
OracleMagazine May June

DESCRIPTION

oracle magazine may june 2015


Page 1: OracleMagazine May June

Construction project management at the next level

Many have been lost trying to reach the Cloud. If only they’d let us lead the way.

If conquering the cloud was easy, anyone could do it. Our Sherpas are standing by. Finding the route to your perfect Cloud can be treacherous. Okay, more like impossible.

Lucky for you we’ve done the impossible before—over 987,000 times before.

We know the best routes to get your project management software up, running securely and in the Cloud fast. And no matter how big or specialized your project, we’ve been there, done that, and have the parka to show for it.

Once you’re in your perfect Cloud, our proven SpringBoard™ portal helps you consolidate applications, data, reports and more, making them accessible to your whole team worldwide. You’ll get total control over project status, software licensing—even user training.

Get all that, plus legendary support that won’t leave you up a mountain without a piton.

Call and let’s talk.

© Copyright 2015. LoadSpring is a trademark of LoadSpring Solutions, Inc. All Rights Reserved. loadspring.com


MAY/JUNE 2015

GUARD THE CROWN JEWELS
Secure your most important business data where it lives with Oracle Database security

BREAKAWAY SPEED
Specialized Bicycles pulls ahead with Oracle engineered systems

MEMORABLE PERFORMANCE
Die Mobiliar speeds business analytics with Oracle Database In-Memory

Get Mobile and Connected
Consume enterprise web services from mobile apps with Oracle Mobile Application Framework / 33

Upload, Model, Analyze, and Report
Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting / 39

Dynamically Dangerous Code
There’s a right time to use dynamic SQL, but there’s never a right time for SQL injection / 43

On More-Secure Applications
Our technologist shows how to build security into application design / 51

Keeping Pace
OAUG’s new president knows how to handle a changing environment / 56


SOLARWINDS® DATABASE PERFORMANCE ANALYZER CHANGES THE JOB FROM FIGURING OUT WHAT TO FIX... TO FIXING IT.
– Chris M., Data Services Manager

solarwinds.com/dpa-oracle

Spend less time isolating performance problems and more time fixing them. Database Performance Analyzer lets you quickly pinpoint your toughest performance issues in Oracle SE & EE, Oracle Exadata, Oracle Real Application Clusters and Oracle E-Business. You can also monitor SQL Server, ASE SAP, and DB2 from the same interface. It’s the one tool that gives application and database professionals the visibility they need to quickly identify bottlenecks, fix problems, and make applications measurably faster.


CONTENTS

ORACLE MAGAZINE MAY/JUNE 2015
VOLUME XXIX - ISSUE 3

Cover: I-Hua Chen

GUARD THE CROWN JEWELS
Data breaches continue to make headlines. Secure your most important business data where it lives: in the database. —Tom Haunert / 21

BREAKAWAY SPEED
Specialized Bicycle Components pulls ahead with Oracle engineered systems and software solutions. —David Baum / 24

MEMORABLE PERFORMANCE
Swiss insurance leader Die Mobiliar deploys Oracle Database In-Memory to speed business analytics. —Philip J. Gill / 28

Up Front / 5

FROM THE EDITOR / 5
Technology by Example
Good sample data and real examples tell the story. —Tom Haunert

MASHUP / 6
News, views, trends, and tools

At Oracle / 8

EVENTS / 8
Find out about upcoming technology and industry events.

RESOURCES / 10
Your guide to the latest Oracle videos, webcasts, white papers, and more

BRIEFS / 12
The latest product news

Community / 14

PARTNER NEWS / 14

BOOK BEAT / 14

COMMUNITY BULLETIN / 16
Happenings in Oracle Technology Network —Roland Smart

ARCHITECT / 17
Get Where You’re Going
Training and certification decisions are key junctures on your career path. —Bob Rhubart

PEER-TO-PEER / 19
Thinking Green
Three peers recall monochrome monitors, enjoy the outdoors, and optimize energy use. —Blair Campbell

Technology / 33

ORACLE MOBILE APPLICATION FRAMEWORK / 33
Get Mobile and Connected
Consume enterprise web services from mobile apps via data controls in Oracle Mobile Application Framework. —Chris Muir

BUSINESS ANALYTICS / 39
Upload, Model, Analyze, and Report
Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting. —Mark Rittman

PL/SQL / 43
Dynamically Dangerous Code
There’s a right time to use dynamic SQL, but there’s never a right time for SQL injection. —Steven Feuerstein

ASK TOM / 51
On More-Secure Applications
Our technologist shows how to build security into application design. —Tom Kyte

Comment / 56

IN THE FIELD / 56
Keeping Pace
OAUG’s new president knows how to handle a changing environment. —Kate Pavao


MAY/JUNE 2015 ORACLE.COM/ORACLEMAGAZINE

SUBSCRIPTION INFORMATION Subscriptions are complimentary for qualified individuals who complete the form found at oracle.com/oraclemagazine. For change of address, mail in label with the new address to: Oracle Magazine, P.O. Box 1263, Skokie, IL 60076-8263.

MAGAZINE CUSTOMER [email protected] Fax +1.847.763.9638 Phone +1.847.763.9635

PRIVACY Oracle Publishing allows sharing of its mailing list with selected third parties. If you prefer that your mailing address or e-mail address not be included in this program, contact Customer Service at [email protected].

Copyright © 2015, Oracle and/or its affiliates. All Rights Reserved. No part of this publication may be reprinted or otherwise reproduced without permission from the editors. ORACLE MAGAZINE IS PROVIDED ON AN “AS IS” BASIS. ORACLE EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM YOUR USE OF OR RELIANCE ON ANY INFORMATION PROVIDED HEREIN. The information is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle Magazine (ISSN 1065-3171) is published bimonthly with a free subscription price by: Oracle, 500 Oracle Parkway, MS OPL-3A, Redwood City, CA 94065-1600. Periodicals Postage Paid at Redwood City, CA, and additional mailing offices. • POSTMASTER: Send address changes to: Oracle Magazine, P.O. Box 1263, Skokie, IL 60076-8263.

Printed by Quad Graphics

RESOURCES
Oracle Products +1.800.367.8674 (US/Canada)
Oracle Services +1.888.283.0591
Oracle Press Books oraclepressbooks.com

EDITORIAL
Editor in Chief Tom Haunert [email protected] Editor Jan Rogers [email protected]
Associate Editor Patty Waddington
Contributing Editor and Writer Blair Campbell
Technology Advisor Tom Kyte
Contributor Leslie Steere

DESIGN
Senior Creative Director Francisco G Delgadillo
Design Director Richard Merchán
Contributing Designers Jaime Ferrand, Arianna Pucherelli
Production Designers Sheila Brennan, Kathy Cygnarowicz

PUBLISHING
Publisher Jennifer Hamilton [email protected] +1.650.506.3794
Associate Publisher and Audience Development Director Karin Kinnear [email protected] +1.650.506.1985
Audience Development Manager Jennifer Kurtz [email protected]

ADVERTISING SALES
President, Sprocket Media Kyle Walkenhorst [email protected] +1.323.340.8585
Western and Central US, LAD, and Canada, Sprocket Media Tom Cometa [email protected] +1.510.339.2403
Eastern US and EMEA/APAC, Sprocket Media Mark Makinney [email protected] +1.805.709.4745
Recruitment Advertising, Sprocket Media Josie Damian [email protected] +1.626.396.9400, x200
Advertising Sales Assistant, Sprocket Media Cindy Elhaj [email protected] +1.626.396.9400, x201
Mailing-List Rentals Contact your sales representative.

EDITORIAL BOARD
Ian Abramson, Karen Cannell, Andrew Clarke, Chris Claterbos, Karthika Devi, Kimberly Floss, Kent Graziano, Taqi Hasan, Tony Jambu, Tony Jedlinski, Ari Kaplan, Val Kavi, John King, Steve Lemme, Carol McGury, Sumit Sengupta, Jonathan Vincenzo, Dan Vlamis


FROM THE EDITOR


Technology by Example
Good sample data and real examples tell the story.

How do you learn? Do you look at a technology concept description or formula or code syntax and immediately see practical applications? Do you go directly from hearing about a new technology to applying it successfully to real-world solutions?

Some people can get from technology concepts and syntax to solutions and results without a lot of information in between. Many more, I believe, don’t turn away when examples are offered to support complex concepts and syntax. For me, it’s the excellent examples that support, and often complete, the story of the underlying technology.

EXAMPLES OF SAMPLES

An important part of many good information technology examples is a representative set of sample data—data that enables everyone who follows the example process to also see how that example could be applied to one’s own business and technology. Oracle Database, for example, has included sample data for many years, going back to the venerable SCOTT schema and continuing with the HR (human resources), OE (order entry), PM (product media), SH (sales history), and IX (information exchange) schemas.

If you’re a regular reader of Oracle Magazine, you’ve seen these schemas or data derived from these schemas used often in the magazine’s hands-on how-to technology articles. Some of the magazine’s technology writers also create ad hoc sample data that provides what seems to be the exact amount of information required for an article in the shortest possible space. I respect that efficiency, and as an editor who has to make all content fit in pages, columns, boxes, and so on, I appreciate the brevity.

Longtime Oracle Magazine columnists Tom Kyte and Steven Feuerstein are masters of the brief example and brief sample data. If someone on the Ask Tom forum (asktom.oracle.com) asks Tom a question that calls for a sample database with thousands or tens of thousands or even more rows, Tom will create the right-size database in the fewest lines of code possible. Steven quickly creates multiple PL/SQL package specifications, bodies, procedures, functions, and more, always using best practices for naming and coding while keeping the code volume to just what’s needed to explain the topic.

EXAMPLE ADDITION

In addition to featuring hands-on how-to articles that are rich with examples, Oracle Magazine features stories of Oracle customers succeeding with Oracle technology. These customers demonstrate by example their own business and technology challenges and solutions for other business and technology leaders to see. And in the same way a technologist can extrapolate a solution from the presentation of examples, business and technology leaders—visionaries—can see success and create their own new success strategies based in part on the experience of a small sample of some of Oracle’s 400,000 customers.

You can see tens of thousands of Oracle customers and technologists, and hear their success strategies and stories in person, at Oracle OpenWorld 2015 in San Francisco, California, October 25–29. Register early. Be an example.

Tom Haunert, Editor in [email protected]

NEXT STEPS

READ more about Oracle Database sample schemas
bit.ly/1dazDlV

READ Oracle Magazine hands-on how-to articles
oracle.com/technetwork/oramag/magazine/tech-articles

Oracle Magazine customer stories
bit.ly/1E09L50

REGISTER for Oracle OpenWorld 2015
oracle.com/openworld

CONNECT: bit.ly/orclmagcom bit.ly/orclmagfb twitter.com/oraclemagazine linkd.in/orclmag

SEND MAIL TO THE EDITORS

Send your opinions about what you read in Oracle Magazine, and suggestions for possible technical articles, to [email protected]. You can also follow our @oraclemagazine Twitter feed or join us on Facebook at bit.ly/orclmagfb. Letters may be edited for length and clarity and may be published in any medium. We consider any communications we receive publishable.

This “From the Editor” was inspired by an e-mail conversation with Oracle ACE Director and Oracle Magazine columnist Mark Rittman. In discussing Mark’s next article for Oracle Magazine, I questioned his idea for introducing sample data into the hands-on how-to steps he was planning to describe. The article steps involved moving big data between systems, and Mark’s plan for using sample big data for the article was to load it quickly from a single file. When I questioned the idea of true sample big data coming from a single data file, Mark pointed out that a more realistic alternative to loading sample big data could be a long article all by itself. An excellent point.

Thanks, Mark, for the example explanation and editorial inspiration.


MashUp
News. Views. Trends. Tools.

APPS: GREAT GETAWAYS
Planning your summer vacation? These helpful travel apps will make it even more enticing.

GateGuru
Turn the journey into a jaunt. GateGuru gives you up-to-date information on in-airport food, shops, and services, keeps you on top of gate changes, and even gives you estimated security wait times to help you make your flight. Free (Android, iOS, Windows Phone). gateguru.com

Citymapper
Billing itself as “the ultimate urban transport app,” Citymapper does the work of navigating 14 major cities for you. Choose the subway, bus, train, car, bike, or walking. Citymapper plans routes, then gives you information about distance, times, and prices. Free (Android, iOS). citymapper.com

Time Out City Guides
Insider information takes on a new meaning with Time Out city guides covering more than 50 cities worldwide. Get highlights for history, food, art, entertainment, nightlife, and more, all informed by local expertise. Free (Android, iOS). timeout.com/city-guides

Image It
When your high school language skills desert you, Image It comes to the rescue by helping you communicate with pictograms. Combine a series of more than 400 images to free yourself from language barriers. US$.99 (Android, iOS). twitter.com/image_it

Power to Go
Hit the road this summer with the world’s smallest battery pack with a standard wall outlet. Power your laptop, tablet, phone, speakers, radio, television, lights, and more—anything, in fact, that can charge by USB or by a standard wall plug. The ChargeAll Portable Power Outlet comes in two sizes and uses AC power for household appliances and DC power for 12V electronics. Starting at US$269.95. chargetech.com

DO YOU SPEAK TECH? QUIZ YOURSELF!

1. In the term exabyte, the prefix exa- stands for __________ .
a. A unit of measurement
b. Multiplication by the sixth power of 1,000
c. One quintillion
d. A group of digits operated on as a unit

2. The movement behind the field of inquiry that gave rise to devices such as wearable fitness trackers is referred to as __________ .
a. Quantified self
b. Fitness surveillance
c. Wearable computing
d. Humanism

3. In user interface design, a term associated with user-friendliness is __________ .
a. Xerosere
b. Xanthic
c. Xeographic
d. Xenodochial

Answers
1. (b) The prefix exa- indicates multiplication by the sixth power of 1,000.
2. (a) The history of quantimetric self-tracking using wearable computer devices is said to have begun in the 1970s, and the term quantified self is commonly attributed to Wired editors Gary Wolf and Kevin Kelly.
3. (d) Xenodochial describes something that is friendly to strangers and has become synonymous with accessible user interface design elements such as icons and universal symbols.

Instant Inspection
Been longing for your very own tricorder? SCiO, a molecular sensor that fits in the palm of your hand, is for anyone who wants instant information about the things they’re interacting with or consuming. This tiny device reads the chemical make-up of materials such as food, plants, medication, plastics, and oils using a non-intrusive, no-touch optical sensor—and with every scan, the device gets smarter. Discover how much fat is in any salad dressing, how much sugar is in a particular piece of fruit, how pure an oil is, and more. US$249. consumerphysics.com/myscio/scio

IT Security First Line of Defense: Employees

More than 85 percent of CIOs in a recent survey say they’re currently taking steps or are planning to take steps in 2015 to improve IT security. Topping the list? Enhancing employee training on IT security issues. Responses came from 2,400 CIOs at US companies with 100 or more employees, and multiple responses were allowed.

CIOS’ CURRENT OR PLANNED MEASURES FOR ENHANCING IT SECURITY

Enhance employee training on IT security issues: 54%
Enhance vetting firms with access to company data: 45%
Add IT security personnel: 41%
Contract with third-party vendors or add tools to enhance security: 41%
Implement multifactor authentication process: 41%
Other measures: 1%

Source: Robert Half Technology, roberthalf.com/technology


EVENTS

Technology Events
Conferences and sessions to help you stay on the cutting edge

Women in Technology Summit
May 31–June 2, San Jose, California
bit.ly/1AE4lJC
Tech-savvy executives, entrepreneurs, and thought leaders gather to collaborate on solutions to common business challenges and explore new business opportunities that underscore how technology powers change.

Oracle HCM Users Group (OHUG) Global Conference
June 8–11, Las Vegas, Nevada
ohug.org/ohug2015
Oracle Human Capital Management (HCM) users learn about Oracle E-Business Suite and Oracle’s PeopleSoft solutions, plus get the latest updates about Oracle’s HCM cloud solutions.

infoShare
June 11–12, Gdansk, Poland
theinfoshare.org
The ninth annual free infoShare IT and new media conference brings together tech leaders, entrepreneurs, and investors to discuss IT, mobile technology, security, innovations, trends, new media, startups, and project and team management.

SANSFIRE
June 13–20, Baltimore, Maryland
bit.ly/1F3AmR5
This event features hands-on, immersion-style cybersecurity training courses aimed at security professionals at all levels, plus bonus sessions, evening presentations, and special events.

Gigaom Structure
June 17–18, San Francisco, California
bit.ly/1zte42Q
Attendees at this annual conference explore trends in cloud computing, including public versus private cloud, cloud security, and innovative cloud computing use cases.

MobileBeat
July 13–14, San Francisco, California
bit.ly/1Adm8rr
More than 1,000 attendees focus on using mobile technologies for growth. Key themes this year include personalized advertising, customer nurturing, big data, user acquisition and monetization, mobile apps, industries, and analytics.

MozCon
July 13–15, Seattle, Washington
moz.com/mozcon
Attendees get three days of forward-thinking sessions covering search engine optimization, social media, community building, content marketing, brand development, conversion rate optimization, the mobile technology landscape, analytics, and more.

ODTUG Kscope
June 21–25, Hollywood, Florida
ODTUG’s annual gathering includes content for developers, administrators, and business users on developer toolkit essentials, Oracle Essbase, Oracle Application Express, Oracle Business Intelligence, Oracle Enterprise Performance Management, Oracle Application Development Framework, Oracle Fusion Applications development, Oracle Database, and more. Register at kscope15.com.

ORACLE USER GROUPS

Mid-Atlantic Regional Higher Education User Group Conference
June 2, Baltimore, Maryland
bit.ly/1KPBuYM

DOAG (German Oracle User Group) 2015 Business Solutions Conference
June 9–11, Darmstadt, Germany
bit.ly/1Mho6yk

Southern California Users Group Quarterly Meeting
June 10, Huntington Beach, California
bit.ly/17p8qcL

New York Oracle User Group Summer General Meeting
June 11, New York, New York
nyoug.org

Bulgarian Oracle User Group Spring Conference
June 12–14, Plovdiv, Bulgaria
bgoug.org/en

New England Oracle Applications User Group Conference
June 15, Worcester, Massachusetts
neoaug.org

DEVOXX United Kingdom
June 17–19, London, England
devoxx.co.uk

Eastern Canada Regional User Group Conference
June 22–23, Toronto, Ontario, Canada
bit.ly/1LT7J81

UKOUG Database Server Special Interest Group Meeting
UKOUG RAC Cloud Infrastructure and Availability Special Interest Group Meeting
July 1, Reading, England
ukoug.org

The Chartered Institute for IT, BCS Berkshire Branch, Committee Meeting
July 7, Reading, England
bit.ly/1Ja0kmc

Twin Cities Java User Group Meeting
July 13, Eagan, Minnesota
bit.ly/1r3gQyD

Oracle Transportation Management Special Interest Group Quarterly Webinar
July 14, online event
otmsig.com

Southwest Regional Oracle Applications User Group Meeting
July 23, Irvine, California
bit.ly/1pxm5AM

GETTY IMAGES

EVENTS LOCATOR

Oracle Events
oracle.com/events

Locate User Groups
oracle.com/technetwork/community


Push a Button
Move Your Database to the Oracle Cloud
…or Back to Your Data Center

Same Database
Same Standards
Same Architecture

cloud.oracle.com/database or call 1.800.ORACLE.1

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates.


RESOURCES

CONNECT: oracle.com/blogs facebook.com/oracle twitter.com/oracle linkedin.com/company/oracle bit.ly/plusOracle

What’s New at Oracle
The latest videos, webcasts, e-books, and more

VIDEOS

Securing Cloud Data Is Not a Game
bit.ly/1Dpzdj1
Not all cloud providers are created equal when it comes to security. Find out how a modern cloud can help you reduce risk and keep your data secure.

Engineered for Innovation
bit.ly/1B2R15Z
Discover what differentiates Oracle’s engineered systems from other integrated systems, and how they help customers focus on business innovation.

WEBCASTS

“The Next Generation of Oracle’s Engineered Systems”
bit.ly/15aEQFE
See Oracle Executive Chairman and Chief Technology Officer Larry Ellison and other Oracle executives introduce Oracle’s X5 generation of engineered systems.

“Cloud Platform Online Forum”
bit.ly/1zaSG3G
Watch an analyst keynote featuring International Data Corporation (IDC) Analyst Robert Mahowald and sessions that teach you how to rapidly build, deploy, manage, and secure rich applications using an integrated cloud platform built on the industry’s #1 database and #1 application server.

“Delivering Next-Generation Digital Experiences”
bit.ly/1DlDHZC
Get an in-depth look at how enterprise-level marketing technology unlocks breakthrough innovations for audience engagement and connects experiences to business outcomes.

“Accelerate Your Cloud Journey with Oracle Enterprise Manager 12c”
bit.ly/1zaTtlf
Find out how to deliver top-quality database and application platform services in your private cloud.

E-BOOKS

Oracle Cloud Solutions Overview
bit.ly/1DlJ7ni
Learn how Oracle’s modern cloud solutions can help your business thrive in the digital age.

SaaS for Dummies
bit.ly/1EG501P
As a business manager, how can you be sure you’re doing software as a service (SaaS) right? Learn how to select modern cloud services that are personalized, connected, and secure.

WHITE PAPERS

“How Efficient IT Shapes High Tech Success”
bit.ly/1CjoC9j
Learn how seamlessly integrated IT addresses the challenges of converging global markets, increasing customer demands, greater supply chain complexity, and unprecedented strain on existing IT infrastructures.

RESOURCE CENTERS

Oracle Private Platform as a Service (PaaS) Online Assessment
bit.ly/paasassessment
Take this assessment to find out your private PaaS adoption maturity relative to your peers, and identify next steps to help drive your strategy.

Oracle FS1: A Cost-Effective Flash Storage System
bit.ly/1yqYlRX
Visit this resource center to access videos, demos, and more that will help you learn how to speed queries by up to 5 times and reduce storage requirements by up to 90 percent with the Oracle FS1 Series flash storage system.

Ensure Your MySQL Databases Are Secure
bit.ly/1DlLCpR
Access this resource kit to learn about the advanced MySQL authentication, auditing, and encryption features in MySQL Enterprise Edition.

INFOGRAPHICS

Five Best Practices for Platform as a Service (PaaS) Success
bit.ly/paasinfographic
Maximize the business value of your PaaS solution with techniques based on best practices derived from a survey of more than 300 IT practitioners worldwide.

PODCASTS

“Infinity Insurance Secures Sensitive Personally Identifiable Information”
bit.ly/1AsdXu5
Infinity secures sensitive data, such as social security, payment card, and driver’s license numbers, with Oracle Advanced Security.

“DBA Security Superheroes: With Great Power Comes Great Responsibility”
bit.ly/1rTMH5v
Michelle Malcher discusses the “2014 IOUG Enterprise Data Security Survey Report,” and confirms that, more than ever, organizations need database administrators with comprehensive security knowledge.

WEB LOCATOR

Oracle Consulting
oracle.com/consulting

Oracle Events and Webcasts
oracle.com/events

Oracle Newsletters
oracle.com/newsletters

Oracle Podcast Center
oracle.com/podcasts

Oracle University
bit.ly/ouoramag

Oracle Support
oracle.com/support

My Oracle Support
myoraclesupport.com

My Oracle Support Communities
communities.oracle.com


YOUR DESTINATION FOR ORACLE AND JAVA EXPERTISE!

Written by leading technology professionals, Oracle Press books offer the most definitive, complete, and up-to-date coverage of Oracle products and technologies available.

Available in print and eBook formats.

OCA/OCP Oracle Database 12c All-in-One Exam Guide (Exams 1Z0-061, 1Z0-062 & 1Z0-063)
John Watson, Roopesh Ramklass, Bob Bryla
This comprehensive exam preparation tool covers all objectives for all three exams. Electronic practice exam questions are included.
Available August

Running Applications on Oracle Exadata: Tuning Tips & Techniques
Joyjeet Banerjee
An enterprise architect specializing in migration to Oracle’s engineered systems reveals how to configure and tune Oracle Exadata to achieve peak results from applications.

Oracle Database Upgrade, Migration & Transformation Tips & Techniques
Edward Whalen, Jim Czuprynski
Learn best practices from two Oracle ACEs for an effective, efficient, and secure database transition.
Available June

Oracle SQL Developer Data Modeler for Database Design Mastery
Heli Helskyaho
An Oracle ACE Director shows how to design, deploy, and maintain high-performance enterprise databases on any platform with this powerful, free tool.

www.OraclePressBooks.com @OraclePress


Press Headlines

Oracle Advances Vision for Enterprise Big DataOracle recently unveiled new big data solu-tions that simplify information access and discovery. New offerings include Oracle Big Data Discovery, Oracle GoldenGate for Big Data, Oracle Big Data SQL 1.1, and Oracle NoSQL Database 3.2.5. These additions further Oracle’s efforts to enable Hadoop, NoSQL, and SQL technologies to work together and be deployed securely in any model—whether public cloud, private cloud, or an on-premises infrastructure.

Oracle Big Data Discovery is designed to be the visual face of Hadoop, making it easier to find, explore, transform, discover, and share big data insights. The product makes big data assets more accessible to a broader group of business analysts and helps reduce risks and improve time to value for big data projects.

Oracle GoldenGate for Big Data is a Hadoop-based technology that enables customers to stream real-time data from heterogeneous transactional systems into big data systems, including targets such as Apache Hadoop, Apache Hive, Apache HBase, and Apache Flume. Customers can use it to enhance big data analytics initia-tives by incorporating existing real-time architectures into big data solutions, while ensuring that their big data reservoirs are up to date with production systems.

Oracle Big Data SQL 1.1 extends Oracle SQL to Hadoop and NoSQL with the security

of Oracle Database. It enables a single fast query, written in Oracle SQL, to transpar-ently access data in Hadoop, NoSQL, and Oracle Database. Oracle Big Data SQL 1.1 provides tighter integration between Hadoop and Oracle Database, while increasing query performance by up to 40 percent from previous versions.

Oracle NoSQL Database 3.2.5 is an adapt-able solution that allows developers to build high-performance, next-generation applica-tions. The latest release provides predict-able low latency, a RESTful application programming interface (API), and an Apache Thrift–based C API, and is integrated with the Oracle Big Data platform. Building on Oracle Big Data SQL, Oracle NoSQL Database 3.2.5 also supports data definition language, making it even easier to use SQL to query NoSQL data.

“Data is a new kind of capital, and enterprises must invest their data capital strategically to create the best return,” says Neil Mendelson, vice president of big data at Oracle. “Oracle gives customers an inte-grated platform that helps simplify access

to all their data, dis-cover new insights, predict outcomes in real time, and keep all their data gov-erned and secure.”

bit.ly/1EPwMHU

I-HUA CHEN

Oracle Announces Release of Java Development Kit 8, Update 40

Demonstrating its continued investment in the world’s #1 programming language, Oracle announced the release of Java Development Kit 8, Update 40 (JDK 8u40). This latest release brings improvements to performance, scalability, and administration, making it easier for Java developers, partners, and IT decision-makers to innovate faster in a simple, easy manner and improve application services. The release also includes new updates to JavaFX.

Among the features and benefits of the new release are G1 enhancements, dynamic enablement of Java Flight Recorder, improvements to the native packager, a new time zone updater tool, Nashorn support, Java Virtual Machine reaction to memory pressure, the Java Mission Control 5.5 feature, lambda form reduction and caching, native memory tracking scalability, and enhanced cryptographic performance of secure hash algorithms.

“The proliferation of mobile devices and the Internet of Things has led to an increasingly connected world, but none of this would be possible without underlying foundational technology like Java,” says Georges Saab, vice president of development, Java Platform at Oracle. “With these updates, we continue to usher in the next era of Java to enable developers and enterprises alike to cement Java’s role as the backbone of today’s and tomorrow’s revolutionary business solutions.”

bit.ly/18VEyVt

New Oracle Consumer Study Challenges Retailers to Adapt to Modern Retail Marketplace bit.ly/1c1kdQm

Oracle Communications Advances Network Function Virtualization by Delivering Carrier-Grade Data Center Performance bit.ly/1Ikw2yo

Genie Retail Energy Improves Operations and Increases Efficiency with Oracle Utilities Load Profiling and Settlement bit.ly/1DcAM61

Dombivli Nagari Sahakari Bank Chooses Oracle FLEXCUBE as Its Core Banking Solution bit.ly/1yPyXGW

Boise State University Selects Oracle Enterprise Resource Planning Cloud bit.ly/1CLLD5p

Newfield Supports Employee Performance with Oracle Human Capital Management Cloud bit.ly/1y3eNZs

Epsilon Deploys Oracle Linux and Oracle VM to Deliver Solutions up to 20 Times Faster at a 35 Percent Lower Total Cost of Ownership bit.ly/1y3eXju

Oracle Data as a Service for Marketing Connects B2B Marketers with Millions of Business Professionals and Decision-Makers bit.ly/1EEZzwi

Oracle’s Netra Modular System Brings Converged Infrastructure to the Communications Industry bit.ly/1N5Yzrv

New Oracle and Forbes Insights Study Shows Companies Moving Toward Modern Customer Service bit.ly/19wZvXa

Oracle’s MICROS Workstation 6 Point-of-Service Terminal bit.ly/1I0OlIH


ORACLE MAGAZINE MAY/JUNE 2015

Primavera Launches Project Portfolio Management Cloud Services Accelerators for Financial Services, Public Sector, and Engineering and Construction Industries

Oracle has launched three new cloud services accelerators for enterprise project portfolio management (EPPM) in the financial services, public sector, and engineering and construction industries. Combining Oracle’s Primavera products with Oracle’s cloud technology expertise, these purpose-built accelerators enable organizations to address the challenges associated with managing project, program, portfolio, and contract lifecycles in their respective industries.

“Gone are the days of one-size-fits-all project and contract management tools. Our customers need cloud-based, specialized solutions that fit how they do business, get them up and running quickly with industry best practices, and provide the flexibility and power to change and grow with their needs. That’s why we have launched these three process- and industry-specific accelerators. With this announcement, we are looking to the cloud as the catalyst that will enable our customers to use EPPM to transform their organizations at the speed that they demand,” says Mike Sicilia, senior vice president and general manager, Oracle Primavera Global Business Unit.

bit.ly/1CsVKvU

Oracle Introduces Oracle Data as a Service for Customer Intelligence

To help organizations increase customer understanding and uniquely extract meaningful insights from any form of indirect or direct customer feedback, Oracle recently announced Oracle Data as a Service for Customer Intelligence. Part of Oracle Data Cloud, the new product is designed to help organizations extract and unify insights from a growing number of unstructured data assets. These insights can be used to capture a more complete view of customer input across social and enterprise channels, identify and manage customer issues, understand how customer voice (expectations, preferences, aversions, and more) is affecting sales, and ultimately arm businesses with the intelligence to create happier customers.

“Knowing more about your customers and prospects—what they do, say, and buy—is key to driving competitive business insights and actions,” says Omar Tawakol, group vice president and general manager, Oracle Data Cloud. “With the release of Oracle Data as a Service for Customer Intelligence, businesses can tap into what customers ‘say’ by unifying and analyzing the growing world of unstructured data across social messages, chat logs, reviews, surveys, and transcripts into digestible and actionable customer insights.”

bit.ly/1EEZdWr

Oracle’s New Ethernet Switches and Virtual Network Services Target Software-Defined Data Centers and Cloud

Oracle is addressing two major networking requirements for cloud-enabled data centers with new high-performance, low-cost 10 Gb/40 Gb Ethernet switches and the addition of virtual network services to Software Defined Networking (SDN). The new networking technologies provide the flexibility and scalability for both enterprise data centers and network function virtualization infrastructure.

“Cloud-enabled data centers are only as fast or as agile as their networking allows, which makes the convergence of software-defined networking and network services a next logical step in the evolution of the software-defined data center,” says Raju Penumatcha, senior vice president, Netra systems and networking at Oracle. “Oracle’s new Ethernet switches and virtual network services in Oracle SDN help clear the way for enterprises to deploy key network services faster and gain high performance at the lowest cost.”

bit.ly/MvGNTK

MySQL Cluster 7.4 Released

MySQL Cluster 7.4, now generally available, delivers greater performance, high availability, advanced management capabilities, and more.

“With digital proliferation generating more data than ever before, businesses need online transaction processing to be as efficient and performant as possible,” says Tomas Ulin, vice president, MySQL engineering at Oracle. “With no single point of failure, MySQL Cluster 7.4 provides high performance to a wide range of application requirements for a user base that spans administrators of major telecommunications subscriber databases to providers of next-generation web, cloud, social, and mobile applications.”

bit.ly/1JOgDIq

Oracle Marketing Cloud Helps Higher Education Institutions Improve Student Engagement and Retention

To help higher education institutions enhance student engagement and retention, Oracle has announced Oracle Marketing Cloud for student engagement. The new solution provides advanced targeting and segmentation capabilities, as well as prebuilt data models and customized campaign templates designed for student outreach and retention initiatives.

“The higher education landscape is rapidly transforming, thanks in part to shifting student demographics, diminishing enrollment, rising expectations, escalating dropout rates, and new funding criteria imposed by local governments,” says Mark Armstrong, vice president, Oracle Higher Education. “At Oracle, we are committed to leveraging our extensive insights across a range of verticals to deliver the industry-specific, multichannel marketing solutions that reduce marketing complexity and enable more effective and meaningful audience engagements.”

bit.ly/1NdhcI7


Book Beat

MAY/JUNE 2015 ORACLE.COM/ORACLEMAGAZINE


Partners Achieve Oracle PartnerNetwork Specialized Status for Oracle Cloud Solutions

Three partners have achieved Oracle PartnerNetwork Specialized status for their Oracle Cloud solutions. Specialized status spotlights the strengths and special skills of experienced and committed Oracle partners.

Kaygen, an Oracle Platinum Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Fusion Customer Relationship Management Cloud Service, part of Oracle Sales Cloud. Kaygen is a professional services firm specializing in information management with expertise spanning master data management, data quality, business intelligence, analytics, and enterprise integration.

Performance Architects, an Oracle Platinum Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Business Intelligence Cloud Service. Performance Architects is a business and technology consulting company that partners with clients to improve enterprise performance.

Quarry Integrated Communications, an Oracle Gold Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Eloqua and Oracle Content Marketing Cloud Service, both part of Oracle Marketing Cloud. Quarry is a buyer experience agency that helps organizations accelerate brand growth, reignite brand innovation, and redefine brand advantage.

kaygen.com
performancearchitects.com
quarry.com

Expert Oracle Exadata, Second Edition

By Andy Colvin, Karl Arao, Martin Bach, Frits Hoogland, Kerry Osborne, Randy Johnson, Tanel Põder
Apress
apress.com

Expert Oracle Exadata, Second Edition, covers the mechanics that underlie Oracle Exadata to help readers understand how its hardware and software work together to create a superior platform for running Oracle Database. The authors share their real-world experience with Oracle Exadata and introduce readers to new performance-enhancing concepts such as offloading SQL processing to the storage layer. The book provides a roadmap to laying out the Oracle Exadata platform to best support existing systems.

Oracle SQL Developer Data Modeler for Database Design Mastery

By Heli Helskyaho
Oracle Press
oraclepressbooks.com

In Oracle SQL Developer Data Modeler for Database Design Mastery, Oracle ACE Director Helskyaho reveals how to design world-class databases on any platform using the full capabilities of this powerful, free tool. She provides best practices for planning, executing, installing, deploying, and maintaining a database of any size, and approaches the subject of database design from concept to the details of documenting code.

Advanced WebLogic Server Automation

By Martin Heinzl
Rampant TechPress
rampant-books.com

Advanced WebLogic Server Automation covers how to automate all aspects of Oracle WebLogic Server in both small and very complex environments by using powerful application programming interfaces. The book includes tips based on lessons learned during the author’s more than 15 years of experience with Oracle WebLogic Server. It also offers many practical examples and a comprehensive code download of powerful WebLogic Scripting Tool and Java Management Extension scripts.

Look for other Oracle books at bit.ly/oraclebookstore.

Partners Earn Oracle Validated Integrations

Six partners have earned Oracle Validated Integrations, demonstrating that their solutions are designed in a reliable way, have been tested as functionally and technically sound, and perform as documented.

Crawford Technologies, an Oracle Gold Partner, achieved Oracle Validated Integration status with integration of PRO Transform Plus Version 3.0 and Oracle WebCenter Content 11g. Crawford Technologies offers print-stream transformation, document re-engineering, workflow, document accessibility, and archiving software solutions.

ITCROSS, an Oracle Gold Partner, achieved the status with a set of applications designed for integrating Oracle’s JD Edwards 9.1 and Edicom software for electronic invoices in Mexico. ITCROSS provides JD Edwards consulting services worldwide.

Kaba Workforce Solutions, an Oracle Gold Partner, achieved the status for integrating B-COMM for Oracle Time and Labor 7 with Oracle E-Business Suite 12.2. Kaba Workforce Solutions is a wholly-owned operating subsidiary of Kaba Holding, a global provider of enterprise workforce management and access control solutions with a focus on time and attendance, workforce scheduling, data visualization and analytics, regulatory compliance, and more.

Transcepta, an Oracle Gold Partner, achieved the status for integrating Transcepta E-Invoicing and Supplier Onboarding Service Version 4.1 with Oracle E-Business Suite 12.2. Transcepta provides accounts payable and procurement professionals with cloud-based procure-to-pay solutions, including e-invoicing, spend management, VAT compliance, supplier information management, and supplier enablement.

Ventureforth, an Oracle Platinum Partner, achieved the status for integrating vAudit 7.0 with Oracle E-Business Suite 12.2. Ventureforth’s technologies extend Oracle Applications to mobile users.

VoltDelta, an Oracle Gold Partner, achieved the status with integration of its DeltaACD 2.0 Cloud Contact Center with Oracle Service Cloud. VoltDelta is a global cloud-based contact center provider specializing in data-driven contact management.

crawfordtech.com
it-cross.com
kaba-benzing-usa.com
transcepta.com
ventureforth.com
voltdelta.com


PARTNER NEWS


Two Partners Achieve Oracle Exastack Ready Status

Two partners have achieved Oracle Exastack Ready status for their solutions. Oracle Exastack Ready status indicates that these partners support their applications with Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud, Oracle Exalytics In-Memory Machine, Oracle SuperCluster, Oracle Database Appliance, Oracle Big Data Appliance, or Oracle Virtual Compute Appliance, and the latest major releases of their component products.

Oracle Diamond Partner Capgemini’s OCommerce achieved Oracle Exadata Ready, Oracle SuperCluster Ready, Oracle Exalogic Ready, Oracle Exalytics Ready, Oracle Database Appliance Ready, and Oracle Big Data Appliance Ready status. OCommerce is a new solution, co-architected with Oracle, to help streamline customer interactions across all channels with a focus on increasing conversion rates and loyalty through proactive targeting and marketing to customers.

Oracle Gold Partner MicroStrategy achieved Oracle Exadata Ready, Oracle Exalogic Ready, Oracle SuperCluster Ready, Oracle Database Ready, Oracle WebLogic Ready, Oracle Linux Ready, Oracle Solaris Ready, and Oracle VM Ready status for MicroStrategy Analytics Platform 9. MicroStrategy Analytics Platform helps organizations transform big data into intuitive dashboards and reports for greater analytical insights.

capgemini.com
microstrategy.com

Kalido Achieves Oracle Exastack Optimized Status

Oracle Gold Partner Kalido has achieved Oracle Exastack Optimized status for its Kalido Information Engine, a development and deployment platform for analytics. Kalido is a provider of business-driven data governance software. The Oracle Exastack Optimized program enables Oracle partners to develop, test, and tune their applications on Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud, Oracle Exalytics In-Memory Machine, Oracle SuperCluster, Oracle Database Appliance, and Oracle Big Data Appliance engineered systems.

kalido.com

Partners Achieve Oracle Gold Partner Status

Four Oracle partners have achieved Gold membership in Oracle PartnerNetwork.

ConnectLeader, the developer of Personal Dialer and Team Dialer sales dialing solutions, is recognized for its commitment to establish Oracle-related knowledge in delivering sales dialing technology and solutions, and for uniquely addressing the challenges of joint customers.

Continuity Software, a provider of service availability risk management solutions, is recognized for its commitment to establish Oracle-related knowledge in delivering solutions that mitigate downtime and data-loss risks across the enterprise IT environment—including disaster recovery, high availability, and cloud environments, and for uniquely addressing the challenges of joint customers.

MAXIMUS, an operator of government health and human services programs in the United States, United Kingdom, Canada, Australia, and Saudi Arabia, is recognized for its commitment to establishing Oracle-related knowledge in delivering Electronic Work Opportunity Tax Credit prescreening I-9/E-Verify management, and solutions that uniquely address the challenges of joint customers who seek to maximize their tax credit potential and maintain hiring compliance requirements.

Talentoday, creator of an online social career guidance solution, is recognized by Oracle as an international and reliable test editor and for its commitment to deliver assessment tools to professionals. Talentoday’s solution provides a free assessment for individuals and a cloud-based framework with which career and HR experts can scale and optimize effective job placement.

connectleader.com
continuitysoftware.com
maximus.com
talentoday.com

MorganFranklin Consulting Achieves Oracle Platinum Partner Status

Washington DC–based professional advisory, business consulting, and technology solutions company MorganFranklin Consulting recently announced it has achieved Oracle Platinum Partner status in Oracle PartnerNetwork. Oracle recognizes MorganFranklin for its expertise using Oracle products to help companies improve their business agility and resiliency, as well as for uniquely addressing the challenges of joint customers.

morganfranklin.com


Partner Offerings Available on Oracle Cloud Marketplace

To meet the growing demand for business applications that leverage cloud, mobile, and social technologies, and to create new opportunities for its partners, Oracle offers the Oracle Cloud Marketplace, where applications and services developed by Oracle partners and leveraging Oracle Cloud platform services and Oracle software-as-a-service applications are available.

Customers can browse, evaluate, and buy solutions to address their business needs. Offerings include

Data8 Advanced Company Information, part of Oracle Gold Partner Data8’s data validation offerings. Data8 provides data quality solutions including comprehensive data cleansing, real-time data validation, and data supply services.

Peloton CloudAccelerator for Oracle Planning and Budgeting Cloud Service, developed by Oracle Platinum Partner Peloton Group. Peloton offers advisory, implementation, and outsourcing services to aid business transformation in the areas of business planning, financial consolidation and reporting, business analytics, data integration, and technology infrastructure.

data-8.co.uk
pelotongroup.com


Community Bulletin

News, People, and Happenings in the Oracle Technology Network

BY ROLAND SMART


Available Now: MySQL Cluster 7.4

Designed to deliver 99.999 percent availability, MySQL Cluster 7.4 provides improved performance for both read-only workloads and read/write operations. It also includes a host of new geographic redundancy features, enabling update-anywhere replication between distant clusters.

MySQL Cluster 7.4 is available in both open source and commercial editions. Download the quick start guide, evaluation guide, and complete software package at bit.ly/download-MySQL-Cluster.

PODCAST ROUNDTABLE ON API MANAGEMENT

A four-part Oracle Technology Network (OTN) ArchBeat podcast series, featuring Oracle Fusion Middleware and service-oriented architecture (SOA) experts, examines the rise of API management lifecycle solutions. As the interviewees point out, increasing API adoption across the organization is just one reason to invest in an API management strategy. Other reasons include the opportunity to track developer usage of different APIs, as well as replacing outdated methods of gathering API documentation (such as spreadsheets) with more developer-friendly resources.

Stream the entire podcast series at bit.ly/api-management-podcast. Then, visit Oracle Community to discuss API management and SOA governance with other OTN members at bit.ly/api-management-chat.

Get Certified in Oracle Mobile Development

If you have solid experience in Oracle mobile development solutions, consider getting certified via the Oracle Mobile Development 2015 Essentials Exam. Offered by Oracle PartnerNetwork, a comprehensive exam with more than 100 questions verifies your knowledge of a number of key competencies, including Oracle Mobile Application Framework, mobile user interface design, and application security across multiple mobile platforms. Learn more about the exam requirements and specialist certification at bit.ly/omd-cert-2015. You can also prepare for your test day by consulting the official study guide at bit.ly/omd-study-guide.

Data Visualization for Oracle Business Intelligence 11g, written by Oracle ACE Director Dan Vlamis and data visualization design expert Tim Vlamis, provides an end-to-end guide to using graphs, pivot tables, and rich multivariable dashboards to unlock immediate business value.

Among other best practices, you’ll learn how to choose the most effective graph type (bar, waterfall, histogram, radar, and so on) for your data sets, how to incorporate advanced visualizations (such as jQuery sparklines) into your Oracle Business Intelligence 11g dashboards, and how to create interactive business intelligence reports and scorecards for both technical and nontechnical decision-makers.

Published by McGraw-Hill and Oracle Press, Data Visualization for Oracle Business Intelligence 11g is available in both paperback and e-book formats. Read a sample chapter and buy the book at bit.ly/obi-book.

Deploying Oracle Database 12c on Oracle Solaris 11

A new how-to guide from Oracle Solaris experts Glynn Foster and Ginny Henningsen provides detailed instructions for installing Oracle Database in a non-global Oracle Solaris Zone.

The authors present the five key steps for installing Oracle Database 12c on Oracle Solaris 11, covering server installation, zone configuration, software prerequisites, Oracle Database installation, and final validation.

Find the step-by-step instructions and explanatory screenshots at bit.ly/12c-five-steps, and review the full directory of Oracle Solaris how-to articles at bit.ly/Solaris-articles.

Roland Smart is vice president of social and community marketing at Oracle.

NEW BOOK: Data Visualization for Oracle Business Intelligence 11g


ARCHITECT BY BOB RHUBART


CONNECT: blogs.oracle.com/archbeat facebook.com/brhubart twitter.com/brhubart linkedin.com/in/bobrhubart

Look around you. How did you arrive at the spot you currently occupy? I’m not talking about your GPS coordinates. I’m talking about where you are in your career. Somewhere along the timeline that connects the latest version of you with your various prior releases are points at which you made certain decisions—among them choices about training and certification to enhance your skills and your marketability.

Curious about how community members approach those decisions, I set up a thread in a discussion forum on the Oracle Communities website and sent out an open invitation for people to tell their stories.

Andre Araujo, senior system engineer at Oi S.A., a Brazilian telecommunications company, has earned certifications as an Oracle WebCenter Content 11g Presales Specialist, Oracle WebCenter Portal 11g Presales Specialist, and Oracle Service-Oriented Architecture Presales Specialist, among others. This year he plans to add Oracle Certified Associate, Oracle Certified Java Professional, and Linux Professional Institute certifications. “My goal is to achieve excellence in everything I’m doing,” he says. “As a systems and operations engineer, every day comes with a new challenge. To meet these challenges, I must know a little bit of everything.”

Antón R. Yuste, a solutions architect at Optare Solutions, holds Oracle Communications Services Gatekeeper Implementation Specialist, Oracle Communications Converged Application Server Implementation Specialist, and Oracle Communications WebRTC Session Controller Sales Specialist certifications. “The implementation specialist certifications are the best I’ve achieved,” he says. The courses were instrumental in increasing his understanding of how to deploy those products. The certifications “help raise the visibility of my skills, increase access to industry opportunities, and also help my company on its path to gaining Oracle PartnerNetwork Specialized status.” Next up on his list to pursue are Oracle Communications Session Border Controller Certified Implementation Specialist and perhaps Cisco Network Programmability Design Specialist certifications.

Oracle ACE Associate Rodrigo Radtke de Souza is a consultant, solution architect, and software development advisor at Dell. “For me, certifications were always a very good way to consolidate my knowledge around a specific technology. Back in the days when I was a Java developer, I wanted to be sure that I knew the details and nuances of that technology.” He credits the Sun Certified Java Programmer (SCJP 6) and Sun Certified Web Component Developer (SCWCD 5) certifications as essential in achieving that goal. But his journey didn’t end there.

“When I migrated to Oracle development, Oracle Database SQL Expert certification helped me to create a solid knowledge-base around the basic principles of SQL,” he says. His latest certification is Oracle Data Integrator 11g Certified Implementation Specialist. “Having a certification,” he says, “allows you to demonstrate to others that your knowledge is compatible with market expectations for that technology.” For his next round of certifications, Souza has his sights set on Oracle Hyperion Planning, Oracle Essbase, and Oracle Business Intelligence Enterprise Edition.

The stories of these three individuals represent their specific interests and strategies. Architect Enterprise Applications with Java EE and SOA Adoption and Architecture Fundamentals are the most popular courses among Oracle University’s architecture-related offerings. Not surprisingly, database courses are the most popular overall.

Oracle ACE Director Eric Helmer, vice president of Global IT Services at ADI Strategies and a board member of the Oracle Applications Users Group’s Oracle Hyperion special interest group, highly recommends database certification as a starting point. “Every enterprise solution has a database back end,” he explains. “I guarantee it will not be long before you will grow into corporate systems and solutions that could catapult your career in myriad directions. It happened to me.”

If you plan to load yourself into the career catapult, what target will you aim for? What skills, certifications, or other enhancements do you plan to add to You 2.0? Join the discussion and share your plans: bit.ly/1EyeYhN.


Get Where You’re Going

Training and certification decisions are key junctures on your career path.

NEXT STEPS

READ training/certification stories bit.ly/1EyeYhN

EXPLORE Oracle University’s architecture-related training/certification resources bit.ly/1EyfPiq

LEARN about the Oracle PartnerNetwork Specialized program oracle.com/partners

Bob Rhubart ([email protected]) is manager of the architect community on Oracle Technology Network, the host of the Oracle Technology Network ArchBeat podcast series, and the author of the ArchBeat blog.


PEER-TO-PEER BY BLAIR CAMPBELL


Learn more about the Oracle ACE program at bit.ly/OracleAce.

Thinking Green

These peers recall monochrome monitors, enjoy the outdoors, and optimize energy use.

How did you get started in IT? It was in high school, with those 5¼-inch floppies, green-lettered screens, and keyboards you could pound on. It sort of felt like you were engraving things in stone using a hammer and chisel. It certainly gave a great feeling once the code actually executed, and even did the things that you intended.

What’s your favorite tool on the job? I like tools that give good insight into what a Java Virtual Machine is doing. One great example is the Java Mission Control feature of Java Platform, Standard Edition. When it’s used with the Oracle WebLogic Server plugin, you can trace a request from a servlet to Enterprise JavaBeans to JDBC—so you can show developers where things are going wrong, and that Oracle WebLogic Server is not to blame.

Which new features in Oracle technologies are you finding most valuable? All the features that make the configuration of an environment easier—such as the dynamic clusters, server templates, and Oracle Coherence integration in recent Oracle WebLogic Server releases.

What advice do you have about getting into application development? I always recommend downloading the software from Oracle Technology Network and trying out your own installation. Creating your own little “Hello, World” example is much more valuable than following dozens of pages of course instructions. Learning is try, fail, improve, repeat—without any silver bullet.

What technology has most changed your life? The omnipresence of the internet, which will be driven even further with the Internet of Things. The metadata of your pictures stored in the cloud, taken by that tiny camera in your phone, will disclose to your grandparents the location on Google Maps of that perfect little beach that you discovered in New Zealand many years ago. We live in an amazing world!

What’s your favorite thing to do that doesn’t involve work? Traveling and exploring. Last year after Oracle OpenWorld San Francisco, we went to Yosemite. After an intense week of Oracle ACE Director briefings and conference talks, it was a fabulous experience to leave the city behind. Driving into the rugged green beauty of the national park and climbing some waterfalls was such a pleasant contrast.

How did you get started using Oracle technologies? I started my career as an OS engineer. At one point early on, when I was creating a customer management system, I was asked by the customer to propose a system configuration. I suggested that we go with Oracle7 and Visual Basic.

Which new Oracle Database features are you finding most valuable? Support for Entity Framework 6 Code First and Code First migrations in Oracle Data Access Components 12c is my favorite new feature. I also like that I can install Oracle Data Provider for .NET by using NuGet.

How are you using mobile computing these days? I use mobile for everyday information gathering and social networking. In addition, I’ve developed mobile apps at hackathons.

What green initiatives are you focusing on in your software architecture work? I’m working on a project that aims to optimize household power usage through the use of carbon reduction support systems. I think the appropriate use of power is the key to protecting our environment.

Company: Axis into ICT, a firm offering support services to users of Oracle technologies
Job title/description: Middleware specialist, helping companies set up their software infrastructure, including the design of high-availability architectures, capacity planning, and troubleshooting
Location: Utrecht, the Netherlands
Length of time using Oracle products: Seven years

RENÉ VAN WIJK

Company: munz & more, an IT consulting firm with a focus on service-oriented architecture and cloud computing
Job title/description: Director, responsible for handling all consulting tasks, running workshops, and speaking at conferences
Location: Munich, Germany
Length of time using Oracle products: 15 years

FRANK MUNZ

Company: Fujitsu Social Science Laboratory Limited, part of the Fujitsu Group offering system consulting and integration services
Job title/description: IT architect/engineer, responsible for designing, implementing, and supporting systems
Location: Kanagawa, Japan
Oracle credentials: Oracle Master Platinum (a certification level available only in Japan), with 23 years of experience using Oracle products

TOSHIKAZU FUKUOKA


I-HUA CHEN

SECURE YOUR MOST IMPORTANT BUSINESS DATA WHERE IT LIVES: IN THE DATABASE.

GUARD THE CROWN JEWELS

Data breaches continue to make headlines, and they are not just about stolen credit card information anymore. Data breaches are now targeting different industries and different types of information. What’s going on, and what can organizations do to protect their corporate data?

Oracle Magazine sat down with Vipin Samar, vice president of Oracle Database security, to talk about the latest data breaches, how data breach threats are evolving, and how to work with the wide variety of data that needs protection in the enterprise.

BY TOM HAUNERT


BOB ADLER/GETTY IMAGES

Oracle Magazine: Data breaches continue to make news, but they also seem to be changing. What patterns do you see in recent company data breaches?

Samar: The last 12 to 18 months have seen data breaches grow in size, number, and scope. Whether attacks are against retail, telecom, financial services, or entertainment, tens of millions of users are getting breached directly or indirectly. And the attackers are no longer going after just credit card information. Attackers are after the PII—the personally identifiable information—including name, address, e-mail, and so on. And now more than ever before, attackers are going after the IP of the company under attack—which can include e-mail messages, for example, as it did recently with a media company.

Oracle Magazine: Who and where are the attackers, and what are their strategies?

Samar: The attackers are different types of people with different motivations: they may be curious insiders, criminals, “hacktivists,” or even nation-states. But just as the attackers are diverse, the attack vectors—how the attackers attempt to break in—are many and varied. There is no one way to attack information technology. Looking at the common data breach themes over the last 18 months, however, a key strategy of many recent successful attacks has been to get inside the company network not by brute force, but through the use of social engineering, a phishing attack, or some malware to gain access to the company network or endpoints as an authorized user. And once an attacker is inside the network, the company assets are only as safe as the remaining IT security.

Once an attacker has become an insider, that attacker can map the network; read unencrypted, or clear, network traffic; mine the operating system for passwords stored in clear text; and finally get to database targets.

Oracle Magazine: Why are databases the target of attacks?

Samar: Businesses and public sector organizations store much of their customer, partner, employee, and citizen data in databases. And a lot of that data is quite sensitive, ranging from names and addresses to transaction, credit card, supply chain, and customer relationship information. Databases organize this information very well, not only for applications, but also for attackers—if they can get in. Databases store a company’s IP crown jewels, and hence they have become the target of attacks.

When network and endpoint security are breached and the attackers are inside the company gates, they can try different techniques to get at databases. They can attack a database from the network or the operating system, attempt to steal database passwords, or try to bypass database security controls in improperly configured databases. Attacks can also come from the web, through SQL injection attacks that exploit application design flaws.

Encryption Is Key

Encryption is an important level of defense for digital assets in general and databases in particular. But there’s one big challenge with encryption: how do you manage and protect the encryption keys?

“Oracle Key Vault manages your encryption keys, wallets, and credentials, all in one single centralized location. It allows those credentials to be shared—safely—across trusted servers,” says Vipin Samar, vice president of Oracle Database security.

Learn more about Oracle Key Vault at bit.ly/orclkeyvault.

Oracle Magazine: Organizations may have dozens to thousands of databases. How can they develop a comprehensive—and practical—database security strategy for so many databases?

Samar: All data is not equal. Organizations should start by classifying their database data and assigning priorities to it. Then they should assign security controls proportional to the value of the data.

Lowest-priority data includes internal information portal content, internal organization directories, test/development system data, and other nonsensitive content. Attackers often target this information because the host database systems are rarely secured or monitored. Attackers can use these systems to understand more about your security infrastructure, and they can use that understanding to launch subsequent attacks. For this level of data, focus on making sure the latest security patches have been applied, the databases are properly configured, and privileged user database auditing is in place. I call this bronze-level security.

The next data priority level includes corporate internal information, such as order tracking and transaction data. For this level of data, confirm that you have bronze-level security, and then secure your data with encryption on production databases and on the network. And because sensitive production data ends up on unsecured test and development systems, mask the data on those unsecured systems. I call this silver-level security.

The next data priority level includes information that has specific regulatory requirements, such as PII, credit card, or health information. For this level of sensitive data, confirm that you have silver- and bronze-level security and then focus on restricting access. For example, you can redact sensitive fields for call centers, restrict privileged users from accessing sensitive data, and monitor SQL traffic for unauthorized use. I call this gold-level security.

The last and highest data priority level includes the corporate IP crown jewels—quarterly report information, M&A plans, source code, and so on. For this level of data, confirm that you have gold-, silver-, and bronze-level security and then focus on command and control by controlling database operations, analyzing and revoking unused privileges, blocking unauthorized SQL traffic, and auditing comprehensively.

This platinum-level security minimizes database attack vectors and helps secure your databases from attacks—whether they are coming from operating systems, internal privileged users, or even SQL injection.
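The four levels described in the interview are cumulative: each one assumes every lower level is already in place. The following is an added example, not code from the article or from Oracle, that runs a gap analysis over a constructed inventory; the control identifiers (paraphrased from the article's lists), the database names, and the inventory itself are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Tier order, lowest to highest data priority, as named in the article.
TIERS = ("bronze", "silver", "gold", "platinum")

# Controls each tier ADDS. The snake_case identifiers are labels invented for
# this example; they paraphrase the controls listed in the article.
TIER_CONTROLS = {
    "bronze": {"patching", "secure_configuration", "privileged_user_audit"},
    "silver": {"encrypt_stored_data", "encrypt_network_traffic",
               "mask_test_dev_data"},
    "gold": {"redact_sensitive_fields", "restrict_privileged_access",
             "monitor_sql_traffic"},
    "platinum": {"control_db_operations", "analyze_unused_privileges",
                 "block_unauthorized_sql", "comprehensive_audit"},
}


@dataclass
class Database:
    name: str
    data_tier: str                       # classification of the data it holds
    applied: set = field(default_factory=set)  # controls actually in place


def required_controls(tier):
    """Cumulative requirement: a tier needs its own controls plus all lower tiers'."""
    needed = set()
    for t in TIERS[: TIERS.index(tier) + 1]:
        needed |= TIER_CONTROLS[t]
    return needed


def effective_tier(applied):
    """Highest tier fully satisfied from the bottom up; None if bronze is incomplete."""
    achieved = None
    for t in TIERS:
        if not TIER_CONTROLS[t] <= applied:
            break
        achieved = t
    return achieved


def gap_report(inventory):
    """Return databases with missing controls, highest-priority data first."""
    rows = []
    for db in inventory:
        missing = required_controls(db.data_tier) - db.applied
        if not missing:
            continue
        rows.append({
            "name": db.name,
            "data_tier": db.data_tier,
            "effective_tier": effective_tier(db.applied),
            # Group gaps by the tier that introduces each control.
            "missing": {t: sorted(TIER_CONTROLS[t] & missing)
                        for t in TIERS if TIER_CONTROLS[t] & missing},
        })
    rows.sort(key=lambda r: (-TIERS.index(r["data_tier"]), r["name"]))
    return rows


# Constructed sample inventory (hypothetical database names).
_B, _S, _G = (TIER_CONTROLS[t] for t in ("bronze", "silver", "gold"))
INVENTORY = [
    Database("hr_directory", "bronze", {"patching", "secure_configuration"}),
    Database("order_tracking", "silver", _B | _S),
    Database("card_payments", "gold", (_B - {"patching"}) | _S | _G),
    Database("mna_plans", "platinum", _B | _S | _G),
]

if __name__ == "__main__":
    for row in gap_report(INVENTORY):
        print(row["name"], "holds", row["data_tier"], "data; effective level:",
              row["effective_tier"], "; missing:", row["missing"])
```

In the sample, the database holding gold-classified data has every gold and silver control yet reports no effective level, because one bronze control (patching) is absent.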

IN THIS ISSUE

Oracle ACE Director and PL/SQL evangelist Steven Feuerstein explores when to use and not to use dynamic SQL in his column for this issue: “Dynamically Dangerous Code” (see page 43). As part of that journey, Feuerstein looks at how to protect your company’s data by protecting against SQL injection.

In this issue’s “On More-Secure Applications” (see page 51), database evangelist and Oracle Magazine technology advisor Tom Kyte addresses a question about how to maximize security in database application design. Kyte’s answer features multiple security design priorities (including least privilege, multiple schemas, and bind variables), pointers to several Oracle Database security references, and a discussion of different levels of defense available for Oracle Database.

Read more about Oracle Database security at bit.ly/sqlinjproof, bit.ly/2daysecure, and bit.ly/odsavdf.

NEXT STEPS

LEARN more about Oracle Database security
oracle.com/database/security
oracle.com/technetwork/database/security

WATCH a discussion of Oracle Database security solutions
bit.ly/omagdbsecvid

Tom Haunert is editor in chief of Oracle Magazine.

PRIORITIZE DATA AND SECURITY

Database data is assigned four different priority levels and prescribed four levels of data protection.

ALL DATA IS NOT EQUAL

BRONZE (Nonsensitive): Data in internal portals, organization directories, and test/dev systems
SILVER (Corporate/Internal): Data in business transactions and orders
GOLD (Regulatory): Customer facing, personally identifiable information subject to compliance and other regulation
PLATINUM (Highly Sensitive/Restricted): Corporate intellectual property includes data in quarterly results, M&A plans, and source code

MAP SECURITY CONTROLS TO DATA

BRONZE (Secure Configuration): Scan and patch software; secure database configuration; audit sensitive activities
SILVER (Secure Data): Encrypt stored data; encrypt network traffic; mask and subset data
GOLD (Secure Access): Redact application data; restrict DBA access; monitor SQL traffic
PLATINUM (Command and Control): Control database operations; analyze runtime privileges; block unauthorized SQL traffic; audit comprehensively


ROBERT BIRNBACH

BREAKAWAY SPEED

Specialized Bicycle Components pulls ahead with Oracle engineered systems and software solutions.

BY DAVID BAUM

When Ron Pollard joined Specialized Bicycle Components in 1996, the company was already growing fast. A pioneer in e-commerce, Specialized had implemented a B2B web portal to take online orders from its dealers. But as the years passed and the business grew—from 6 subsidiaries throughout North America to 40 subsidiaries throughout the world by 2015—it became clear that Specialized lacked the hardware infrastructure it needed to keep up with escalating customer demands.


“Thanks to what we can learn from social media, relationships are getting tighter between manufacturers and consumers,” says Ron Pollard, CIO at Specialized Bicycle Components. “New types of data are supplementing traditional datasources to help us gain insight and connect with our customers.”

Super and More

Oracle SuperCluster engineered systems are ideal for Oracle Database and DBaaS implementations. Oracle ZFS Storage Appliance delivers enterprise-class network-attached storage. Through coengineering and integration with Oracle Database, Oracle ZFS Storage Appliance complements the extreme performance of engineered systems, including Oracle SuperCluster.

Pollard, who now serves as CIO for the Morgan Hill, California–based company, found himself at a crossroads when Specialized’s order-entry system started to bog down under the crushing load of 20,000 dealers in 40 countries.

“It used to take seconds to submit an order, but we reached the point where it sometimes took minutes,” he recalls. “We were getting crippled by order volume as our business expanded. We did have very reliable hardware, but after adding three or four subsidiaries every year for eight years, it was time to upgrade to a more powerful platform.”

In addition to difficulty supporting the growing transaction volume, Specialized’s legacy infrastructure lacked the availability, virtualization, and scalability that management needed to move forward with plans for expansion in Asia and elsewhere. There was no redundancy or failover for the company’s core information systems, so if a critical application or hardware component failed, the B2B portal would go down.

STREAMLINING IT WITH ENGINEERED SYSTEMS

As Pollard and his team set out to address these performance and availability issues, they didn’t just want to upgrade to a more powerful server. They sought a transformative solution that would simplify IT and modernize the data center. After a thorough evaluation, they decided to replace legacy servers with an Oracle SuperCluster T5-8. Specialized also purchased an Oracle ZFS Storage ZS3-2 appliance and a StorageTek SL150 modular tape library to replace a legacy NetApp system, providing a more modern environment for development, production, disaster recovery, and archiving.

Today the Oracle SuperCluster and attached storage environment anchors Specialized’s B2B portal, which handles 70 percent of corporate revenue. The Oracle SuperCluster system also runs the company’s enterprise resource planning applications, Oracle Taleo Enterprise Cloud Service applications, and production Oracle Database. The hardware/software platform optimizes performance while minimizing complexity in the data center.

“When we went to Oracle SuperCluster from the legacy system, we saw a night-and-day difference for our dealer base,” Pollard reports. “We benchmarked 60 critical processes, and the performance was an average of 17 times faster—in some cases much more—with Oracle SuperCluster. For example, our account reconciliation report used to take 20 hours to run and now it takes 20 minutes.”

Specialized also experienced marked improvements with the new Oracle ZFS storage environment, which currently holds 60 TB of data. For example, the average time to back up production databases dropped from 8 hours to 9 minutes. In addition, system administrators saw a 12-fold increase in the speed with which they could clone databases in their dev/test environment.

The interoperability between Oracle SuperCluster’s embedded ZFS storage system and the external Oracle ZFS Storage ZS3-2 appliance enables direct replication of data, allowing for identical capabilities among the production and dev/test environments. InfiniBand network connections between the two systems ensure exceptional performance for data transfer and load activities.

“I really have to hand it to the Oracle engineers who assisted with our implementation,” Pollard says. “We expected a 3x performance improvement for our critical information systems, but Oracle wasn’t satisfied with that. They kept working with us and tuning the system until we had achieved much more.”

USING INFORMATION TO TIGHTEN THE SUPPLY CHAIN

Specialized depends on Oracle Applications and Oracle technology products to run its business, including Oracle E-Business Suite, Oracle’s Agile solutions, Oracle Hyperion solutions, Oracle Business Intelligence, and Oracle Database. Because this software runs so well on the Oracle SuperCluster platform, Specialized has had no trouble ramping up its order processing capacity from 10,000 to 40,000 transactions per hour. Its Oracle-based information systems have also enabled the accounting department to reduce the average financial book closing from seven days to five.

The inherent synergy among Specialized’s Oracle-based business processes enables a lean manufacturing environment in which order entry, inventory management, supply chain planning, and assembly operations are tightly integrated. Sharing real-time information between assemblers and dealers removes waste from the supply chain and eliminates repeated queries about product availability.

“We are constantly posting availability dates from our assemblers so our dealer base knows what is available, and we can assess our monthly order quantities to regional distribution centers,” Pollard explains, adding that without these real-time status updates Specialized would end up with “too much inventory in the wrong places.”

Specialized is in the process of setting up automated replenishments at its global distribution center in Hong Kong to create a pull-based replenishment system for its inventory. Once this system is online, instead of front-loading inventory at the regional distribution centers, Specialized will be able to monitor daily inventory depletion and automatically replenish the regional distribution centers from the global distribution center. Over time, Pollard expects that this system will shorten lead times and speed up inventory turns for the burgeoning Asian market, especially for items that have relatively constant demand.

Big Data, Social Analytics, and the Internet of Things

As part of its evolving business intelligence (BI) strategy, Specialized Bicycle Components plans to use its Oracle Exalytics engineered system with Oracle Business Intelligence for a wide range of analytic activities. For example, Specialized plans to analyze customer feedback from social media channels by gathering information from social media feeds, tweets, blog entries, search indexes, and click streams to gain greater insight into customer preferences, purchase patterns, and service histories.

Specialized CIO Ron Pollard sees this type of BI initiative as an important step for the manufacturing sector. “Thanks to what we can learn from social media, relationships are getting tighter between manufacturers and consumers,” he explains. “For example, we are very interested in learning more about our customers’ riding habits. What do you like about your bike? Are you getting the best use out of the product? When do you need a tune-up?”

Analysts at Specialized are starting to gather data from the company’s enterprise applications and combine it with the data from social networks to better understand customer attitudes. Specialized is also forming tighter online relationships with its riders and athletes, both on the road and at its test facility, where the company has a highly advanced wind tunnel to test Specialized bikes and components under all types of conditions.

In a related effort, Specialized plans to collect and analyze data from sensors that measure the performance of certain bicycle components in conjunction with the riding performance of participating cyclists, both on the road and in the wind tunnel. “The Internet of Things allows us to pull together data about everybody’s riding activities and ultimately make the community much tighter,” Pollard notes. “New types of data are supplementing traditional datasources to help us gain insight and connect with our customers.”

SNAPSHOT

Specialized Bicycle Components
specialized.com
Headquarters: Morgan Hill, California
Industry: Manufacturing
Employees: 300
Oracle products and services: Oracle E-Business Suite, Oracle’s Agile solutions, Oracle Business Intelligence Enterprise Edition, Oracle Hyperion solutions, Oracle Database, Oracle SuperCluster T5-8, SPARC T4-2 servers, Oracle Exalytics, Oracle ZFS Storage ZS3-2, StorageTek SL150, Oracle Consulting

“This system will make us much more efficient and ensure that dealers receive their fair share of inventory each month,” Pollard explains. “Our long-term goal is to give dealers visibility clear back to the assembly phase. They will know the delivery dates by which we will have inventory replenished. Having accurate visibility into inventory gives us a huge competitive advantage.”

CRAFTING A BI STRATEGY TO GUIDE THE FIRM

Specialized is the #1 bike brand in the world, and arguably one of the most popular bike brands in history. To ensure that the company can continue to deliver the products its customers demand, Pollard and his team are defining an advanced analytics strategy based on Oracle Business Intelligence software and an Oracle Exalytics engineered system.

“The Oracle Business Intelligence implementation will give us real-time information that people can react to daily, rather than reports that are often a week old,” says Pollard. “With our current BI system, our inventory is moving so fast that by the time somebody pulls together a report the situation may have changed and the data may be out of date.”

By contrast, the new Oracle Exalytics system will enable managers to drill into real-time inventory and sales data, from high-level summaries to low-level details. This type of analysis is especially important for demand planning. Specialized has 900 types of bikes and thousands of equipment SKUs. Demand planners have to create monthly forecasts so the factories can adjust their capacity to meet dealer expectations. Previously, it was nearly impossible for dealers to analyze their inventory positions and submit their orders on time.

“In the past, data analysis was very inefficient,” confirms Pollard. “We believe Oracle Business Intelligence will give us the insight we need to better interact with our dealer base about current inventory.”

The evolving BI environment will also help Specialized’s marketing department allocate funds among social media, advertising, direct response, and other marketing campaigns.

“Oracle Applications tie directly into Oracle Business Intelligence so the data flows naturally, without a lot of setup on our part,” concludes Pollard. “Now that we are running our business on one cohesive infrastructure, we have not only improved performance but also dramatically simplified maintenance and administration. That’s the real selling point of Oracle engineered systems.”

David Baum is a freelance writer who specializes in the intersection of science, technology, and culture.

NEXT STEPS

WATCH Specialized in action
bit.ly/1IEkEuE

LEARN more about
Oracle SuperCluster
oracle.com/engineered-systems/supercluster
Oracle Exalytics In-Memory Machine
oracle.com/engineered-systems/exalytics
Oracle ZFS Storage Appliance
oracle.com/storage/nas


At the company headquarters in Morgan Hill, California, Specialized Bicycle Components analyzes rider position and bicycle performance in its state-of-the-art wind tunnel.


MEMORABLE PERFORMANCE

Swiss insurance leader Die Mobiliar deploys Oracle Database In-Memory to speed business analytics.

BY PHILIP J. GILL

Founded in 1826, Die Mobiliar is the oldest insurance firm in Switzerland. From its headquarters in Berne, the national capital, the company’s network of 160 offices and more than 4,000 employees provides home, car, accident, and risk management insurance and other financial services to more than 1.6 million individuals and businesses throughout the Alpine country’s 26 cantons. In late 2014, Mobiliar found itself with a database inventory not uncommon to firms with long histories and technology acquired via mergers and acquisitions. The company’s IT included IBM mainframe and DB2 database technology, Microsoft SQL Server, and Oracle Database, as well as a raft of legacy COBOL applications.

“As you can imagine, it’s very difficult to deliver three different database systems simultaneously,” says Paolo Kreth, team leader for database management systems at Mobiliar. “You need different technicians for each, you need different hardware for each, and you need different licensing for each.”

Management at Mobiliar realized that maintaining three databases was no longer feasible, nor did that fit the company’s long-term plans. “We had decided to get off the mainframe and move toward Java and open systems,” explains Jochen Maas, head of base service, IT operations, at Mobiliar. “The key to getting off the mainframe was finding the right database to support that strategy.”

Mobiliar was running several instances of Oracle Database 11g, including one that supports its call center’s Siebel Customer Relationship Management (Siebel CRM) applications from Oracle, and the company decided its new strategic database platform going forward would be Oracle—specifically, Oracle Database 12c with the Oracle Database In-Memory option.

Database Storage: Row Format Versus Column Format
Transactions run faster in row format. Analytics run faster in column format.
ROW: Row format is best for fast processing of few rows and many columns. Use case: Insert or query one sales order.
COLUMN: Column format is best for fast accessing of few columns and many rows. Use case: Report on sales totals by region.

Management at Die Mobiliar decided to move off the mainframe. “The key to getting off the mainframe was finding the right database to support that strategy,” explains Jochen Maas, head of base service, IT operations, at Mobiliar.

“We chose Oracle to become our strategic database,” says Kreth. “We plan to stop using DB2 over the next 10 years. We need that time frame because all our core applications on the mainframe are written in COBOL.”

Oracle’s stewardship of Java was one factor in the database decision, says Kreth. “Going with Oracle Database will closely align us with Java technology,” he notes.

But more important in the database decision were the performance improvements that the Oracle Database In-Memory option offered to existing applications without changes or fine-tuning. “With the Oracle Database In-Memory option, we can improve an application’s performance in minutes,” says Kreth.

Oracle Database In-Memory adds a new in-memory column store to Oracle Database’s existing row format. The row format provides optimal performance for online transaction processing (OLTP), and the in-memory column format delivers the best performance for analytics. (See the “Best of Both Worlds” sidebar for information on Oracle Database In-Memory.)

THREE SCENARIOS

To prove the performance benefits of the Oracle Database In-Memory option, Kreth and his team set up a proof of concept to test three different database scenarios that are typical of the firm’s current operations.

For the first test, the team chose a recurring business operation. “We selected a typical business case at Mobiliar today,” says Kreth. “When we sell to a new customer, that customer’s information is entered in a DB2 database, but that data isn’t visible to the sales data warehouse until the contract is signed. But that happens later, and we can’t go back two days after a customer has signed a contract and say, ‘Hey, if you also bought car insurance from us, we could give you this extra discount.’”

Oracle Database 12c (Release 12.1.0.2) was installed on a seven-blade, Intel Xeon–based server with 384 GB of main memory per blade and the Linux operating system. It was then populated with the same data that ran on the firm’s sales data warehouse.

For the first test, the team enabled Oracle Database In-Memory on the seven-blade server and essentially tested the system “as is,” changing only one table partition. Says Kreth, “We wanted to see what would happen if we just took the data, activated the Oracle Database In-Memory option, and did nothing.”

The answer confirmed the company’s new database strategy, he says. “Some queries were faster, some were slower, but overall the Oracle Database In-Memory option increased query performance,” he notes. “Our management was very happy. They did not have to worry about a loss of performance because of the change in our database strategy.”

Jochen Maas, head of base service, IT operations (left), and Paolo Kreth, team leader for database management systems at Die Mobiliar, directed a move from the mainframe to Java, open systems, and Oracle Database 12c with the Oracle Database In-Memory option.

DARRIN VANSELOW/GETTY IMAGES

Best of Both Worlds

The Oracle Database In-Memory option is a technology whose time has come, thanks to the availability of inexpensive RAM and a new generation of 64-bit operating systems, says Maria Colgan, master product manager at Oracle.

“Organizations are demanding to be able to analyze their data in real time—without having a negative impact on OLTP [online transaction processing] performance and without having to wait for the classic ETL [extract, transform, and load] process to load into the data warehouse,” says Colgan. “Analytic queries tend to hit a subset of columns out of a table with millions or billions of rows, whereas OLTP applications hit all the columns for a very small number of rows. Having the data structured automatically for both—column-wise for analytic queries and row-wise for OLTP—is a capability that businesses demand.”

To provide the best performance for both OLTP and analytics, the Oracle Database In-Memory option adds a new in-memory column store that allows data to be simultaneously populated in memory in both the traditional row format for OLTP and an in-memory column format for analytics. The new column format complements but does not replace the existing buffer cache, so the data can be held in memory in both column and row formats.

The Oracle Database query optimizer automatically routes queries to the correct format—the column format for analytic queries and the row format for OLTP queries—transparently delivering best-of-both-worlds performance. Oracle Database automatically maintains full transactional integrity and consistency between the formats. And because the new in-memory column format is purely in memory and not persistent on disk, there remains only a single copy of the table in storage (in row format), so there are no additional storage costs or synchronization issues.

SNAPSHOT

Die Mobiliar
mobi.ch
Headquarters: Berne, Switzerland
Industry: Financial services
Employees: More than 4,000
Revenue: CHF 596.4 million in 2014
Oracle products: Oracle Database 12c, Oracle Database In-Memory option, Oracle Database 11g, Siebel Customer Relationship Management applications

In the second scenario, the team tested the Oracle Database In-Memory option on a new executive data warehouse that was under construction. “We worked with the executive data warehouse team to come up with some simulated queries that probably will happen,” explains Kreth. “For some queries, we saw very big improvements—for instance, we had one report that was running in 200 to 300 seconds and it now runs in a second.”

For the third scenario, the test team wanted to see how the company’s 20-year-old risk management system, dubbed RICO, would perform on Oracle Database In-Memory. The team made only a few changes to the partitioning schema of the application, which has its own 1 TB database. “On average, the Oracle Database In-Memory option improved RICO’s application performance between 50 and 200 times,” says Kreth.

IN-MEMORY FOR ALL

As a first step, Mobiliar is upgrading all its existing Oracle Database 11g installations to Oracle Database 12c, and from there, it will activate the Oracle Database In-Memory option on all its Oracle databases over time. The first application to go into production with the Oracle Database In-Memory option was Mobiliar’s new enterprise data warehouse, in April 2015. The new data warehouse runs on the same blade server hardware used for the proof of concept; four blades are being used for development, testing, and integration.

“Currently we have licenses for two blade servers for the Oracle Database In-Memory option,” says Kreth. “But we have signed a contract to license the Oracle Database In-Memory option for even more blades, and over the next year we intend to activate the Oracle Database In-Memory option for all our other production databases.”

“With the current performance results, the Oracle Database In-Memory option has proven its worth,” says Kreth. “We will now be looking to optimize our database designs to work more effectively in memory.”

Philip J. Gill is a San Diego, California–based technology writer and editor.

NEXT STEPS

LEARN more about Oracle Database In-Memory
bit.ly/1G3MoWv
blogs.oracle.com/in-memory


ADVERTISING SUPPLEMENT

PARTNER Q&A

Achieving High Performance and Availability

QLogic and Oracle provide uncompromising availability and native performance in virtualized systems.

Data centers are being pushed to their limits by a number of recent advances in infrastructure technologies. The escalating deployments of servers with multicore processors, aggregation of applications on virtualized servers, and convergence of data and storage infrastructures, along with demanding, high-traffic applications such as database clusters, video-on-demand, and other mission-critical, high-throughput applications, are driving the need for high-bandwidth networking infrastructures and faster server input/output (I/O) solutions.

QLogic offers complete solutions to some of the most complex and newest issues facing the data center. Now, QLogic and Oracle have teamed up to offer virtualization in servers and storage. Michael Geroche, senior OEM sales manager at QLogic, discusses the benefits of single root input/output virtualization (SR-IOV) and the Oracle/QLogic partnership.

What is the most pressing challenge businesses currently face with storage?
Our customers’ enterprise storage workloads require both the highest level of performance and the highest level of availability. These workloads must have bare-metal input/output (I/O) performance that is multipathed, without exception.

What is SR-IOV, and how does it help deliver performance and availability?
SR-IOV is a standards-based architecture for high-performance I/O in virtual environments. Storage I/O resources are made available to each virtualization instance, and these resources are managed by the adapter hardware, not the virtualization Hypervisor. This reduces I/O overhead, maintaining high performance—throughput and low latency—while at the same time scaling to the demands of customers with the highest workload consolidation environments.

What is the importance of I/O resiliency?
I/O resiliency ensures that these virtualized storage connections are available via multiple server resources, and that the highest level of reliability, availability, and service (RAS) is maintained. The storage I/O is resilient to errors and problems that might occur. I/O resiliency greatly improves availability in an SR-IOV environment, and our customers accept nothing less. Multipathing alone is not sufficient to guarantee availability of SR-IOV-based storage. I/O resiliency ensures virtualized storage connections are available when elements of the storage server infrastructure are no longer available, resulting in the highest level of RAS for enterprise storage in a virtualized server architecture.

How are QLogic and Oracle working together to provide cutting-edge innovation in storage?
Oracle and QLogic have partnered to bring networking virtualization techniques to both the server domain, with Oracle VM Server for SPARC, and the storage domain. This is very innovative—we’ve all heard of SR-IOV on the network side of the server, but now we are bringing it to storage. QLogic and Oracle’s development of advanced storage I/O technologies for the virtual enterprise data center has brought cutting-edge, standards-based solutions to the most demanding customer environments. Together, we are adding unique value for our most demanding enterprise customers, in areas of high performance and extreme RAS.

For more information, please visit www.qlogic.com.


Mobile Developer

ORACLE MOBILE APPLICATION FRAMEWORK
BY CHRIS MUIR

Get Mobile and Connected

Consume enterprise web services from mobile apps via data controls in Oracle Mobile Application Framework.

Oracle introduced Oracle Mobile Application Framework in early 2014, with the goal of making the mobile development experience as simple as possible. As you start creating applications for enterprise users with Oracle Mobile Application Framework, small development projects can help you quickly build up your skills while supplying immediate value to those users.

For example, mobile workers might need to contact a fellow employee urgently when traveling but not have that colleague’s information on their smartphone’s contact list. In this column’s hands-on exercise, you’ll solve that problem by using the Oracle Mobile Application Framework extension in Oracle JDeveloper to build a corporate phone book app for users of iOS or Android devices. The app taps into an existing HR employee web service to retrieve employee contact data and populate the phone book.

With the basic skills and Oracle Mobile Application Framework features you learn from this exercise, you’ll be well equipped to start building more-sophisticated apps that can help on-the-go workers be more productive.

GETTING STARTED

Ensure that you’re using the studio edition of Oracle JDeveloper 12c (12.1.3)—available as a free download on Oracle Technology Network—with the Oracle Mobile Application Framework v2.1 extension. You also need either Apple Xcode 6.1 or the Google Android SDK with API 21, configured for deploying and testing Oracle Mobile Application Framework from Oracle JDeveloper. Apple Xcode is available for Macs only; the Android SDK is available for both Mac and Windows PCs. The Oracle Mobile Application Framework documentation provides relevant setup instructions at bit.ly/mafinst.

Download the sample application at bit.ly/omagmaf1, and save the o35maf-2432441.zip file to a local folder on your computer. (Do not use spaces in the folder name.) Unzip the o35maf-2432441.zip file, and then unzip each of the two extracted files. The local folder now contains two subfolders, each containing an Oracle JDeveloper workspace:

• The HrServicesSubset folder contains a demonstration REST HR web service that you’ll run on your PC. (For a real-world application, the web service would be deployed from your corporate infrastructure, not on your local PC, and would be reachable behind the company firewall.) The web service will provide the employee data for your mobile phone book application to retrieve.

• The PhonebookStarterApp folder contains a prebuilt Oracle Mobile Application Framework application workspace that is partially configured to save you time. Items such as the application name, icons, and a hook to the web service—a data control—are prebuilt for you. Data controls are a major productivity booster for developers that you’ll learn about in detail in a future column.

1. In Oracle JDeveloper, select File -> Open and navigate to the directory containing the unpacked zip file content.

2. Open the PhonebookStarterApp folder, and select the Phonebook.jws file. Click Open to load the workspace.

3. Open the HrServicesSubset folder, and open the HrServices.jws workspace. You’ll work with this workspace first, so leave it open in the Application Navigator.

4. In the Application Navigator, expand RestServices -> Application Sources -> oracle.hr.rest, right-click the RestService.java file, and select Run.

5. If you are running Oracle JDeveloper for the first time, you’ll be presented with the Create Default Domain dialog box. Create a password for the default Oracle WebLogic Server domain associated with Oracle JDeveloper, leave the other fields as they are, and click OK. Oracle JDeveloper then creates the default domain and configures it.

6. When the service is up and running, you should see a message like the following in your Oracle JDeveloper log window:

Target URL -- http://127.0.0.1:7101/HrRestServices/

Copy the target URL into your browser, and add the /employees suffix:

http://127.0.0.1:7101/HrRestServices/employees

The page should return a payload of employee data, proving that your web service works as expected.

Figure 1: ViewEmployees.amx page and the initial state of the phone book app in the iOS Simulator

Next, ensure that your environment is set up correctly for mobile development:

7. In Oracle JDeveloper, switch to the Phonebook workspace.

8. For iOS development only:

a. Select Run -> Choose Active Run Configurations -> Manage Run Configurations -> Edit Shared Settings -> iOS Simulator -> Edit -> Mobile Run Configuration, and change the Simulator option to iPhone 5S.

b. Close all the dialog boxes by clicking OK.

c. In the Application Navigator, expand ViewController project -> Web Content -> oracle.phonebook.employees, right-click the ViewEmployees.amx page, and select Run.

The app is now deployed to the iOS Simulator, where it has a heading of Employees and a message that makes it clear that you still have work to do, as shown in Figure 1.

9. For Android development only:

a. Set up and start the Android emulator, by following the instructions in the Oracle Mobile Application Framework documentation, at docs.oracle.com/middleware/maf210/mobile/install/mafig_setup.htm#MAFIG164.

b. Select Run -> Choose Active Run Configuration -> Android Emulator.

c. In the Application Navigator, expand ViewController project -> Web Content -> oracle.phonebook.employees, right-click the ViewEmployees.amx page, and select Debug.

d. Start the app, and look for the Employees blank page.

e. In the Application Navigator in Oracle JDeveloper, select Application Resources -> Connections -> REST, right-click the HrServiceConn connection, and select Properties.

f. In the Edit REST Connection dialog box, replace 127.0.0.1 in the URL Endpoint field with 10.0.2.2. (This value enables the Android emulator to access the web service running on your PC—a change that isn’t required for the iOS Simulator.)

If you encounter any issues, again refer to the Oracle Mobile Application Framework installation documentation. You can also search or post to the Oracle Mobile Application Framework forum, at community.oracle.com/community/oracle-mobile/oraclemaf.

BUILDING THE PHONE BOOK APP

The app’s Employees page is where you’ll build a vertical list of employee names and contact details derived from the external HR web service:

10. If the Employees page isn’t open already, reopen it, by first expanding the ViewController -> Web Content -> oracle.phonebook.employees nodes.

11. Double-click the ViewEmployees.amx file, which contains the source code for the Employees page, to open its editor.

Each AMX file is a page (or a view) in your Oracle Mobile Application Framework application, made up of UI components represented by XML tags at design time. At the moment, the Employees page is made up of a parent-level amx:view tag and then an amx:panelPage tag with an amx:facet header (a named placeholder of the panelPage tag) displaying the “Employees” text as an amx:outputText tag. (Note that the tag names themselves describe the behavior of each component fairly well to help flatten the developer learning curve.)

To meet the requirement to display employee data in the app, you could take a code-centric approach by working in the editor—adding XML tags to represent the list of employee details—and then somehow wire the components to the external web service. But Oracle Mobile Application Framework data controls give you a quicker way to construct pages based on data, whether the data is from an external datasource such as a web service, plain old Java objects (POJOs), or other datasources:

12. On the ViewEmployees.amx page, delete the amx:outputText tag with the value This page intentionally left blank.

Figure 2: Drilling down into a data control


13. In the Application Navigator, expand the Data Controls panel and then HrServiceDataControl.

14. Note the getEmployees() method, which represents the external HR REST web service. Expand the method to see the Return object and then the employees resource. Expand employees to see that the method returns individual Employee objects, as shown in Figure 2.

15. Drag the Employee object into the ViewEmployees.amx source code, dropping the object immediately after the closing </amx:facet> tag and before the closing </amx:panelPage> tag. The resulting menu—a good indicator of the productivity boost that data controls provide—lists all UI layouts and components to which you can wire the web service datasource.

16. Select MAF List View to open the ListView Gallery, shown in Figure 3, where you can choose among several predefined list layouts. Leave the default Simple option selected in the List Formats section. In the Variations section, select the second option from the left, in which the list items are grouped by dividers. Click OK to open the Edit List View dialog box.

17. The Edit List View dialog box determines which data to show in the list and configures the dividers. For the first (and only) element under List Item Content, change Value Binding from EmployeeId to LastName. Then change Divider Attribute from EmployeeId to LastName, and set Divider Mode to First Letter. These selections cause employees to be displayed alphabetically by last name.

18. Click OK, and then select File -> Save All.

Note the new XML tags added to your page, including amx:listView, amx:listItem, and amx:outputText, representing the list of employee last names to display. Each tag has its own properties representing what the tag should do at runtime. Among the properties, you can see code such as

#{bindings.Employee.collectionModel}

This is an expression that binds back to the web service data control that was created for you in the initial application. Data controls and the expression language eliminate the need for you to wire up the components to the data yourself, helping you avoid having to write repetitive, error-prone boilerplate code.

You’re now ready to rerun the app to see the results in the iOS Simulator or the Android emulator:

19. For iOS, right-click the ViewEmployees.amx page and select Run. For Android, right-click the ViewEmployees.amx page and select Debug.

20. Note the employee names, the alphabetical dividers, and the alphabetical selectors down the right side. Try flicking the list up and down to watch how the list view works at runtime, including how the index on the right builds itself as more rows are fetched and displayed.

ADDING FIRST NAMES

Your app now contains a list of employees fetched from the remote web service, but because it displays only last names, employees with the same surname are indistinguishable from one another. Modify the list to include the employees’ first names, too:

21. With the ViewEmployees.amx page open, select the Bindings tab at the bottom of the editor. The bindings page reveals the app’s plumbing—the bindings that connect the UI components with the data objects read from the web service. Note the getEmployees() method you used earlier and the Employee object that was returned as a result.

22. Select the Employee object and then the pencil icon to open the Edit Tree Binding dialog box. At the bottom of the dialog box are the attributes of the Employee object that are available for your page to use. Currently only LastName is on the Displayed Attributes list. Shuttle FirstName, Email, PhoneNumber, and ImageBase64 from the Available Attributes list to the Displayed Attributes list, in any order. Click OK.

23. Return to the editor, and select the Source tab at the bottom.

In the code, note that the amx:outputText component has the value property whose value is the #{row.LastName} expression. Looking at the parent amx:listView and its value property, note that, via the expression, listView works with a collection of employees, stamping out its child tags for every element in the employees collection—in this case, the amx:outputText component. You can think of the listView components as a UI “for loop.” To reference each element, amx:listView defines var="row"—which you see is used in the amx:outputText value for the current row.

24. Change the expression for the value property to

value="#{row.FirstName + ' ' + row.LastName}"

Figure 3: ListView Gallery selections


25. Save all your changes, and run your app again—remembering to select Run for iOS and Debug for Android—to check the changes.

PUTTING FACES TO THE NAMES

Remember that a few steps back, in the Bindings tab of the ViewEmployees.amx page, one of the attributes from the web service you added was ImageBase64. In the external web service, this Base64-encoded string contains an image of each employee. Because you’ve already made this attribute available to the page, it’s trivial to add an image component to the app:

26. On the ViewEmployees.amx page, change the amx:listItem tag so that it now also includes an amx:image tag, as shown in Listing 1.

27. Save everything and then run your app (Run for iOS, Debug for Android). Now you can see the (mostly) smiling faces of your colleagues.

“YOU NEVER WRITE, YOU NEVER CALL”

A phone book application on a mobile device isn’t of much use unless its users can call or send e-mail to contacts through the app. So now you’ll add buttons to invoke the device’s native phone and e-mail apps via the phone book.

28. Along with the ImageBase64 attribute, you also made the PhoneNumber and Email attributes of the remote web service available to the page.

Figure 4: Employee phone book app layout

<amx:listItem id="li1">
  <!-- Employee photo built from the Base64 string returned by the web service -->
  <amx:image id="im1" styleClass="Avatar"
             source="data:image/png;base64,#{row.ImageBase64}"/>
  <amx:outputText id="ot2"
                  value="#{row.FirstName + ' ' + row.LastName}"/>
</amx:listItem>

Code Listing 1: amx:image tag added to amx:listItem

<amx:listItem id="li1">
  <amx:image id="im1"
             source="data:image/png;base64,#{row.ImageBase64}"/>
  <amx:outputText id="ot2"
                  value="#{row.FirstName + ' ' + row.LastName}"/>
  <!-- tel: link hands the phone number to the device's phone app -->
  <amx:goLink id="gl1" url="tel:#{row.PhoneNumber}">
    <amx:image id="im2" styleClass="Icons" source="/images/phone.png"/>
  </amx:goLink>
  <!-- mailto: link hands the address to the device's e-mail app -->
  <amx:goLink id="gl2" url="mailto:#{row.Email}">
    <amx:image id="im3" styleClass="Icons" source="/images/email.png"/>
  </amx:goLink>
</amx:listItem>

Code Listing 2: amx:goLink tags added to amx:listItem

<amx:listItem id="li1">
  <amx:tableLayout id="tl" width="100%">
    <amx:rowLayout id="rl1">
      <amx:cellFormat id="cf1" width="20%" halign="start" valign="middle">
        <amx:image id="im1" styleClass="Avatar"
                   source="data:image/png;base64,#{row.ImageBase64}"/>
      </amx:cellFormat>
      <amx:cellFormat id="cf2" width="55%" halign="start" valign="middle">
        <amx:outputText id="ot2"
                        value="#{row.FirstName + ' ' + row.LastName}" />
      </amx:cellFormat>
      <amx:cellFormat id="cf3" width="12%" halign="start" valign="middle">
        <amx:goLink id="gl1" url="tel:#{row.PhoneNumber}">
          <amx:image id="im2" styleClass="Icons" source="/images/phone.png"/>
        </amx:goLink>
      </amx:cellFormat>
      <amx:cellFormat id="cf4" width="12%" halign="end" valign="middle">
        <amx:goLink id="gl2" url="mailto:#{row.Email}">
          <amx:image id="im3" styleClass="Icons" source="/images/email.png"/>
        </amx:goLink>
      </amx:cellFormat>
    </amx:rowLayout>
  </amx:tableLayout>
</amx:listItem>

Code Listing 3: Three tags added to amx:listItem


To hook them into the page, add the two amx:goLink tags as children to the amx:listItem tag after the amx:outputText component, as shown in Listing 2.

Note that the amx:goLink components use a URL with the tel: and mailto: prefixes. On mobile devices, these URL schemes enable one application to call another and pass values for the other app to use. In this case, you invoke the phone and mail apps on your mobile device, passing in the phone number and e-mail address, respectively. (Your apps can use the same mechanism to call other apps, such as Twitter or LinkedIn, with their respective URL schemes.)

Now make a few final changes to the layout so that all the information for each employee is on a single line in the phone book, as shown in Figure 4.

29. Add amx:tableLayout, amx:rowLayout, and amx:cellFormat tags, as shown in Listing 3.

30. Run (use Debug for Android) your app one more time, and view the results.

31. If you’re using the Android emulator, select one of the contacts and then the phone or mail icon for that contact to see the results. (The iOS Simulator doesn’t emulate invoking either the phone or e-mail app from your Mac.)

In the Android emulator, the phone and e-mail apps open with the preseeded contact details. (Ensure that you’ve set up an e-mail account on the e-mail app beforehand, so that the e-mail app doesn’t fail with a nonaccount error.)
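The listings bind the PhoneNumber, Email, and ImageBase64 fields returned by the web service directly into tel:, mailto:, and data: URIs, so whatever the service returns is handed to another app or to the image renderer. The following JavaScript is an added example, not code from the article or from Oracle Mobile Application Framework; it shows one way to validate those three fields before a URI is built. The function names, the size limit, and the sample rows are assumptions.

```javascript
"use strict";

// Added example: validate web-service fields before they become URIs.
// Field names (PhoneNumber, Email, ImageBase64) are the article's; the
// function names and the size limit are assumptions for this sketch.

const MAX_IMAGE_B64_CHARS = 200000;   // assumed cap on the encoded image size
const PNG_B64_PREFIX = "iVBORw0KGg";  // Base64 of the leading PNG signature bytes

// Accept only digits and common separators, then emit a normalized tel: URI.
// Anything else (letters, ';', ',', '#', '*') makes the value unusable.
function toTelUri(phone) {
  if (typeof phone !== "string") return null;
  const trimmed = phone.trim();
  if (!/^\+?[0-9 ().-]+$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 3 || digits.length > 15) return null;
  return "tel:" + (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Accept exactly one plain address. '?', '&', ',' and whitespace never match,
// so the value cannot add header fields or extra recipients to the mailto: URI.
function toMailtoUri(email) {
  if (typeof email !== "string") return null;
  const m = /^([A-Za-z0-9._+-]{1,64})@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/
    .exec(email.trim());
  if (!m) return null;
  return "mailto:" + encodeURIComponent(m[1]) + "@" + m[2].toLowerCase();
}

// The page declares image/png, so require well-formed Base64 that starts
// with the PNG signature and stays under the size cap.
function toPngDataUri(b64) {
  if (typeof b64 !== "string") return null;
  if (b64.length === 0 || b64.length > MAX_IMAGE_B64_CHARS) return null;
  if (b64.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  if (!b64.startsWith(PNG_B64_PREFIX)) return null;
  return "data:image/png;base64," + b64;
}

// Build the three link values for one Employee row. A null result means the
// corresponding component should not be rendered for that row.
function safeContactLinks(row) {
  return {
    tel: toTelUri(row.PhoneNumber),
    mailto: toMailtoUri(row.Email),
    image: toPngDataUri(row.ImageBase64),
  };
}

// Constructed sample rows (not data from the article's HR service).
// The first ImageBase64 value is only a PNG signature plus the start of the
// IHDR chunk, not a displayable image; the second is Base64 of non-PNG text.
const SAMPLE_ROWS = [
  { FirstName: "Ana", LastName: "Example", PhoneNumber: "515.123.4567",
    Email: "ana.example@example.com",
    ImageBase64: "iVBORw0KGgoAAAANSUhEUgAA" },
  { FirstName: "Bo", LastName: "Sample", PhoneNumber: "555-0100;x=1",
    Email: "bo@example.com?cc=other@example.net",
    ImageBase64: "PHN2Zz48L3N2Zz4=" },
];

for (const row of SAMPLE_ROWS) {
  console.log(row.FirstName, row.LastName, safeContactLinks(row));
}
```
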

CONCLUSION

This column introduced you to some of the basic concepts and features in Oracle Mobile Application Framework: AMX pages, web service consumption through data controls, arranging components on a page, and more. You are now on the path to building mobile applications to help others do their everyday jobs without being tied to their desks.

NEXT STEPS

DOWNLOAD the sample application for this article
bit.ly/omagmaf1

READ more about Oracle Mobile Application Framework
oracle.com/maf

WATCH Oracle Mobile Application Framework YouTube training channel
youtube.com/user/OracleMobilePlatform

JOIN the Oracle Mobile Application Framework Google+ community
bit.ly/1A4h5sd

Chris Muir is a senior principal product manager of mobility and development tools at Oracle.


Cloud Developer

BUSINESS ANALYTICS
BY MARK RITTMAN

Upload, Model, Analyze, and Report

Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting with your coworkers.

Oracle Business Intelligence Cloud Service brings the analysis and dashboard capabilities of Oracle Business Intelligence to Oracle Cloud, along with a new self-service interface that makes it easy for nontechnical users to upload and report on departmental data sets. In this article, I’ll demonstrate how to upload a spreadsheet containing sales data to Oracle Business Intelligence Cloud Service, model the data into a dimensional star schema, and then create analyses and a dashboard to be used in a department.

ORACLE BUSINESS INTELLIGENCE CLOUD SERVICE: BRINGING ORACLE BUSINESS INTELLIGENCE TO THE CLOUD

Oracle Business Intelligence Cloud Service, part of the Oracle Cloud platform as a service (PaaS), gives users the ability to upload spreadsheet, file, and other data sets to a secure cloud-based database environment, create simple data models, and then use these to build rich interactive analyses and dashboards that can be secured and shared within a department. Data can be uploaded with Oracle SQL Developer; the Oracle Application Express web services API; or, as I will describe in the article example, Oracle Business Intelligence Cloud Service’s web-based data upload service.

A typical use case for Oracle Business Intelligence Cloud Service is departmental knowledge workers who want to take a set of data they are working on and make it available to others in the organization quickly, without having to involve the IT department in the process.

The example, which uses a Microsoft Excel spreadsheet document as the datasource, steps through the process, from data upload to the final dashboard. To follow along with the example in this article, you will require access to an Oracle Business Intelligence Cloud Service instance, and you will need to download the spreadsheet file I’ll be using from bit.ly/omagbics1.

UPLOAD THE SPREADSHEET AND CREATE THE DATA MODEL

To upload the spreadsheet and create a simple data model to present its data to report developers, follow these steps:

1. Using your web browser, navigate to your Oracle Cloud login page and enter your User Name, Password, and Identity Domain details. After you have logged in, go to the Oracle Business Intelligence Cloud Service home page and click Load Data, as shown in Figure 1.

2. On the Select Data page of the data loader, click Load Data at the top of the page to start the upload process. When prompted, click Upload and select the product_sales_100_rows.xls file from your local file system. After the file contents have uploaded, check the details shown in the preview pane to confirm that the file contents look correct. (There should be rows of transaction data, and the transaction elements should be separated by commas.) Leave the The first line contains header names checkbox checked to tell the data loader that the first row of the file contents contains the column header names, and click Next to continue.

3. On the Select Destination page of the data loader, select New Table for Data Destination and name the table SALES_TRANS_DATA. Then click Next, Next, and OK to accept the upload defaults and complete the upload process.

4. Now that you have uploaded the spreadsheet containing rows of transaction data, you can use the Model feature of Oracle Business Intelligence Cloud Service to create a simple star schema data model for report users to employ when accessing the spreadsheet data. To create this model, return to the Oracle Business Intelligence Cloud Service home page and this time click Model.

Figure 1: The Oracle Business Intelligence Cloud Service home page

5. When the Data Modeler page is displayed, first click Lock to Edit to lock the model so that only you can make changes to it. Then select the SALES_TRANS_DATA table in the Database panel on the left side of the page and click the Table Actions icon to the right of the table name. Select Add to Model -> as Fact and Dimension Tables, as shown in Figure 2.

6. A dialog box displays the columns from your source table, SALES_TRANS_DATA, on the left and areas for the fact table and dimension tables on the right. Update the fact table name to SALES, change the existing dimension table name to CHANNELS, and click Add (next to the Dimension Tables area) to add two more dimension tables, and name them CUSTOMERS and PRODUCTS. Then drag and drop the Source Table columns into the following data model table areas to create your initial data model:

SALES: AMOUNT_SOLD, QUANTITY_SOLD, TIME_ID
CHANNELS: CHANNEL_ID, CHANNEL_DESC, CHANNEL_CLASS
CUSTOMERS: CUST_ID, CUST_CITY, CUST_STATE_PROVINCE
PRODUCTS: PROD_ID, PROD_DESC, PROD_CATEGORY

Then, within each of the dimension table areas, check the checkbox next to the primary key columns—CHANNEL_ID, CUST_ID, PROD_ID—to designate them as primary keys and automatically add those same columns to the SALES fact table; the dialog box looks like Figure 3. Click Next, Create, and Done to create the initial data model and the database view objects.

7. There are two more steps you will want to carry out before creating reports against this data, the first of which is mandatory and the other optional. The mandatory step is to set the default aggregation method for the measures in your fact table. To do this, click the fact table name (SALES) on the New Data Model page (which is now showing). In the Aggregation column for each fact table column, set the aggregation method to Sum for the AMOUNT_SOLD and QUANTITY_SOLD columns, and then click Done.

Figure 2: Adding the table to the data model

Figure 3: Creating the initial data model


8. The final data modeling step, which is optional but recommended, is to create a time dimension table containing dates over the usual business period—with attributes to identify the month, quarter, and year for each of those dates—and link the table back to the SALES fact table. To create this table automatically, click the Model Actions icon (next to Publish Model at the top right of the page) and select Create Time Dimension from the menu. Then in the Create Time Dimension dialog box, name the Database Table DATE_TRANS; check the Year, Quarter, and Month Hierarchy Levels checkboxes; and then click Next and Create. When the dialog box reports that the time dimension was created successfully, click Done.

To join this time dimension table to the fact table, click Create Join on the New Data Model page and join the two tables on SALES.TIME_ID = Time.Date Timestamp. When the join is complete, click the green Save Changes icon (next to the join definition) and then, to complete the data model definition process, click Publish Model to save your changes and make the data model shown in Figure 4 available to other users.

CREATING YOUR ORACLE BUSINESS INTELLIGENCE CLOUD SERVICE ANALYSES AND DASHBOARD

To create a set of sample analyses and include them in a new dashboard, follow these steps that use the data model you created in the previous set of steps:

1. On the Oracle Business Intelligence Cloud Services home page, click Create an Analysis. Using the list of tables and columns displayed in the Subject Areas panel, double-click the CHANNELS -> CHANNEL_DESC column to add it to the Selected Columns area on the right, and then do the same for the SALES -> AMOUNT_SOLD column, so that both columns are listed in the Selected Columns area.

2. Click the Results tab at the top left of the page, and you will see the Amount Sold measure listed by channel name. To show these results graphically, click New View (above the Compound Layout area) and select Recommended Visualization for -> Comparing Percentages to see the Oracle Business Intelligence Cloud Service set of recommended graph types for this type of analysis, as shown in Figure 5.

From the visualization types displayed, choose Pie (Recommended) and click the Remove View from Compound Layout icon (“x”) within the Table view to leave just the pie graph. Save this analysis to the catalog by clicking Save Analysis at the top right of the page. Then, using the Save As dialog box, first create a new folder called First Reports within the Company Shared folder and then save the analysis into this new folder, using the name Sales by Channel Breakdown.

Figure 4: The completed data model

Figure 5: Creating graphs with recommended visualization types

3. Now repeat these steps to create a second analysis called Quantity Sold Over Time using the Time -> Date and SALES -> QUANTITY_SOLD subject area columns, and use the Recommended Visualization for menu to create a time-series line graph that graphs the amount sold over time.

4. Create a third analysis, using this same approach, that shows SALES -> AMOUNT_SOLD broken down by PRODUCTS -> PROD_CATEGORY, and use the Recommended Visualization for menu again to select the best graph type for comparing values, the bar graph. Save this third analysis to the First Reports folder as Product Sales.

5. Finally, create a performance tile to show the sales for the last month in the data set. To do this, create a new analysis using the SALES -> AMOUNT_SOLD and Time -> Month columns, and use the Filter menu item for the Time -> Month column in the Selected Columns area to filter the returned values with Month is equal to / is in 1998 / 03.

Then, on the Results tab, click Add View to add a new Performance Tile view to the analysis, and when it is added to the compound layout, click Edit Analysis in the view to change the label to NEW SALES and the tile style to the second style (which uses white text on a gray background). Click Done and the Results tab, and then click the Remove View from Compound Layout button in the Title and Table views to remove these from the compound layout of the analysis. Save the analysis to the First Reports folder as Amount Sold Tile.

All that’s left now is to create a dashboard to hold these analyses. To do this, from the Oracle Business Intelligence Cloud Service home page, click Create a Dashboard and name the dashboard Sales Dashboard. Save the dashboard in the /Company Shared/First Reports/Dashboards folder, and click OK to start adding content.

With the dashboard editor now open, drag and drop two column objects from the Dashboard Objects panel to create two vertical columns in your dashboard, and use the Catalog panel under the Dashboard Objects panel to add the Amount Sold Tile and Product Sales analyses to the left-hand column and the Quantity Sold Over Time and Sales by Channel Breakdown analyses to the right-hand column. Save the dashboard, which should look like Figure 6.

You have now created your first Oracle Business Intelligence Cloud Service dashboard. You can use it to view and interact with the analyses displayed within it, and you can create additional analyses, dashboard pages, and dashboards as well as upload and add new data to your data model. Other users within your Oracle Business Intelligence Cloud Service instance can view the analyses and dashboards you have created, and you can set up roles to control access to data and reports. Refer to the Oracle Business Intelligence Cloud Service online help, videos, and tutorials at bit.ly/oraclebicshelp for more information.

CONCLUSION

Oracle Business Intelligence Cloud Service makes it possible to quickly deploy analyses and dashboards as part of the Oracle Cloud platform without the need for on-premises software installs or the help of the IT department. In this article, you’ve seen how to quickly create reports and a dashboard that can be shared with coworkers within your department, using simple self-service tools and the ability to upload spreadsheets and other files to create your reporting data set.

NEXT STEPS

LEARN more about Oracle Business Intelligence Cloud Service
bit.ly/1Cft0Dc
bit.ly/oraclebicshelp
bit.ly/oraclebicsoll

READ more Rittman
Rittman Mead blog: rittmanmead.com/blog
Oracle Magazine business intelligence columns: bit.ly/omagbi

DOWNLOAD sample data for this article
bit.ly/omagbics1

Mark Rittman is an Oracle ACE Director and cofounder of Rittman Mead, an Oracle Gold Partner based in the UK, with offices in the US, India, and Australia. Rittman has worked with Oracle’s business intelligence, data integration, and data warehousing products for more than 15 years, and he writes for the Rittman Mead blog, at rittmanmead.com/blog.

Figure 6: The Oracle Business Intelligence Cloud Service dashboard


PL/SQL BY STEVEN FEUERSTEIN

Dynamically Dangerous Code

There’s a right time to use dynamic SQL, but there’s never a right time for SQL injection.

I got a call last week from Bob at extremememe.info. He sounded a little bit irritated.

“I’ve got a real problem on my hands, Steven,” he said. “I followed your advice to create reusable program units rather than one-offs with similar functionality. But now my program is raising errors that I can’t sort out and doing things I never intended.”

It’s never good to hear a programmer worrying about a program with a will of its own, so I hopped into my bright-red PLSQLmobile and raced over to Bob’s cubicle.

“Take a look at this,” said Bob. “I’m using my program in our HR system. You’re familiar with the employees table, right? So let’s update the salary of employee 100.”

BEGIN
   em_update_col_value ('employees',
                        'employee_id',
                        100,
                        'salary',
                        1000);
END;
/

Value of salary updated to 1000

“No problem, right? OK, now let’s try to update the department name and...kaboom!”

BEGIN
   em_update_col_value ('departments',
                        'department_id',
                        10,
                        'department_name',
                        'Jolly Fun');
END;
/

ORA-00933: SQL command not properly ended
ORA-06512: at "SYS.DBMS_SQL", line 1053
ORA-06512: at "QDB_BETA.EM_UPDATE_COL_VALUE", line 11
ORA-06512: at line 2

“How,” wondered Bob, with a pained expression on his face, “can it work for one column and not another?”

Without even glancing at Bob’s code, I already had a pretty good idea of the problem—or problems. I grabbed his keyboard and typed.

“And how about this?” I asked.

BEGIN
   em_update_col_value ('employees',
                        'employee_id=employee_id;
                         delete from employees
                         where employee_id',
                        100,
                        'salary',
                        1000);
END;
/

SELECT * FROM employees
 WHERE employee_id = 100
/

No rows found

“Exactly!” shouted Bob, pointing at the screen. “What’s with that? How can my program delete a row from a table when all it contains is an UPDATE statement?”

To Bob I merely said, “Let’s take a look.”

“ALL” IT DOES IS AN UPDATE?

Even before looking at the em_update_col_value procedure, I was pretty certain of a few things, based on what I’d just witnessed:

• The procedure was executing dynamic SQL.
• Bob’s error handling was minimal or nonexistent.
• Bob had taken no precautions against SQL injection.

But I must admit that I was not quite prepared for the awfulness that presented itself to me when Bob opened em_update_col_value in Oracle SQL Developer, as shown in Listing 1.

“See?” said Bob, “No deletes. Just an update. A nice generic procedure for executing an update against any column in any table. Really neat, huh?”

I decided to break the news gently. “Bob, this procedure is a total abomination, but I like your energy and enthusiasm.”

I shared my questions and concerns with him:

• Is this program too reusable to be useful?
• Why is it using DBMS_SQL?
• Where’s the error handling?
• Your program is wide open to SQL injection.

“But don’t feel bad, Bob,” I concluded. “This will be a great learning moment. Shall we explore?” Bob nodded a bit glumly.

WHEN IS REUSABLE TOO REUSABLE?

“Tell me why you wrote this procedure,” I started off.

Bob recounted to me a session from one of my trainings: “You urged us to find every opportunity to reuse code instead of writing the same or similar code in multiple places. I noticed that in at least five places in our code, we executed updates of a single column in a single row. So I figured I could write a single procedure with dynamic SQL and that we then could call that one procedure instead of writing updates over and over again.”

Bob’s justification sounded reasonable on the surface, but in fact it was a big mistake.

It is better to reuse code whenever possible, but only when that is appropriate. There are several reasons this guideline does not apply to single-column updates: dynamic SQL is more complex than static SQL, it executes more slowly than static SQL, it’s harder to make secure, and it’s harder to debug.


So you want to use it only when absolutely necessary—and that is certainly not the case here. In em_update_col_value, dynamic SQL was used for the sake of convenience.

“When it comes to writing SQL in your PL/SQL code,” I admonished Bob, “you should use dynamic SQL only when it is required—when a user needs to supply some additional information at runtime to complete the SQL statement.

“So I suggest that you abandon em_update_col_value and instead go to wherever the procedure is called and replace it with a new procedure call, such as em_update_salary or em_update_last_name.”

“But then I end up with dozens of different procedures!” Bob exclaimed. “Why not just execute the UPDATE directly in my code?”

“You could do that, but if you put each UPDATE inside a procedure, then it is possible you will reuse that procedure—and not duplicate the UPDATE statement,” I responded. “You are also more likely to write better error handling, and you can add functionality to the update later—in just one place—as your requirements change.”

Bob nodded sadly. I could tell he didn’t like having to throw away his generic procedure.

“But I tell you what, Bob: let’s still go through this procedure and draw out some lessons for the right way to construct a procedure that relies on dynamic SQL. You are sure to run into the need soon.” Bob brightened, and off we went.

WHY ARE YOU USING DBMS_SQL?

“First of all,” I told Bob, “let’s do some basic cleanup in your program so that it is easier to focus on the bigger issues. You should use DBMS_SQL only if you have very complex requirements, such as not knowing at compile time how many columns you are querying or how many variables you must bind. Because that is not the case here, EXECUTE IMMEDIATE is a better fit.

“In addition, your IF statement after the UPDATE is verbose and distracting.” I tapped at the keyboard for a minute or two. “Here. What do you think of this?” I asked, pointing to the code in Listing 2.

“Oh, right,” said Bob, “you used a nested subprogram to hide the reporting details. I like the inline CASE expression, too. And really that’s all I need to do with EXECUTE IMMEDIATE? All that other code disappears?”

“That’s correct,” I replied. “There’s no need to declare and manage cursors, no need to parse and then execute. That’s all taken care of for us. Nice, eh?”

WHERE’S YOUR ERROR HANDLING?

“We’re still far from done, though,” I pointed out. “Right now this program assumes that everything is going to proceed without any problem. What’s the chance of that happening? Assume there will be an error. What can we do, then, to make it easier to figure out what went wrong and fix it?”

The challenge with most dynamic SQL requirements is usually not figuring out how to use EXECUTE IMMEDIATE; it’s a simple, elegant statement. No, programmers are much more likely to run into problems constructing the dynamic SQL at runtime. The smallest mistake (forgetting to leave a space between keywords, for example) results in SQL that cannot be parsed.

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_cursor     PLS_INTEGER := DBMS_SQL.open_cursor;
   l_feedback   PLS_INTEGER;
BEGIN
   DBMS_SQL.parse (
      l_cursor,
         'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;',
      DBMS_SQL.native);
   l_feedback := DBMS_SQL.execute (l_cursor);

   IF l_feedback > 0
   THEN
      DBMS_OUTPUT.PUT_LINE (
         'Value of ' || update_col_in || ' updated to ' || value_in);
   ELSE
      DBMS_OUTPUT.PUT_LINE (
         'Update of ' || update_col_in || ' to ' || value_in || ' failed.');
   END IF;

   DBMS_SQL.close_cursor (l_cursor);
END;
/

Code Listing 1: The original—and awful—em_update_col_value procedure

So any program that contains dynamic SQL should do the following:

• Assign the dynamically constructed SQL statement to a variable and then use EXECUTE IMMEDIATE on that variable
• Add an exception handler that logs the error along with the variable containing the SQL statement
• Reraise the exception so that the calling program knows that something went wrong

Applying these principles, Bob and I updated the em_update_col_value procedure to the code in Listing 3.

The new em_error_log_pkg.log_error procedure (called in the updated em_update_col_value procedure) should write out to a log table all of the following:

• SQLCODE – the current error code
• DBMS_UTILITY.FORMAT_ERROR_STACK – the current error message and/or stack (I recommend that you use this instead of SQLERRM)
• DBMS_UTILITY.FORMAT_CALL_STACK – the execution call stack, answering the question “How did I get here?”
• DBMS_UTILITY.FORMAT_ERROR_BACKTRACE – the trace back to the line number on which the error was raised
• Any information passed to the procedure by the application developer (in this case, the value of l_statement)

Assume for this article, however, that the log_error procedure simply displays the value of l_statement with a call to DBMS_OUTPUT.PUT_LINE.
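A fuller log_error than the DBMS_OUTPUT stand-in assumed above, writing the listed items to a table from an autonomous transaction. This is an added example, not the article's or Oracle's code; the em_error_log table, its columns and the app_info_in parameter name are assumptions.

```plsql
-- Added example, not code from the article. The em_error_log table, its
-- columns and the parameter name app_info_in are assumed names.
CREATE TABLE em_error_log
(
   logged_at     TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
   logged_by     VARCHAR2 (128) DEFAULT USER NOT NULL,
   error_code    INTEGER,
   error_stack   VARCHAR2 (4000),
   call_stack    VARCHAR2 (4000),
   backtrace     VARCHAR2 (4000),
   app_info      CLOB
)
/

CREATE OR REPLACE PACKAGE em_error_log_pkg
IS
   -- Call from inside an exception handler, then reraise in the caller
   PROCEDURE log_error (app_info_in IN VARCHAR2 DEFAULT NULL);
END em_error_log_pkg;
/

CREATE OR REPLACE PACKAGE BODY em_error_log_pkg
IS
   PROCEDURE log_error (app_info_in IN VARCHAR2 DEFAULT NULL)
   IS
      -- The log row commits on its own, so it survives the rollback that
      -- usually follows the error in the calling transaction
      PRAGMA AUTONOMOUS_TRANSACTION;

      -- SQLCODE cannot be used directly in a SQL statement, so everything
      -- is captured into local variables before the INSERT
      l_code        PLS_INTEGER := SQLCODE;
      l_stack       VARCHAR2 (4000)
         := SUBSTRB (DBMS_UTILITY.format_error_stack, 1, 4000);
      l_call        VARCHAR2 (4000)
         := SUBSTRB (DBMS_UTILITY.format_call_stack, 1, 4000);
      l_backtrace   VARCHAR2 (4000)
         := SUBSTRB (DBMS_UTILITY.format_error_backtrace, 1, 4000);
   BEGIN
      INSERT INTO em_error_log (error_code, error_stack, call_stack,
                                backtrace, app_info)
           VALUES (l_code, l_stack, l_call, l_backtrace, app_info_in);

      COMMIT;
   EXCEPTION
      WHEN OTHERS
      THEN
         -- A failed log write must not replace the error being logged;
         -- end the autonomous transaction and let the caller reraise
         ROLLBACK;
   END log_error;
END em_error_log_pkg;
/

-- Most recent failures first, with the statement that was attempted
SELECT logged_at, logged_by, error_code, error_stack, app_info
  FROM em_error_log
 ORDER BY logged_at DESC
/
```

When the statement passed in is built with bind placeholders such as :my_value, the logged text records the shape of the statement and not the values users supplied.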

I asked Bob to run the following block again, against the latest version of the em_update_col_value procedure, to see if it would help with the “ORA-00933: SQL command not properly ended” error message he received when he ran the block against the first version of em_update_col_value. Bob ran

BEGIN
   em_update_col_value ('departments',
                        'department_id',
                        10,
                        'department_name',
                        'Jolly Fun');
END;
/

And then we saw this output, in addition to the error stack:

BEGIN update departments
set department_name = Jolly Fun
where department_id = 10; END;

“D’oh!” Bob groaned. “Well that’s obvious enough—now that I can see the string. I forgot to put single quotes around the value. When it’s a number, no problem. When the value is a string, big problem!”

Bob grabbed the keyboard and a moment later had the problem “fixed.”

l_statement :=
      'BEGIN update '
   || table_in
   || ' set '
   || update_col_in
   || ' = '''
   || value_in
   || ''' where '
   || pkey_col_in
   || ' = '''
   || pkey_value_in
   || '''; END;';

I nodded. “Yep, that fixes the specific problem caused by string values, but the main lesson here is this: assign that expression to a variable so you can easily trace and log the value. You will then be able to diagnose the problem—and achieve the proper dynamic SQL statement construction—much more quickly.”

Bob smiled. One less bug to worry about. Then he frowned. “But what about the deletion from my table? That was really weird, and I have a feeling we haven’t fixed that yet.”

WHAT IS SQL INJECTION?

“You read my mind, Bob. That’s right. That problem—and it is far and away the most serious problem with your procedure—still lurks. And it has a name: SQL injection.

“SQL injection occurs when users insert their own text into your SQL statement and cause it to do things you never intended—such as delete a row.”

“Two questions: How could that possibly happen, and how do I make sure it can’t happen?” Bob asked.

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   PROCEDURE report_results
   IS
   BEGIN
      DBMS_OUTPUT.PUT_LINE (
            'Value of '
         || update_col_in
         || CASE SQL%ROWCOUNT WHEN 0 THEN ' NOT' END
         || ' updated to '
         || value_in);
   END;
BEGIN
   EXECUTE IMMEDIATE
         'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;';

   report_results;
END;

Code Listing 2: The updated—but still flawed—em_update_col_value procedure

“Right,” I responded. “Let’s go back to that delete example I gave you and run it with our new, error-handling-enriched version of the em_update_col_value procedure, but this time I will comment out the semicolon (;) before the delete to force an error.”

BEGIN
   em_update_col_value ('employees',
                        'employee_id=employee_id /*;*/
                         delete from employees
                         where employee_id',
                        100,
                        'salary',
                        1000);
END;
/

BEGIN update employees set salary = 1000
where employee_id=employee_id
/*;*/ delete from employees
where employee_id = 100; END;

“With a semicolon just before the DELETE keyword, a malicious user terminates the UPDATE statement (which is setting everyone’s salary to 1000) and then starts a brand-new statement inside the block, performing a DELETE. Those semicolons embedded in PL/SQL blocks can really wreak havoc!”

Bob sighed and nodded. “OK, now I see what is going on. What can I do about it?”

“First, Bob, I need to set expectations properly. SQL injection is a security issue. This means that you need to engage with your chief security officer to make sure you are following all of extremememe’s guidelines. It is also a very specialized topic, and I am not a security specialist. So I will share with you some basic steps you should take to shore up your defenses, but I also encourage you to check out the excellent ‘How to write SQL injection proof PL/SQL’ white paper, available on Oracle Technology Network at bit.ly/sqlinjproof.”

I then presented the following concerns regarding the latest version of the em_update_col_value procedure to Bob:

1. The procedure includes unnecessary construction and execution of a dynamic PL/SQL block.
2. Users can pass their own strings directly to the procedure.
3. The procedure does not check to make sure the table or column names are valid.

I elaborated on each of these to Bob:

1. Dynamic PL/SQL—a string that starts with “DECLARE” or “BEGIN” and ends with “END;”—is much more vulnerable to injection than dynamic SQL (a data manipulation language [DML] or data definition language [DDL] statement), because you can execute procedural logic, invoke stored program units, and so on.

So if you are not actually executing PL/SQL code, do not put your SQL statements inside a PL/SQL block. In the em_update_col_value procedure, the assignment to the local variable should be nothing more than

l_statement :=
      'update '
   || table_in
   || ' set '
   || update_col_in
   || ' = '''
   || value_in
   || ''' where '
   || pkey_col_in
   || ' = '''
   || pkey_value_in
   || '''';

Take the Challenge

Each PL/SQL article offers a quiz to test your knowledge of the information provided in it. The quiz appears below and also at PL/SQL Challenge (plsqlchallenge.com), a website that offers online quizzes on the PL/SQL language. Your quiz:

I execute the following statements:

CREATE TABLE plch_persons
(  pky   INTEGER PRIMARY KEY,
   nm    VARCHAR2 (100))
/

CREATE TABLE plch_trees
(  pky   INTEGER PRIMARY KEY,
   nm    VARCHAR2 (100))
/

BEGIN
   INSERT INTO plch_persons
        VALUES (1, 'Sam');

   INSERT INTO plch_trees
        VALUES (1, 'Oak');

   COMMIT;
END;
/

Which of the following choices create(s) a procedure named PLCH_SHOW_NAME so that after the following block executes, both “Oak” and “Sam” are displayed on the screen?

BEGIN
   plch_show_name ('PLCH_TREES', 1);
   plch_show_name ('PLCH_PERSONS', 1);
END;
/

a.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
BEGIN
   EXECUTE IMMEDIATE
      'DECLARE l_value VARCHAR2(100);
       BEGIN SELECT nm INTO l_value
       FROM '
      || table_in
      || ' WHERE pky = '
      || pky_in
      || '; DBMS_OUTPUT.PUT_LINE (l_value);
       END;';
END;
/

b.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'BEGIN SELECT nm INTO :val FROM '
      || table_in
      || ' WHERE pky = '
      || pky_in
      || '; END;'
      USING OUT l_value;

   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

c.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'SELECT nm FROM ' || table_in || '
       WHERE pky = ' || pky_in
      INTO l_value;

   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

d.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'SELECT nm FROM '
      || DBMS_ASSERT.sql_object_name (table_in)
      || ' WHERE pky = :pky'
      USING pky_in
      INTO l_value;

   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

2. An end user should never be able to directly insert text into a string executed dynamically. If this is allowed, it will always be very difficult to stop injection.

User inputs should be tightly constrained and then checked before they are used in a dynamically constructed string. There is no general solution for performing this task. You must analyze each use case and decide how to guard your database from injection. The first step is to avoid concatenation whenever possible and instead bind variable values into the string. You cannot inject into variables!

I updated em_update_col_value to use bind variables and showed it to Bob:

BEGIN
   l_statement :=
         'UPDATE '
      || table_in
      || ' SET '
      || update_col_in
      || ' = :my_value WHERE '
      || pkey_col_in
      || ' = :my_pky';

   EXECUTE IMMEDIATE l_statement
      USING value_in, pkey_value_in;

“OK,” said Bob. “I see now that users can’t inject through the values, but what about the table and column names?”

“Right,” I responded. “That brings us to the final point.”

3. This procedure accepts the name of a table and a column and then concatenates them directly into the string. You cannot bind a table name into a SQL statement with the USING clause; the SQL engine needs all that information before binding to ensure that it is a valid SQL statement. Theoretically, injection could still occur if there is concatenation.

“So,” I explained, “first make sure that users can never enter a table name or a column name directly. It sounds unlikely that they’d be able to, doesn’t it? But make sure! Next, you can further guard against injection via object names by using DBMS_ASSERT subprograms to check that the string is the name of a database object and/or is a valid object name.”

l_statement :=
      'UPDATE '
   || DBMS_ASSERT.SQL_OBJECT_NAME (table_in)
   || ' SET '
   || DBMS_ASSERT.SIMPLE_SQL_NAME (update_col_in)
   || ' = :my_value WHERE '
   || DBMS_ASSERT.SIMPLE_SQL_NAME (pkey_col_in)
   || ' = :my_pky';

“So now with a call to DBMS_ASSERT.SQL_OBJECT_NAME, if I pass a ‘bad’ name for the table, I will see

BEGIN
   em_update_col_value (
      'employees; more code here',
      'employee_id',
      1000000,
      'salary',
      1000);
END;
/

ORA-44002: invalid object name

“And if I try to play games with the column name, Oracle Database will reject my effort:”

BEGIN
   em_update_col_value (
      'employees',
      'employee_id;more code here',
      1000000,
      'salary',
      1000);
END;
/

ORA-44003: invalid SQL name

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_statement   VARCHAR2 (32767);

   PROCEDURE report_results ...

BEGIN
   l_statement :=
         'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;';

   EXECUTE IMMEDIATE l_statement;

   report_results;
EXCEPTION
   WHEN OTHERS
   THEN
      em_error_log_pkg.log_error (l_statement);
      RAISE;
END;

Code Listing 3: The further updated em_update_col_value procedure, with error handling

Bob smiled broadly. “I like it when Oracle Database takes care of the heavy lifting for me.”

“Indeed,” I agreed. “But when it comes to SQL injection, Oracle Database makes no promises. You need to do the lion’s share of the work to ensure that your code is not vulnerable to SQL injection.”
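The three hardening steps assembled into one procedure, followed by a block that replays the article's own problem calls and checks each outcome. This is an added example, not the article's code: the em_demo_* scratch tables, their rows and the expect_rejected helper are constructed, and DBMS_OUTPUT stands in for em_error_log_pkg.log_error as the article assumes.

```plsql
-- Added example, not the article's code. The em_demo_* tables and their
-- rows are constructed so the check can run in any scratch schema.
SET SERVEROUTPUT ON

CREATE TABLE em_demo_employees (employee_id INTEGER PRIMARY KEY, salary NUMBER)
/
CREATE TABLE em_demo_departments (
   department_id INTEGER PRIMARY KEY, department_name VARCHAR2 (30))
/
INSERT INTO em_demo_employees VALUES (100, 24000)
/
INSERT INTO em_demo_departments VALUES (10, 'Administration')
/
COMMIT
/

CREATE OR REPLACE PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_statement   VARCHAR2 (32767);
BEGIN
   -- Names cannot be bound, so each is validated before concatenation:
   -- SQL_OBJECT_NAME raises ORA-44002 unless the string names an existing
   -- object, SIMPLE_SQL_NAME raises ORA-44003 unless it is a valid SQL name
   l_statement :=
         'UPDATE '
      || DBMS_ASSERT.sql_object_name (table_in)
      || ' SET '
      || DBMS_ASSERT.simple_sql_name (update_col_in)
      || ' = :my_value WHERE '
      || DBMS_ASSERT.simple_sql_name (pkey_col_in)
      || ' = :my_pky';

   -- Plain SQL with no BEGIN ... END; wrapper; both values travel as binds
   EXECUTE IMMEDIATE l_statement USING value_in, pkey_value_in;

   DBMS_OUTPUT.put_line (
         'Value of '
      || update_col_in
      || CASE SQL%ROWCOUNT WHEN 0 THEN ' NOT' END
      || ' updated to '
      || value_in);
EXCEPTION
   WHEN OTHERS
   THEN
      -- DBMS_OUTPUT stands in for em_error_log_pkg.log_error here
      DBMS_OUTPUT.put_line ('Failed statement: ' || l_statement);
      RAISE;
END em_update_col_value;
/

-- Replay the article's problem calls and fail loudly on any surprise
DECLARE
   l_count   PLS_INTEGER;

   PROCEDURE expect_rejected (
      table_in IN VARCHAR2, pkey_col_in IN VARCHAR2, ora_code_in IN PLS_INTEGER)
   IS
   BEGIN
      em_update_col_value (table_in, pkey_col_in, 100, 'salary', 1000);
      raise_application_error (-20000, 'Accepted: ' || pkey_col_in);
   EXCEPTION
      WHEN OTHERS
      THEN
         IF SQLCODE <> ora_code_in THEN RAISE; END IF;
         DBMS_OUTPUT.put_line ('Rejected with ORA' || SQLCODE);
   END expect_rejected;
BEGIN
   -- 1. A string value, which used to end in ORA-00933, is now bound as data
   em_update_col_value (
      'em_demo_departments', 'department_id', 10, 'department_name', 'Jolly Fun');

   -- 2. The injected key column from the article must raise ORA-44003
   expect_rejected (
      'em_demo_employees',
      'employee_id=employee_id; delete from em_demo_employees where employee_id',
      -44003);

   -- 3. The "bad" table name from the article must raise ORA-44002
   expect_rejected ('em_demo_employees; more code here', 'employee_id', -44002);

   SELECT COUNT (*) INTO l_count FROM em_demo_employees WHERE employee_id = 100;

   IF l_count <> 1
   THEN
      raise_application_error (-20001, 'Employee 100 was deleted');
   END IF;

   ROLLBACK;   -- leave the scratch rows as they were
END;
/
```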

DYNAMIC AND REUSABLE? AN UNLIKELY PAIR

Programmers should always strive for a single point of definition (usually a subprogram) for rules, formulas, SQL statements, and magic values. Reuse those subprograms, and look for opportunities to build generic utilities, such as error loggers, that can be reused throughout an application.

Nevertheless, programs that execute dynamic SQL statements are unlikely to be a good fit for reusable code. Dynamic SQL should be utilized only when static implementations are impossible. And when you write a subprogram with dynamic SQL, the need for solid error handling and proactive protection against SQL injection rises significantly.

NEXT STEPS

TEST your PL/SQL knowledge
plsqlchallenge.com

READ more Feuerstein
bit.ly/omagplsql

READ more about PL/SQL
oracle.com/plsql

SQL injection
“How to write SQL injection proof PL/SQL” bit.ly/sqlinjproof

Answer to Last Issue’s Challenge

The PL/SQL Challenge quiz in the last issue’s “Four Resolutions for Better Code” presented three code blocks and asked which block(s) would display “-6502” after execution. All three answers are correct, but only the first (a) follows the native PL/SQL paradigm for error raising and handling. The other two techniques should, therefore, be avoided.

Steven Feuerstein ([email protected]) is an architect for Oracle, specializing in PL/SQL. His books, such as Oracle PL/SQL Programming, and more than a thousand PL/SQL quizzes at PL/SQL Challenge (plsqlchallenge.com) provide in-depth resources for PL/SQL developers.


ASK TOM BY TOM KYTE

On More-Secure Applications

Our technologist shows how to build security into application design.

I’m worried about the security of my application—things like SQL injection, for example. What can I do to minimize the chances that my application will be hacked?

This is a great question, because not a day seems to go by without news of yet another hack. Whether it be someone stealing identities, credit card information, personal information, or whatever, new security incidents seem to happen often. Too often.

There are a few things you can do in your application design to eliminate or reduce your exposure. Securing an application is something that needs to be done as the application is being developed—it is very hard to retrofit security into an existing application. Trying to fix an existing application to be secure is sort of like trying to patch a leaky foundation of a house rather than building a waterproof foundation in the first place.

Here are some of the most important things you can do for your application design architecturally:

• Make sure you have read the Database 2 Day + Security Guide (bit.ly/2daysecure) and the Database Security Guide (bit.ly/oradbsecurity). They will give you an overview of what you need to be thinking about security-wise and an excellent look into the capabilities Oracle Database offers in the area of security.
• Employ the concept of least privilege.
• Use multiple schemas—many more than one—to separate objects and help enforce the concept of least privilege.
• Use bind variables! They are not only a scalability and performance feature; they also help secure your application from SQL injection attacks.
• Employ multiple levels of defense. Do not put security only in the application code; repeat it as many times as you can within the database, using different techniques. In that way, a bug in one layer of defense won’t leave your database exposed.

Read on for details of some of these security strategies.

LEAST PRIVILEGE

This is a key tenet of database security: grant the fewest (least) privileges possible to everyone—from your DBAs down to the application schemas and out to the schemas used to connect to the database from the middle tier.

All too often, application developers request a privilege in the database simply to make their lives easier. For example, if they are working on an application that requires data from other application schemas—from many tables in many other schemas—they might request the SELECT ANY TABLE privilege. With that privilege, no matter what table they need from those other schemas, they will have it. The application developers might feel that it makes them more “agile”—able to pump out code faster—because they never have to ask for a SELECT grant again.

If attackers can find a SQL injection flaw in the developed application, they will almost certainly be able to gain at least read access to everything in the database—not just the tables the application accesses but every single table in the entire database.

The SELECT ANY TABLE privilege will also make it very hard to survive a true security audit. There will be no way to justify why the application truly needs SELECT ANY TABLE privileges. Additionally, there will be no documentation for the tables the application truly needs.

No ANY grant should ever be given to an application schema. The power of a grant with the ANY keyword in it—such as CREATE ANY CONTEXT, SELECT ANY TABLE, DROP ANY TABLE—is beyond what any application needs. There is always another way for developers to achieve what they need to do.

For example, I’ve seen DROP ANY TABLE granted to an application schema with the reasoning that the application developers needed to truncate a table in another schema. In reference to truncating a table, the Database SQL Language Reference, at bit.ly/sqltrunc, states: “To truncate a table, the table must be in your schema or you must have the DROP ANY TABLE system privilege.”

That is true, but you do not need to have the DROP ANY TABLE privilege to achieve the goal of truncating a table in another schema. That is what’s important—the goal is to truncate table T in schema X. There are at least two ways to achieve that:

1. Use the powerful and dangerous DROP ANY TABLE privilege.

2. Implement a stored procedure that executes as schema X (the owner of the table) and performs the truncate. And then grant EXECUTE privileges on this procedure.

If you were to grant DROP ANY TABLE to the application schema and an attacker discovered a SQL injection flaw in the application, the attacker would have the DROP ANY TABLE privilege. Think about how damaging that would be!

The other approach, achieving the goal with the minimum privileges—with the least privileges—is the right way to go. Consider the following:

SQL> create user a identified by a;

User created.

SQL> create user b identified by b
  2  default tablespace users
  3  quota 5m on users;

User created.

SQL> grant create session to a;

Grant succeeded.

SQL> grant create session,
  2  create table,
  3  create procedure
  4  to b;

Grant succeeded.

I now have two schemas—A and B. A has just the privilege to log in, and B can log in and create tables and procedures. Now I’ll log in as B and create my objects:

SQL> connect b/b
Connected.

SQL> create table t
  2  as
  3  select *
  4  from all_users;

Table created.

SQL> create or replace
  2  procedure truncate_table_t
  3  authid DEFINER
  4  as
  5  begin
  6  execute immediate
  7  'truncate table B.T';
  8  end;
  9  /

Procedure created.

SQL> grant select on t to a;

Grant succeeded.

SQL> grant execute
  2  on truncate_table_t
  3  to a;

Grant succeeded.

Schema B now has a table T with some data in it and also a definer’s rights procedure that truncates table B.T. A definer’s rights routine (the default type of stored procedure) runs with the privileges granted directly to the owner of the procedure—that is, all the privileges of schema B minus any privileges granted to B via a role.

Schema B allows schema A to read table T and to execute the stored procedure B.TRUNCATE_TABLE_T.

I’ll log in as A and see what I can do:

SQL> connect a/a
Connected.

SQL> select count(*) from b.t;

COUNT(*)
---------------------
55

I can see that table B.T exists, I can query it, and it has data. Now I’ll try to truncate table B.T as user A:

SQL> truncate table b.t;
truncate table b.t
               *
ERROR at line 1:
ORA-01031: insufficient privileges

I am not privileged enough to truncate this table. For that truncate to succeed as executed by A, I would need the DROP ANY TABLE privilege. But that doesn’t mean I need to have the DROP ANY TABLE privilege in order to truncate B.T! I can just execute that stored procedure:

SQL> exec b.truncate_table_t;

PL/SQL procedure successfully completed.

SQL> select count(*) from b.t;

COUNT(*)
---------------------
0

I have achieved the goal—to truncate B.T—but did not require the DROP ANY TABLE privilege. I have greatly limited the exposure to risk, but I have not eliminated it. An attacker finding a SQL injection bug in code executed by schema A would likely be able to execute the B.TRUNCATE_TABLE_T procedure, but I’ve still achieved a huge reduction in exposure. I’ve gone from risking the loss of every table in the database to the loss of data in one table, a table that is truncated on a recurring basis already.

Using stored procedures is a great way to reduce the strength of a grant you need to give across schemas. They definitely help achieve the least privileges concept. Here schema A needs the EXECUTE privilege only on a procedure that can truncate exactly the one table that A needs.

NOTE: Oracle Database 12c includes a new privilege analysis tool to help enforce the concept of least privileges. See the Database Vault Administrator’s Guide, at bit.ly/dbvault, for details.

USE MULTIPLE SCHEMAS

This idea probably gets more pushback from developers than any other security idea I suggest. I’m going to reproduce a question from a previous Ask Tom column (at bit.ly/asktommultischema):

A data architect at work has proposed that we start using separate database accounts to hold the code (packages, procedures, views, and so on) and the data (tables, materialized views, indexes, and so on) for an application. I’ve never come across this idea before, and it seems to be contrary to the concepts of encapsulation, in that the application will be spread across at least two schemas and require more administrative overhead to maintain the necessary grants between them.

Are there any situations you can think of where this would be a recommended approach? And if you did this, how would you recommend referencing objects in the data schema from the application schema? Finally, would you put any views into the code or data schema?

You can see my original response to this question at bit.ly/asktommultischema, but in looking at this question again, I can see that the questioner is trying to find reasons to not do something that would be greatly beneficial to security. Developers may throw out words such as encapsulation (although having multiple schemas actually promotes encapsulation) and claim that it will require more administrative overhead to maintain the necessary grants, while missing the point that the production application will need to have the concept of least privileges in place. What some developers view as drawbacks, I see as positives.

My approach would be to have at least one schema that contains table data, and maybe more than one—probably more than one—but at least one schema that owns just the table data and, if need be, a few procedures like the one described in the last section. There would be a second schema, and this schema would own code (PL/SQL, Java stored procedures, and so on) that accesses these tables. It would also contain views of the various tables as needed. The first schema, the one that contains table data, would grant just the privileges needed on a table to the second, “code” schema. (There would be no GRANT ALL ON T TO another_schema.) The data schema would grant just the access necessary: INSERT, UPDATE, DELETE, and/or SELECT.

Then there would be a third schema. This schema would be granted nothing more than CREATE SESSION to log in and the bare privileges on the second schema the application needs in order to execute the procedures and access the views. This third schema, the database account, is the one your application server would use to connect to the database.

Think about the benefits this would bring you. If hackers get into the application schema, the damage they can do will be very limited. They won’t be able to read every table—they’ll be able to read only a few. And if you use stored procedures as a data access layer, they may not be able to access any tables at all! All they’ll be able to do is run your application. They won’t be able to drop any tables, which they would be able to do if you used a single schema for everything, or update anything they choose, as they would be able to if you used a single schema. And so on. Hackers will be very restricted in what they can and cannot do.

Let’s make this a bit more concrete. Suppose your application has an application audit trail (as it and every application should). Your typical application user needs to be able to insert into this audit trail, but that user should never be able to read it, delete it, or modify it. You might also have an administrative application that needs to read the audit trail, but it doesn’t ever need to insert into it, update it, or delete from it. If you go with a single schema, both the application and the administrative application users will have full READ/WRITE access on this table. You might say, “Our application enforces security—don’t worry.” But that does worry me, because you will have a bug in your application—somewhere, someday. And then the audit trail will be 100 percent exposed to tampering.

If instead you put the audit trail into its own schema and create two code schemas—one for the typical application user and the other for the typical administrative application user, you’ll be able to grant INSERT privileges on the audit trail table to the first code schema and SELECT privileges on the audit trail to the second code schema. Now the first schema can create the code that inserts into the audit trail. The second schema can create some views for reporting or use stored procedures that return ref cursors instead.

Last, you’ll create a schema that has CREATE SESSION and EXECUTE privileges on the code in the first application schema and then create an administrative login that has CREATE SESSION and EXECUTE privileges on the code in the second schema. This is the concept of least privileges put into action to the fullest. The administrative schema will use code in the application schema to audit itself and will be able to report on—but not modify—the audit trail. The application schema will also be able to audit itself but not read the audit trail (because it has no reason to).
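The audit-trail layout described above can be written down as one DBA script. This is an added example, not code from the article or from Oracle: every schema, table and routine name is hypothetical, the passwords are placeholders, and locking the data and code accounts is an extra assumption consistent with least privilege.

```sql
-- Added example (not from the article). All schema, table and routine names are
-- hypothetical; passwords are placeholders. Run as a DBA in a non-CDB or a PDB.

-- 1. Data schema: owns only the audit trail. It never logs in, so it gets no
--    CREATE SESSION and the account is locked (an assumption beyond the article).
create user audit_data identified by "ChangeMe_1" account lock
  default tablespace users quota 10m on users;

create table audit_data.audit_trail (
  event_time timestamp      default systimestamp not null,
  db_user    varchar2(128)  default sys_context('userenv', 'session_user') not null,
  action     varchar2(30)   not null,
  detail     varchar2(4000)
);

-- 2. Code schemas: locked as well; each receives exactly one direct privilege
--    on the table. Definer's rights code needs direct grants, not roles.
create user app_code   identified by "ChangeMe_2" account lock;
create user admin_code identified by "ChangeMe_3" account lock;

grant insert on audit_data.audit_trail to app_code;     -- write-only
grant select on audit_data.audit_trail to admin_code;   -- read-only

create or replace procedure app_code.log_event (
  p_action in varchar2,
  p_detail in varchar2
) authid definer
as
begin
  -- Static SQL: PL/SQL variables are bound, never concatenated into the text.
  insert into audit_data.audit_trail (action, detail)
  values (p_action, p_detail);
end;
/

create or replace function admin_code.recent_events (
  p_since in timestamp
) return sys_refcursor
  authid definer
as
  l_rc sys_refcursor;
begin
  open l_rc for
    select event_time, db_user, action, detail
      from audit_data.audit_trail
     where event_time >= p_since
     order by event_time;
  return l_rc;
end;
/

-- 3. Login schemas: the only accounts the application servers connect as.
create user app_login   identified by "ChangeMe_4";
create user admin_login identified by "ChangeMe_5";

grant create session to app_login, admin_login;
grant execute on app_code.log_event       to app_login;
grant execute on admin_code.recent_events to admin_login;

-- 4. Review query for an audit: every object privilege in the design, in one place.
select grantee, owner, table_name, privilege
  from dba_tab_privs
 where owner in ('AUDIT_DATA', 'APP_CODE', 'ADMIN_CODE')
 order by grantee, owner, table_name;
```

The ref cursor function is used instead of a reporting view so that ADMIN_CODE needs plain SELECT only; a view that ADMIN_CODE re-grants to ADMIN_LOGIN would require SELECT WITH GRANT OPTION on the table.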

To witness this multischema architecture idea in action—with all the details, code, and more—see the Database 2 Day Developer’s Guide, Chapter 9, “Developing a Simple Oracle Database Application,” at bit.ly/devguidemultischemaapp.

USE BIND VARIABLES

Did you know that if your SQL uses bind variables for all variables that can change from execution to execution, your code cannot be SQL-injected? On the other hand, if you use string concatenation to put these variables into your SQL, your code can be SQL-injected!

That is, if you issue SQL such as SELECT * FROM EMP WHERE ENAME LIKE ? and you bind in a value for the ?, no one will be able to change the meaning of your SQL, regardless of what they send you. On the other hand, if you build your SQL statement by using string concatenation like this:

SELECT * FROM EMP WHERE ENAME LIKE '" + some_variable +"'

it will be far too easy for your code to be SQL-injected.

In my experience, many, if not most, database attacks are performed by SQL injection, whereby the attacker sends you input that makes your resulting SQL different from what you intended. There are programmatic ways to combat this. For example, you can use the DBMS_ASSERT package in PL/SQL when building SQL, write your own “sanitizer” routines to verify that the inputs are safe to concatenate, and write lots of code. You’ll still have to worry about attack vectors you haven’t thought of (see bit.ly/tkbinject for an interesting example of a SQL injection attack most people would not see coming). So whatever programmatic strategy you use, there will still be concern that your code is not as secure as you think it is.

Or you can use bind variables. If you use a bind variable, it will be impossible—repeat, impossible—for an attacker to change SELECT * FROM EMP WHERE ENAME LIKE ? into any other SQL. On the other hand, it would be relatively easy for an attacker to try to change

SELECT * FROM EMP WHERE ENAME LIKE '" + some_variable +"'

into

SELECT * FROM EMP WHERE ENAME LIKE '' or 1=1 -- '

by providing the input

' or 1=1 --

That input would change the meaning of your query entirely. Additionally, attackers might instead try to input

'UNION ALL SELECT… FROM T -- '

Think about what that would do to your query. Instead of querying the EMP table, your attackers would now be querying some other table T (a SQL injection bug, once found, typically gives at least READ access to every object the schema has read access to).

If you do not use bind variables in your application for inputs into your query, I firmly believe you’ll have to

• Write lots of additional procedural code to sanitize inputs (and lose sleep every night wondering if you did it perfectly every time and everywhere).

• Submit your code to be reviewed by at least five people who do not like you. The reason for the “do not like you” part is that they must be motivated to search long and hard for any mistakes you might have made. If they like you—or even worse, respect you—they might not look hard enough.

But following these steps will not guarantee security. Your code may still be SQL-injectable, because it might not be perfect and the reviewers might not find everything.

Remember: bugs happen to everyone. Bugs, including ones that allow for SQL injection, happen to me more times than I can count. Consider the article I wrote years ago on SQL injection at bit.ly/tkinjectc. After you read the section on SQL injection in that article, I encourage you to read on and look at the last section. There I used a stored procedure to do “selective granting”—similar to the truncate example earlier in this article. But note the “note” there about revised content. My original stored procedure—the one that was printed in the hard-copy magazine, never to be fixed—had a SQL injection flaw in it! Yes, in an article on SQL injection, I supplied some code that was SQL-injectable. It can happen to anyone—highly experienced programmers, novice programmers . . . everyone.
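The concatenated and bound forms of the ENAME query from this section, side by side in PL/SQL dynamic SQL, followed by a shared pool check for code that still builds SQL from literals. This is an added example, not code from the article: the function names are hypothetical, EMP is assumed to be the classic demo table with an ENAME column, and the threshold in the last query is an arbitrary starting point.

```sql
-- Added example (not from the article). Function names are hypothetical; EMP is
-- assumed to be the classic demo table, visible to the schema that owns them.

-- Weak form: the input becomes part of the SQL text that is parsed.
create or replace function count_emp_concat (p_name in varchar2)
  return number
as
  l_cnt number;
begin
  execute immediate
    'select count(*) from emp where ename like ''' || p_name || ''''
    into l_cnt;
  return l_cnt;
end;
/

-- Corrected form: the SQL text is a constant; the input travels as a bind value
-- and is only ever compared with ENAME.
create or replace function count_emp_bind (p_name in varchar2)
  return number
as
  l_cnt number;
begin
  execute immediate
    'select count(*) from emp where ename like :name'
    into l_cnt
    using p_name;
  return l_cnt;
end;
/

-- The input quoted in the article, passed to both forms.
-- concat parses: select count(*) from emp where ename like '' or 1=1 --'
-- bind parses:   select count(*) from emp where ename like :name
set serveroutput on
declare
  l_input varchar2(30) := ''' or 1=1 --';
begin
  dbms_output.put_line('concat: ' || count_emp_concat(l_input));
  dbms_output.put_line('bind:   ' || count_emp_bind(l_input));
end;
/

-- Detection: statements that differ only in their literals share one
-- FORCE_MATCHING_SIGNATURE, so many variants per signature points at code that
-- concatenates values instead of binding them. The threshold of 10 is arbitrary.
select force_matching_signature,
       count(*)      as variants,
       min(sql_text) as sample_text
  from v$sql
 where force_matching_signature <> 0
 group by force_matching_signature
having count(*) > 10
 order by variants desc;
```

With the concatenated form the WHERE clause is true for every row; with the bound form the same input is just a pattern that ENAME is matched against.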

HAVE MULTIPLE LEVELS OF DEFENSE

Having multiple levels of defense is another basic security tenet, right up there with the least privileges concept. You want to have security in depth—security at multiple levels.

Suppose you put all your security logic in the application, so the folks at the network/database/storage level don’t have to worry about anything. Someone will find a way around that security. It is not if but a matter of when attackers will find a way around it.

If, on the other hand, you have multiple layers of defense—multiple repetitive layers of defense—a hole in any one defense level won’t mean that your data will be compromised. For example, suppose for some reason that your application uses string concatenation and does not use bind variables. In that case, I would suggest that you

• Procedurally sanitize your application inputs to validate them

• Have your string concatenation code reviewed so that multiple eyes look at it to validate it

• Employ Oracle Database Firewall (bit.ly/odsavdf) to catch SQL injection flaws when they inevitably occur (from not using bind variables!)

• Use the concept of least privileges so that if all other defenses fail, you’ll minimize your risk

• Use multiple schemas to further mitigate the security risk (and take least privileges to the farthest point possible)

• Employ auditing at the application level, firewall level, and database level; consider using Oracle Audit Vault (bit.ly/odsavdf) to consolidate all that information; and set up real-time audit policies that look for suspicious activity as it happens

There are at least six levels of defense right there, but each of those layers might have a flaw in it somewhere—a hole to be exploited. Use multiple layers of defense in case one—or more—of them is defeated.

CONCLUSION

Security is a #1 concern these days. In the past—before the internet—security was a bit easier. Our databases were not exposed to billions of potential attackers and didn’t have as much sensitive information in them. Today a child could attack your database just for fun (search for “sql injection toolkit,” and you might be surprised at what is out there). Attacking a website is not hard.

Fortunately, protecting yourself and minimizing your exposure is not that hard either.

Employ least privileges—yes, that seems like more work for the development team, but look at what you get out of it: minimized exposure, better documentation, and a solid understanding of who uses what objects and why. It is not only a security feature; it also makes your entire code base better, easier to maintain, and easier to understand.

Use encapsulation and modularization via multiple schemas to set up “walls” between various components. Again, use least privileges to put the pieces together.

Avoid the major attack vectors such as SQL injection entirely by using bind variables. Bind variables are not only good for performance and scalability but also excellent for security.

Employ as many layers of defense as you can come up with. They are not redundant, so do not consider them redundant. They each add to your security footprint, in a positive fashion.

And perhaps most importantly, remember to design this all into your application from day 1. Trying to retrofit least privileges and multiple schemas—and fixing code that doesn’t use bind variables so that it does use bind variables—is not only hard but also error-prone. It would be like working on a leaky foundation.

Tom Kyte is a database evangelist in Oracle’s Server Technologies division and has worked for Oracle since 1993. He is the author of Expert Oracle Database Architecture (Apress, 2005, 2010) and Effective Oracle by Design (Oracle Press, 2003), among other books.

NEXT STEPS

ASK Tom
Tom Kyte answers your most difficult technology questions. Highlights from that forum appear in this column.
asktom.oracle.com

FOLLOW Tom on Twitter
@OracleAskTom

READ more Tom
bit.ly/omagasktom

READ more about Oracle Database Security
bit.ly/2daysecure
bit.ly/oradbsecurity
bit.ly/dbvault
bit.ly/12cdbsecurity

DOWNLOAD Oracle Database 12c
bit.ly/epBiUG

LEARN more about Oracle Database 12c
oracle.com/database

FOLLOW Oracle Database
on Twitter: @oracledatabase
on Facebook: facebook.com/oracledatabase

For more information or to place your recruitment ad or listing contact: [email protected]

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Find the Most Qualified Oracle Professional for your Company’s Future

Introducing the Oracle Magazine Career Opportunities section -

the ultimate technology recruitment resource.

Oracle Magazine is the largest IT publication in the world with a total circulation of more than 500,000.

Place your advertisement and gain exclusive and immediate access to top talent including:

IT Managers, DBAs, Programmers and Developers.


IN THE FIELD BY KATE PAVAO

During her 17 years as an Oracle Applications Users Group (OAUG) member, Melissa English has had many jobs, including volunteering on the education committee, chairing the marketing and communication committee, and serving on OAUG’s board of directors. So she was well prepared when, in January 2015, she began her term as OAUG president.

What first drew her to OAUG, the largest education, networking, and advocacy forum for Oracle Applications users? “I really loved that it was other people like me providing content and information,” remembers English, who is manager of instructional design at Amway.

Here, English talks to Oracle Magazine about why she stays committed to OAUG, her plans for growing the organization during its celebratory 25th-anniversary year, and how business leaders can better prepare their workers to evolve in swiftly changing times.

Oracle Magazine: What sparked your interest in technology?

English: In the mid-1990s, I was working in accounts payable at the Cincinnati Department of Human Services. When I started to train other workers on how to use Oracle applications, I knew that’s what I wanted my career path to be. I love being able to help people understand new technology, and I love knowing I was able to provide value to them. This passion is what keeps me going with OAUG, because OAUG is all about members supporting and learning from each other.

Oracle Magazine: What are you hoping to accomplish as OAUG president?

English: I want to continue to innovate and increase our user involvement, because the more our members share their experiences, the better the results for our community.

If that means we can get more end users to present at events or in our e-learning series, that’s terrific. But also we want to help people connect with each other through networking opportunities at our OAUG Connection Point events and at COLLABORATE conferences.

For example, we host a luncheon for women in technology each year at COLLABORATE, which is a great opportunity for women from all walks of life, in all points in their careers, and from all industries to talk to one another.

Oracle Magazine: How is OAUG growing its membership?

English: We need to support our new users and offer them opportunities to advance their careers. Through our user forums, we recently established a young professionals group that brings new workers together with our seasoned members, so they can start gaining an understanding of what it’s going to take for them to become leaders.

Also, extending our international reach is top of mind, and during the last few years our international committee has made great connections around the world through our affiliated user groups. We look at this as a “win, win, win,” because as we grow, so do the affiliate groups that partner with us—and their users win because they can get information from their local community as well as from international sources.

Oracle Magazine: You oversee global change management, communications, and training for Oracle E-Business Suite. What’s the secret to change management success?

English: The key is to have a really strong and clear vision to provide to the team. Then you have to engage stakeholders at all levels in order to make the change sustainable. A lot of business leaders think change management is about communication and trainings, and those are components of it. But it’s also about helping people understand what’s going to be different for them.

You need to eliminate their fear and anxiety, and that comes from providing information to people and then listening to them. It’s really about connecting with people and making sure that you are taking care of them.

NEXT STEPS

LEARN more about OAUG
oaug.org

Kate Pavao is a frequent contributor to Oracle’s Profit and Profit Online publications.

Keeping Pace
OAUG’s new president knows how to handle a changing environment.

BLAKE J. DISCHER

“We need to support our new users and offer them opportunities to advance their careers.”—Melissa English, President, OAUG

12x compression on Oracle database with Hybrid Columnar Compression. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

oracle.com/goto/compression

Only Oracle Compresses Your Data 12x

Oracle ZFS Storage and FS1 Flash Storage

More Data. Less Storage. Less Energy. Run Faster.
