OraNA :: Oracle News Aggregator

It would be good if we have a file that contain the version and the component versions of WL server like OC4J (ias.properties in $OH/config). Its different though in WL. Couple of ways to figure out the Weblogic Version:

1. Weblogic Console - simplest of all. But we get just the Weblogic kernel version from here.

2. To know the components and the versions (of specifications) of those components in Weblogic, run these:
$ java weblogic.version -verbose
(OR)
$  java weblogic.utils.Versions

We need to source the setDomain.env ($WL_HOME/user_projects/domains/[domain_name]/bin directory (or any other appropriate file which sets the environment and has weblogic.jar in the classpath).

Better Information With Master Data Management

In our last blog, we showed how every single answer produced by the BI tools on the Data Warehouse star schema was wrong.

What is the average revenue per customer?              $47.50

Who is the most valuable customer?                        Mary Smith

How much did the most valuable customer spend?  $50

Who is the number one retailer?                               Old Navy

What is the maximum revenue for any supplier?      $50.00

 

The answers were wrong because the analytical side of the business is not designed to deal with the following transactional realities:

·         Mary Smith married Mr. Evans and changed her name to Mary Evans after she bought the sweater from Old Navy. She is, in fact, the same person who bought the similar sweater from Banana Republic the next day.

·         Old Navy and Banana Republic are both subsidiaries of The Gap.

·         AI Corp is an alias for Acme, Inc.  They are in fact the same supplier.

·         VN-Sweater and RF-Sweater are two ids for the same actual item.

Oracle's MDM solution is designed to understand these facts, accurately reflect this reality, and provide the correct dimension information to the Data Warehouse.

MDM Capabilities

We will now itemize the key MDM capabilities supporting BI. We will then rebuild the star schema and re-execute the queries to get the right answers.

Data Model

In any MDM solution, the data model, or schema, is the foundation upon which all subsequent MDM application functionality is built. As an applications vendor, Oracle had to create technologies that cleansed the master data within our own applications. We used the proven application data models themselves to build applications to master the applications' own data. We then extended these capabilities to the enterprise to run with or without other Oracle applications. 

The Oracle model is tailored to map to the way organizations actually do business. The Oracle MDM data models are unique in that they are an OLTP schema that represents a superset of every way master data has been defined by all attached applications. It has the flexibility to accommodate organization and industry specific extensions.  It holds all necessary hierarchical information, all attributes needed for duplicate identification, removal and prevention, as well as cross-reference information for all attached operational systems.

In our example, the MDM schema holds customer data in both business-to-business (Old Navy, Banana Republic) and business-to-consumer (Mary Smith, Mary Evans) formats. In addition, it holds the master supplier data (Acme, Inc, AI Corp) and retail product data (VN-Sweater, RF-Sweater). The names and all needed attributes are maintained.

Change Management

In order to deal with real time changes to master data, such a the marriage of Mary Smith to Mr. Evans, Oracle's MDM solution includes a real time Business Event System. Any change to master data attributes triggers a business event that in turn invokes a workflow process. The workflow process builds appropriate XML payload packages and executes the configured steps for the particular data change.

In our example, the introduction of Mary Evans triggered a 'New Customer' event. This kicked off a workflow to populate Mary's record with all available information. For example, it may have requested address validation from a postal address verification vendor to insure that all addresses are mailable. Standardized addresses also aid in duplicate identification. The workflow may have requested data augmentation for credit ratings, or obtained an AbiliTec ID from Acxiom to assist with duplicate identification.  This is done in real time.

 

Person Duplicate Identification

Oracle's MDM solution for customer data is the Customer Hub. It comes with a variety of mechanisms for finding duplicate customer records. A primary technique is to configure a rules engine to find potential matches using a large number of customer attributes.  In our example, Old Navy has entered Mary Smith as a customer. Her universal ID is established. The Customer Hub manages Old Navy as a source system and records Mary Smith's ID in that system. Mary Evans is similarly managed. This is the base for the MDM cross-reference.

MDM utilizes all available attributes to determine if these are duplicates.  Typical match rules will examine addresses, phone numbers, e-mail addresses etc.  Additionally, 3^rd party data such as an AbiliTec ID from Acxiom may be used. In our example, the system fines that Mary Smith and Mary Evans are indeed duplicates in spite of the different name and address.

Company Duplicate Identification

Company duplicate identification uses the same general rules engines as the Person duplicate identification.  The key difference is that the number and type of attributes available for a company are different.  For example, companies can have a DUNs number provided by D&B. In our example, a search on AI Corp produces a match with Acme Inc. Alias information was used by out-of-the-box duplicate identification rules.

Duplicate Elimination & Cross-reference

Once the Customer Hub identifies Mary Smith and Mary Evans as duplicates, it eliminates the duplicates by merging the multiple records into one. The cross reference is maintained.  Where before the merge, there were two customer records each pointing back to one source system, we now have one customer record pointing back to two source systems.

Attribute Survivorship

Another key capability of the Customer Hub is its ability to manage the survival of customer attributes in the face of multiple sourcing systems and customer record merges. The MDM Customer Hub maintains the source system priority rankings for each attribute.  While all records remain in the MDM data store, only the 'blended' single version of the truth record is seen by applications and viewers.

Product Standardization

Oracle's MDM solution for product data is the Product Hub with Oracle Product Data Quality (PDQ) for product data standardization.  This standardization enables rapid and parameterized searching and accurate duplicate identification. In our example, Old Navy uses the string: VN PO 50 Blue W 24W 36B 22A. Banana Republic's sweater is identified by: B Wool V Neck Pllver S:36. These records are loaded into the Product Hub schema through PDQ's Data Lens. Attributes such as style, color, and size are populated as well as catalog codes.  An English description is generated as well as other appropriate languages as needed. In our example, we see that both products are V-Neck Pullover blue wool sweaters and that they actually have the same ID code.  They are in fact the same product and now the MDM system recognizes them as such.

Hierarchy Management

Hierarchy information is critical for proper aggregation and roll-ups. Oracle's Customer Hub maintains any number of simultaneous hierarchies used by the operational applications. These include Dunn & Bradstreet hierarchies with out-of-the-box connectivity to D&B for both batch and real time information access. In our example, D&B provides the hierarchy information for Old Navy and Banana Republic. It turns out that they are both subsidiaries of The Gap.

 

Updated Star Schema

MDM has identified the customer duplicates; maintained the cross reference back to the sourcing systems across a merge; developed the single golden customer record utilizing survivorship rules; found the two products to be identical; learned that the two retailers belong to one corporate hierarchy; and found through good duplicate identification techniques that Acme, Inc. and AI Corp are in fact two names for the same vendor. If we deliver this updated cross reference and dimension data to the data warehouse, we get the following star schema.

 

  

Re-Run the Query

Re-running the same query now get the correct answers:

     What is the average revenue per customer?                     $95

     Who is the most valuable customer?                               Mary Evans

     How much did the most valuable customer spend?         $95

     Who is the number one retailer?                                      The Gap

     What is the Max revenue for any supplier?                      $95

We see that better information has been provided through Master Data Management. MDM fixed the data quality problem at its source and delivered quality dimensions to the analytics. No other technology on the market is designed to accomplish this essential task.

Conclusion

There are three legs to a complete Business Intelligence solution: 1) the Data Warehouse for holding the operational history; 2) the Enterprise Master Data Management solution for insuring that quality data under those operational applications and hierarchies are supplied to the Data Warehouse; and 3) the BI applications themselves that utilize the DW and MDM data to get clean authoritative information to everyone in the organization that needs it. Without MDM, the solution falls over. Poor decisions based on inaccurate data drive less than optimal performance.  Compliance becomes difficult and risks increase.

 

Oracle MDM provides clean consolidated accurate master data seamlessly propagated throughout the enterprise. This data reflects the actual operations of the organization. It insures that this is the data the BI tools use.  It is the glue between the operational and analytical sides of the business. Oracle MDM enables organizations to get a single view of the enterprise for the first time since the application landscape fragmented back in the 1970s.  This can save companies millions of dollars a year, dramatically increase operating efficiencies, improve customer loyalty and support sound corporate governance[1]. 

. 

After spending some time on discussing some of the new parallel features (like AutoDOP and Statement Queuing) it is about time to put these features in a larger context. That context is managing diverse workloads with varying degrees of parallelism for various actions on the data.

A lot can be said about setting up workload management, so expect this to be one of the posts in a series on this topic. As it is the first post, let's start from the beginning, with understanding workloads and a framework of setting up such a management infrastructure.

Continuous Improvements

Workload management - the understanding and management of a set of diverse workloads on a system - is really an ecosystem with many participants. It is ever-changing and therefore is one of these things in life that will always be in motion. As the workload changes, or the environment in which the workload runs, adjustments will be required to ensure everything runs smoothly.

At a high level, the cycle of continuous improvements begins with the definition of a workload plan. That definition should be based on a clear understanding of the actual workloads running on this system (more later on some of the required questions). That will be tested when the workloads are running on the system, and your main task is to monitor and adjust the workload. Adjusting - if all goes well and your plan is reasonable - is mostly required in the beginning when fine tuning of the plan is done.

Once the system stabilizes and all small exceptions to the plan are corrected your main task is to monitor. This whole cycle will repeat itself upon changes to the workloads or to the system. It is crucial that major changes are planned for and not just resolved in an adjustment.

Planning your Solution

To start creating effective workload management solutions it is crucial to understand the phases in above shown picture.

Understand the Workload

To understand the workload for your given system you will need to gather information on the following main points:

Who is doing the work? - Which users are running workloads, which applications are running workloads?

What types of work are done on the system? - Are these workloads batch, ad-hoc, resource intensive (which resources) and are these mixed or separated in some form?

When are certain types being done? - Are there different workloads during different times of the day, are there different priorities during different time windows?

Where are performance problem areas? - Are there any specific issues in today's workload, why are these problems there, what is being done to fix these?

What are the priorities, and do they change during a time window? - Which of the various workloads are most important and when?

Are there priority conflicts? - And if so, who is going to make sure the right decisions are made on the real priorities?

Understanding the workload is a crucial phase! If your understanding is incorrect, your plans are incorrect and you will see issues popping up during the initial running of the workload. Poorly understood workloads might even drive you back to square zero and cause a lot of issues when a system (like an operational DW) is mission critical.

Creating and Implementing the Plan

Now that you know (in detail) the characteristics of your workload you can start to document it all and then implement this plan. It is recommended to document the details and reasoning for the decisions (as with all systems). Out of the documented plan you would create (already in Oracle speak, more later on the products):

Create the required Resource Plans:

For example: Nighttime vs. daytime, online vs. offline

Create the resource groups:

Map to users, application context or other characteristics
Map based on estimated execution time
Etc

Set the overall priorities:

Which resource group gets most resources (per plan/window) for IO, CPU, Parallel Processing
Cap max utilizations that these sessions can use on the system
Etc

Create thresholds:

Estimated execution times to determine in which group to run
Reject sessions if too much time, CPU or IO is required (both estimated and actual)
Downgrade (or upgrade) based on resources used
Set queuing thresholds for parallel statements
Etc

Create throttles:

Limit the number of active sessions
Limit degrees of parallelism
Limit the maximum CPU, IO that can be allocated
Etc

The above is just a small number of the things to consider when putting your plan into action and is mostly focused on Database Resource Manager and IO Resource Manager (IORM is Exadata only!). Also consider working with Services and Server Pools and when you running several databases on a system consider instance caging.

Monitoring and Adjusting

Last but not least you will put the plan into action and now monitor your workloads. As the system runs you will adjust the implemented settings. Those adjustments come at various levels:

System Levels:

Memory allocations
Queuing Thresholds
Maximum Parallel Processes running
Server Pools
Etc

Resource Management Settings:

Increase or Decrease throttles and thresholds
Change the queuing guidelines
CPU and IO levels
Etc

All of these adjustments should be minor tweaks... if there are major changes required, you should consider going back to drawing board and understand what the issues with your plan are.

Products Used

In this case we are focusing on the database environment and we are leveraging components that are part of RAC (Services and Server Pools), Database and IO Resource Manager and Enterprise Manager to monitor the workloads. To study your workload you will be looking at AWR for example.

The next post will cover these products and how they all relate. Hopefully I get that one done rather sooner than later...

Estão disponíveis 2 novas demos animadas de Oracle VM.

• New Oracle VM Demo

Esta curta demo apresenta as características principais do Oracle VM  e os benefícios para os utilizadores. Em cerca de 4 minutos, percorre a estratégia da Oracle com o Oracle VM, dá uma visão rápida de algumas das suas características principais, e explica o foco da Oracle em ajudar os utilizadores a conseguir obter maiores benefícios da virtualização para além da simples consolidação de servidores.

• New Demo on Accelerating Application Development

Esta demo apresenta uma visão geral sobre os Oracle VM Templates e o Oracle Virtual Assembly Builder.

Vejam as demos e apreciem.

Tuxedo product management Sr. Director Deepak Goel blogs about the general availability of Tuxedo 11gR1 PS1 release (version 11.1.1.2.0). According to Deepak, this release introduces several cusomer-driven enhancements and features for mainframe application rehosting. He highlights the features/enhancements included in this release. He also notes that these new capabilities will be discussed and demonstrated at Oracle OpenWorld (OOW), San Francisco week of September 19th. If you are coming to OOW, please plan to attend one or more of the Tuxedo sessions and also stop by our demo pod, W-190, in Moscone West.

These days, customers expect quality customer service. Those who have worked in customer service know how hard it is.

Consistent, quality customer service is even a bigger challenge for companies with multiple business units or divisions. In many cases, each division has its own processes and systems. Besides the overhead costs of maintaining and supporting multiple systems, there is no way to implement best practices across the company.

Air System Components Inc. (ASC) is a market-leading supplier of heating, air conditioning, and ventilation system components for commercial applications. ASC sells its products under multiple brands that operate as independent companies, including Titus, Krueger, Tuttle & Bailey and PennBarry.

In the video below, you can hear how ASC has standardized its customer service processes across many brands using Oracle CRM On Demand. They have seen many benefits such as reducing resolution time and balanced work loads. Oh, and they were live in 4 weeks!

Click here to read more about the ASC story and here to learn more about Oracle CRM On Demand.

We are soliciting your feedback on our recently announced E-Business Suite Release 11i + 10gR2 Cross Platform Transportable Tablespaces (XTTS) database migration process.

We know that quite a few of you have requested this and are curious as to how you might be faring with it. For those customers who have downloaded the controlled patch (6158038) required for this migration of the EBS database, we would love to hear your answers to the following questions:

I'm very pleased to welcome John Abraham to this blog's panel of guest authors.  John is part of the same team led by Terri Noyes, who joined this blog's panel earlier this year.  With John's participation, we are able to potentially double our coverage of server operating system topics.

John joined Oracle in 2003 and worked as an engineer before moving into a Product Management role in the E-Business Suite Platform Engineering group.  John leads the team responsible for the strategic direction of EBS as it relates to operating systems and hardware architectures, and works to identify solutions that will add value to Oracle, partners, and customers.

Prior to Oracle he worked in various engineering roles such as leading a Developer Support group at a realtime graphical  software company (SL Corp), as a systems engineer developing electrical grid control software for a large engineering company (Asea Brown Boveri/ABB), and as a UI developer for a CRM company (Kana Software).

John has a B.S. and M.S. in Mechanical Engineering from the University of Wisconsin-Madison with a focus on Control Systems and Computer Modeling of complex electro-mechanical systems. In his spare time he is known to play tennis, kick a soccer ball on occasion, loves travel and follows international soccer intently.

He can be reached at: 

We have a jam-packed and very exciting agenda for WebLogic at this year's OpenWorld. Here are some of the highlights (Editor's Pick, if you may)

For those of you arriving on Sunday, I recommend:
Performance-Tuning Web Applications by Paul Dorsey, President Dulcian, Inc. and Michael Rosenblum, DBA, Dulcian, Inc. S318493 at Moscone West L2, Rm 2014 from 1:00 pm - 01:45 pm
For Oracle application server customers, Migrate: Oracle Application Server Containers for J2EE to Oracle WebLogic Server By Liran Zelkha, CEO, Aluna maybe useful. Session S316615 at Moscone West L2, Rm 2010, from 3:30 pm - 04:00 pm

Monday Sessions:
Don't miss Mike Lehmann's presentation on WebLogic roadmap: Oracle Fusion Middleware Application Server Roadmap; Session S317474 at Marriott Marquis Salon 9 from 11:00 am - 12:00 pm
Those of you interested in Oracle's JVM strategy, Oracle's Java Virtual Machine Strategy by Henrik Stahl. Is a must attend. Session S317386 at Marriott Marquis, Salon 9, 12:30 pm - 13:30 pm
Managing Oracle WebLogic Server: New Features and Best Practices, Session S3170630, Moscone West L3, Rm 3024, 5:00 pm - 06:00 pm

Tuesday Sessions:
Don't miss Will Lyons' Increasing Performance and Reducing Costs with Oracle WebLogic Suite, Session S317406 at Moscone West L3, Rm 3022, from 3:30 pm - 4:30 pm
For our developer community, Oracle Fusion Development Platform: Oracle JDeveloper and Oracle ADF Overview by Shay Shmeltzer, session S316855 at Marriott Marquis Salon 9 from 11-12pm seems very appropriate.

Wednesday Sessions:
A rich mix of sessions focused on RIA and Web 2.0, Java, ADF, and virtualization in the middle tier:
10:00 am - 11:00 pm, S317457: Virtualizing the Application Grid by Mahendra Singh, National Australia Bank at Marriott Marquis, Salon 9
11:30 am - 12:30 pm, S316899: RIAs and Web 2.0 Development Made Simple at Marriott Marquis , Salon 9
11:30 am - 12:30 pm, S317623: Extending the Life of Your Java Applications with Java for Business, Moscone West L3, Rm 3024
01:00 pm - 02:00 pm S315175: Lessons Learned: Automating Scholarships with Oracle ADF, Todd Hill, Ed O'Connor-Giles from University of Wisconsin at Moscone West L3, Rm 3024
Here you take a break and go to Larry Ellisons's Keynote
04:45 pm - 05:45 pm, S316884: Developing Applications with Oracle ADF: A Customer Case Study, Gert Leenders, Axi NV, Greg Opie, ECS at Marriott Marquis Salon 6

Thursday Sessions:
Don't miss the last session of this day: Introducing an Optimized Compute Platform for Oracle Fusion Middleware, S317409, at Marriott Marquis, Salon 6 from 03:00 pm - 04:00 pm
Other sessions that maybe interesting are:
09:00 am - 10:00 am, S317067: Oracle WebLogic Server Management for Oracle DBAs at Marriott Marquis, Salon 9
12:00 pm - 01:00 pm, S317048: Enabling Multichannel Access to Your Applications: Web, Mobile, and Desktop at Marriott Marquis, Salon 6
01:30 pm - 02:30 pm S317066: Deep Java Diagnostics and Performance Tuning: Expert Tips and Techniques at Marriott Marquis, Salon 9

Here are some sessions on the topic of 'Cloud':
Monday September 20, 2010
05:00 pm - 06:00 pm, S318440: Partnering with Oracle in the Cloud by Kevin O'Brien, Senior Director, ISV and SaaS Strategy at Westin Market Street Hotel Franciscan I
Tuesday September 21, 2010
05:00 pm - 06:00 pm, S317479: Platform as a Service (PaaS) Is the Sweet Spot for Private Clouds by Tom Gilbert, Deutsche Bank and Brent Juelich, Savvis, Inc. at Moscone West L3 Rm 3022

For a complete guide to all WebLogic and application grid sessions read the 'Focus-on Application Grid' document.

Here is listing of Tuxedo related sessions at OOW, San Francisco along with date/time and venue for each:

1. Monday, 9/20 at 3:30pm, Marriot Marquis/Salon 9 - S317398: Oracle Tuxedo Roadmap: Mission Critical SOA and Mainframe Application Rehosting
2. Tuesday, 9/21 at 3:30pm, Marriot Marquis/Salon 6 - The ART of Mainframe Migration and Modernization
3. Wednesday, 9/22 at 10am, Hotel Hilton, Franciscan A/ B/ C/ D - S318573: HOL - Be an ARTist: Re-host an IBM Mainframe Online Application to Oracle Tuxedo
4. Wednesday, 9/22 at 4:45pm, Hotel Nikko/Nikko Ballroom II - S317400: How to improve scalability and availability of PHP/Python/Ruby web apps?
5. Thursday, 9/23 at 12pm, Marriot Marquis/Salon 9 - SOA Application Development Using Oracle Service Architecture Leveraging Tuxedo
6. Thursday, 9/23 at 2pm, Hotel Nikko/Nikko Ballroom II - S317399: Leverage high performing non-Java services from Java applications
7. Thursday, 9/23 at 3:30pm, Hilton San Francisco/Franciscan A/ B/ C/ D - S318572: HOL - Develop enterprise apps in PHP, Python or Ruby and scale with Oracle Tuxedo

Tuxedo Demo booth is W-190 in Moscone West.

• Webcast: Linux Configuration and Diagnostic Tips & Tricks
  (tags: linux, linux)
• On Demand Webcast: Technical Best Practices for Accelerating Linux Deployments with Oracle Validated Configurations
  Oracle Validated Configurations are pre-tested architectures spanning software, hardware, storage, and network components, documented as best practice guides and available for free download. Oracle Linux experts Sergio Leunissen and Thor Nolen share best practices and real-world use cases. 
  (tags: oracle otn linux)
• Focus on Real Application Clusters and Database Cloud Computing
  Guide to relevant sessions/events at Oracle OpenWorld 2010
  (tags: oracle otn oow10 RAC cloud database)
• JavaOne Session/Event Guide: Focus on Architects and Architecture
  An extensive list of keynotes, sessions, an networking opportunities selected for software architects attending JavaOne 2010.
  (tags: oracle otn javaone10 architecture)

While effective talent management has always been a key differentiator for successful businesses, the recession forced everyone to reexamine both their internal processes and how best to invest resources in order to maximize strategic growth. Today, the need for cost-cutting and a focus on workforce efficiency are still very much a reality for most companies, while continuing to try and prepare for tomorrow. HR organizations that still silo their talent management process and tools will find they are not only engaging in massive duplication of efforts with regard to data collection and analysis, but are also needlessly limiting their ability to meet the future "talent" needs of their organization. In fact, recent Bersin & Associates research correlates corporate ability to manage change to implemented talent management strategies.

Join us for this live Webcast to hear from Principal Analysts Stacey Harris and Barb Arth from Bersin & Associates, sharing insights on the transition of the ERP market into an integrated system for meeting your "talent management" needs.

In this session we will answer:

• What are some of the business benefits that can be realized from implementing an integrated talent management strategy?


• How have ERP's evolved to meet today's needs for integrated talent management processes


• What are the best practices and ways to overcome the challenges in using your ERP system for your integrated talent management efforts


• What are Practical examples of how companies have implemented talent management in their ERP systems?


• Where is the future heading in relation to integrated talent management?

http://event.on24.com/r.htm?e=239000&s=1&k=1E62CA1BB6EF4A5EA75FAE2033B7AF75

I am happy to announce general availability of Tuxedo 11gR1 PS1 release (version 11.1.1.2.0). This release introduces several enhancements and features - almost all of which are driven by customer feedback received during 11gR1 beta, POCs and other direct customer engagements, especially related to mainframe application rehosting. Given below are highlights of the features/enhancements included in this release. Note that, we will talk about and demonstrate many of the new features at OOW, San Francisco Week of September 19th. If you are coming to OOW, please plan to attend one or more of the Tuxedo sessions and also stop by our demo pod W-190 in Moscone West. I will post list of Tuxedo sessions along with timing and venue separately. This will be a great event.

New features/Enhancements in Tuxedo ART Runtime and Workbench 11gR1 PS1:
- More coverage for CICS APIs
- Support for RRDS
- Enhanced CICS TSQ and TDQ support
- SSL for TN3270 Terminal server
- Sort support for migrated files
- Support for additional JCL features
- Enhanced batch utilities and parallelization of batch job execution
- Enhanced management of batch output

New features/Enhancements in Tuxedo core and other product options:
- Support for multiple resource managers from a Tux application server
- Extremely simplified JCA Adapter configuration and deployment
- Flexible AUTOTRAN configuration within Tuxedo and JCA Adapter
- Monitoring of Tuxedo ART batch Jobs from TSAM
- Support of TSAM and SALT on OpenVMS and OS/400
- Availability of Tuxedo Mainframe Adapters (SNA, TCP and OSITP)
- Enhanced mainframe connection management for TMA SNA

For detailed list of new features/enhancements, see product documentation at: http://download.oracle.com/docs/cd/E18050_01/tuxedo/

To download Tuxedo 11gR1 PS1 release, go to: http://www.oracle.com/technetwork/middleware/tuxedo/downloads/index.html.

Regards,
Deepak
Senior Director, Software Development
Oracle Fusion Middleware

Summer in Idaho is treasured all the more since it is all too brief. We had a long, cold spring - my lilacs were two months behind those of friends and family on the east coast - and some flowers that normally do well here never did poke their colorful heads out of the ground.

My personal gardening forays have been mixed: some things I planted from seeds never came up, and others only just bloomed in August, much to my delight. I am trying to create order from chaos - more specifically, I want a lovely oasis of flowers in a rock garden I have admittedly neglected for several years. Nature abhors a vacuum and thus, she made a successful flanking maneuver to colonize flowerbeds with sagebrush and grasses. I am way beyond "yanking and weed killer" and have traded in my trowel for heavier equipment. You need a shovel and a strong back to pull up a sagebrush and as for the grass, I've had to remove the top three inches of soil in many places and move a number of rocks to get at the root system snaking under them.

I never appreciated the expression, "getting at the root of the problem" until I dealt with invasive sagebrush and "grass-zilla." I have no choice but to do it because if I do not eradicate the root system, I will continue to battle these opportunistic biological interlopers one new sprout at a time. Just as, if you do not figure out the - pun intended - root cause of a security vulnerability, but just fix the symptoms, you will later have to clean up the rest of the buggy snippets that are choking your code.

I have had professional experiences that mirror my rock garden. That is, that there are "interloping and invasive" ideas that take hold with unbelievable tenacity to the point it is hard to eradicate them. The sagebrush and grass of the cybersecurity area are what I can only call the (myth of the) evil vendor cabal (var. multae crappycodae) and supply chain risk management (malwarum hysteriensis). Both have taken hold of otherwise rational human beings just like the pods took over people's minds in Invasion of the Body Snatchers.

In the course of my work, I attend a lot of meetings, seminars and the like on software assurance. The good news is that in the last couple of years, most of the vendors who attend these events (think of the big names in software and hardware) are doing pretty much the same sort of mom and secure apple pie things in software development. The bar, I can say pretty confidently, has been raised. This does not mean industry is perfect, nor does it mean that industry is "done" improving security. I would add that all of us know that building better code is good business: good for customers and good for us. It's also important for critical infrastructure. We get it.

However, to go to some of these meetings, you wouldn't think anything had changed. I have recently been astonished at the statements of opinion - without any facts to back them up - about the state of software development and the motives of those of us who do it, and even more disturbed at what I can only describe as outright hostility to industry in particular and capitalism in general. I suspect at least part of the reason for the hostility is the self-selecting nature of some of these meetings. That is, for some assurance-focused groups, vendors only attend meetings sporadically (because it's more productive to spend time improving your product than in talking about it). That leaves the audience dominated by consultants, academics and policy makers. Each group, in its own way, wants to make the problem better and yet each, in its own way, has a vested interest in convincing other stakeholders that they - and only they - can fix the problem. Many of them have never actually built software or hardware or worked in industry - and it shows. Theory often crumbles upon the altar of actual practice.

What I have heard some of these professional theorists say is not only breathtakingly ironic but often more than a little hypocritical: for example, a tenured academic complaining that industry is "not responsive to the market." (See my earlier blog "The Supply Chain Problem") on fixing the often-execrable cybersecurity education in most university programs and the deafening silence I got in response from the universities I sent letters to.) If you are tenured, you do not have to respond to market forces: you can teach the same thing for thirty years whether or not it is what the market needs or wants and whether or not you are any good at it. (What was that again about being nonresponsive to market forces?)

I am also both amused and annoyed at the hordes of third party consultants all providing a Greek chorus of "you can't trust your suppliers - let us vet them for you." Their purpose in the drama of assurance seems to be the following:

• Create fear, uncertainty and doubt (FUD) in the market - "evil, money-grubbing vendors can't be trusted; good, noble consultants are needed to validate security"
• Draft standards - under contract to the government - that create new, expensive third party software and hardware validation schemes
• Become the "validator" of software after your recommendations to the government - the ones you wrote for them - have been accepted

Could there possibly be a clearer definition of "conflict of interest" than the above? Now, I do not blame anyone for trying to create a market - isn't that what capitalism is? - but trying to create a market for your services by demonizing capitalism is hilariously ironic. One wants to know, "quis custodiet ipsos custodes?" (Who watches the watchers, otherwise known as, "why should I trust consultants who, after all, exist to sell more consulting services?")

The antibusiness rhetoric got so bad once that I took advantage of a keynote I was delivering to remark - because I am nothing if not direct - that, contrary to popular belief, there is no actual Evil Vendor Cabal wherein major software and hardware suppliers collude to determine how we can collectively:

• build worse products
• charge more for them and
• put our customers at increased risk of cyberattack.

It doesn't happen. And furthermore, I added, the government likes and has benefited from buying commercial software for many applications since it is feature rich, maintained regularly, generally very configurable, and runs on a lot of operating systems. "How well," I added, "did it work when government tried to build all these systems from scratch?" The answer is, the government does not have the people or the money to do that: they never did. But the same consultants who are creating FUD about commercial software would be happy to build custom software for everything at 20 times the price, whether or not there is a reason to build custom software.

"You are all in business to make a profit!" one person stated accusingly, as if that were a bad thing. "Yes," I said, "and because we are in business to make a profit, it is very much in our interest to build robust, secure software, because it is enormously expensive for us to fix defects - especially security defects - after we ship software, and we'd much rather spend the resources on building new features we can charge for, instead of on old problems we have to fix in many, many places. Furthermore, we run our own businesses on our own software so if there is horrible security, we are the first 'customer' to suffer. And lastly, if you build buggy, crappy software that performs poorly and is expensive to maintain, you will lose customers to competitors, who love to point at your deficiencies if customers have not already found them."

The second and more disturbingly tenacious idea - and I put this in the category of grass since it seemingly will take a lot of grubbing in the dirt to eradicate it - is what is being called "supply chain risk," this year's hot boy band, judging from the amount of screaming, fainting and hysteria that surrounds it. And yet, if "it" is such a big deal, why oh why can't the people writing papers, draft standards and proposed legislation around "it" describe exactly what they are worried about? I have read multiple pieces of legislation and now, a draft NIST standard on "supply chain risk management" and still there is no clear articulation of "what are you worried about?"

I generally have a high degree of regard for the National Institute of Standards and Technology (NIST). In the past, I've even advocated to get them more money for specific projects that I thought would be a very good use of taxpayer money. I am therefore highly disturbed that a draft standard on supply chain risk management, a problem supposedly critical to our national interests, appears to be authored by contractors and not by NIST. Specifically, two out of three people who worked on the draft are consultants, not NIST employees. (Disclaimer: I know both of them professionally and I am not impugning them personally.) There is no way to know whether the NIST employee who is listed on the standard substantially contributed to the draft or merely managed a contract that "outsourced" development of it.

As I noted earlier, there is an inherent problem in having third parties who would directly stand to benefit if a "standard" is implemented participate in drafting it. Human nature being what it is, the temptation to create future business for oneself is insidiously hard to resist. Moreover, it is exceedingly difficult to resist one's own myopias about how to solve a problem and, let's face it, if you are a consultant, every problem looks like the solution is "hire a consultant." It would be exactly the same thing if, say, the federal government asked Oracle to draft a request for proposal that required a ...database. Does anybody think we could possibly be objective? Even if we tried to be open minded, the set of requirements we would come up with would look suspiciously like Oracle, because that's what we are most familiar with.

Some will argue that this is a draft standard, and will go through revisions, so the provenance of the ideas shouldn't matter. However, NIST's core mission is developing standards. If they are not capable of drafting standards themselves then they should either get the resources to do so or not do it at all. Putting it differently, if you can't perform a core mission, why are you in business? If I may be a bit cheeky here, there is a lesson from Good Old Capitalism here: you cannot be in all market segments (otherwise known as "You can't be all things to all people"). It's better to do a few things well than to try to do everything, and end up doing many things badly. I might add, any business that tried to be in too many market segments that they had no actual expertise in would fail - quickly - because the market imposes that discipline on them.

Back to the heart of the hysteria: what, precisely is meant by "supply chain risk?" At the root of all the agitation there appears to be two concerns, both of which are reasonable and legitimate to some degree. They are:

• Counterfeiting
• Malware

Taking the easier one first, "counterfeiting" in this context means "purchasing a piece of hardware FOO or software BAR where the product is not a bona fide FOO or BAR but a knockoff." (Note: this is not the case of buying a "solid gold Rolex" on the street corner for $10 when you know very well this is not a real Rolex - not at that price.) From the acquirer's viewpoint, the concern is that a counterfeit component will not perform as advertised (i.e., might fail at a critical juncture), or won't be supported/repaired/warranted by the manufacturer (since it is a fake product). It could also include a suspicion that instead of GoodFoo you are getting EvilKnockoffFOO, which does something very different - and malicious - from what it's supposed to do. More on that later.

From the manufacturer's standpoint, counterfeiting cuts into your revenue stream since someone is "free riding" on your brand, your advertising, maybe even your technology, and you are not getting paid for your work. Counterfeits may also damage your brand (when FakeFOO croaks under pressure instead of performing like the real product). Counterfeiting is the non-controversial part of supply chain concerns in that pretty much everybody agrees you should get what you pay for, and if you buy BigVendor's product FOO, version 5, you want to know you are actually getting FOO, version 5 (and not fake FOO). Note: I say, "non controversial," but when you have government customers buying products off eBay (deeply discounted) who are shocked - shocked I tell you! - to discover that they have bought fakes, you do want to say, "do you buy F-22s off eBay? No? Then what makes you think you can buy mission critical hardware off eBay? Buy From An Authorized Distributor, fool!"

The second area of supply chain risk hysteria is malware. Specifically, the concern that someone, somewhere will Put Something Bad in code (such as a kill switch which would render the software or hardware inoperable at a critical juncture). Without ever articulating it, the hysteria is typically that An Evil Foreigner - not a Good American Programmer - will Put Something Bad in Code. (Of course, other countries have precisely the same concern, only in their articulation, it is evil Americans who will Put Something Bad In Code.) The "foreign boogeymen" problem is at the heart of the supply chain risk hysteria and has led to the overreach of proposed solutions for it. (For example, the NIST draft wanted acquirers to be notified of changes to personnel involving "maintenance." Does this mean that every time a company hires a new developer to work on old code - and let's face it, almost everybody who works in development for an established company touches old code at some point - they have to send a letter to Uncle Sam with the name of the employee? Can you say "intrusive?")

So here is my take on the reality of the "malware" part of supply chain. It's a long explanation, and I stole it from a paper I did on supply chain issues for a group of legislators. I offer these ideas as points of clarification that I fervently hope will frame this discussion, before someone, in a burst of public service, creates an entirely new expensive, vague, "construct" of policy remedies for an unbounded problem. Back to my gardening analogy, if eradicating the roots of a plant is important and necessary to kill off a biological interloper, it is also true that some plants will not grow in all climates and in all soil no matter what you do: I cannot grow plumeria (outdoors) in Idaho no matter how hard I try and no matter how much I love it. Similarly, some of the proposed "solutions" to supply chain risk are not going to thrive because of a failure to understand what is reasonable and feasible and will "grow" and what absolutely will not. I'll go farther than that - some of the proposed remedies - and much of what is proposed in the draft NIST standard - should be dosed with weed killer.

Constraint 1: In the general case - and certainly for multi-purpose infrastructure and applications software and hardware - there are no COTS products without global development and manufacturing.

Discussion: The explosion in COTS software and hardware of the past 20 years has occurred precisely because companies are able to gain access to global talent by developing products around the world. For example, a development effort may include personnel on a single "virtual team" who work across the United States and in the United Kingdom and India. COTS suppliers also need access to global resources to support their global customers. For example, COTS suppliers often offer 7x24 support in which responsibility for addressing a critical customer service request migrates around the globe, from support center to support center (often referred to as a "follow the sun" model). Furthermore, the more effective and available (that is, 7x24 and global) support is, the more likely problems will be reported and resolved more quickly for the benefit of all customers. Even smaller firms that produce specialized COTS products (e.g., cryptographic or security software) may use global talent to produce it.

Hardware suppliers are typically no longer "soup to nuts" manufacturers. That is, a hardware supplier may use a global supply network in which components - sourced from multiple entities worldwide - are assembled by another entity. Software is loaded onto the finished hardware in yet another manufacturing step. Global manufacturing and assembly helps hardware suppliers focus on production of the elements for which they can best add value and keeps overall manufacturing and distribution costs low. We take it for granted that we can buy serviceable and powerful personal computers for under $1000, but it was not that long ago that the computing power in the average PC was out of reach for all but highly capitalized entities and special purpose applications. Global manufacturing and distribution makes this possible.

In summary, many organizations that would have deployed custom software and hardware in the past have now "bet the farm" on the use of COTS products because they are cheaper, more feature rich, and more supportable than custom software and hardware. As a result, COTS products are being embedded in many systems - or used in many deployment scenarios - that they were not necessarily designed for. Supply chain risk is by no means the only risk of deploying commercial products in non-commercial threat environments.

Constraint 2: It is not possible to prevent someone from putting something in code that is undetectable and potentially malicious, no matter how much you tighten geographic parameters.

Discussion: One of the main expressions of concern over supply chain risk is the "malware boogeyman," most often associated with the fear that a malicious employee with authorized access to code will put a backdoor or malware in code that is eventually sold to a critical infrastructure provider (e.g., financial services, utilities) or a defense or intelligence agency. Such code, it is feared, could enable an adversary to alter (i.e., change) data or exfiltrate data (e.g., remove copies of data surreptitiously) or make use of a planted "kill switch" to prevent the software or hardware from functioning. Typically, the fear is expressed as "a foreigner" could do this. However, it is unclear precisely what "foreigner" is in this context:

• There are many H1B visa holders (and green card holders) who work for companies located in the United States. Are these "foreigners?"


• There are US citizens who live in countries other than the US and work on code there. Are these "foreigners?" That is, is the fear of code corruption based on geography or national origin of the developer?


• There are developers who are naturalized US citizens (or dual passport holders). Are these "foreigners?"

(Ironically, naturalized citizens and H1B visa holders are arguably more "vetted" that native-born Americans.) It is unclear whether the concern is geographic locale, national origin of a developer or overall development practice and the consistency by which it is applied worldwide.

COTS software, particularly infrastructure software (operating systems, databases, middleware) or packaged applications (customer relationship management (CRM), enterprise resource planning (ERP)) typically has multiple millions of lines of code (e.g., the Oracle database has about 70 million lines of code). Also typically, commercial software is in near-constant state of development: there is always a new version under development or old versions undergoing maintenance. While there are automated tools on the market that can scan source code for exploitable security defects (so-called static analysis tools), such tools find only a portion of exploitable defects and these are typically of the "coding error" variety. They do not find most design defects and they would be unlikely to find deliberately introduced backdoors or malware.

Given the size of COTS code bases, the fact they are in a near constant state of flux, and the limits of automated tools, there is no way to absolutely prevent the insertion of bad code that would have unintended consequences and would not be detectable. (As a proof point, a security expert in command and control systems once put "bad code" in a specific 100 lines of code and challenged code reviewers to find it within the specific 100 lines of code. They couldn't. In other words, even if you know where to look, malware can be and often is undetectable.)

Lastly, we are sticking our collective heads in the sand if we think that no American would ever put something deliberately bad in code. Most of the biggest intelligence leaks of the past were perpetrated by cleared American citizens (e.g., Aldrich Ames, Robert Hanssen and the Walker spy ring). But there are other reasons people could Do Bad Things To Code, such as being underpaid and disgruntled about it (why not stick a back door in code and threaten to shut down systems unless someone gives you a pay raise?).

Constraint 3: Commercial assurance is not "high assurance" and the commercial marketplace will not support high assurance software.

Discussion: Note that there are existing, internationally recognized assurance measures such as the Common Criteria (ISO-15408) that validate that software meets specific (stated) threats it was designed to meet. The Common Criteria supports a sliding scale of assurance (i.e., levels 1 through 7) with different levels of software development rigor required at each level: the higher the assurance level, the more development rigor required to substantiate the higher assurance level. Most commercial software can be evaluated up to Evaluation Assurance Level (EAL) 4 (which, under the Common Criteria Recognition Arrangement (CCRA), is also accepted by other countries that subscribe to the Common Criteria). Few commercial entities ask for or require "high assurance" software and few if any government customers ask for it, either.

What is achievable and commercially feasible is for a supplier to have reasonable controls on access to source code during its development cycle and reasonable use of commercial tools and processes that will find routine "bad code" (such as exploitable coding errors that lead to security vulnerabilities). Such a "raise the bar" exercise may have and likely will have a deterrent affect to the extent that it removes the plausible deniability of a malefactor inserting a common coding error that leads to a security exploit. Using automated vulnerability finding tools, in addition to improving code hygiene, makes it harder for someone to deliberately insert a backdoor masquerading as a common coding error because the tools find many such coding errors. Thus, a malefactor may, at least, have to work harder.

That said, and to Constraint 1, the COTS marketplace will not support significantly higher software assurance levels such as manual code review of 70 million lines of code, or extensive third party "validation" of large bodies of code beyond existing mechanisms (i.e., the Common Criteria) nor will it support a "custom code" development model where all developers are US citizens, any more than the marketplace will support US-only components and US-only assembly in hardware manufacturing. This was, in fact, a conclusion reached by the Defense Science Board in their report on foreign influence on the supply chain of software. And in fact, supply chain risk is not about the citizenship of developers or their geographic locale but about the lifecycle of software, how it can be corrupted, and taking reasonable and commercially feasible precautions to prevent code corruption.

Constraint 4: Any supply chain assurance exercise - whether improved assurance or improved disclosure - must be done under the auspices of a single global standard, such as the Common Criteria.

Discussion: Assurance-focused supply chain concerns should use international assurance standards (specifically the Common Criteria) to address them. Were someone to institute a separate, expensive, non-international "supply chain assurance certification," not only would software assurance not improve, it would likely get worse, because the same resources that companies today spend on improving their product would be spent on secondary or tertiary "certifications" that are expensive, inconsistent and non-leverageable. In the worst case, a firm might have to produce different products for different geographic locales, which would further divert resources (and weaken security). A new "regulatory regime" - particularly one that largely overlaps with an existing scheme - would be expensive and "crowd out" better uses of time, people, and money. To the extent some supply chain issues are not already addressed in Common Criteria evaluations, the Common Criteria could be modified to address them, using an existing structure that already speaks to assurance in the international realm.

Even in cases of "supply chain disclosure," any such disclosure requirement needs to ensure that the value of information - to purchasers - is greater than the cost to suppliers of providing such information. To that end, disclosure should be standardized, not customized. Even a large vendor would not be able to complete per-customer or per-industry questionnaires on supply chain risk for each release of each product they produce. The cost of completing such "per-customer, per-industry" questionnaires would be considerable, and far more so for small, niche vendors or innovative start-ups.

For example, a draft questionnaire developed by the Department of Homeland Security asked, for each development project, for each phase of development (requirement, design, code, and test) how many "foreigners" worked on each project? A large product may have hundreds of projects, and collating how many "foreigners" worked on each of them provides little value (and says nothing about the assurance of the software development process) while being extremely expensive to collect. (The question was dropped from the final document.)

Constraint 5: There is no defect-free or even security defect-free software.

Discussion: While better commercial software is achievable, perfect software is not. This is the case because of a combination of generally poor "security education" in universities (most developers are not taught even basic secure development practices and have to be retrained by the companies that hire them), imperfect development practices, imperfect testing practices, and the fact that new classes of vulnerabilities are being discovered (and exploited) as enemies become more sophisticated. Better security education, better development practices and better testing will improve COTS (and non-COTS) software but will not eliminate all vulnerabilities or even all security vulnerabilities -- people make mistakes, and its not possible to catch all of those mistakes.

As noted elsewhere, manual code inspection is infeasible over large code bases and is error prone. Automated vulnerability-finding tools are the only scalable solution for large code bases (to automate "error finding") but even the best commercially available automated vulnerability-finding tools find perhaps 50% of security defects in code resulting from coding errors but very few security design errors (e.g., an automated tool can't "detect" that a developer neglected to include key security functionality, like encrypting passwords or requiring a password at all).

Lastly, no commercial software ships with "zero defects." Most organizations ship production software only after a phase-in period (so-called alpha and beta testing) in which a small, select group of production customers use the software and provide feedback, and the vendor fixes the most critical defects. In other words, there is typically a "cut-off" in that less serious vulnerabilities are not fixed prior to the product being generally available to all customers.

It is reasonable and achievable that a company has enough rigor in its development practice to include, as part of a robust development practice, actively looking for security defects (using commercial automated tools), triaging them (e.g., by assigning a Common Vulnerability Scoring System (CVSS) score) and, for example, fixing all issues above a particular severity). That said, it is a certainty that some vulnerabilities will still be discovered after the product has shipped, and some of these will be security vulnerabilities.

There is a reasonableness test here we all understand. Commercial software is designed for commercial purposes and with commercial assurance levels. "Commercial software" is not necessarily military grade any more than a commercial vehicle - a Chevy Suburban, for example - is expected to perform like an M1 Abrams tank. Wanting commercial software to have been built (retroactively) using theoretically perfect but highly impractical development models (and by cleared US citizens in a secured facility, no less) might sound like Nirvana to a confluence of assurance agitators - but it is neither reasonable nor feasible and it is most emphatically not commercial software.

Book(s) of the Month

Strong Men Armed: The United States Marines vs. Japan by Robert Leckie

Robert Leckie was a Marine who served in WWII in the Pacific theater and also a prolific writer, much of it military history (another book, Helmet for My Pillow, was a basis for HBO's The Pacific). As much as I have read about the Pacific War - and I've read a lot - I continue to be inspired and humbled by the accounts of whose who fought it and what they were up against: a fanatical, ideologically-inspired and persistent foe who would happily commit suicide if he were able to take out many of "the American enemy." The Marines were on the front lines of much of that war and indeed, so many battles were the Marines' to fight and win. What I liked about this book was that it did not merely recap which battles were fought when, where and by which Marine division led by what officer, but it delves into the individuals in each battle. You know why Joe Foss received the Congressional Medal of Honor, and for what (shooting down 23 Japanese planes over Guadalcanal), for example. History is made by warriors, and everyone - not just the US Marines - should know who our heroes are. (On a personal note, I was also thrilled to read, on page 271 of my edition, several paragraphs about the exploits of Lt. Col Henry Buse, USMC, on New Britain. I later knew him as General Henry Buse, a family friend. Rest in peace, faithful warrior.)

I'm Staying with My Boys: The Heroic Life of Sgt. John Basilone, USMC by Jim Proser

One of many things to love about the US Marine Corps is that they know their heroes: any Marine knows who John Basilone is and why his name is held in honor. This book - told in the first person, unusually - is nonetheless not an autobiography but a biography of Sgt. "Manila" John Basilone, who was a recipient of the Congressional Medal of Honor for his actions at Lunga Ridge on Guadalcanal. He could have sat out the rest of the war selling war bonds but elected to return to the front, where he was killed the first day of the battle for Iwo Jima. In a world where mediocrity and the manufactured 15 minutes of fame are celebrated, this is what a real hero - and someone who is worthy of remembrance - looks like. He is reported to have said upon receiving the CMH: "Only part of this medal belongs to me. Pieces of it belong to the boys who are still on Guadalcanal. It was rough as hell down there."

The citation for John Basilone's Congressional Medal of Honor:

" For extraordinary heroism and conspicuous gallantry in action against enemy Japanese forces, above and beyond the call of duty, while serving with the 1st Battalion, 7th Marines, 1st Marine Division in the Lunga Area. Guadalcanal, Solomon Islands, on 24 and 25 October 1942. While the enemy was hammering at the Marines' defensive positions, Sgt. Basilone, in charge of 2 sections of heavy machineguns, fought valiantly to check the savage and determined assault. In a fierce frontal attack with the Japanese blasting his guns with grenades and mortar fire, one of Sgt. Basilone's sections, with its gun crews, was put out of action, leaving only 2 men able to carry on. Moving an extra gun into position, he placed it in action, then, under continual fire, repaired another and personally manned it, gallantly holding his line until replacements arrived. A little later, with ammunition critically low and the supply lines cut off, Sgt. Basilone, at great risk of his life and in the face of continued enemy attack, battled his way through hostile lines with urgently needed shells for his gunners, thereby contributing in large measure to the virtual annihilation of a Japanese regiment. His great personal valor and courageous initiative were in keeping with the highest traditions of the U.S. Naval Service."

Other Links

More than you ever wanted to know about sagebrush:

Oracle OpenWorld is just around the corner on Sept. 19-23, 2010 at Moscone Center in San Francisco, CA. It's our largest annual conference with over 1,800 sessions, 400 partner exhibits, almost 400 Oracle demos. This is your chance to hear about Oracle's strategy and roadmap from the experts who build the products.

I have included the links to the financials-related Focus On documents that provide a listing of must-attend sessions, demos, partners exhibits, and networking events related to financials:

• Oracle E-Business Suite Financials: This includes both E-Business Suite and Fusion Financials sessions.
• PeopleSoft Financial Management: This includes PeopleSoft sessions as well as sessions about how you can integrate PeopleSoft Financials with Oracle Fusion Financials
• Oracle Governance, Risk, and Compliance: I included this because I thought it would be of interest to financial users.

To view other Focus On documents, go to www.oracle.com/openworld.
Then select the Learn tab and choose the "Focus On" option.

I hope to see you all there!

This year, OpenOffice.org is celebrating its 10^th anniversary and an impressive success story, illustrating how open standards and community involvement can improve a product. The highlight of the celebrations are in Budapest at the annual OpenOffice.org Conference (photo). The Oracle Office team congratulates all community members, supporters and more than 100 Million users world wide!

NEWSLETTER ARCHIVES

Content Management News on Oracle's content management suite and platform, including Oracle Content Database and Stellent products.   Customer Relationship Management Oracle and Siebel CRM products, including Siebel CRM On Demand, focusing on sales, marketing, customer service, analytics, and call center topics.   Database Insider News on Oracle Database 11g, including interviews, market news, executive webcasts, and user group and tech guru analysis.   Enterprise Manager  Developments and product news highlighting Oracle Enterprise Manager's unique top-down approach to application management, including new releases, enhancements, blogs, podcasts, and video.   Enterprise Performance Management and Business Intelligence Oracle EPM and BI product news from both the technical and the applications perspective, with emphasis on Oracle Business Intelligence Suite Enterprise Edition, Oracle Business Intelligence Applications, Oracle Performance Management Applications, and Oracle Crystal Ball.   Executive Strategy The newsletter for Profit Online, offering the best of Oracle's executive content, blogs, podcasts, and in-depth articles from Profit.   Executive Strategy Weekly Bulletin The new Executive Strategy Weekly Bulletin covers the latest and greatest stories from Profit Online without the wait.   Financial Management Focused on content for CFO's, including product and event news, in-depth analysis from industry pundits, and Oracle executive content.   Financial Services Insightful looks at the global financial services market, including product news and reviews, special content from i-flex, and emphasis on regulation and security in the banking industry.   Fusion Middleware News, reviews, and insights on the continually evolving, industry-leading Oracle Fusion Middleware suite of products including Oracle WebCenter, Oracle SOA Suite, identity management, application integration, BPEL, and J2EE.   Human Capital Management The latest news on Oracle and PeopleSoft HCM applications from drill-downs into Release 9 and Web 2.0 innovations to interviews with industry pundits and analysts on major trends in HR.   Lean Supply Chain News and analysis from the fast-moving world of global manufacturing, with an emphasis on the growing movement in Lean philosophies and the importance of IT in goods production and distribution.   Linux News on Oracle's continuing contributions to the Linux community, including events, offers, and links to technical articles on OTN and in Oracle Magazine.   On Demand Articles on evolving trends in the growing world of software-as-a-service, including new services and technologies available from Oracle.   Oracle for Midsize Companies The latest developments and product news from Oracle's broad range of solutions for fast-growing companies, in addition to articles on business trends and news from Oracle executives and industry analysts.   Procurement Product news and industry analysis on managing, leveraging, and maximizing supplier relationships in a fast-moving global economy.   Public Sector News on Oracle solutions for government organizations and educational institutions, as well as news about how local, state, and federal agencies are embracing new technologies and best practices from private enterprise.   Retail Articles and product news that follow the latest developments in the highly competitive world of retail, including topics such as merchandising, the integration of SOA technologies, and global growth.

Good sample given in this blog http://cbhavsar.blogspot.com/2009/04/partial-page-ppr-navigation.html certainly PPN settings with on and onWithForcePPR helps a lot in memory usage.

Used same sample given in this blog and noticed total page size reduced from 9.3KB to 6.6KB with usage of "on" and "onWithForcePPR" settings, certainly this helps in reducing memory usage.