilcox | Oct 8, 2008 16:30 -0600

This post is inspired by a conversation I had with one of our customers. They have a team responsible for customer-facing revenue applications and of course that team is trying to make sure they have strong security.

On the good news side - the team knows they need "two-factor" authentication. A factor is normally based on the concept of something you know (aka a password or the answer to a security question), something you have (a digital certificate or hardware token) or something you are (a fingerprint). Two factors means two of these different kinds of evidence, not two pieces of the same kind.

However, apparently it's the cool thing to do for certain web sites to have "dual cookies". One is persistent and stores simple profile information (like what page you want to go to when you log in) - nothing sensitive. The other is your session cookie. And the perception in this team (and maybe they learned it from some magazine/conference) is that this is a type of two-factor authentication. In particular they thought this would help protect access from "new unknown machines".

Any security professional knows this is not the case. Session cookies are often used to enable Web-based SSO. The persistent cookie is really just used to help manage profile information that can't be stored elsewhere. Both cookies are sent automatically by the same browser on every request, so together they are at best a single, weak "something you have": whoever steals or replays one can just as easily steal or replay the other, and neither proves that a human knows or is anything. Two cookies do not make two-factor authentication.

The better way to solve this problem isn't two cookies. It's to use actual multi-factor authentication together with risk-based, knowledge-based authentication (KBA) challenges. Oracle can provide this via Oracle Adaptive Access Manager (OAAM).

Here is how OAAM could help in this scenario, as described by one of our PMs in the Access Management Suite team:

OAAM uses a lot of contextual information to determine the risk factor of any user performing an action, whether it be viewing a resource, performing an action or initiating a transaction. The contextual information covers things like IP address, geo-location, time of day, day of week, device fingerprinting (which can be done as a persistent object on the client machine), and even user behavior.

If I drill down on the use case a little bit, I believe you guys are looking for a way to raise risk factors when a user is coming in from a machine that the user has never used. The raised risk factor will require the user to answer an additional challenge question before the system can trust them enough to allow access to some resource.

So how do OAM and OAAM help accomplish the above? One example would be as follows:

The first time a user attempts access to a protected resource, OAM initiates an authentication scheme that really calls OAAM in the backend. OAAM then determines if the device has ever been used before based on device fingerprinting, and if the machine has never been used, then username, password, and a knowledge-based question must all be provided before the user gets access. Subsequently, when the user attempts access again with a persistent object (or device fingerprint) that OAAM accepts, then only username and password are necessary. This provides the knowledge-based question as an added security measure if the user is coming from a machine that has never been seen before. Of course, this solution assumes that the knowledge-based questions and answers have already been set up for all users.

I also pitched a couple of other options - in particular if OAAM adoption would be slow because of budget or time constraints:

1 - On sensitive pages - simply prompt for the password again. This would at least prevent someone from acting on a session that was left open because the original person walked away from the machine.

2 - On sensitive pages - not only ask for the password but perhaps require a separate PIN code for that page.

3 - You could also use other authentication types - like digital certificates - but those have their own set of headaches.

Also you can read more about OAAM.
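To make the flow in the PM's description concrete, here is an added example (my own illustration, not OAAM or any Oracle code) of device-aware step-up authentication: a password alone is accepted from a device the user has already enrolled, while an unrecognised device must also answer the knowledge-based question before it is remembered. It also includes the "re-prompt for the password on a sensitive page" option from the list above. The user store, the device fingerprint inputs and the PBKDF2 work factor are all constructed assumptions for the walk-through.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not OAAM code. Models password + KBA on an unknown device,
# password only once the device fingerprint is known. Everything below
# (user store, fingerprints, work factor) is constructed for illustration.

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for your hardware)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of a password or of a normalised KBA answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def normalise_answer(answer: str) -> str:
    # Compare KBA answers case- and whitespace-insensitively ("Fluffy " == "fluffy");
    # the stored value is still a salted hash, never the plaintext answer.
    return " ".join(answer.lower().split())


def device_fingerprint(user_agent: str, accept_language: str, screen: str) -> str:
    """Crude fingerprint from attributes the browser sends. A real product uses a
    persistent client object plus many more signals; this is only a stand-in."""
    raw = "|".join([user_agent, accept_language, screen])
    return hashlib.sha256(raw.encode()).hexdigest()


def make_user(password: str, kba_answer: str) -> dict:
    """Create a user record with salted hashes and no enrolled devices yet."""
    pw_salt, kba_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "pw_salt": pw_salt,
        "pw_hash": hash_secret(password, pw_salt),
        "kba_salt": kba_salt,
        "kba_hash": hash_secret(normalise_answer(kba_answer), kba_salt),
        "known_devices": set(),
    }


def login(users: dict, username: str, password: str, fingerprint: str,
          kba_answer: Optional[str] = None) -> str:
    """Return "denied", "challenge" (password accepted, KBA answer now required
    because the device is new) or "ok". The device is enrolled only after the
    full challenge succeeds, so a stolen password alone cannot enrol a device."""
    user = users.get(username)
    if user is None:
        # Burn the same work as a real check so timing does not reveal
        # whether the account exists.
        hash_secret(password, b"\x00" * 16)
        return "denied"
    if not hmac.compare_digest(hash_secret(password, user["pw_salt"]), user["pw_hash"]):
        return "denied"
    if fingerprint in user["known_devices"]:
        return "ok"  # low risk: known device, password is enough
    if kba_answer is None:
        return "challenge"  # raised risk: ask the knowledge-based question
    given = hash_secret(normalise_answer(kba_answer), user["kba_salt"])
    if not hmac.compare_digest(given, user["kba_hash"]):
        return "denied"
    user["known_devices"].add(fingerprint)  # trust this device from now on
    return "ok"


def reauthenticate(users: dict, username: str, password: str) -> bool:
    """Option 1 from the post: re-prompt for the password before a sensitive
    action. Deliberately ignores the device so an unattended, already logged-in
    session is not enough on its own."""
    user = users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(hash_secret(password, user["pw_salt"]), user["pw_hash"])


# Constructed sample store and two constructed devices for a walk-through.
USERS = {"mwilcox": make_user("correct horse battery staple", "Fluffy")}
HOME_PC = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0", "en-US", "1920x1200")
CAFE_PC = device_fingerprint("Mozilla/5.0 (Windows NT 5.1) MSIE 7.0", "en-US", "1024x768")

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(login(USERS, "mwilcox", pw, HOME_PC))            # challenge
    print(login(USERS, "mwilcox", pw, HOME_PC, "fluffy"))  # ok, HOME_PC enrolled
    print(login(USERS, "mwilcox", pw, HOME_PC))            # ok
    print(login(USERS, "mwilcox", pw, CAFE_PC))            # challenge
```

The order of checks matters: the password is verified before the device is consulted, so the "challenge" response is never returned for a wrong password and cannot be used to probe whether a device is enrolled without knowing the password first.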

More James McGovern Q and A

mark.wilcox | Oct 8, 2008 08:10 -0600

James was nice enough to ask more questions -  though I'm still curious as to how he thinks we specifically trail Microsoft in open-source contributions.

So here for the enjoyment of the readers is my response:

Maybe you could share on your next posting exactly how allowing closed source Oracle databases on the Amazon grid is open source?

[MEW] I realize I should have clarified that point better. What I meant by this is that if you are a developer who needs to test your code against Oracle DB, there is not a much easier way than using one of the pre-built EC2 images. Assuming you meet OTN requirements, you are probably only paying for EC2 fees, which is still likely cheaper than having your own servers. I would think as an "enterprise architect" you would understand the value of this approach over having your developers have to become experts at installing Oracle database. And while sure you could have DBAs do that, it's still probably quicker/more flexible to do this (in particular for any research type work, or training on a new language/framework) than internally.

Likewise, there is a difference between open source and open specifications. Are you willing to say that all reference code will be of production quality?

[MEW] I don't know what you mean by production quality. I don't mean that sarcastically but rather as a reflection that it is a relatively subjective question. What I can say is that code that we do contribute to OpenLiberty from our dev team will have gone through at least our base level software development process, which includes design review, code review and automated regression tests. This is not to say that any identity attribute service on OpenLiberty will be 100% the same as Oracle's production version, because we will be adding functionality to make it an actual product (such as a UI and integration with the Oracle audit/logging framework, for example) that will not be part of Project Liberty. But OpenLiberty is, well, um, open - so you can participate as well.

Sun has open sourced LDAP. Would you as a product manager advocate the  same for virtual directories?

[MEW] Let's take a step back here. Sun did not open-source LDAP :). They have an open-source project that wrote from scratch an open-source, storage-based LDAP server in Java. It's not the first open-source LDAP (UMichigan & OpenLDAP have that claim), nor the first open-source Java LDAP (even Apache isn't the first, but it's the longest-running), and heck, even their C-based version was effectively open-source via the Fedora Directory Project. I am not sure why anyone at Sun thought starting from scratch was a good idea. At the moment we are still able to grow the adoption of OVD (and OID), are able to improve upon the core product via customer feedback and have a plug-in API that allows customers (whether themselves, partners or Oracle consulting) to extend the product to meet their needs - so I don't sense a valid reason to open-source OVD. I obviously cannot speak for any other virtual directory vendor/project.

OK, Kim Cameron of MS paid for implementations of Cardspace on other platforms in which MS is simply attempting to improve the ecosystem and won't make a cent off it. In many ways it actually competes with its own offerings. What is the Oracle equivalent?

[MEW] Microsoft has produced open specifications, a few examples and started the Information Card Foundation (which we are a member of) to help drive adoption of Information Cards. I would argue we are on the same path on IGF via Open Liberty, except that since our work is done via Project Liberty we can avoid the need to create yet another foundation. The biggest difference is that since IGF is more middleware based, the visible bits have been slower to show, though that is starting to change as you can see from Phil Hunt's (our lead technical person for the IGF standard) DIDW presentation. And as mentioned in that presentation - we are releasing the IGF Attribute Service API as open source (this is new code). The API will have at least 2 provider implementations - one using OVD (which I'm responsible for and is planned to be a core component of Fusion Middleware & Fusion Applications) and one based on Project Higgins. This is an open project - so you are welcome to go learn more.

Simplifying Access to Multiple Active Directory Domains

mark.wilcox | Oct 6, 2008 16:30 -0600

We got a question from a customer via our comments:

We are looking to deploy OVD and the AD connector in our environment. Our environment contains several domains with various levels of trusts. We are looking for best practices on this type of deployment. Currently we have deployed OAM/OID and OIM.

This is a common deployment scenario - the customer has multiple LDAP directories (in this case they are different Active Directory domains). The simplest approach is to have a common virtual root such as "dc=mydomain,dc=com" and then create an LDAP adapter for each domain. Each adapter is mounted as a branch under that root. For example, imagine you have one domain for HQ, one for Finance and one for Engineering: you could configure OVD so that each becomes a "virtual" child such as "ou=hq,dc=mydomain,dc=com", "ou=finance,dc=mydomain,dc=com" and "ou=engineering,dc=mydomain,dc=com". Each of these adapters is mapped to the proper remote base DN in its domain, and OVD takes care of translating the Distinguished Names in both directions - a client's virtual DN is rewritten to the remote DN on the way in, and entries coming back are rewritten under the virtual branch on the way out.

Then when configuring applications that use LDAP for authentication and authorization, you would set their search base to "dc=mydomain,dc=com". A subtree search against that base is fanned out to every adapter, so the application can authenticate any user found in any of those domains, regardless of any trust relationships between them. This is because trusts don't really apply to LDAP operations (they are a Kerberos/NTLM relationship between domains): OVD connects to each domain controller directly, so each adapter simply needs a service account that can bind to, and search, its own domain.
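The DN translation and search fan-out described above, as an added illustration (my own example, not Oracle Virtual Directory's implementation or configuration format). The three remote base DNs under dc=corp,dc=example are constructed; the virtual names are the ones from the post. The DN splitting assumes no escaped commas in attribute values, which holds for the domain and OU names used here.

```python
# Added example, not OVD code: one virtual root, one adapter per AD domain,
# each mounted as a virtual child branch. Remote base DNs are constructed.

VIRTUAL_ROOT = "dc=mydomain,dc=com"

# adapter name -> (virtual branch it is mounted at, remote base DN it proxies to)
ADAPTERS = {
    "hq":          ("ou=hq,dc=mydomain,dc=com",          "dc=hq,dc=corp,dc=example"),
    "finance":     ("ou=finance,dc=mydomain,dc=com",     "dc=finance,dc=corp,dc=example"),
    "engineering": ("ou=engineering,dc=mydomain,dc=com", "dc=eng,dc=corp,dc=example"),
}


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs, keeping their original case.
    Assumption: no escaped commas inside attribute values."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies in base's subtree (case-insensitive)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def route(virtual_dn: str):
    """Find the adapter that owns a virtual DN and rewrite it to the remote DN.
    Returns (adapter name, remote DN); raises if nothing is mounted there."""
    for name, (branch, remote_base) in ADAPTERS.items():
        if is_under(virtual_dn, branch):
            parts = split_dn(virtual_dn)
            prefix = parts[: len(parts) - len(split_dn(branch))]  # RDNs below the branch
            return name, ",".join(prefix + split_dn(remote_base))
    raise LookupError(f"no adapter mounted for {virtual_dn}")


def to_virtual(adapter: str, remote_dn: str) -> str:
    """Reverse mapping for entries returned by a backend: remote DN -> virtual DN."""
    branch, remote_base = ADAPTERS[adapter]
    if not is_under(remote_dn, remote_base):
        raise LookupError(f"{remote_dn} is outside adapter {adapter}")
    parts = split_dn(remote_dn)
    prefix = parts[: len(parts) - len(split_dn(remote_base))]
    return ",".join(prefix + split_dn(branch))


def adapters_for_search(search_base: str) -> list:
    """Adapters a subtree search must be fanned out to. A base at or above the
    virtual root hits every adapter; a base inside one branch hits just that one;
    a base outside the virtual namespace hits none."""
    return [name for name, (branch, _) in ADAPTERS.items()
            if is_under(branch, search_base) or is_under(search_base, branch)]


if __name__ == "__main__":
    # An application bound at the root sees all three domains as one tree.
    print(adapters_for_search(VIRTUAL_ROOT))
    # A bind DN supplied by the application is rewritten before it reaches AD.
    print(route("cn=Jane Doe,cn=Users,ou=finance,dc=mydomain,dc=com"))
    # An entry found in the Engineering domain comes back under the virtual branch.
    print(to_virtual("engineering", "CN=Bob,CN=Users,DC=eng,DC=corp,DC=example"))
```

Note that nothing here consults a trust: the only thing that decides where a DN goes is the virtual branch it sits under, which is why the per-domain trust topology does not affect which users the application can authenticate.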

More information on configuring this kind of setup can be found on the OVD-OAM Oracle By Example.

Thank you for the question and let us know if you need any further clarification.

Virtual Directory Litmus Test

mark.wilcox | Oct 6, 2008 09:10 -0600

Matt Flynn posted a paraphrased quote from Divya Sundaram of Motorola:

If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).

And then asked if this is a litmus test for Meta vs Virtual.

My answer is that it depends.

This is because Sundaram's statement rests on a false assumption, though it's a common belief.

It's a common belief because people want to be "in control" of data and feel that unless they control everything, they are not truly in control.

This of course is patently false - we have mechanisms (such as contracts) to deal with boundary control issues without needing to directly control everything.

And this is reflected in the fact that in many (if not most) virtual directory deployments, the team that runs the virtual directory does NOT own the data sources it connects to. The systems it connects to are often run by different teams, usually with different management chains. But virtualization works because those systems are already designed to be used by external client applications with a proper level of service level agreements and availability.

And virtualization is a way to make the most out of these existing capabilities.

Where "meta-directory" makes the most sense is really two cases:

1 - You want to reduce the number of storage systems, in particular different LDAP servers. Thus you could collapse many ADAM, Sun, Novell, OpenLDAP, etc. instances into a single enterprise-class storage system such as Oracle Internet Directory.

2 - You need a standardized provisioning system to meet business process and compliance requirements. This is the environment that Oracle Identity Manager fills.

Reply to James if he was US CIO

mark.wilcox | Oct 3, 2008 10:30 -0600

James is on another rant. He has asked me to reply to a couple of other posts on LDAP topics, but I wanted to get clarity on one of his points.

9. I would use the same law and force Larry Ellison to make Oracle contribute more to open source. 

First - why single out Ellison and Oracle? Does he feel others like Microsoft or IBM or CA have done enough? And if so - what have they done, for comparison?

Second - I would like to point out Oracle's contributions to open source. Most people are probably not familiar with the work we have done.

Start with our Open Source Site.

But just to give a summary:

1 - Oracle contributes heavily to Linux, in particular to help the database work better. This is why we were able to offer Oracle Enterprise Linux.

2 - We have put significant effort - in terms of drivers and related work - into various projects including PHP, Ruby, Spring and of course EclipseLink (the open-source version of TopLink).

3 - We effectively donated our entire next-generation UI library (ADF) to Apache to help provide a richer platform for Web applications.

4 - We are doing all of the reference work for IGF in the open at openLiberty.

5 - It's now possible to run Oracle software on Amazon EC2. This is particularly useful when it comes to the database - you can now have a full EE database instance running in 5 minutes without having to fiddle with any kernel or related parameters.

So James -what specifically do you want Oracle to do more of? And what would be the value for you to do so?  If you have specific items I'm happy to hear them & communicate them to the appropriate people.

Writing Secure Code - Links - October 3, 2008

mark.wilcox | Oct 3, 2008 06:30 -0600

Are you encrypting database traffic? Are you sure? You should be! -- This is a nice simple post that reminds you that just because you have enabled HTTPS for your Web application doesn't mean the traffic between your application and the database is encrypted. HTTPS only means the link between the browser and the Web server is encrypted. You should also encrypt the link between the app server (whether Java, PHP or .NET) and the database, and verify it from the database side rather than assuming the driver did it. Keep in mind that this protects data on the wire only; encrypting data at rest (for example with Transparent Data Encryption) is a separate control.

5 Password Utilities That Will Make Your Life Simpler -- Not really any coding tips but since passwords will be with us for a long time - these might be helpful for you and your users. Interesting they mentioned OpenID as one of the utilities but not InfoCards.

Pete Finnigan - Oracle [database] security information -- A page with various utilities to help test your local Oracle password security and tools to help with auditing the database.

Update on Mapping User in Enterprise User Security (Central Database Account Administration)

mark.wilcox | Oct 1, 2008 07:50 -0600

When you map a user in Enterprise User Security (EUS) - I found that you can indeed avoid mapping the user in Enterprise Security Manager (ESM) if you provide the full directory DN when creating/altering the user.

So for example:

alter user hr identified globally as 'cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com';

should then allow Mark Wilcox to log in using his uid value (e.g. mwilcox).

I'm sure I read that in Knox's book before but it didn't sink in until I was asked about this at OOW last week.

Writing Secure Code - Links - September 26, 2008

mark.wilcox | Sep 29, 2008 17:50 -0600

Apologies for this being late. Because of OOW I got a bit behind.

Passwords -- This blog post from the "Blown to Bits" blog talks about problems with passwords. On a personal level - you should have a random password. No words. Just a mix of characters. From a developer perspective - do not write your own login code. Almost all frameworks now have their own login subsystem - leverage that. It will allow you to focus on code that is actually core to your business application. Or, to put it another way - I would not want my friend Quan writing my UI, but he knows how to write awesome security code. I know my friend Josh knows how to make awesome looking UI - he shouldn't be writing my security code. And at an enterprise level - make sure you are adopting comprehensive access products such as the Oracle Access Manager suite.

"Using Yahoo! Login Mechanisms for Desktop Applications" -- If you want to use Yahoo! for user password management this might be useful to you.

Criminal probe of ex-Lottery employee Launched -- Basically another data leak problem. Remember - when writing apps, make sure you allow for proper auditing. Also make sure to put in hooks that allow access controls to be written using a standard like XACML (such as provided by Oracle Entitlement Server). And if you are storing data in a database, make sure the application can work with strong security measures like Oracle Database Vault and Transparent Data Encryption. And - if you are managing/installing a database - make sure you enable these features if your applications can support them.

Schneier On Security -- Bruce Schneier, who is the expert on security, has released a new book. I believe it's a collection of his columns, so if you are a regular reader there is probably nothing new. However, if you are new to this field - you should get a copy, as well as his previous book Beyond Fear. Or if you are up to speed on these books - then be sure to read The Unthinkable: Who Survives When Disaster Strikes - and Why.

Centrally Manage Database Accounts in Active Directory and Sun Directory - Resource Kit

mark.wilcox | Sep 20, 2008 18:30 -0600

We have gone live with our resource kit on how to centrally manage Oracle database accounts in Active Directory and Sun Directory. The kit includes a webcast of a customer case study, a podcast discussing the technology and whitepapers.

The resource kit can be found here.

State of Delaware Succeeds with Oracle Virtual Directory

mark.wilcox | Sep 17, 2008 14:30 -0600

Oracle and State of Delaware released a joint press release on how the State of Delaware has used Oracle Identity & Access Management Suite to enable their eGovernment initiative. And Oracle Virtual Directory is key to enabling this solution.

If you are going to be at Oracle OpenWorld 2008 be sure to check out the presentation with State of Delaware and Oracle on their use of Oracle Virtual Directory.  Or if you can't make the presentation - be sure to at least visit our booth.

The presentation details:

S298925 Using Oracle Virtual Directory to Integrate Microsoft Active Directory, Oracle Database, and Oracle Applications Wednesday 13:00-14:00 Marriott Golden Gate C3

Writing Secure Code - Links - September 12, 2008

mark.wilcox | Sep 12, 2008 16:40 -0600

Since I'm focusing this blog more on the technical side - I thought I would try to regularly provide a set of links and commentary to security and privacy articles I find. 


"For Your Browser Only" -- Reminds developer's that if you are writing cookies from your server code to remember to mark them "HTTP Only". This dramatically reduces the surface area for cross-site scripting attacks. I would also add that other techniques - such as using a standards-based framework for authentication/session management and risk-based access control like Oracle provides via Fusion Middleware and the Access Management Suite will add extra protection.

Security Researchers Uncover Spring Framework Vulnerabilities -- Some researchers have found vulnerabilities in the popular Spring framework.

What Californians Understand About Privacy Online -- A paper showing how big the gulf is between the average person's perception of how their privacy is protected and the reality . One could of course make a joke about what do you expect from people who elect "The Terminator" their governor  but it is a real problem.

SQL Injection issue in :limit and :offset parameter -- A two-fer this week - security issues in two of the most popular frameworks out there - Spring and now Rails. I give credit to the author for trying to help raise awareness and in general I think adopting frameworks (in particular standard - whether that's "Standard" like JSF or a "standard" like Spring/Rails) make you more productive - and yes, secure.

5 Features Your Login System Must Have -- An interesting article for those who are still "rolling their own system". Of course for an enterprise - I'm not sure of any valid use case where that would be a good idea - there's too many good products out there such as Oracle Access Management Suite that can do this for you without needing to become a SSO developer. If you are working on a consumer site - then at the very least, you should adopt something like OpenID or Infocards so that you are not managing passwords.

MKB Bank Centralized Database Accounts in AD and Eliminated Helpdesk Calls on DB Passwords

mark.wilcox | Sep 12, 2008 16:40 -0600

Read our new white-paper on MKB Bank and how they used OVD to centralize database accounts in Active Directory. This solution was integrated with their existing 3rd party provisioning system and helped eliminate helpdesk calls about database passwords.

Oracle Directory Services Story Now Live

mark.wilcox | Sep 12, 2008 16:40 -0600

As I hinted at earlier - we have a new blog dedicated to business level discussion on directories. It's called Directory Service Stories and we have posted our first post on a customer related story.

The purpose of that blog, compared to mine, is that it will focus on customer stories and higher level use cases, while I continue to be more technical here.