First - make sure to read and check-back with Oracle Secure Technology Center.This is basically one-stop place for all of our security information. Oracle covers everything from OS to applications. And this location covers that breadth with links to deeper-dives.
Second - our Chief Security Officer Mary Ann Davidson has been trying to get developer education ecosystem (e.g. CS programs and their cousins) to do a better job of teaching secure coding. I believe she articulated the problem very well in her post - "The Supply Chain Problem".
Third - read this book (Mary Ann Davidson recommends it in her Supply Chain Problem) - Foundations of Security: What Every Programmer Needs to Know.
Fourth - if you do anything with the database- David Knox's Effective Oracle Database 10g Security by Design is still the go-to resource. It's book #2 on my tech shelf- after my own (me being first is mostly a vanity thing :)).
As an addendum - if you are writing code in ADF you should check out the new tutorial based on the new demo application - "Fusion Order Demo" . Besides learning all of the cool things ADF/JDev bring to the table - Chapter 28 covers how to leverage the external security framework. I hope to be able to use this application to demonstrate more of our capabilities - in particular OVD/IGF but possibly others too.
]]>One small correction: Microsoft did not start the Information Card
Foundation. A community of architects and designers including the creators
of the Higgins Project created the organization before inviting any
corporations to join. The consensus of this community was that the visual
metaphor of a digital wallet and cards shared by The Higgins Project
(which included open source components contributed by engineers from
Parity, Novell, Oracle, and IBM) Microsoft CardSpace, and other
researchers, is the best way to present controls for identity and personal
information to the widest possible user base. The merger of these efforts
along with other components that can benefit from standards protocols now
underway at OASIS, makes ICF a common effort by many forward-thinking
companies who want to make the Internet a safer and simpler environment for
all transactions. The decision by Microsoft to join the ICF was a great
step for the industry to advance toward a common unified way for users to
wield trusted verified claims.
Since comments don't usually get read - I wanted to make sure this correction was read.
]]>Crisis Begets accountability and transparency -- While not directly about software code it is an article that can be used as a "teachable moment" across many disciplines. From a programming perspective, the lesson to be learned here is that accountability and transparency helps to make for a more secure environment. Additionally we will likely see more monitoring across different systems and changing of organizational structures. Thus we're going to need more code in more places that interoperate with each other to help security become a cohesive whole. Thus make sure you are taking steps to integrate secure auditing (such as Oracle Audit Vault), logging and of course enabling external fine grain access control leveraging standards like XACML.
ISC2 To Offer Certification For Software Lifecycle Security -- The organization that provides CISSP certification is launching a new certification for developers. It is a rather explicit industry acknowledgement that developer's are not taught security as a core competency. And thus it's not ingrained into training or expectations. It also (IMHO) acknowledges that CISSP is not about dealing with code-level security. They are two different types of disciplines and just because one is competent in one discipline does not necessarily mean you will be competent in another even though they maybe related.
Upcoming PHP 5.3 beefs up security -- If you are writing code in PHP - you will want to learn more about a couple of changes being made that likely will make your code more secure but may break some of your scripts.
]]>On the good news side - the team knows they need "two-factor" authentication. A factor is normally based on the concept of something you know (aka a password or answer to a security question) or something you have (digital certificate, fingerprint).
However, apparently it's the cool thing to do for certain web-sites to have "dual-cookies". One is persistent to store simple profile information (like what page do you want to go to when you login) - nothing secure. The other is your session cookie. And the perception in this team (and maybe they learned it from some magazine/conference) is that this is a type of two-factor authentication. And in particular they thought this would help protect access from "new unknown machines".
Any security professional knows this is not the case. Session cookies are often used to enable Web-based SSO. The persistent cookie is really just used to help manage profile information that can't be stored elsewhere. And just because there are two-cookies it does not make it two-factor authentication.
However, the better way to solve this problem isn't two cookies. It's to use actual multi-factor authentication and knowledge-based authorization. And Oracle can provide this via Oracle Adaptive Access Manager (OAAM).
Here is how OAAM could help in this scenario as quoted by one of our PM's in the Access Management Suite team:
OAAM uses many contextual information to determine the risk factor of any users performing any an action, whether it be viewing a resource or performing an action or or initiating a transaction. The contextual information covers things like IP address, geo-location, time of day, day of week, device fingerprinting (which can be done as a persistent object on the client machine), and even user behavior.
If I drill down on the use case a little bit, I believe you guys are looking for a way to raise risk factors when a user is coming in from a machine that the user has never used. The raised risk factor will require the user to answer an additional challenge question before the system can trust them enough to allow access to some resource.
So how does OAM and OAAM help accomplish the above? One example would be as follows:
The first time a user attempts access to a protected resource, OAM initiates an authentication scheme that really calls OAAM in the backend. OAAM then determines if the device has ever been used before based on device fingerprinting and if the machine is never used, then username, password, and a knowledge based question must all be provided before the user gets access. Subsequently, the user attempts access again with the persistent object (or device fingerprint) that OAAM accepts, then only username and password is necessary. This provides the knowledge based question as an added security measure if the user is coming from a machine that is never seen before. Of course, this solution assumes that the knowledge based questions and answers has already been set up for all users.
I also pitched a couple of other options - in particular if OAAM adoption would be slow to update for budget or time constraints:
1 - On sensitive pages - simply prompt for the password again. This would at least help with preventing someone who got access because the original person left the room.
2 - On sensitive pages - not only ask for a password but perhaps require a different pin code for that page.
3 - You could also use other authentication types -like digital certificates but that has its own set of headaches.
Also you can read more about OAAM.
]]>So here for the enjoyment of the readers is my response:
Maybe you could share on your next posting exactly how allowing closed source Oracle databases on the Amazon grid is open source?
[MEW] I realize I should have clarified that point better. What I meant by this is that if you are a developer who needs to test your code against Oracle DB - there is not much easier way than using one of the pre-built EC2 images. Assuming you meet OTN requirements - you are probably only paying for EC2 fees. Which is still likely cheaper than having your own servers. I would think as an "enterprise architect" you would understand the value of this approach over having your developers having to become experts at installing Oracle database. And while sure you could have DBA's do that - it's still probably quicker/more flexible to do this (in particular for any research type work, or training on a new language/framework) than internally.
Likewise, there is a difference between open source and open specifications. Are you willing to say that all reference code will be of production quality?
[MEW] I don't know what you mean by production quality. I don't mean that to be sarcastically but rather a reflection that it is a relatively subjective question. What I can say is that code that we do contribute to OpenLiberty from our dev team will have gone through at least our base level software development process which includes design review, code review and automated regression tests. This is not to say that any identity attribute service on OpenLiberty will be 100% the same as Oracle's production version. Because we will be adding functionality to make it an actual product (such as UI and integration with Oracle audit/logging framework for example) that will not be part of the Project Liberty. But OpenLiberty is well, um, open - so you can participate as well.
Sun has open sourced LDAP. Would you as a product manager advocate the same for virtual directories?
[MEW] Let's take a step back here. Sun did not open-source LDAP :). They have an open-source project that wrote from scratch an open-source ,storage-based LDAP server in Java. It's not the first open-source LDAP (UMichigan & OpenLDAP have that claim), nor the first open-source Java LDAP (even Apache isn't the first, but it's the longest-running) and heck even their C-based version was effectively open-source via the Fedora Directory Project. I am not sure why anyone at Sun thought starting from scratch was a good idea. At the moment we are still able to grow the adoption of OVD (and OID), are able to improve upon the core product via customer feedback and have a plug-in API that allows for customers (whether themselves, partners or Oracle consulting) to extend the product to meet their needs - so I don't sense a valid reason to open-source OVD. I obviously cannot speak for any other virtual directory vendor/project.
OK, Kim Cameron of MS paid for implementations of Cardspace on other platforms in which MS is simply attempting to improve the ecosystem and won't make a cent off it. In many ways it actually competes with its own offerings. What is the Oracle equivalent?
[MEW] Microsoft has produced open specifications, a few examples and started the Information Card Foundation (which we are a member of) to help drive adoption of Information Cards. I would argue we are on the same path on IGF via Open Liberty. Except that since our work is done via Project Liberty we can avoid the need to create yet another foundation. The biggest difference is that since IGF is more middleware based, the visible bits have been slower to show though that is starting to change as you can see from Phil Hunt's (our lead technical person for IGF standard) DIDW presentation. And as mentioned in that presentation - we are releasing the IGF Attribute Service API as open-source (this is new code). The API will have at least 2 provider implementations - one using OVD (which I'm responsible for and is planned to be a core component of Fusion Middleware & Fusion Applications) and one based on Project Higgins. This is an open project - so you are welcome to go learn more.
]]>If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).
And then asked if this is a litmus test for Meta vs Virtual.
My answer is that it depends.
This is because Sundaram's statement is a false assumption though it's a common belief.
It's a common belief because people want to be "in-control" of data and feel that unless they control everything, they are not truly in control.
This of course is patently false - we have mechanisms (such as contracts) to deal with boundary control issues without needing to actually directly control everything
And this is reflected in the fact that many (if not most) virtual directory deployments - the team that runs the virtual directory does NOT own the data sources they are connecting to. They systems they connect to are often run by different teams usually with different management chains. But virtualization works because those systems are already designed to be used by external client applications with proper level of Service Level Agreements & availability.
And virtualization is a way to make the most out of these existing capabilities.
Where "meta-directory" makes the most sense is really two cases:
1 - You want to reduce the number of storage systems in particular different LDAP servers. Thus you could collapse many ADAM, Sun, Novell, openLDAP, etc into a single enterprise-class storage system such as Oracle Internet Directory.
2 - You need a standardized, provisioning system to meet business process & compliance requirements. This is the environment which Oracle Identity Manager fills.
]]>9. I would use the same law and force Larry Ellison to make Oracle contribute more to open source.
First - why single out Ellison and Oracle? Does he feel others like Microsoft or IBM or CA have done enough? And if so - what have they done for comparison.
Second - I would like to point our Oracle's contributions to Open Source. Most people are probably not familiar to the work we have done.
Start with our Open Source Site.
But just to give a summary:
1 - Oracle contributes heavily to Linux to help the database in particular work better. This is why we were able to offer Oracle Enterprise Linux.
2 - We have put significant effort - in terms of drivers and related work to various projects including PHP, Ruby, Spring and of course EclipseLink (aka open-source of Toplink)
3 - We effectively donated our entire next-generation UI library (ADF) to Apache to help provider a richer platform for Web applications.
4 - We doing all of the reference work for IGF in the open at openLiberty.
5 - It's now possible to run Oracle software on Amazon EC2. This is particular useful when it comes to the database - you can now have a full EE database instance running in 5 minutes without having to fiddle with any kernel or related parameters.
So James -what specifically do you want Oracle to do more of? And what would be the value for you to do so? If you have specific items I'm happy to hear them & communicate them to the appropriate people.
]]>Pete Finnigan - Oracle [database] security information -- A page with various utilities to help test your local Oracle password security and tools to help with auditing the database.
]]>So for example:
alter user hr identified globally as 'cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com';
Should allow you to then login as Mark Wilcox using his uid value (e.g. mwilcox).
I'm sure I read that in Knox's book before but it didn't sink in until I was asked about this at OOW last week.
]]>Passwords -- This blog post from the "Blown to Bits" blog talks about problems with passwords. On a personal level - you should have a random password. No words. Just mix of characters. From a developer perspective - do not write your own login code. Almost all frameworks now have their own login subsystem - leverage that. It will allow you to focus on code that is actually core to your business application. Or as I would think - I would not want my friend Quan writing my UI but he knows how to write awesome security code. I know my friend Josh knows how to make awesome looking UI - he shouldn't be writing my security code. And from an enterprise level - make sure you are adopting comprehensive access products such as Oracle Access Manager suite.
"Using Yahoo! Login Mechanisms for Desktop Applications" -- If you want to use Yahoo! for user password management this might be useful to you.
Criminal probe of ex-Lottery employee Launched -- Basically another data leak problem. Remember - when writing apps to make sure you allow for proper auditing. Also make sure to put in hooks that can allow for access controls to be written using a standard like XACML (such as provided by Oracle Entitlement Server). And if you are storing data in a database make sure the application can work with strong security measures like Oracle Database Vault and Transparent Data Encryption. And - if you managing/installing database - make sure you enable these features if your applications can support them.
Schneier On Security -- Bruce Scheier who is the expert on security - has released a new book. I believe it's a collection of his columns, so if you are a regular reader probably nothing new. However, if you are new to this field - you should get a copy. As well as his previous book Beyond Fear. Or if you are up to speed on these books - then be sure to read The Unthinkable: Who Survives When Disaster Strikes - and Why.
]]>The purpose of that blog in compared to mine is that we will focus on customer stories and higher level use cases. While i continue to be more technical here.
]]>
"For Your Browser Only" -- Reminds developer's that if you are writing cookies from your server code to remember to mark them "HTTP Only". This dramatically reduces the surface area for cross-site scripting attacks. I would also add that other techniques - such as using a standards-based framework for authentication/session management and risk-based access control like Oracle provides via Fusion Middleware and the Access Management Suite will add extra protection.
Security Researches Uncover Spring Framework Vulnerabilities -- Some researchers have found vulnerabilities in the popular Spring framework.
What Californians Understand About Privacy Online -- A paper showing how big the gulf is between the average person's perception of how their privacy is protected and the reality . One could of course make a joke about what do you expect from people who elect "The Terminator" their governor but it is a real problem.
5 Features Your Login System Must Have -- An interesting article for those who are still "rolling their own system". Of course for an enterprise - I'm not sure of any valid use case where that would be a good idea - there's too many good products out there such as Oracle Access Management Suite that can do this for you without needing to become a SSO developer. If you are working on a consumer site - then at the very least, you should adopt something like OpenID or Infocards so that you are not managing passwords.
]]>| Session ID | Title | Date | Time | Room |
| S298531 | Three Things You Should Know About Managing Your Identity | Monday | 14:30 - 15:30 | Moscone West Rm 2003 |
| S298811 | Active Directory and Windows Security Integration with Oracle | Tuesday | 17:00 - 18:00 | Moscone South Rm 305 |
| S298925 | Using Oracle Virtual Directory to Integrate Microsoft Active Directory, Oracle Database, and Oracle Applications | Wednesday | 13:00-14:00 | Marriott Golden Gate C3 |
| S300044 | Integrating Microsoft Active Directory and Oracle Internet | Thursday | 12:00 - 13:00 | Marriott Nob Hill CD |
As I used to say to my "How to build web page" students when I taught - "The only difference between a novice and a guru is the number of people who know when you screw up".
Sorry for any confusion if you followed the earlier links.
]]>The database supports multiple models of authentication.
They are:
The first three are supported by EUS. The last - RADIUS is not.
Username and password is the easiest but does mean that in EUS we have to have a MD5 or SHA1 password stored in the enterprise directory. For Active Directory we have a DLL that uses Microsoft's Password Notifier API to do this for us since AD doesn't do this automatically. For Sun (and Fedora though we haven't officially certified it) the standard userpassword attribute is already hashed properly.
If you are using Kerberos the upside is that you don't need to exchange passwords. Instead the client gets a ticket from the KDC (these days that's likely to be Microsoft AD though I have run into MIT recently) and then the ticket can be used to validate their credentials against the database (this is a simplification of Kerberos. But if you really want to know more you can read the details ). In Kerberos the database verifies the credentials. It only uses EUS to map the user to a database schema and database role.
Now to answer some specific questions - which I can update later:
Q1 - the LDAP listener is not Kerberos ( authentication ) enabled?
A1 - Correct, OVD currently does not support Kerberos authentication. This is not generally a limitation since no common LDAP client application that I'm aware of requires Kerberos authentication. Also Kerberos protocol does not easily open itself up to virtualization. Perhaps this will change when the world starts to adopt STS technologies.
Q2 - the LDAP adapter act as a client and is Kerberos enabled?
A2 - Yes, OVD can take a simple bind (e.g. username and password) from an LDAP client application and verify that password against Active Directory using Kerberos. This is useful if a company doesn't have SSL enabled on AD (but has SSL on OVD) and wants to securely validate passswords against AD.
Q3 - I can't use my Kerberos ticket ( obtained while login in to a windows domain ) to authenticate to OVD and do a query" ?
A3 - This depends because LDAP is like database - most of the time end-users are not connecting directly to the system - they use client applications. If the client application is web-based and configured to do Windows SSO - then yes. If it's a 3rd party application that cannot, then you will need to re-type your credentials. Even if we could accept Kerberos tokens - OVD (just as ANY other Kerberos enabled application) is dependent upon the client application to support it as well. This is why Kerberos never took off in great numbers prior to the release of Active Directory (which gave everyone who ran Windows a KDC whether they wanted it or not) and the Web.
]]>