More rss feeds from SecurityFocus

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
News, Infocus, Columns, Vulnerabilities, Bugtraq ...

Dave Aitel: Thinking Beyond the Ivory Towers

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Thinking Beyond the Ivory Towers

Federico Biancuzzi: Firing Up Browser Security

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Firing Up Browser Security

Federico Biancuzzi: Racing Against Reversers

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Racing Against Reversers

Mark Rasch: Anti-Social Networking

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Anti-Social Networking

Infocus: Proactively Managing Security Risk

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Proactively Managing Security Risk

Infocus: A Guide to Different Kinds of Honeypots

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
A Guide to Different Kinds of Honeypots

Infocus: Integrating More Intelligence into Your IDS, Part 1

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Integrating More Intelligence into Your IDS, Part 1

Infocus: Integrating More Intelligence into Your IDS, Part 2

Posted in General by SecurityFocus News on July 5th, 2008 | No Comments
Integrating More Intelligence into Your IDS, Part 2

Gartner’s Report: Top Seven Cloud-computing Security Risks

Posted in Database Security, General by marcocasassamont on July 4th, 2008 | No Comments

I tend to agree with the outcomes of a recent Gartner report on the top seven cloud-computing security risks. A related article, by Jon Brodkin, provides a nice overview and summary of the key talking points of this report:

“Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled ‘Assessing the Security Risks of Cloud Computing.’ Cloud computing has ‘unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing,’ Gartner says.”

In particular I believe that the aspects related to “privileged user access”, “regulatory compliance” and “data location/data segregation/privacy management” are potential key issues that, if not properly addressed, can expose organizations (and users) to high risks.

Quick Byte: Microsoft Licensing Tip # 1

Posted in Database Support, General by ScottR on July 3rd, 2008 | No Comments

Just like Oracle software licensing, Microsoft has its complexities as well.

When using a Microsoft application, you must license each device from which you will access the software (locally and remotely). You can install any version of the application you prefer; for example, many users currently use Office 2003 instead of the newer 2007 version, but if both are installed, 2007 must be licensed. The same goes for a server installation: if computers in your office are using 2007, the server that may house a remote connection must also be licensed for 2007.

For operating systems, you will need a license for each device that accesses the software, but you can only install one copy on each device (whereas you may install as many copies of a Microsoft application as you want). When we look at volume licensing, however, these are considered by Microsoft to be upgrade licenses. More information on that can be found here, along with a list of qualifying operating systems, which you must already have licensed in order to acquire an upgrade license.

FTC Planning to Conduct a Wide-Range Study on Identity Theft Victims

Posted in Database Security, General by marcocasassamont on July 3rd, 2008 | No Comments
As highlighted in this recent article (called “FTC recruiting identity theft victims”), the FTC is planning to conduct a wide-ranging study on identity theft victims: “In an effort to buttress its enforcement and better understand the scourge that is identity theft, the Federal Trade Commission said today it plans to conduct a wide-ranging study of victims of the crime. The FTC is looking for people harmed by the crime and said the survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge.” More details are in the article mentioned above, including the URL of the FTC survey site (NOTE: at the moment of writing I tried to connect to this site but it does not work …).

The IIA’s 2007 Annual Report Available in English, French and Spanish

Posted in Database Audit, General by IIA News Feed on July 2nd, 2008 | No Comments
The involvement of a broad range of talented and knowledgeable people has always been a great source of pride to The Institute of Internal Auditors (IIA). The IIA's 2007 Annual Report is dedicated to the people of The IIA, who have made The Institute and the global internal audit profession what they are today and what they are sure to become in the future. Download the reports.

What is Oracle’s SaaS strategy?

Posted in Database Support, General by Shayna Garlick on July 2nd, 2008 | No Comments

It’s no secret that Larry Ellison is in his business for the money. Therefore, his reason for laying low in the on-demand software industry — he says software-as-a-service (SaaS) isn’t profitable enough — should come as no surprise.

It may also be easy to question Ellison’s reasoning given the way SaaS has been embraced by so many in the IT business, including Oracle rival SAP.

SAP, which had a change of heart about SaaS last year (CEO Henning Kagermann called it “game changing” and “the better model”), hopes to have 1,000 subscribers to Business ByDesign, its SaaS-based ERP suite for SMBs, by the end of 2008.

Ellison, on the other hand, seems to have dismissed SaaS, at least for the time being. In this recent Information Age article, he points to the low profits of on-demand CRM provider Salesforce.com.

“The entire on-demand industry has to get better at making money in selling on-demand software,” he says.

This isn’t the first time Ellison’s rejected the idea of SaaS, a model that requires less licensing and consulting fees than traditional software. In September, Ellison compared Oracle’s SaaS strategy (focusing on adding value to the large companies it already serves) with SAP’s (going after smaller companies with new products like Business ByDesign).

As ZDNet blogger Larry Dignan puts it:

“Here’s Ellison’s strategy: Let SAP figure SaaS out and crow if the rival fails. If SAP is successful–it probably will be over time–Ellison buys NetSuite [the SaaS ERP provider that Ellison owns a majority stake in] from himself.”

But does Ellison have the right idea?

Some people seem to think so. In his recent blog post, “Does Larry Ellison have the best SaaS strategy?”, Dignan credits Ellison for taking a step back in such a difficult, slow-growing market.

Others, however, have higher hopes for SaaS. Blogger Phil Wainewright has criticized what he calls “Oracle’s misconceived SaaS strategy,” and at the start of this year, Wainewright gave his “Eight reasons SaaS will surge in 2008.” These include a wider move to Internet-based services, the emergence of virtualization technology and a slowing economy that will make lower-cost options more appealing for customers.

So, maybe signs are pointing to this being a big year for SaaS. But if it is, how soon will Ellison pounce? Do you think it would be worth it for Ellison to take his customers–rather than his profits–into consideration sooner rather than later? And what does it all mean for NetSuite and Oracle’s existing SaaS-based application Oracle CRM OnDemand, a vestige of Siebel’s foray into the business? Could you benefit from a wider Oracle SaaS offering, or is Ellison right in his strategy?

News: Web surfers, it’s time to patch

Posted in General by SecurityFocus News on July 2nd, 2008 | No Comments
Web surfers, it's time to patch

Quick Bite: 7 Software Asset Management Quick Tips

Posted in Database Support, General by ScottR on July 1st, 2008 | No Comments

Here are some quick and helpful tips for software asset management (SAM).

• Set Goals for your company’s SAM
• Take an inventory
• Match Software with Licenses
• Organize licensing documentation (create a repository)
• Plan for the Long-Term
• Develop a set of rules and procedures to promote good SAM practices
• Create a SAM plan to keep licensing in line moving forward

Software licensing and compliance are extremely complex. We specialize in Oracle licensing and software asset management (Microsoft, too). Having a good software asset management program has saved millions of dollars during surprise audits and during licensing re-negotiations.

Chip’s Blog - Microsoft Releases KB Article on SQL Injection

Posted in Database Security, General by Chip Andrews on July 1st, 2008 | No Comments
Good grief. You know SQL injection attacks are getting bad when Microsoft releases a KB article tha...

Teleconference: North American Financial Services IT Spending In 2008

Posted in Database Security, General by Bill Nagel on July 1st, 2008 | No Comments

Brief: Apple closes holes in Mac OS X, Safari

Posted in General by SecurityFocus News on July 1st, 2008 | No Comments
Apple closes holes in Mac OS X, Safari

SQL Injection tools

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

It's been a while since my last post! Too much work, travel and not enough time for catching up, I guess. I subscribe to the pentest list over at Security Focus and saw a post on there over the weekend....[Read More]

Posted by Pete On 30/06/08 At 05:01 PM

An Oracle Security Survey by The IOUG and Oracle

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I have been asked to promote the survey on the IOUG site by the IOUG and Oracle to ask customers for feedback on the security and vulnerability remediation procedures implemented by Oracle customers. I would ask as many people as....[Read More]

Posted by Pete On 20/06/08 At 12:50 PM

Hacking Oracle with a coffee machine?

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I was down in London yesterday in some meetings and also speaking at the UKOUG Management And Infrastructure SIG on the subject of Oracle Security tools. I will post up the slides later. The discussion got around to the issue....[Read More]

Posted by Pete On 18/06/08 At 10:45 AM

Sentrigo Hedgehog

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I promised to create a short write up on Sentrigo's Hedgehog product some time ago when Tim Hall posted an entry on his blog titled Sentrigo Hedgehog… where he discussed meeting Slavik Markovich who is the CTO of Sentrigo who....[Read More]

Posted by Pete On 11/06/08 At 02:26 PM

Two Oracle Security Presentations

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I came across a site yesterday called Authority Base because it threw up an Oracle security presentation. I am always on the look out for any information related to Oracle Security of course. I was actually looking for something related....[Read More]

Posted by Pete On 05/06/08 At 06:43 PM

SYSDBA And Triggers And Invoker Rights

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I saw a post on Paul's Blog the other day and made a note to take a look one evening. It specifically links to a post by Alex Gorbachev over at Pythian that is titled Exploiting SYSDBA Invoker Rights Using....[Read More]

Posted by Pete On 04/06/08 At 06:29 PM

Internet wars

Posted in General by Pete Finnigan's Oracle security weblog on June 30th, 2008 | No Comments

I mentioned a couple of weeks ago in a post titled "Oracle Application Server 10g ORA_DAV basic authentication bypass" that I subscribe to the bugtraq mailing list over at Security Focus and that I recommend everyone else to....[Read More]

Posted by Pete On 02/06/08 At 04:37 PM

BSA is at it again!

Posted in Database Support, General by ScottR on June 30th, 2008 | No Comments

Okay, remember how we have been warning about the BSA and how they are after companies that have pirated software? Well…here is a prime example. They have just filed for court orders against RedPR Services and Overclockers in the UK, which could cost them thousands of dollars - all because they failed to complete an audit required by the BSA.

You’ll see a lot of these court orders in the coming year - and there will be many unheard of as well, those who have settled out of court and spent a pretty penny!

Keep your Oracle, Microsoft, Adobe, etc. licensing in check, people!

Quick Byte #7: Oracle licensing and partitioned servers

Posted in Database Support, General by ScottR on June 30th, 2008 | No Comments

Partitioned servers are commonly found in the corporate IT environment today due to the cost savings and simplified management of running multiple operating systems — such as UNIX or Windows NT — on the same server. Partitioned servers also improve workload balancing and distribution.

In the case of partitioned servers, Oracle licensing recognizes hardware partitioning for licensing purposes. This means that Oracle customers can license “only those processors that have been purchased from the hardware vendors.” As more processor rights are bought, additional Oracle licenses must be purchased.

Note: Oracle Database Standard Edition can only be licensed on a server with four sockets. Customers cannot partition a larger server into four sockets and then license the database Standard Edition for that partition.