Monday, September 22, 2008

Oracle OpenWorld, day 1

The first day at Oracle OpenWorld 2008 was great. I arrived early at 8.30 AM, although my first session started at 10.00 AM, so I had the time to register, explore the territory and take some photographs. Unfortunately, the cable to connect my camera to my laptop was left at home. I will put some photographs here when I get back home. My first impressions are that it is a huge and very well organized event. The Moscone Center and the Marriott Hotel where the sessions are held are impressive buildings, especially inside, with their very high ceilings.

Here are some of the photos:

The first session I attended was by Tanya Baccam and was called "Oracle Security Risks" in my agenda, but the real title was "Application Vulnerabilities and the Oracle Database". I hadn't heard of the speaker before, but she was articulate - important for us non-native speakers! - and very good at explaining the various security concepts. It gave me a nice overview of the things we should keep in mind when developing applications, often things you might not be aware of. Things like error messages that shouldn't give away too many details: if the error message on authentication is "Password is not correct", you are really telling the hacker "You got the username right!". So better use "Login failed" or something like that. Or session identifiers: if the hacker knows this identifier, he can enter the application as someone else, so you'd better ensure you have a session identifier that cannot be acquired by brute-force generation of these identifiers. And of course, concepts like SQL injection and cross-site scripting were also presented. Tanya also showed a way to exploit weaknesses in Oracle Forms applications. I will have to try that one at my client when I get back home, to see if they are vulnerable as well :-). Another nice tip for me was about using DBMS_ASSERT in validation checking code.
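To make the DBMS_ASSERT tip concrete, here is an added example of my own (not code shown in the session): a dynamic-SQL procedure that concatenates its input next to a version that validates the identifier with DBMS_ASSERT and binds the value. The table ORDERS with a STATUS column is assumed to exist.

```sql
-- Vulnerable form: the table name and the filter value are both glued into
-- the statement text, so either one is an injection point.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table ||
    ' WHERE status = ''' || p_status || ''''
    INTO p_count;
END;
/

-- Hardened form: the identifier is checked with DBMS_ASSERT before it is
-- used, and the value travels as a bind variable, never as statement text.
-- SQL_OBJECT_NAME also verifies that the object exists and is visible to
-- the caller; SIMPLE_SQL_NAME would only check the syntax of the name.
CREATE OR REPLACE PROCEDURE count_rows_safe (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
AS
  l_table VARCHAR2(128);
BEGIN
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE status = :b_status'
    INTO p_count USING p_status;
END;
/

-- Exercise both paths: a valid name works, a malformed one is rejected by
-- DBMS_ASSERT before any SQL is executed (assumed table ORDERS).
SET SERVEROUTPUT ON
DECLARE
  l_n NUMBER;
BEGIN
  count_rows_safe('ORDERS', 'OPEN', l_n);
  DBMS_OUTPUT.PUT_LINE('open orders: ' || l_n);
  BEGIN
    count_rows_safe('orders x', 'OPEN', l_n);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
  END;
END;
/
```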

Next session was Tom Kyte's "All About Encryption". He started off powerpointing through several possibilities of doing encryption. dbms_obfuscation_toolkit is for versions 8 and 9 and is now obsolete because it uses VARCHAR2s, which are vulnerable to changes in character sets. The dbms_crypto package from version 10 has binary output and is therefore better than the dbms_obfuscation_toolkit package. The other two concepts Tom explained were column-level encryption and tablespace-level encryption. And then the session turned from good into great: he opened up SQL*Plus and used several scripts to show how the encryption is done, comparing the alternatives on block consumption and performance. One thing to remember is to watch out for index range scans on encrypted indexed columns: where last_name = 'KYTE' will be able to use an index, because the optimizer will first encrypt the constant as well, but where last_name like 'K%' will not be able to use an index range scan, since the "K" rows are scattered around the index due to the encryption. For me, this was the best session of the day. And be sure to watch Tom Kyte's blog, because he received an interesting question at the end of the session, asking if the information in temp is encrypted as well.
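To see the index behaviour Tom described for yourself, here is an added script of my own (not one of the session's scripts) using column-level encryption. It assumes the TDE wallet is already open and the table name and data are made up for the demo.

```sql
-- An indexed encrypted column must be declared NO SALT: with SALT, equal
-- plaintexts get different ciphertexts, and Oracle refuses to index it.
CREATE TABLE emp_demo (
  emp_id    NUMBER PRIMARY KEY,
  last_name VARCHAR2(30) ENCRYPT NO SALT
);
CREATE INDEX emp_demo_ln_ix ON emp_demo (last_name);

-- Constructed data: 10,000 random names plus one KYTE row.
INSERT INTO emp_demo (emp_id, last_name)
  SELECT level, DBMS_RANDOM.STRING('U', 8)
  FROM dual CONNECT BY level <= 10000;
INSERT INTO emp_demo (emp_id, last_name) VALUES (10001, 'KYTE');
COMMIT;
EXEC DBMS_STATS.GATHER_TABLE_STATS(USER, 'EMP_DEMO', cascade => TRUE);

-- Equality: the optimizer encrypts the constant and probes the index,
-- so per the session you should see an INDEX RANGE SCAN on EMP_DEMO_LN_IX.
EXPLAIN PLAN FOR SELECT emp_id FROM emp_demo WHERE last_name = 'KYTE';
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);

-- Range: the index is ordered by ciphertext, which bears no relation to
-- plaintext order, so the 'K' rows are scattered and no range scan applies.
EXPLAIN PLAN FOR SELECT emp_id FROM emp_demo WHERE last_name LIKE 'K%';
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);

-- Housekeeping for the demo schema.
DROP TABLE emp_demo PURGE;
```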

The third session was "BEA AquaLogic & Oracle Fusion Middleware Shootout" by Lonneke Dikmans and Ronald van Luttikhuizen. I missed this session during the preview sessions in the Netherlands, but I heard good comments from a colleague who did attend the preview. The session was great for me in terms of catching up with the latest abbreviations and concepts in service-oriented architecture. Both technology stacks had their strong points and weaknesses. One such weakness that was spotted is that repeating process steps in BPEL have to be copied; a circular reference was not possible, making it harder to communicate these process flows to end users. Another lesson learned - again - was not to be overwhelmed by all the new terms; it's the same concept we've known for years, workflow, just with a new coat. The thing that worries me though, is that performance and scalability are often disregarded. This session was no exception. The amount of data that has to be processed in modern systems increases rapidly, yet I see some really lengthy XML structures being passed back and forth for even the most simple tasks. And then there must be a lot of metadata that has to be dealt with under the covers, like recording where my process is now. How scalable will this be? Anyway, at the end of the session all pros and cons were listed. There wasn't a clear winner.

The remaining part of the afternoon was spent being a tourist in San Francisco, together with Chen Shapira. We had pre-arranged to do a walking tour, since she also had some time to kill until the bloggers meeting at 7 PM. She lives in the Bay Area, so I didn't have to worry about getting lost :-). It was a really nice tour, along the Financial District, the Embarcadero with its great views, Little Italy and Chinatown. San Francisco is a beautiful city with lots of different styles all mixed up. It looks more like a European city to me than an American one.

Then it was time for the bloggers meeting. Seeing the faces and meeting the people behind the blogs I read was really nice. Here, at the other end of the world, I've finally met Nicolas Gasparotto, who currently lives only 30 kilometres from me in the Netherlands. And I've met Hans Forbrich and many more. Thanks Eddie, for the organization!

1 comment:

  1. Thanks for the review on our BEA versus Oracle shootout. You're absolutely right about the (lack of) attention for performance. It is so important and complex that you'll need a completely separate session to cover this. That's why we didn't include it in the shootout. Good idea though for a next presentation!