Oracle aims to tone security muscle with Fusion

Database giant is learning defensive moves from the more than one dozen companies it picked up in acquisition spree in the past year.

Joris Evers
Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
6 min read
REDWOOD SHORES, Calif.--Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too.

In return, Oracle is teaching its new employees something about security--literally. The Redwood Shores, Calif.-based, company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from PeopleSoft, J.D. Edwards, Retek and Oblix purchases, among others, are learning the ropes.


What's new:
Oracle is using security expertise picked up in the acquisition of more than a dozen companies in the past year in a initiative called Project Fusion.

Bottom line:
Oracle isn't saying much about security in the project, but in meetings with CNET News.com, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.

More stories on Project Fusion

All in all, Oracle hopes the security sum will be greater than its parts.

"To make the merged organization successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview Tuesday.

Security has been a bugbear for the database specialist, which has drawn criticism for the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort. Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired.

And security is only one element of Fusion. Oracle President Charles Phillips recently said the company, one year into the project, is already half done with its work on the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008--a schedule that falls in line with previous promises.

Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with CNET News.com this week, company representatives lifted the veil on the software maker's endeavors to get all its security eggs into one basket.

One lesson Oracle has learned from PeopleSoft is that less customization equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyze their business processes, then build upon its applications.

"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customizable," said John Heimann, director of security program management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."

Oracle's buying spree

In 2005 alone, Oracle acquired more than a dozen companies. The security synchronization effort includes some of these:

PeopleSoft (January)

Oblix (March)

Retek (April)

TripleHop (June)

TimesTen (June)

ProfitLogic (July)

Context Media (July)

I-flex (August)

Siebel (September)

G-Log (September)

Innobase (October)

Thor Technologies (November)

OctetString (November)

TempoSoft (December)

Source: Oracle

Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.

"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said.

As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.

Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level--something Oracle calls the Secure Configuration Initiative. "In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."

Oracle's "5103713"="">10g database products, which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.

"It will be there to a much greater extent in 11g, and it is a focus for Fusion," he said. "That is the future: Security by default, and delivering it so you don't have to be a sophisticated developer to implement security rules."

For example, Oracle is thinking of allowing a system administrator to change security settings using a simple user interface or with drag-and-drop capabilities, Heimann said.

Patchy record
Oracle, which has marketed its products as "unbreakable," has faced mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.

"Oracle can no longer be considered a bastion of security," Gartner analyst Rich Mogull wrote in a research note after Oracle released a slew of security patches on Jan. 17. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly."

The database specialist has not yet experienced a mass security exploit, but this does not mean that one will never occur, Mogull said in his note. He advises database and application managers to protect and maintain Oracle systems more aggressively.

Becoming part of Oracle's line-up could intensify the security community's scrutiny of products previously sold by the companies it acquired. So, in addition to product development, the mergers have also had effects on security processes. For example, each unit has amended how it deals with reports of vulnerabilities and with publishing of security alerts, Oracle executives said.

The employees and products of the purchased companies have borne the brunt of changes, said Duncan Harris, the senior director for security assurance at Oracle.

"The acquired companies did not have very many vulnerabilities reported to them by external researchers. PeopleSoft was the exception," Harris said. "All were still very much using a manual tracking system like that we had five years ago."

As for public announcement of fixes, PeopleSoft and J.D. Edwards security updates are now part of Oracle's quarterly critical patch bulletins. That's a change from before the acquisition. Oracle's patch alerts offer only few details on specific flaws and their impact, while PeopleSoft's security bulletins had more information.

Bug handling for most companies Oracle acquired is now part of Oracle's automated system. However, PeopleSoft still maintains its own way of handling vulnerabilities, Harris said. While Oracle has people whose full-time job is dealing with flaws, PeopleSoft has a council of employees that discusses bugs as a team, he said.

Another change is that Harris' team of "ethical hackers" will now expand its scope and may scrutinize the newly acquired products. "We don't declare what products my team looks at, but clearly as Oracle acquires new products, then those are eligible for the hackers to have a look at and do an assessment against," he said.

Harris wouldn't say if people from any of the acquired companies have joined his hacking team, which is based in the U.K. He also declined to so how large the team currently is.

Still, former PeopleSoft employees appear to have a major role in charting the future of Oracle and will leave their marks, especially when it comes to security. "When I knew that we were going to go ahead and buy PeopleSoft, I immediately wanted to have dibs on certain people," Oracle's Davidson said.

Added Heimann: "Fusion is serious. We really learned some good things from them and we're really trying to capture the best of it."