Feed aggregator

Generating an EJB SDO Service Interface for Oracle SOA Suite

Edwin Biemond - Thu, 2012-08-09 13:51
In Oracle SOA Suite you can use the EJB adapter as a reference or service in your composite applications. The EJB adapter has a flexible binding integration, there are 3 ways for integrating the remote interface with your composite. First you have the java interface way which I described here this follows the JAX-WS way. It means you need to use Calendar for your Java date types and leads to one

Speaking at Enkitec Extreme Exadata Expo

Tyler Muth - Thu, 2012-08-09 09:18
I’ll be speaking at the Enkitec Extreme Exadata Expo (E4), August 13-14 in Dallas Texas (you can also attend virtually). They’ve recruited some of the top names from community including keynote speaker Andrew Mendelsohn, Arup Nanda, Cary Millsap, Jonathan Lewis, Karen Morton, Maria Colgan, Kerry Osborne and Tanel Põder. I left a lot of names off the list, many of which you probably […]
Categories: DBA Blogs, Development

OWB – ANSI and Oracle SQL code generation

Antonio Romero - Tue, 2012-08-07 10:56

There is a configuration property in OWB for switching between ANSI SQL code generation and Oracle SQL. It is under the ‘Code generation options’ in the mapping configuration. The join condition is expressed in Oracle SQL join syntax and OWB will reinterpret if generating ANSI SQL.

You can change the value to false, generate the code and inspect it inline within the mapping editor.

The 11gR2 release of OWB has changes in the join component to allow you to express the join type in a logical manner, so you can indicate outer join on a group for example.

Return a fault from an Asynchronous Web Service

Edwin Biemond - Thu, 2012-08-02 15:14
In an asynchronous web service we can't return a SOAP fault like a synchronous service can, but that does not mean you can't report the fault back to the calling asynchronous process. Basically you have three options. Of course, handle the fault in the error hospital and give back the response. In the response message you can add a section (an XSD choice with success and fault sections) which can be

Book Released: "Oracle Database XE 11gR2 Jump Start Guide"

Asif Momen - Thu, 2012-08-02 08:59

I am pleased to announce my first book "Oracle Database XE 11gR2 Jump Start Guide" published by Packt Publishers. The book is available in two formats, "Print Book" and "ebook".


Please let your friends and colleagues know about the book. Have a look at the contents by following the link below:



The book is available for purchase from the publisher's website (www.packtpub.com) and other leading consumer websites like Amazon, Barnes and Noble, Waterstones etc.

Thanks to all my readers who have encouraged me to write this book. 

Handling Large Payloads in SOA Suite 11g

Ramkumar Menon - Fri, 2012-07-27 02:45

I delivered this session at ODTUG '12 where I talked about various considerations and product features that you should know when you are working with processing large payloads with Oracle SOA Suite 11g. You can find the deck for the session at

http://www.oracle.com/technetwork/middleware/soasuite/learnmore/binarycontentlargepayloadhandling-1705355.pdf

You are also welcome to share your experiences in this area.

Looping synonyms and transportable

Fairlie Rego - Thu, 2012-07-26 07:46
Whilst doing an export as part of TTS:

> expdp directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv

Export: Release 10.2.0.4.0 - 64bit Production on Thursday, 31 May, 2012 11:03:50

Copyright (c) 2003, 2007, Oracle. All rights reserved.

Username: / as sysdba

Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
Starting "SYS"."SYS_EXPORT_TRANSPORTABLE_01": /******** AS SYSDBA directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv
ORA-39123: Data Pump transportable tablespace job aborted
ORA-01001: invalid cursor
ORA-06512: at "SYS.DBMS_SYS_SQL", line 902
ORA-06512: at "SYS.DBMS_SQL", line 19
ORA-06512: at "SYS.DBMS_TTS", line 838
ORA-01775: looping chain of synonyms

Job "SYS"."SYS_EXPORT_TRANSPORTABLE_01" stopped due to fatal error at 11:03:59


SYS > alter system set events '1775 trace name errorstack level 3';

System altered.

From the trace file generated

the failing SQL statement is

*** 2012-06-04 10:17:14.026
ksedmp: internal or fatal error
ORA-01775: looping chain of synonyms
Current SQL statement for this session:
SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
p.ts# AND u.user# = o.owner# AND u.name = x.owner
----- Call Stack Trace -----

So if you run the command manually you receive the same error.

SYS> SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
p.ts# AND u.user# = o.owner# AND u.name = x.owner 2
3 /
SELECT DISTINCT p.name, x.xmlschema, u.name FROM dba_xml_tables x, obj$ o, tab$ t, ts$ p, user$ u WHERE x.table_name = o.name AND o.obj# = t.obj# AND t.ts# =
*
ERROR at line 1:
ORA-01775: looping chain of synonyms



> sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Thu May 31 11:04:03 2012

Copyright (c) 1982, 2007, Oracle. All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options

SYS> select object_name,owner,object_type from dba_objects where object_name='DBA_XML_TABLES';

OBJECT_NAME
--------------------------------------------------------------------------------
OWNER OBJECT_TYPE
------------------------------ -------------------
DBA_XML_TABLES
PUBLIC SYNONYM

So let's drop the public synonym:

SYS > drop public SYNONYM DBA_XML_TABLES;

Synonym dropped.

> expdp directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv

Export: Release 10.2.0.4.0 - 64bit Production on Thursday, 31 May, 2012 11:05:09

Copyright (c) 2003, 2007, Oracle. All rights reserved.

Username: / as sysdba

Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP, Data Mining
and Real Application Testing options
Starting "SYS"."SYS_EXPORT_TRANSPORTABLE_01": /******** AS SYSDBA directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv
Processing object type TRANSPORTABLE_EXPORT/PLUGTS_BLK
Processing object type TRANSPORTABLE_EXPORT/TABLE
Processing object type TRANSPORTABLE_EXPORT/POST_INSTANCE/PLUGTS_BLK
Master table "SYS"."SYS_EXPORT_TRANSPORTABLE_01" successfully loaded/unloaded
******************************************************************************
Dump file set for SYS.SYS_EXPORT_TRANSPORTABLE_01 is:
/tmp/test_meta.dmp
Job "SYS"."SYS_EXPORT_TRANSPORTABLE_01" successfully completed at 11:05:35

As you can see, the export completes successfully.

You can re-create the public synonym by running the below

catxdbv.sql:86:create or replace public synonym dba_xml_tables for dba_xml_tables;

If you do a search on MOS for the string "ORA-01775 dbms_tts" you find
Problem on DBMS_TTS ORA-01775: Looping Chain Of Synonyms [ID 1340262.1]

This note indicates the synonym can be dropped.
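As an added diagnostic (not part of the post above), the following query looks for synonyms whose target resolves to nothing real, and specifically flags a public synonym that names itself: that is the shape the catxdbv.sql line above creates when the underlying view is absent, and it is what DBMS_TTS tripped over here. It assumes a SYSDBA session and uses only the standard DBA_SYNONYMS and DBA_OBJECTS dictionary views; the repair steps in the trailing comments are the post's own, collected in one place.

```sql
-- Added example, not from the original post: find dangling and
-- self-referencing synonyms before running a transportable-tablespace
-- export, so an ORA-01775 surfaces here rather than inside DBMS_TTS.
-- Assumes a SYSDBA session; DBA_SYNONYMS / DBA_OBJECTS are standard views.

SELECT s.owner,
       s.synonym_name,
       s.table_owner,
       s.table_name,
       CASE
         -- PUBLIC synonym X FOR X with no real X underneath resolves back
         -- to itself: the ORA-01775 "looping chain" seen in the trace.
         WHEN s.owner = 'PUBLIC' AND s.synonym_name = s.table_name
         THEN 'SELF-REFERENCING PUBLIC SYNONYM (ORA-01775 candidate)'
         ELSE 'DANGLING SYNONYM'
       END AS diagnosis
  FROM dba_synonyms s
 WHERE s.db_link IS NULL                      -- remote targets cannot be checked locally
   -- the target owner.name is not a real (non-synonym) object ...
   AND NOT EXISTS (
         SELECT 1
           FROM dba_objects o
          WHERE o.owner       = s.table_owner
            AND o.object_name = s.table_name
            AND o.object_type <> 'SYNONYM')
   -- ... and no *other* public synonym of that name would catch the lookup
   AND NOT EXISTS (
         SELECT 1
           FROM dba_synonyms p
          WHERE p.owner        = 'PUBLIC'
            AND p.synonym_name = s.table_name
            AND NOT (p.owner = s.owner AND p.synonym_name = s.synonym_name))
 ORDER BY s.owner, s.synonym_name;

-- Repair sequence from the post, once DBA_XML_TABLES is confirmed as the offender:
--   DROP PUBLIC SYNONYM dba_xml_tables;
--   (re-run: expdp directory=tmp_dir dumpfile=test_meta.dmp transport_tablespaces=tts_conv)
--   CREATE OR REPLACE PUBLIC SYNONYM dba_xml_tables FOR dba_xml_tables;   -- catxdbv.sql line 86
```

The second NOT EXISTS matters: a private synonym whose target is only a public synonym name is resolved by Oracle through the PUBLIC fallback and is not broken, so without that clause the query would report false positives for every such alias.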
Oracle Database 12c - New Feature: Identity Columns

Asif Momen - Wed, 2012-07-25 05:20

Well, Oracle Database 12c is not yet available, but new features seem to be popping up in MOS. While troubleshooting Oracle Enterprise Manager Cloud Control 12c startup issues I came across an Oracle Database 12c new feature called “Identity Columns”.

An identity column is auto-incremented at the time of insertion, just like in SQL Server. Going forward, I think you will not use an Oracle sequence anymore to generate unique values; instead you will use identity columns.

For more information on this read:



Happy reading!!!

InteliVideo is Ramping Up!

Bradley Brown - Wed, 2012-07-25 00:24
The rubber is starting to meet the road now!  We're getting some serious traction in the market with InteliVideo.  J.P. O'Brien, a long time friend, has joined me as a co-founder and CEO.  We're signing up customers each week.  We have customers in 3 different categories: 1) Long tail videos - just like Amazon was originally focused on the long tail books, we're focused on the long tail video market.  2) Mid tail videos - these are our ideal customers who have videos.  These companies have the best potential for knocking it out of the park with a viral video.  3) Businesses that want to partner with other companies in the video and entertainment space.  More about this another time.

We now have APIs for anything you can imagine.  We have players for most every device.  We have a full digital rights management platform (we protect our customer's IP).  We keep track of detailed video viewing, previewing, and every click on our site.  In other words, we have extensive analytics about our customers and our prospects.  We have full support and feedback platforms built into our platform.  We allow people to watch videos pretty much anywhere they want - from their big screen TV (i.e. on Roku) to their iPhone, iPad, Android devices and more.

Last week I offered my Oracle Application Express class to the first 10 people that signed up for free.  That provided me with considerable valuable feedback.  Thank you beta users!  10 new people have some great ApEx skills now!  I started by offering my class at $300.  My thinking was that if you attended this class (which I planned to add to over time for added value), it would cost you about $300 per day for an in person class.  This class is at your own pace and you can refer back to the materials at any time.  If it's a 5 day class (I personally think I'll end up with at least 10 days of material)...that's a $1500 value for only $300!

What we need right now is to prove out our model.  In other words, we need to prove we can sell classes online.  I'm headed to Branson, MO for my yearly family reunion/vacation for the next couple of weeks.  So I'm going to put my class out there for just $49.99.  You can buy an unlimited number of seats (one seat is for one employee) and it's not a timed copy of the class - in other words, you'll be able to watch it as long as we're around...and you'll get all of the updates that I do to the class.  All of this just for being one of my first customers!  Hopefully you'll want to train a few hundred of your employees in ApEx...or maybe it's just you. But...please sign up, pay for the class and help make a difference with the future of InteliVideo!  Think of it as a "Kickstart-like" investment!  I can assure you that you won't regret it.  If you don't like the classes, you don't see the value or whatever your reason, I'll gladly refund your money.

This is a cool look at our videos.  Please buy other videos too!  But...PLEASE, PLEASE, PLEASE buy my ApEx class.  And...if there are other classes you would like to see offered out here...let me know!  If you want to deliver your own content and offer it up to the world just as I'm doing (at whatever price you want to offer it for -within reason), that's exactly what I built InteliVideo for...sign up as a content owner and we'll be happy to help you publish and sell your content.

Again, please...and thank you!


SOA Suite 11g advanced training experiences

Jornica - Sun, 2012-07-22 09:20
Read my report from Oracle Fusion Middleware Summer Camps in Munich: SOA Suite 11g advanced training experiences.

Using History Keys in SQL*Plus

Barry McGillin - Thu, 2012-07-19 13:57
I was working through a bug the other day using SQL*Plus, which for the most part doesn't annoy me too much.  However, one of the things that does is having to retype lots of stuff. (We don't have that problem in SQL Developer.)

Having hunted around for a few minutes, I found rlwrap, which is a GNU readline wrapper.  All this means is that when we use it on SQL*Plus, it gives us keyboard history and user-defined completion.  I've found a few posts about it too, which are referred to below, but I wanted to do this for our virtual machine.

We use our Oracle Developer Days VM a lot internally as it's great for spooling up a DB with a full environment ready to play with and test features.  I'm using that for this post.

You can download rlwrap from here.  There are also RPMs available.  I pulled down the tar ball.  Expand it out and you have a bunch of files for a standard build.

Firstly, we need to run the ./configure script to find all the dependencies.  You can see a cut-down version of the output of that below.



checking for tgetent in -lcurses... no
checking for tgetent in -lncurses... no
checking for tgetent in -ltermcap... no
configure: WARNING: No termcap nor curses library found
checking for readline in -lreadline... no
configure: error:

You need the GNU readline library(ftp://ftp.gnu.org/gnu/readline/ ) to build
this program!


[root@localhost rlwrap-0.37]#

Running configure on my system flagged that I didn't have the readline package installed.  However, when I went to install it with

[root@localhost ~]# yum install readline
Loaded plugins: security
Setting up Install Process
Package readline-5.1-3.el5.i386 already installed and latest version
Nothing to do

I discovered it was already installed.  A quick look through the config.log from the configure process, though, shows that the -lreadline library dependency could not be satisfied.  It needed the development package to build.


[root@localhost rlwrap-0.37]# yum install readline-devel


Total download size: 202 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): libtermcap-devel-2.0.8-46.1.i386.rpm | 56 kB 00:00
(2/2): readline-devel-5.1-3.el5.i386.rpm | 146 kB 00:01
--------------------------------------------------------------------------------
Total 85 kB/s | 202 kB 00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libtermcap-devel 1/2
Installing : readline-devel 2/2

Installed:
readline-devel.i386 0:5.1-3.el5

Dependency Installed:
libtermcap-devel.i386 0:2.0.8-46.1

Complete!
[root@localhost rlwrap-0.37]#


OK, now to try configure again.

configure: creating ./config.status
config.status: creating Makefile
config.status: creating filters/Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating doc/rlwrap.man
config.status: creating config.h
config.status: executing depfiles commands

Now do:
make (or gmake) to build rlwrap
make check for instructions how to test it
make install to install it

[root@localhost rlwrap-0.37]#


Running configure again succeeded in creating my Makefile. Great.  Now run the following to build it and install it in the right place, and we should be getting places.


[root@localhost rlwrap-0.37]# make

and

[root@localhost rlwrap-0.37]# make install


Great. Now rlwrap is installed in /usr/local/bin and we can use it in our oracle terminal window.


[oracle@localhost rlwrap-0.37]$ rlwrap
Usage: rlwrap [options] command ...

Options:
-a[password:] --always-readline[=password:]
-A --ansi-colour-aware
-b <chars> --break-chars=<chars>


Now we can use rlwrap to run SQL*Plus, which gets me back to what I wanted to do at the start.  I've kicked this off with the '-c' option.


[oracle@localhost ~]$ rlwrap -c sqlplus barry/barry

SQL*Plus: Release 11.2.0.2.0 Production on Thu Jul 19 17:51:51 2012

Copyright (c) 1982, 2010, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

BARRY@ORCL>

Now my up and down arrows work AND with the '-c' option for rlwrap, we get filename completion for free.

BARRY@ORCL> @re
remote.sql reset_imdbcache reset_xmldb
repos/ reset_sqldev reset_xmldb~
reset_OE.sql reset_svn
reset_apex reset_xdbPorts.sql
BARRY@ORCL> @re


So, now I'm a lot happier and can zip through loading files and getting my previous statements.

Now, I know there are issues with using this when we redirect files into SQL*Plus, on other blogs like this from Lutz Hartmann, but for me and working with plus in a terminal window, this will do nicely.

OWB 11gR2 – Parallelization using DBMS_PARALLEL_EXECUTE

Antonio Romero - Wed, 2012-07-18 10:08

As well as all of the parallel query and DML capabilities exposed in OWB, the 11gR2 release of OWB includes out-of-the-box support for the DBMS_PARALLEL_EXECUTE package in 11gR2 of the Oracle database; there are various articles on the web on how to do the grunt work by manually coding it (see here for example). The use cases for this range from Oracle techie stuff like managing rollback segments for large table updates to parallelizing your PL/SQL mappings…whatever they may be. Here we will see how, with a couple of configuration settings in OWB, you can self-parallelize mappings – divide and conquer the olde fashioned way.

The use case that is generally mentioned for using this is doing large table updates – basically it's dividing a BIG problem into smaller pieces. The package also exposes a resume capability for reprocessing failed chunks, which is also exposed from OWB (when you execute a chunked mapping you can resume or start a mapping). The approach can also be utilized for parallelizing arbitrary PL/SQL (support for set based and row based; also the table being chunked can be the source or the target or an arbitrary SQL statement). The 11.2.0.3 patch is best for this.

Chunk by SQL Statement

The example below updates employees' salaries, driving the parallel worker threads by the departments table. As you see below, the start and end department id are the same and we are doing a distinct, so all employees in a department will be updated in each chunk; that way we can increase the salary within the EMPLOYEES table for each department in a chunk. We are using the department id to drive the chunking – each department is processed in its own thread. We will see how we can control the thread pool of workers.

Note above that there are other options, such as chunk by ROWID and by an arbitrary SQL statement.

The mapping, now using olde fashioned divide and conquer, has new runtime properties which relate back to the DBMS_PARALLEL_EXECUTE package and include the resume functionality for processing failed chunks and the parallel level, so you can change at runtime whether 1, 2 or n threads are used to process the chunks.

We are saying that we want 2 child processes processing the chunks; this is a runtime parameter. It's wise to think about the number of chunks and the number of child processes to ensure an optimal execution plan. The image below depicts the code that gets generated with chunk parallel level 2 and parallel level 4 – essentially the package ‘main’ procedure uses DBMS_PARALLEL_EXECUTE to process the heart of the mapping in the child processes.

There is much more to the package than meets the eye; the resume capability, for example, provides a way of reprocessing failed chunks rather than reprocessing everything again. This is also exposed as a runtime parameter for the chunked OWB mapping, so you can resume and reprocess only the failed chunks.

Chunk by ROWID

This is the classic Large Table Update example that typical divide and conquer is used for. This example updates employees' salaries, driving the parallel worker threads by rows in the target employees table itself. With this example, when we configure the mapping we pick chunk method as ROWID, the chunk table EMPLOYEES, chunk type BY_ROWS and size 1000, for example. The EMPLOYEES table is set to perform an update; I define the target filter for update for the ON clause in the merge/update – so it's the ‘how do I identify the rows to update within this chunk’ clause. The other thing I had to do was define a chunking expression – now in this case it's kind of redundant since the chunking is being done in the ON clause of the update – so we can trick OWB by just saying ‘start=start and end=end’ using the variables. If you don’t specify this, OWB will complain that the chunking expression is invalid.

So the MERGE statement within the chunking code will increase the SALARY for the chunk; you will see the expression to increase salary by, the dummy chunking expression used in selecting from the source (DUAL), and which rows to match – the rows in this chunk.

This lets us perform large table updates in chunks and drive the parallelized mapping using mapping input parameters.

The parallelization for PL/SQL (or row based mappings) is an interesting case - for example for the likes of match merge, which has an inherent divide and conquer strategy (in binning); with match merge out of the box the processing of the bins is serialized by default. Combining the chunk parallelization with the match merge binning lets you boost the performance of such mappings: if you pair the chunking criteria with the binning, you can substantially increase their performance.
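The configuration the post describes maps onto the DBMS_PARALLEL_EXECUTE calls below. This is an added, hand-written example of the chunk-by-ROWID plus resume pattern, not code generated by OWB. It assumes an HR-style EMPLOYEES table with a SALARY column, the CREATE JOB privilege in the executing schema (the package runs each chunk as a scheduler job, so that is the one privilege to grant rather than anything broader), and the post's own choices of 1000-row chunks and parallel level 2; the task name and the 10% raise are constructed for illustration.

```sql
-- Added example (not OWB-generated code): the DBMS_PARALLEL_EXECUTE pattern
-- behind the post's "Chunk by ROWID" mapping, written by hand.
-- Assumptions: an EMPLOYEES table with a SALARY column in the current schema,
-- CREATE JOB granted to this schema, task name and 10% raise are constructed.

DECLARE
  l_task     VARCHAR2(30) := 'EMP_SALARY_CHUNKED';   -- assumed task name
  l_sql      CLOB;
  l_status   NUMBER;
  l_attempts PLS_INTEGER := 0;
BEGIN
  -- 1. Register the task and carve EMPLOYEES into ROWID ranges of ~1000 rows
  --    (chunk table EMPLOYEES, chunk type BY_ROWS, size 1000 in OWB terms).
  DBMS_PARALLEL_EXECUTE.CREATE_TASK(task_name => l_task);
  DBMS_PARALLEL_EXECUTE.CREATE_CHUNKS_BY_ROWID(
      task_name   => l_task,
      table_owner => USER,
      table_name  => 'EMPLOYEES',
      by_row      => TRUE,
      chunk_size  => 1000);

  -- 2. The per-chunk statement. :start_id and :end_id are bound by the
  --    package to each chunk's ROWID range; this is the "which rows to
  --    match within this chunk" clause the post puts in the MERGE ON clause.
  l_sql := 'UPDATE employees e
               SET e.salary = e.salary * 1.10
             WHERE e.rowid BETWEEN :start_id AND :end_id';

  -- 3. Run with two worker jobs (parallel level 2, as in the post).
  --    RUN_TASK blocks until every chunk has been attempted once.
  DBMS_PARALLEL_EXECUTE.RUN_TASK(
      task_name      => l_task,
      sql_stmt       => l_sql,
      language_flag  => DBMS_SQL.NATIVE,
      parallel_level => 2);

  -- 4. Resume: re-run only the chunks that failed, not the whole table.
  --    This is the "resume" runtime parameter the post describes.
  l_status := DBMS_PARALLEL_EXECUTE.TASK_STATUS(l_task);
  WHILE l_status <> DBMS_PARALLEL_EXECUTE.FINISHED AND l_attempts < 3 LOOP
    l_attempts := l_attempts + 1;
    DBMS_PARALLEL_EXECUTE.RESUME_TASK(l_task);
    l_status := DBMS_PARALLEL_EXECUTE.TASK_STATUS(l_task);
  END LOOP;

  IF l_status = DBMS_PARALLEL_EXECUTE.FINISHED THEN
    DBMS_PARALLEL_EXECUTE.DROP_TASK(l_task);
  ELSE
    -- Keep the task so the failed chunks stay visible in
    -- DBA_PARALLEL_EXECUTE_CHUNKS (STATUS, ERROR_CODE, ERROR_MESSAGE).
    RAISE_APPLICATION_ERROR(-20001,
      'Task ' || l_task || ' still has failed chunks after resume attempts');
  END IF;
END;
/
```

Each chunk commits independently, which is the point of the technique and also its caveat: a failure part-way leaves some rows updated, so the statement must be idempotent per chunk (here a ROWID range is touched exactly once per successful chunk) and the task must be resumed rather than re-run from scratch.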

Summer Potpourri

Mary Ann Davidson - Tue, 2012-07-17 14:41

It's summer in Idaho, and how! (It was over 90 yesterday and people can say “it’s a dry heat” until the cows come home with heatstroke. My oven is dry, but I don’t want to sit in that, either.) The air is scented with sagebrush (the quintessential Idaho smell), the pine needles I am clearing from my side yard, the lavender and basil in my garden, and the occasional ozone from imminent thunderstorms. It’s those snippets of scent that perfume long, languid summer days here. With that, I offer my own “literary potpourri” – thought snippets in security.
Digital Pearl Harbor
In the interests of greater service to my country, I would like to propose a moratorium on the phrase “digital (or “cyber”) Pearl Harbor.” This particular phrase is beyond tiresome cliché, to the point where it simply does not resonate, if it ever did. The people who use it for the most part demonstrate an utter lack of understanding of the lessons of Pearl Harbor. It’s as bad as the abuse of the word “decimate,” the original meaning of which was to kill every 10th person (a form of military discipline used by officers in the Roman Army). Unless you were one of the ten, it hardly constituted “utter annihilation,” the now generally accepted usage of “decimate.” The users and abusers of the phrase “digital Pearl Harbor” typically mean to say that we are facing the cyber equivalent of:

-- A sneak attack
-- That “destroys the fleet” – leaving something critical to our national defense or national well-being in a state of ruin/devastation
-- With attendant loss of life
Not to go on and on about the Pacific War – not that it isn’t one of my favorite topics - but Pearl Harbor turned out to be a blessing in disguise for the United States.  Note that I am not saying it was a blessing for the 2403 men and women who died in the attack (not to mention those who were wounded). In support of my point:
1) The Japanese attack on Pearl Harbor brought together the United States as almost nothing else could have. On December 6, 1941, there were a lot of isolationists. On December 8, 1941, nary a one.  (For extra credit, Hitler was not obligated to declare war on the United States under the terms of the Tripartite Agreement, yet he did so, which means – as if we needed one – we also had a valid excuse to join the European war.)
2) The Japanese did not help their cause any by – due to a timing snafu – only severing diplomatic relations after the attack had begun, instead of before. Thus, Pearl Harbor wasn’t just a sneak attack, but a sneak attack contrary to diplomatic norms.  
3) Japan left critical facilities at Pearl Harbor intact, due to their failure to launch another attack wave. Specifically, Japan did not destroy the POL (petroleum, oil and lubricant) facilities at Pearl Harbor. They also did not destroy the shipyards at Pearl Harbor. Had the POL facilities been destroyed, the Pacific Fleet would have had to function out of San Francisco (or another West Coast port) instead of Hawai’i. As for the dry-dock facilities, most of the ships that were sunk at Pearl Harbor were ultimately raised, refurbished, and rejoined the fleet. (Special kudos to the divers who did that work, who do not generally get the credit they deserve for it.) The majority of ships on Battleship Row were down on December 7 -- but far from out.
4) The attack forced the US to rely on their aircraft carriers. Famously, the US carriers were out to sea during the attack, unfortunately for the Japanese, who truly wanted to sink carriers more than battleships.  Consequently, the US was forced (in the early months of the war) to rely on their carriers, and carriers were the future of war-at-sea.  (The Japanese ship Yamato, which, with her sister Musashi, were the largest battleships ever built, was a notable non-force during the war.) 
5) Japan was never going to prevail against the industrial might of the United States.  Famously, ADM Isoroku Yamamoto -- who had initially opposed the attack on Pearl Harbor -- said, "I can run wild for six months … after that, I have no expectation of success.” It was almost exactly six months between December 7, 1941 and the battle of Midway (June 4-6, 1942), which was arguably the turning point of the Pacific War.
December 7, 1941 was and always will be “a date that shall live in infamy,” but Pearl Harbor was not the end of the United States.  Far from it.
Thus, the people who refer to “Cyber Pearl Harbor” or “Digital Pearl Harbor” (DPH) are using it in virtually complete ignorance of actual history. Worse, unless they can substantiate some actual “for instances” that would encompass the basic “here’s what we mean by that,” they run the risk of becoming the boy who cried cyber wolf. Specifically, and to return to my earlier points:
-- A sneak attack
With the amount of cyber intrusions, cyber thefts, and so on, would any cyber attack (e.g., on critical infrastructure) really be “a sneak attack” at this point? If we are unprepared, shame on us. But nobody should be surprised. Even my notably technophobic Mom reads the latest and greatest articles on cyber attacks, and let’s face it, there are a lot of them permeating even mainstream media. It’s as if Japan had attacked Seattle, Los Angeles and San Diego and pundits were continuing to muse about whether there would be an attack on Pearl Harbor. Duh, yes!
-- That “destroys the fleet” – leaving something critical to our national defense or national well-being in a state of ruin /devastation
If we know of critical systems that are so fragile or interdependent that we could be ruined if they were “brought down,” for pity’s sake let’s get on with fixing them. For the amount of time pundits spend opining on DPH, they could be working to fix the problem. Hint: unless Congress has been taken over by techno-savvy aliens and each of the members is now a supergeek, they cannot solve this problem via legislation. If a critical system is laid low, what are we going to say? “The answer is – more laws!” Yessirree, I had no interest in protecting the power grid before we were attacked, but golly jeepers, now there’s a law, I suddenly realize my responsibilities. (Didn’t we defeat imperial Japan with – legislation? Yep, we threw laws at the Japanese defenders of Tarawa, Guadalcanal, and Peleliu. Let’s give Marines copies of the Congressional Record instead of M4s.)
-- With attendant loss of life
It’s not inconceivable that there are systems whose failures could cost lives. So let’s start talking about that (we do not, BTW, have to talk about that in gory detail wherein Joe-Bob Agent-of-a-Hostile-Nation-State now has a blueprint for evil). If it -- loss of life -- cannot be substantiated, then it’s another nail in the coffin of using DPH as an industry scare tactic.
To summarize, I have plenty of concerns about the degree to which people rely on systems that were not designed for their threat environments, and/or that embed a systemic risk (the nature of which is that it is not mitigatable – that’s why it is “systemic” risk). I also like a catchy sound bite as much as the next person (I believe I was the first person to talk about a Cyber Monroe Doctrine). But I am sick to death of “DPH” and all its catchy variants. To those who use it: stop waving your hands, and Put Up or Shut Up – read about Pearl Harbor and either map the digital version to actual events or find another CCT (Cyber Catchy Term). Cyberpocalypse, Cybergeddon, CyberRapture – there are so many potential terms of gigabit gloom and digi-doom – I am sure we as an industry can do better.
Hand waving only moves hot air around – it doesn’t cool anything off.
Security Theater
I recently encountered a “customer expectations management” issue -- which we dealt with pretty quickly -- that reminds me of a Monty Python sketch.  It illustrates the difference between “real security” and “security theater” -- those feel-good, compliance-oriented, “everybody else does this so it must be OK” exercises that typically end in “but we can’t have a security problem -- we checked all the required boxes!”  
Here goes. I was told by a particular unnamed development group that customers requesting a penetration test virtually demanded a penetration test report that showed there were vulnerabilities, otherwise they didn’t believe it was a “real” report.  (Sound of head banging on wall.) I’d laugh if the stakes weren’t so high and the discussion weren’t so absurd.
If the requirement for “security” is “you have to produce a penetration test that shows there are vulnerabilities,” that is an easy problem to solve. I am sure someone can create a software program that randomly selects from, say, the oodles of potential problems outlined in the Common Weakness Enumeration (CWE), and produces a report showing one or more Vulnerabilities Du Jour. Of course, it probably needs to be parameterized (e.g., you have to show at least one vulnerability per X thousand lines of code, you specify primary coding language so you can tailor the fake vulnerabilities reported to the actual programming language, etc.). Rather than waste money using a really good tool (or hiring a really good third party), we can all just run the report generator. Let’s call it BogusBreakIt. “With BogusBreakIt, you can quickly and easily show you have state-of-the-art, non-existent security problems – without the expense of an actual penetration test! Why fix actual problems when customers only want to know you still have them? Now, with new and improved fonts!”
With apologies to the Knights Who Say, “Ni,” all we are missing is a shrubbery (not too expensive). The way this exercise should work is that instead of hiring Cheap and Bad Pen Testers R Us to make your customers feel good about imperfect security (why hire a good one to find everything if the bar is so low?), you do the best you can do, yourselves, then, where apropos, hire a really good pen tester, triage the results, and put an action plan together to address the crappiest problems first. If you provide anything to customers, it should not be gory details of problems you have not fixed yet, it should be a high level synopsis with an accompanying remediation plan.  Any customer who really cares doesn’t want “a report that shows security problems,” but a report that shows the vendor is focused on improving security in priority order – and, of course, actually does so.  
Moral: It’s hard enough working in security without wasting scarce time, money, and people on delivering shrubberies instead of security.
CSSLEIEIO
I don’t think anybody can doubt my commitment to assurance – it’s been my focus at Oracle for most of the time I’ve worked in security, going on 20 years (I should note that I joined the company when I was 8). It is with mixed feelings that I say that while I was an early (grandfathered) recipient of the Certified Secure Software Lifecycle Professional (CSSLP) certification, I have just let it lapse. I’m not trying to bash the Information Systems Security Certification Consortium (ISC(2)), the developer and “blessing certifier” of the CSSLP, and certainly not trying to denigrate the value of assurance, but the entire exercise of developing this certification never sat well with me. Part of it is that I think it solves the wrong problem – more on which later. Also, my cynical and probably unfair comment when I heard that ISC(2) was developing the CSSLP certification was that, having saturated the market for Certified Information Systems Security Professionals (CISSPs), they needed a new source of revenue. (You do wonder when you look at the number of business cards with a multiplicity of alphabet soup on them: CISM, CISSP, CSSLP, EIEIO (Ok, I made that last one up).)
I let my CSSLP lapse because of a) laziness and b) the fact that I got nothing from it. Having a CSSLP made no difference to my work or my “professional standing.” It added no value to me personally, or, more importantly, to assurance at Oracle. I started working in assurance before the CSSLP dreamer-uppers ever thought of Yet Another Certification, and my team (and many others in Oracle) have proceeded to continue to try to improve our practices. ISC(2) had no impact on that. None. I wondered why I was paying X dollars to an organization for them to “bless” work that we were doing anyway, that I was doing, anyway, that did not add one iota to our knowledge or practices? (To be fair, some of the people who work for me have CSSLPs and have kept them current. I can’t speak for what they think they get out of having a CSSLP.)
We have an EIEIO syndrome in security – so many certifications, and really, is security any better? I don’t know. I don’t know how much difference many of these certifications make, except that job search engines apparently look for them as keywords. Many certifications across various industries are used as barriers to market entry, to the point that some forward-thinking states are repealing these requirements as being anti-competitive. (And really, do we need a certification for interior decorators? Is it that critical that someone know the difference between Rococo and Neoclassical styles? C’mon!) In some areas, certifications probably do make sense. Some of them might be security areas. But it doesn’t do any good if the market is so fragmented and we are adding more certifications just to add them. And it really doesn’t do any good if we have too many of them to the point where the next one is JASC – just another security certification. CSSLP felt like that to me.
I certainly think assurance is important. I just do not know – and remain really, really unconvinced -- that having an assurance “certification” for individuals has done anything to improve the problem space. As I’ve opined before, I think it would be far, far, better to “bake in” security to the computer science and related degree programs than try to “bolt on” assurance through an ex post facto certification. It’s like an example I have used before: the little Dutch boy, who, in the story, put his fingers in leaks in a dike to prevent a flood. We keep thinking if only we had more little Dutch boys, we can prevent a flood. If we don’t fix the “builders” problem, we – and all the Dutch boys we are using to stem the flood – will surely drown.

I am not perfect. As good as my team is -- and they and many others in Oracle are the real builders of our assurance program -- they are not perfect. But I stand on our record, and none of that record was, in my opinion, affected one iota by the presence or absence of CSSLPs among our practitioners.
If I may be indulged:
Old MacDonald had some code
EIEIO
And in that code he had some flaws
EIEIO
With a SQL injection here and an XSS there
Run a scan, fuzz your code
Everywhere a threat model
Old MacDonald fixed his code
EIEIO*
Last Bits
I mentioned in an earlier blog, in a truly breathtaking example of self-promotion, that my sister Diane and I (writing as Maddi Davidson) had written and published the first in an IT Industry-based murder mystery series, Outsourcing Murder. The two exciting bits of news about that are, first of all book 2, Denial of Service, is almost (OK, 90%) done. Stay tuned. The second bit is that Outsourcing Murder made a summer reading list for geeks. It’s probably the only time in my life I (or rather, my sister and I) will appear in a list with Kevin Mitnick and Neal Stephenson.
*Ira Gershwin would turn over in his grave – I know I’ll never make it as a lyricist.
