Oracle aims to tone security muscle with Fusion

Database giant is learning defensive moves from the more than one dozen companies it picked up in an acquisition spree in the past year.

REDWOOD SHORES, Calif.--Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too.

In return, Oracle is teaching its new employees something about security--literally. The Redwood Shores, Calif.-based company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from the PeopleSoft, J.D. Edwards, Retek and Oblix purchases, among others, are learning the ropes.


What's new:
Oracle is using security expertise picked up in the acquisition of more than a dozen companies in the past year in an initiative called Project Fusion.

Bottom line:
Oracle isn't saying much about security in the project, but in meetings with CNET, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.


All in all, Oracle hopes the security sum will be greater than its parts.

"To make the merged organization successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview Tuesday.

Security has been a bugbear for the database specialist, which has drawn criticism for the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort. Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired.

And security is only one element of Fusion. Oracle President Charles Phillips recently said the company, one year into the project, is already half done with its work on the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008--a schedule that falls in line with previous promises.

Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with CNET this week, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.

One lesson Oracle has learned from PeopleSoft is that less customization equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyze their business processes, then build upon its applications.

"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customizable," said John Heimann, director of security program management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."

Oracle's buying spree

In 2005 alone, Oracle acquired more than a dozen companies. The security synchronization effort includes some of these:

PeopleSoft (January)

Oblix (March)

Retek (April)

TripleHop (June)

TimesTen (June)

ProfitLogic (July)

Context Media (July)

I-flex (August)

Siebel (September)

G-Log (September)

Innobase (October)

Thor Technologies (November)

OctetString (November)

TempoSoft (December)

Source: Oracle

Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.

"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said.

As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.

Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level--something Oracle calls the Secure Configuration Initiative. "In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."

Oracle's , which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.
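The "developer-friendly" defaults Heimann describes (stock accounts with guessable passwords, demo schemas left installed, wide-open grants) are exactly what a database owner can check for after the fact. The query set below is an added example written for this article, not code from Oracle or from the Secure Configuration Initiative. It assumes an Oracle Database 11g or later (the DBA_USERS_WITH_DEFPWD view) and, for the third query, 12c or later (the ORACLE_MAINTAINED column); the list of sample schema names is taken from Oracle's documented sample schemas and is an assumption about what was installed.

```sql
-- Added example (not from the article or from Oracle): audit an Oracle database
-- for the "developer-friendly" defaults the Secure Configuration Initiative targets.
-- Run as a user with SELECT on the DBA_* views (e.g. SYSTEM or a DBA-role account).

-- 1. Accounts still set to a known default password.
--    DBA_USERS_WITH_DEFPWD (11g+) lists every account whose password hash matches
--    one of the shipped defaults. Any row here is a finding, locked or not.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Demo/sample schemas that were never locked after install.
--    Schema names are an assumption based on Oracle's documented sample schemas.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'PM', 'IX', 'SH', 'BI')
   AND account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- 3. Wide-open grants: "ANY" system privileges or the DBA role held by accounts that
--    Oracle itself did not create (ORACLE_MAINTAINED is a 12c+ column).
SELECT grantee, privilege AS grant_name
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
UNION ALL
SELECT grantee, granted_role AS grant_name
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
 ORDER BY 1, 2;

-- 4. Remediation for a hit from query 1 or 2 (substitute the account name):
--    lock the account and force a password change if it is ever reopened.
-- ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
```

The first query is the one to run routinely: locking an account does not change its hash, so a default-password account that is unlocked later becomes a live credential again, which is why the remediation both locks it and expires the password.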
