By mark.wilcox on November 3, 2008 5:37 AM
A little late because of travel.
Secure database authentication in ADO.NET applications -- This article covers various options for connecting to databases in the ADO.NET framework. I don't know if I completely agree with everything in the article, but I don't know enough about ADO.NET to give better alternatives.
Browser Security - bolt it on, then build it in -- This is a very good op-ed on the challenges of browser security, focused more on the real challenges browser developers face. It will also be interesting to see, as technologies like Infocards, OpenID and IGF are adopted over the next 5 years, whether they make a real difference. My current hypothesis is that 10 years from now there will still be malware, but much less of it, and that we'll look on today's Web security the same way we look back at medicine prior to the acceptance of germ theory: a nasty place that thankfully we don't live in anymore.
The Security Development Lifecycle: Sexy Development Lifecycle -- Another op-ed type piece. This one touches on the fact that most developers who attend security conferences don't actually go there to learn security - they go to learn (or see) how to break things. In other words, "coding as magic show". And the author wonders, "is there a way to make this topic more exciting?" I can answer him - "no". At least not for the average developer. The average developer wants to learn how to do something cool or useful, and frankly wouldn't expect it (or necessarily want it) any other way. I believe the real answer is to make basic security practices a standard, expected piece of developer training and to combine that with proper frameworks.
By mark.wilcox on November 3, 2008 6:31 AM
Greg Kelly has written a nice overview of the various ways PeopleSoft can leverage LDAP - including dynamic role creation.
I would like to add two additional points to his post in relation to PeopleSoft and OVD.
1 - While we have not yet done "official" certification of OVD with PeopleSoft, we have customers using this configuration and we have tested this combination internally with PeopleSoft support.
2 - For those who have access to Oracle Open World OnDemand (or bought the CDs) - check out our co-presentation with the State of Delaware on how they use OVD to expose PeopleSoft data using PeopleSoft's Web Service capabilities.
By mark.wilcox on November 8, 2008 10:51 AM
Why traditional security doesn't work for SOA -- This is a good article on security challenges in Service Oriented Architecture (SOA). Oracle does provide an excellent security product in the SOA Suite (Oracle Web Services Security Manager or OWSM aka "awesome").
Security vs Development -- Perhaps the best story I have ever read on the real challenges facing software development. I think we need to focus security at the developer education level, but I think it needs to be done in a way where the actual focus is adopting frameworks. For example, if you are writing Java server applications, make sure you at the very least adopt JAAS or Spring Security (if you are using Spring). If you are on .NET, leverage the .NET security framework. And we're working hard now on making it even easier for developers to take advantage of the benefits identity virtualization can provide to simplify the development lifecycle (e.g. from dev, to test, to production).
By mark.wilcox on November 11, 2008 5:57 PM
Justin did a nice write-up of Oracle's participation at the recent Silicon Valley Code Camp.
This was my first trip to the conference. I was only able to make it to the Sunday event. I would say that overall it seemed like people had a nice time, met some new friends and learned a few things. To my surprise - there were even a few kids (even though I really don't relate well to human beings under age 8 - yes, I have no kids, only a wife & a dog). Apparently there were a couple of classes aimed at teaching kids to program.
I still remember learning to program myself with BASIC (even before I had a computer) and then LOGO. I can only imagine how cool it is now.
While there was a relatively small turn-out for my topic - I hope to present again next year. Hopefully I'll be able to demonstrate some of the more developer-centric bits we're working on now that I couldn't show this year.
By mark.wilcox on November 18, 2008 9:50 AM
It was a slow week for links, so a little delay. Also trying out a new layout.
"Top 10 Security Developments of the Last Decade"
This is an interesting article outlining some of the items that have really helped improve security. I don't think I would really quibble too much with the list. Some items are fairly well known, such as X.509. Others less so, such as "The Jericho Forum" (which I think is also the name of the next James Bond movie). But I think the number one take-away from the list is how long things can take to go from "good idea" to ubiquity. For example, X.509 is the #1 item, but it took almost a decade to become widely used and really wouldn't have happened without SSL/TLS. And we're still constantly fighting rather simple things like certificate management that drive smart IT people batty and make average people give up.
"Evangelizing IT Security: Why is There a Need?" -- This is an op-ed discussing why we still need to get the word out on security. It really comes down to two basic problems: security experts tend to talk in "code", and security problems and solutions are dynamic. So if you are wondering why you should pay attention to security, this is the article to read.
By mark.wilcox on November 21, 2008 12:36 PM
This week is all Oracle. Mostly because this was a week of interesting stories from us.
"OpenLiberty: Announcing Project Aristotle"
This week was a major achievement in the life of Identity Governance Framework (IGF) with the launch of Project Aristotle. Aristotle is the open-source project that is acting as the reference implementation of IGF. For the first time you are now able to actually get your hands dirty playing with real software. I will be following up with another post dedicated to demonstrating some of the capabilities.
"Authentication Challenges - Security versus usability - 'One Size Fits All' "
This is a post from our own Thomas Varghese that talks about how leveraging auditing and risk management together with the authentication process can provide more secure processes. You can get a feel for this by checking out our Oracle Adaptive Access Manager (OAAM).
"Dissecting all the buzz about Identity Assurance"
This is a post from Nishant Kaushik where he talks about our new partnerships in the Identity Assurance Partner Alliance. Essentially, Identity Assurance is about being able to establish the quality of claims about a person. Nishant goes into more detail about what this actually means, but if you are dealing with any type of sensitive application, you will be interested in this.
By mark.wilcox on November 24, 2008 7:26 AM
I have posted a set of viewlets designed to make it easier to understand how to configure OVD when it is used with Oracle Database to centralize user and role management (aka Enterprise User Security or EUS).
There are two sets.
The first set shows how to install OVD and OVD Manager on Windows & Linux. OVD server also runs on Solaris/HP-UX/AIX.
The second set actually shows how to do the EUS configuration including the database steps.
The steps are not that difficult, but since many people who are exploring this technology might only have expertise in one of the components (e.g. database or LDAP), seeing a visual walk-through can make the instructions clearer.