Applied Oracle Security: Developing Secure Database and Middleware Environments- P64 pdf

BOECVTJOFTTUSFOET t 5IJSEQBSUZOFXTBOEBOOPVODFNFOUT BOEPQFSBUJOHFOWJSPONFOUT t %FWFMPQNFOUBOEBENJOJTUSBUJPOUJQT t 3FBMXPSMEDVTUPNFSTUPSJFT If there are other Oracle users at your locatio

Oracle Business Intelligence examples, 580–592

auditing, 582

authentication, 589–592

preparations, 581–583

recommended testing, 586–587

RPD descriptions, 588–592

scripts, 582–583

setup process, 583–586

SSO integration, 592

users and groups, 580–581

web catalog descriptions, 587–588

Oracle Call Interface (OCI), 504

Oracle Data Dictionary

DBV integration and, 329

object-owner accounts in, 332

Oracle Database 10g Release 2

column-level encryption, 38–43

TDE setup, 34–35

Oracle Database 11g

Advanced Security features, 33

DBV integration with, 329–344

tablespace encryption, 44–45

TDE configuration, 45–55

Oracle Database Vault See Database Vault

Oracle Delivers component, 530, 587

Oracle Directory Management, 373–374

Oracle Enterprise Manager Grid Control (OEM GC)

DBV policy deployment and validation with,

327–329

monitoring and alerting on DBV with,

345–347

Oracle Entitlement Server (OES), 380–381

architecture of, 380, 381

developer’s view of, 380–381

Oracle External Tables (OETs), 312–318

Oracle HTTP Server (OHS), 434

enabling SSL in, 452–454

password obfuscation in, 445

Oracle Identity Federation (OIF), 377

Oracle Identity Manager (OIM), 386–403

access policies, 389, 394–396

access reporting, 401

attestation, 399–400

compliance solutions, 399–401

deployment architecture, 402–403

discretionary account provisioning, 391–392

IMOM information and, 362

IT resources, 390

organizations, 388–389

overview of, 386–390

provisioning integrations, 397–398 provisioning processes, 390–396 reconciliation integrations, 398–399 resource objects, 390

self-service provisioning, 392–393 summary of, 403

user provisioning, 372–373, 386, 390–398 users and user groups, 387–388

workflow-based provisioning, 393–394

See also identity management

Oracle Internet Directory (OID), 156, 217, 303, 406–409

architecture, 407 synchronizations, 373–374, 408–409 Oracle Label Security (OLS)

declarative framework of, 99 factor integration with, 174–189, 221–222 identifying tables protected by, 294 Oracle VPD comparison, 228 Oracle Metalink notes, 185 Oracle Proxy Authentication, 184 Oracle Real Application Testing, 327, 328 Oracle Recovery Manager (RMAN), 342–343 Oracle Role Manager (ORM), 382–383 Oracle Sample Schemas, 294

Oracle Spatial, 332–333 Oracle Streams Advanced Queuing, 336–341 Oracle Technology Network (OTN), 185, 307 Oracle Text, 329–332

Oracle Virtual Directory (OVD), 307, 374, 409–430

adapter visibility, 426–427 architecture, 410–413 database integration, 419–423 directory tree design, 414–415 explanation of, 410

information access to/from, 412 installing, 413

joining information in, 424–430 LDAP server integration, 415–419 server configuration, 413–414 summary of, 430

Oracle Wallet Auto Login, 36–37 backing up, 35 described, 34, 35 encryption overview, 37 managing, 34–35, 36, 45 TDE and, 33, 34–37 Oracle Wallet Manager (OWM), 36, 453

organizational policies

conditions based on, 207

factors based on, 217, 318

organizations, OIM, 388–389

ORM (Oracle Role Manager), 382–383

OSAUD collectors, 72, 74, 75

OTHER identity, 169, 170

output filtering, 450

OVD See Oracle Virtual Directory

P

parent factors, 164, 165–166

passwords

APEX, 442–443, 445, 463–468, 482

default account, 65–66

obfuscating, 445

Oracle BI, 530

patterns for identity management, 366–372

enterprise maturity levels and,

366–369

hub-and-spoke architecture, 370

point-to-point architecture, 369

PCI standard, 47

PCI-DSS requirements, 47–48

people discovery, 361–362

performance

TDE and, 49–51

tracking data on, 564

permissions

Oracle BI, 537–538

proxy user, 568

personally identifiable information (PII), 9

PL/SQL routines

audit trail records and, 280

centralizing for DBV factors/rules,

211–215, 241

custom event handlers and, 348–352

factors used in, 223–224, 325–326

HANDLER_MODULE parameter and, 494

querying program names for, 326

PL/SQL “wrap” utility, 466

point-to-point architecture, 369

Point-to-Point (P2P) integration, 409

policy

audit, 84–86

DBV, 106–110, 327–329, 345–347

item-based, 484–486

OAM, 526–527

session context-based, 486–489

violations of, 81, 345–347 VPD, 171–174, 484–489 policy administration point (PAP), 380 policy decision point (PDP), 380 policy enforcement point (PEP), 380 policy information point (PIP), 380 policy manager, 375

policy store, 380 prebuilt connectors, 397 preconsolidation databases, 120 predicate parameter, 222 presentation server, 528–529 presentation variables, 508 primary account number (PAN), 47–48 primary adapter, 425

primary key/foreign key (PK/FK) relationships, 44 principles of security, 10–12

private keys, 25–26 privilege escalation, 65, 68 privileged accounts, 94–96 privileges

application administrator, 235–236 audit policy for, 85

BI Web Services, 576 database administrator, 299 default, 567–568

preventing escalation of, 241–243 validating for rules, 154

process discovery, 361, 363–364 Program Global Area (PGA) memory, 436 programmatic encryption, 32

protected health information (PHI), 9–10 protection patterns for realms, 122–124 provisioning integrations, 397–398 Generic Technology Connector, 397–398 prebuilt connectors, 397

provisioning processes, 390–396 access policy-driven provisioning, 394–396 discretionary account provisioning, 391–394

self-service provisioning, 392–393 workflow-based provisioning, 393–394 proxy authentication, 7, 302

proxy server topology, 447 PROXY session variable, 569 proxy users, 568–571 PROXYLEVEL session variable, 569 public key encryption (PKE), 25–27, 452 public users, 533

public-facing applications, 532–533

Publisher, Oracle BI

authentication, 515–516

authorization, 524

catalog content security, 539–540

configuration, 584–585

sample report, 585

super user, 584

testing, 587

Q

queries

application data manager, 256–257

database feature/option, 326

encrypted data, 50

queuing/dequeuing messages, 336–341

R

RAC architecture, 71, 74

RAID technology, 31

read-only application users, 17, 231, 234, 264–267

read-write application users, 17–18, 231, 234,

264–267

realm authorizations, 130–136, 296–309

database roles and, 296–301

explanation of, 130–131

externalizing, 303–309

object-owner accounts and, 131–132

realm headers, 127

realm-protected objects, 111, 292–296

accessing, 125–126

object-level auditing for, 226–227, 293–294

row-level security on, 227–228, 294

realm-protected schemas

EXPLAIN PLAN feature on, 343–344

gathering statistics on, 343

realms, 98, 102–104, 118–136

accessing objects protected by, 125–126

audit reporting for, 126–127

authorizations for, 130–136, 296–309

command rules and, 137–138

components of, 127–136

consolidation with, 119–121

creating, 124–127

DBV administrators and, 131

direct object privileges and, 131

explanation of, 102–104, 118–119

identifying based on objects, 224–228

identifying roles to protect as, 295–296

named accounts and, 132–135 object-owner accounts and, 131–132, 292 objects protected by, 111, 127–128, 292–296

Oracle BI and, 563 participants vs owners, 130 protection patterns of, 122–124 role provisioning with, 128–130 rule sets and, 135–136

violations of, 119 reconciliation integrations, 398–399 Recovery Manager (RMAN), 342–343 REDO collectors, 72, 74, 75

relative distinguished name (RDN), 422 replication, 408

reports Audit Vault, 79–80

BI Publisher, 585 Database Vault, 108 general security, 108 Identity Manager, 401 request-driven provisioning, 395 Resource Description Framework (RDF), 333 resource objects, 390

resources definition of, 386 optimization/usage of, 68 user access to, 386 restricted items, 480–481 retrieval, factor, 158–162 risk management, 284 RMAN (Oracle Recovery Manager), 342–343 role management, 382–383

role mappings, 7 role mining, 381–383 roles

APEX and database, 437–438 application administrator, 235–239, 245–262 Audit Vault, 76–77

Database Vault, 105–106, 128–130 identifying for realm protection, 295–296 identifying for SARs, 310–311

mapping to data, 364–365 operational database administrator, 239–241 realm authorizations for, 296–301

See also SARs

role-to-data mapping, 364–365 root accounts, 314

row-level security (RLS), 111 business model filters for, 516

configuring on realm-protected objects,

227–228

Oracle BI, 543–546, 559–561

realm object identification based on, 294

VPD security and, 559–561

row-wise initialization, 508–509

RPD descriptions, 588–592

RPD-specific scripts, 582–583

rule expressions, 333

rule sets, 102, 147–157

auditing, 148–149

command rules and, 138

custom event handlers and, 150–151,

348–352

evaluation mode for, 147–148

event functions, 154–155

factors and, 156–157

realm authorizations and, 135–136

rule configuration, 151–154

rules

centralizing PL/SQL routines for, 211–215

configuring, 151–153

security, 101–102

validating, 153–154

rule_set_name parameter, 191

RUNAS session variable, 569, 570

SS

Sales History (SH) schema, 14, 15

salt tool, 38–39

sandbox metaphor, 103

SANS Institute, 96

SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY

procedure, 222

SA_POLICY_ADMIN.APPLY_TABLE_POLICY

procedure, 221–222

Sarbanes Oxley (SOX) Act of 2002, 10

SARs (Secure Application Roles), 194–197

audit report for, 196, 197

command rules vs., 104

establishing from conditions, 281–284

multifactor authentication and, 98

security-sensitive operations and, 194

user access accounts and, 310–311

SA_SESSION.SET_LABEL procedure, 183

scenarios, 202

example of, 204–205

explanation of, 202–203

scheduler job, 343

scheduler service, 585 schema objects, 84 schemas

APEX, 456–459 defined, 12 implementing, 239–267 modeling, 12–16 naming, 18–19 realm-protected, 343–344 security concerns, 14, 228–231 worst practices, 14, 15 Schneier, Bruce, 24 SCN (System Change Number), 494 scripts

database, 582–583 RPD-specific, 582–583 setup, 582

SDO_RELATE spatial operator, 333 SEC_ADMIN schema, 491

Secure Application Roles See SARs

Secure Transmission Control Protocol (TCPS), 186–187

security adaptive, 99 addressing gaps in, 94–100 APEX, 439–456

application design and, 200 architecture checklist, 19–20 audit, 62–63

BI features and, 567–576

by command, 100 column-level, 547–551, 590 conditional, 98–99

context-based, 98–99 costs of not applying, 284 factors, 101, 115

folder-based, 537–538 group-level, 537 HAP for, 100 iBot, 538–539 layers of, 11 managing, 11 motivators of, 5, 8–9 multifactored, 163, 171, 183 principles of, 10–12 protecting mechanisms of, 101 Publisher, 539–540

realms, 102–104 reports, 108 row-level, 111

rules, 101–102

statement-level, 111

web content, 536–540

web-based attack, 449–451

security administrator, 111

Security Assertion Markup Language (SAML), 377

security profiles

coarse-grained, 205–208

conditions related to, 207–208

fine-grained, 208–209

process for designing, 202

questions for improving, 207

SEC_USER schema, 491

SELECT command, 143, 144, 259, 268

self-service provisioning, 392–393

sensitive data categorization, 9–10

separation of duties, 99

application administrator, 236–239

Database Vault, 110–114

factors based on, 216–217, 318

sequence of transactions, 323–324

sequential conditions, 208, 219–220

server variables, 507

Service Provisioning Markup Language (SPML),

371, 397

service-oriented security (SOS), 370, 371–372

session context-based policy, 486–489

session control commands, 144

session state, 479–480

encrypted, 482–483

protection scenario, 481–482

session variables, 184, 508–509, 575

SESSION_USER environment variable, 491

SET ROLE command, 98, 144

set variable command, 575

setup scripts, 582

SH dashboard, 587–588

SH schema, 97

shadow joiner, 426

Shah, Vipul, 69

shared accounts, 15–16

SHELPER schema, 97

simple joiner, 425

single sign-on See SSO

Site Data Protection (SDP) program, 47

SOA (Service-Oriented Architecture), 11–12

SOAP privilege, 576

source code modifications, 68

Spatial, Oracle, 332–333

SQL injection attacks, 449–450, 472–476 bind variables and, 472, 475–476 explanatory overview of, 472 procedures vulnerable to, 473–475 SQL statements

audit policy for, 84 factors used in, 221–222, 223–224 predicate parameter, 222

SQL Workshop, 492 SSL (Secure Sockets Layer) protocol APEX and, 454–456

enabling in OHS, 452–454 encryption process, 451–452 Internet security and, 23 mod_rewrite and, 456 symmetric and public key encryption used

in, 27 SSL Everywhere feature, 530 SSO (single sign-on) Oracle Access Manager for, 375–376, 525–529

Oracle BI options for, 524–529, 592 Oracle eSSO for, 376

statement-level security (SLS), 111 static server variables, 507 statistics gathering, 343 strategic maturity level, 368 strings command, 30–31, 39 strong authentication, 33, 375, 377 subject area security, 542–543 Subject-Verb-Object-Condition table, 210, 234,

267, 285, 311–312, 353 superuser account, 95 SYBDB collectors, 73 symmetric key encryption, 24, 25, 27–28, 37 synchronization, OID, 373–374, 408–409 syntax, DBV rule, 153–154

SYS account, 16, 94–96 auditing, 73, 75 DBA role and, 235 SYS_CONTEXT function, 145, 280, 492 SYSMAN account, 229–230

system access accounts, 231, 232–234 SYSTEM account, 16, 94–96, 235 system alterations, 68

system ANY privileges application administrators and, 235 command rules and, 137

queries with no results, 301–303 realms and, 103, 118, 125, 137, 296

security (continued)

system control commands, 144

system integration, 386

system privileges, 68

system use cases, 280–281, 289

system-level auditing, 280–281

T

table keys, 37

table of usernames, 463–468

table-based authentication, 511–512, 590

tables

authorization process using, 520

dynamic group membership using,

518–520

encrypting columns in, 38–40, 41–43

identifying protected, 294

Oracle External, 312–318

tablespace encryption, 44–45, 50–51

tactical maturity level, 367

target resource reconciliation (TRR), 399

TCPS (Secure Transmission Control Protocol),

186–187

TDE (Transparent Data Encryption), 22,

33–44

Advanced Security option, 33

column-level encryption, 38–43

Data Guard with, 49

DBMS_CRYPTO package vs., 40–41

DBV integration with, 341

exporting/importing data, 52–53

integration with HSM devices, 53–55

key management, 37–38

limitations of, 44

operational concerns, 49–51

Oracle Wallet overview, 34–37

PCI-DSS compliance, 47–48

performance issues, 49–51

setting up, 34–35

summary of, 55–56

testing

audit effectiveness, 280–281

BI Publisher, 587

DBV policy, 327–329

join view, 429

Oracle BI, 586–587

Oracle Delivers, 587

VPD and BI cache, 556–559

Text, Oracle, 329–332

three-tier systems, 184

time conditions based on, 208 factors based on, 219–220, 319–321 TNS Listener, 445

tracking usage data, 564–565 transaction control commands, 144 transaction profiles, 290, 352–353 transactional systems, 499–500, 501 transactions

factors based on sequence of, 323–324 identification of important, 312 limiting availability of sensitive, 312–318

transparency, 12, 99, 116

Transparent Data Encryption See TDE

triggers, 116, 177 trust but verify model, 190 trusted source reconciliation (TSR), 399 trust_level parameter, 165

U

UML (Unified Modeling Language), 201 unknown audit patterns, 66–67 UPDATE command, 140, 268, 348 URL tampering, 478–483

checksums and, 481 restricted items and, 480–481 session state protection, 481–482 usage analysis, 225

usage tracking, 564–565 database auditing with, 566–567 notes on configuring, 565 setting up, 585–586 use cases, 202

business, 289 categories of, 285 example of, 203–205 explanation of, 202–203 system, 280–281, 289 user access accounts, 13, 14–16, 231–239 database administrator, 235–239 identifying for SARs, 310–311 overview of categories for, 231–232 read-only/read-write application users, 234, 264–267

system access accounts, 232–234 user accounts

APEX settings, 442 dedicated, 15

grouping, 16–18

shared, 15–16

user groups, 387–388

user profiles, 16–18

user provisioning, 372–373, 390–398

challenges, 386

integrations, 397–398

processes, 390–396

USER_ENCRYPTED_COLUMNS view, 41

user_has_priv function, 217

user_has_role function, 216

usernames, table of, 463–468

users

audit vault, 76–77

BI system, 499, 510

Impersonator, 527–528

OIM, 387

public, 533

read-only, 17

read-write, 17–18

user-specific attributes, 217–218

Utilities dashboard, 588

V

validate_expr parameter, 191

validation

DBV policy, 327–329

factor, 189–194

rule syntax, 153–154

VARCHAR2 values, 158

variables

bind, 472, 475–476

presentation, 508

server, 507

session, 184, 508–509

Verb Object technique, 205–206

viewing datafiles, 30–31

views

audit trail, 290

database, 410

encrypted column, 41

factors used in, 222–223

join, 424–430

virtualization, 373, 409–410

See also Oracle Virtual Directory

VPD (Virtual Private Database), 6 APEX integration, 484–489 factors, 220–221

identifying tables protected by, 294 Oracle BI integration, 551–559 Oracle OLS comparison, 228 policy creation, 171–174 row-level security and, 559–561 VPD_TAG session variable, 554–556 VPD_WHERECLAUSE function, 556

W

wallet See Oracle Wallet

web access management, 379 web catalog content, 536–540

BI Publisher security, 539–540 folder-based security, 537–538 group-level security, 537 iBot security, 538–539 web catalog description, 587–588 web catalog groups, 516–517, 523, 537 web services

access to Oracle BI, 576 notional database applications and, 200–201 web tier, 402

web-based attacks cross-site scripting, 449, 476–478 preventing in APEX, 449–451, 472–483 SQL injection, 449–450, 472–476 URL tampering, 478–483 webgroups, 516–517 weekly_window function, 219 Windows Notepad, 31 workflow-based provisioning, 393–394 workflows, self-service, 307

X

X.509 certificate, 186, 187 XACML (Extensible Access Control Markup Language), 371

XML for Analysis (XMLA), 505 XSS attacks, 449, 476–478

user accounts (continued)

BOE
CVTJOFTT
USFOET t
5IJSEQBSUZ
OFXT
BOE
BOOPVODFNFOUT BOE
PQFSBUJOH
FOWJSPONFOUT

t
%FWFMPQNFOU
BOE
BENJOJTUSBUJPO
UJQT t
3FBMXPSME
DVTUPNFS
TUPSJFT

If there are other Oracle users at

your location who would like to

receive their own subscription to

Oracle Magazine, please

photo-copy this form and pass it along.

Three easy ways to subscribe:

Web

7JTJU
PVS
8FC
TJUF
BU oracle.com/oraclemagazine

Fax

$PNQMFUF
UIF
RVFTUJPOOBJSF
PO
UIF
CBDL
PG
UIJT
DBSE

BOE
GBY
UIF
RVFTUJPOOBJSF
TJEF
POMZ
UP
+1.847.763.9638

Mail

$PNQMFUF
UIF
RVFTUJPOOBJSF
PO
UIF
CBDL
PG
UIJT
DBSE

BOE
NBJM
JU
UP P.O Box 1263, Skokie, IL 60076-8263

1

2

3

FREE SUBSCRIPTION

GET

Y O U R

TO ORACLE MAGAZINE Oracle Magazine is essential gear for today’s information technology professionals

Stay informed and increase your productivity with every issue of Oracle Magazine.

Inside each free bimonthly issue you’ll get:

WHAT IS THE PRIMARY BUSINESS ACTIVITY

OF YOUR FIRM AT THIS LOCATION? (check

one only)

o 01 Aerospace and Defense Manufacturing

o 02 Application Service Provider

o 03 Automotive Manufacturing

o 04 Chemicals

o 05 Media and Entertainment

o 06 Construction/Engineering

o 07 Consumer Sector/Consumer Packaged

Goods

o 08 Education

o 09 Financial Services/Insurance

o 10 Health Care

o 11 High Technology Manufacturing, OEM

o 12 Industrial Manufacturing

o 13 Independent Software Vendor

o 14 Life Sciences (biotech, pharmaceuticals)

o 15 Natural Resources

o 16 Oil and Gas

o 17 Professional Services

o 18 Public Sector (government)

o 19 Research

o 20 Retail/Wholesale/Distribution

o 21 Systems Integrator, VAR/VAD

o 22 Telecommunications

o 23 Travel and Transportation

o 24 Utilities (electric, gas, sanitation, water)

o 98 Other Business and Services _

WHICH OF THE FOLLOWING BEST DESCRIBES

YOUR PRIMARY JOB FUNCTION?

(check one only)

CORPORATE MANAGEMENT/STAFF

o 01 Executive Management (President, Chair,

CEO, CFO, Owner, Partner, Principal)

o 02 Finance/Administrative Management

(VP/Director/ Manager/Controller,

Purchasing, Administration)

o 03 Sales/Marketing Management

(VP/Director/Manager)

o 04 Computer Systems/Operations

Management

(CIO/VP/Director/Manager MIS/IS/IT, Ops)

IS/IT STAFF

o 05 Application Development/Programming

Management

o 06 Application Development/Programming

Staff

o 07 Consulting

o 08 DBA/Systems Administrator

o 09 Education/Training

o 10 Technical Support Director/Manager

o 11 Other Technical Management/Staff

o 98 Other

WHAT IS YOUR CURRENT PRIMARY OPERATING PLATFORM (check all that apply)

o 01 Digital Equipment Corp UNIX/VAX/VMS

o 02 HP UNIX

o 03 IBM AIX

o 04 IBM UNIX

o 05 Linux (Red Hat)

o 06 Linux (SUSE)

o 07 Linux (Oracle Enterprise)

o 08 Linux (other)

o 09 Macintosh

o 10 MVS

o 11 Netware

o 12 Network Computing

o 13 SCO UNIX

o 14 Sun Solaris/SunOS

o 15 Windows

o 16 Other UNIX

o 98 Other

99 o None of the Above

DO YOU EVALUATE, SPECIFY, RECOMMEND,

OR AUTHORIZE THE PURCHASE OF ANY OF THE FOLLOWING? (check all that apply)

o 01 Hardware

o 02 Business Applications (ERP, CRM, etc.)

o 03 Application Development Tools

o 04 Database Products

o 05 Internet or Intranet Products

o 06 Other Software

o 07 Middleware Products

99 o None of the Above

IN YOUR JOB, DO YOU USE OR PLAN TO PUR-CHASE ANY OF THE FOLLOWING PRODUCTS?

(check all that apply) SOFTWARE

o 01 CAD/CAE/CAM

o 02 Collaboration Software

o 03 Communications

o 04 Database Management

o 05 File Management

o 06 Finance

o 07 Java

o 08 Multimedia Authoring

o 09 Networking

o 10 Programming

o 11 Project Management

o 12 Scientific and Engineering

o 13 Systems Management

o 14 Workflow HARDWARE

o 15 Macintosh

o 16 Mainframe

o 18 Minicomputer

o 19 Intel x86(32)

o 20 Intel x86(64)

o 21 Network Computer

o 22 Symmetric Multiprocessing

o 23 Workstation Services SERVICES

o 24 Consulting

o 25 Education/Training

o 26 Maintenance

o 27 Online Database

o 28 Support

o 29 Technology-Based Training

o 30 Other

99 o None of the Above WHAT IS YOUR COMPANY’S SIZE?

(check one only)

o 01 More than 25,000 Employees

o 02 10,001 to 25,000 Employees

o 03 5,001 to 10,000 Employees

o 04 1,001 to 5,000 Employees

o 05 101 to 1,000 Employees

o 06 Fewer than 100 Employees DURING THE NEXT 12 MONTHS, HOW MUCH

DO YOU ANTICIPATE YOUR ORGANIZATION WILL SPEND ON COMPUTER HARDWARE, SOFTWARE, PERIPHERALS, AND SERVICES FOR YOUR LOCATION? (check one only)

o 01 Less than $10,000

o 02 $10,000 to $49,999

o 03 $50,000 to $99,999

o 04 $100,000 to $499,999

o 05 $500,000 to $999,999

o 06 $1,000,000 and Over WHAT IS YOUR COMPANY’S YEARLY SALES REVENUE? (check one only)

o 01 $500, 000, 000 and above

o 02 $100, 000, 000 to $500, 000, 000

o 03 $50, 000, 000 to $100, 000, 000

o 04 $5, 000, 000 to $50, 000, 000

o 05 $1, 000, 000 to $5, 000, 000 WHAT LANGUAGES AND FRAMEWORKS DO YOU USE? (check all that apply)

o 01 Ajax o 13 Python

o 02 C o 14 Ruby/Rails

o 03 C++ o 15 Spring

o 04 C# o 16 Struts

o 05 Hibernate o 17 SQL

o 06 J++/J# o 1 8 Visual Basic

o 07 Java o 98 Other

o 08 JSP

o 09 NET

o 10 Perl

o 11 PHP

o 12 PL/SQL WHAT ORACLE PRODUCTS ARE IN USE AT YOUR SITE? (check all that apply)

ORACLE DATABASE

o 01 Oracle Database 11g

o 02 Oracle Database 10g

o 03 Oracle9i Database

o 04 Oracle Embedded Database (Oracle Lite, Times Ten, Berkeley DB)

o 05 Other Oracle Database Release ORACLE FUSION MIDDLEWARE

o 06 Oracle Application Server

o 07 Oracle Portal

o 08 Oracle Enterprise Manager

o 09 Oracle BPEL Process Manager

o 10 Oracle Identity Management

o 11 Oracle SOA Suite

o 12 Oracle Data Hubs ORACLE DEVELOPMENT TOOLS

o 13 Oracle JDeveloper

o 14 Oracle Forms

o 15 Oracle Reports

o 16 Oracle Designer

o 17 Oracle Discoverer

o 18 Oracle BI Beans

o 19 Oracle Warehouse Builder

o 20 Oracle WebCenter

o 21 Oracle Application Express ORACLE APPLICATIONS

o 22 Oracle E-Business Suite

o 23 PeopleSoft Enterprise

o 24 JD Edwards EnterpriseOne

o 25 JD Edwards World

o 26 Oracle Fusion

o 27 Hyperion

o 28 Siebel CRM ORACLE SERVICES

o 28 Oracle E-Business Suite On Demand

o 29 Oracle Technology On Demand

o 30 Siebel CRM On Demand

o 31 Oracle Consulting

o 32 Oracle Education

o 33 Oracle Support

o 98 Other

99 o None of the Above

YOU MUST ANSWER ALL 10 QUESTIONS BELOW.

1

2

3

4

5

6

7

8

9

s i g n a t u r e ( r e q u i r e d ) d a t e

x

From time to time, Oracle Publishing allows our partners

exclusive access to our e-mail addresses for special

promo-tions and announcements To be included in this program,

please check this circle If you do not wish to be included, you

will only receive notices about your subscription via e-mail.

Oracle Publishing allows sharing of our postal mailing list with

selected third parties If you prefer your mailing address not to

be included in this program, please check this circle.

If at any time you would like to be removed from either mailing list, please contact

Customer Service at +1.847.763.9635 or send an e-mail to oracle@halldata.com

e-mail related to Oracle products, services, and events If you want to completely

unsubscribe@oracle-mail.com with the following in the subject line: REMOVE [your

please visit oracle.com/html/privacy/html

n a m e t i t l e

c o m p a n y e - m a i l a d d r e s s

s t r e e t / p o b o x

c i t y / s t a t e / z i p o r p o s t a l c o d e t e l e p h o n e

c o u n t r y f a x

Yes, please send me a FREE subscription Oracle Magazine No.

Would you like to receive your free subscription in digital format instead of print if it becomes available? Yes No

To receive a free subscription to Oracle Magazine, you must fill out the entire card, sign it, and date

it (incomplete cards cannot be processed or acknowledged) You can also fax your application to

+1.847.763.9638 Or subscribe at our Web site at oracle.com/oraclemagazine

10