Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative. Other products and processes are benefiting, too.
In return, Oracle is teaching its new employees something about security--literally. The Redwood Shores, Calif.-based company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from the Retek and Oblix purchases, among others, are learning the ropes.
Oracle is using security expertise picked up in the acquisition of more than a dozen companies in the past year in an initiative called Project Fusion.
Oracle isn't saying much about security in the project, but in meetings with CNET News.com, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.
All in all, Oracle hopes the security sum will be greater than its parts.
"To make the merged organization successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview Tuesday.
Security has been a bugbear for the database specialist, which hasfor the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort. Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired.
And security is only one element of Fusion. Oracle President Charles Phillips recently said the company, one year into the project, ison the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008--a schedule that falls in line with previous promises.
Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with CNET News.com this week, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.
One lesson Oracle has learned from PeopleSoft is that less customization equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyze their business processes, then build upon its applications.
"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customizable," said John Heimann, director of security program management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."
Oracle's buying spree
In 2005 alone, Oracle acquired more than a dozen companies. The security synchronization effort includes some of these:
Context Media (July)
Thor Technologies (November)
Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.
"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said.
As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.
Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level--something Oracle calls the Secure Configuration Initiative. "In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."
Oracle's , which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.