
Construction project management at the next level

Many have been lost trying to reach the Cloud. If only they'd let us lead the way.

If conquering the cloud was easy, anyone could do it.

Our Sherpas are standing by.
Finding the route to your perfect Cloud can be treacherous. Okay, more like impossible. Lucky for you, we've done the impossible before, over 987,000 times before. We know the best routes to get your project management software up, running securely and in the Cloud fast. And no matter how big or specialized your project, we've been there, done that, and have the parka to show for it.
Once you're in your perfect Cloud, our proven SpringBoard portal helps you consolidate applications, data, reports and more, making them accessible to your whole team worldwide. You'll get total control over project status, software licensing, even user training.
Get all that, plus legendary support that won't leave you up a mountain without a piton. Call and let's talk.

Copyright 2015. LoadSpring is a trademark of LoadSpring Solutions, Inc. All Rights Reserved. loadspring.com

MAY/JUNE 2015

Get Mobile and Connected: Consume enterprise web services from mobile apps with Oracle Mobile Application Framework / 33
Upload, Model, Analyze, and Report: Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting / 39
Dynamically Dangerous Code: There's a right time to use dynamic SQL, but there's never a right time for SQL injection / 43
On More-Secure Applications: Our technologist shows how to build security into application design / 51
Keeping Pace: OAUG's new president knows how to handle a changing environment / 56

GUARD THE CROWN JEWELS
Secure your most important business data where it lives with Oracle Database security

BREAKAWAY SPEED
Specialized Bicycles pulls ahead with Oracle engineered systems

MEMORABLE PERFORMANCE
Die Mobiliar speeds business analytics with Oracle Database In-Memory

"SolarWinds Database Performance Analyzer changes the job from figuring out what to fix... to fixing it."
Chris M., Data Services Manager

Spend less time isolating performance problems and more time fixing them. Database Performance Analyzer lets you quickly pinpoint your toughest performance issues in Oracle SE & EE, Oracle Exadata, Oracle Real Application Clusters and Oracle E-Business. You can also monitor SQL Server, ASE SAP, and DB2 from the same interface. It's the one tool that gives application and database professionals the visibility they need to quickly identify bottlenecks, fix problems, and make applications measurably faster.
solarwinds.com/dpa-oracle

VOLUME XXIX - ISSUE 3

CONTENTS

GUARD THE CROWN JEWELS / 21
Data breaches continue to make headlines. Secure your most important business data where it lives: in the database. Tom Haunert

BREAKAWAY SPEED / 24
Specialized Bicycle Components pulls ahead with Oracle engineered systems and software solutions. David Baum

MEMORABLE PERFORMANCE / 28
Swiss insurance leader Die Mobiliar deploys Oracle Database In-Memory to speed business analytics. Philip J. Gill

Cover: I-Hua Chen

Up Front / 5
FROM THE EDITOR / 5
Technology by Example. Good sample data and real examples tell the story. Tom Haunert
MASHUP / 6
News, views, trends, and tools

At Oracle / 8
EVENTS / 8
Find out about upcoming technology and industry events.
RESOURCES / 10
Your guide to the latest Oracle videos, webcasts, white papers, and more
BRIEFS / 12
The latest product news

Community / 14
PARTNER NEWS / 14
BOOK BEAT / 14
COMMUNITY BULLETIN / 16
Happenings in Oracle Technology Network. Roland Smart
ARCHITECT / 17
Get Where You're Going. Training and certification decisions are key junctures on your career path. Bob Rhubart
PEER-TO-PEER / 19
Thinking Green. Three peers recall monochrome monitors, enjoy the outdoors, and optimize energy use. Blair Campbell

Technology / 33
ORACLE MOBILE APPLICATION FRAMEWORK / 33
Get Mobile and Connected. Consume enterprise web services from mobile apps via data controls in Oracle Mobile Application Framework. Chris Muir
BUSINESS ANALYTICS / 39
Upload, Model, Analyze, and Report. Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting. Mark Rittman
PL/SQL / 43
Dynamically Dangerous Code. There's a right time to use dynamic SQL, but there's never a right time for SQL injection. Steven Feuerstein
ASK TOM / 51
On More-Secure Applications. Our technologist shows how to build security into application design. Tom Kyte

Comment / 56
IN THE FIELD / 56
Keeping Pace. OAUG's new president knows how to handle a changing environment. Kate Pavao

ORACLE MAGAZINE MAY/JUNE 2015

EDITORIAL
Editor in Chief: Tom Haunert, tom.haunert@oracle.com
Managing Editor: Jan Rogers, jan.rogers@oracle.com
Associate Editor: Patty Waddington
Contributing Editor and Writer: Blair Campbell
Technology Advisor: Tom Kyte
Contributor: Leslie Steere
DESIGN
Senior Creative Director: Francisco G Delgadillo
Design Director: Richard Merchán
Contributing Designers: Jaime Ferrand, Arianna Pucherelli
Production Designers: Sheila Brennan, Kathy Cygnarowicz
PUBLISHING
Publisher: Jennifer Hamilton, jennifer.hamilton@oracle.com, +1.650.506.3794
Associate Publisher and Audience Development Director: Karin Kinnear, karin.kinnear@oracle.com, +1.650.506.1985
Audience Development Manager: Jennifer Kurtz, jennifer.s.kurtz@oracle.com
ADVERTISING SALES
President, Sprocket Media: Kyle Walkenhorst, kyle@sprocketmedia.com, +1.323.340.8585
Western and Central US, LAD, and Canada, Sprocket Media: Tom Cometa, tom.cometa@oracle.com, +1.510.339.2403
Eastern US and EMEA/APAC, Sprocket Media: Mark Makinney, mark.makinney@sprocketmedia.com, +1.805.709.4745
Recruitment Advertising, Sprocket Media: Josie Damian, josie.damian@sprocketmedia.com, +1.626.396.9400, x200
Advertising Sales Assistant, Sprocket Media: Cindy Elhaj, cindy@sprocketmedia.com, +1.626.396.9400, x201
Mailing-List Rentals: Contact your sales representative.
EDITORIAL BOARD
Ian Abramson, Karen Cannell, Andrew Clarke, Chris Claterbos, Karthika Devi, Kimberly Floss, Kent Graziano, Taqi Hasan, Tony Jambu, Tony Jedlinski, Ari Kaplan, Val Kavi, John King, Steve Lemme, Carol McGury, Sumit Sengupta, Jonathan Vincenzo, Dan Vlamis

SUBSCRIPTION INFORMATION
Subscriptions are complimentary for qualified individuals who complete the form found at
oracle.com/oraclemagazine. For change of address, mail in label with the new address to:
Oracle Magazine, P.O. Box 1263, Skokie, IL 60076-8263.
MAGAZINE CUSTOMER SERVICE
oracle@halldata.com Fax +1.847.763.9638 Phone +1.847.763.9635

RESOURCES
Oracle Products
+1.800.367.8674 (US/Canada)
Oracle Services
+1.888.283.0591
Oracle Press Books
oraclepressbooks.com

PRIVACY
Oracle Publishing allows sharing of its mailing list with selected third parties. If you prefer that your
mailing address or e-mail address not be included in this program, contact Customer Service at
oracle@halldata.com.
Copyright 2015, Oracle and/or its affiliates. All Rights Reserved. No part of this publication may be reprinted or otherwise reproduced without permission from the editors. ORACLE MAGAZINE IS PROVIDED ON
AN AS IS BASIS. ORACLE EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM YOUR
USE OF OR RELIANCE ON ANY INFORMATION PROVIDED HEREIN. The information is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality
described for Oracle's products remains at the sole discretion of Oracle. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Oracle Magazine (ISSN 1065-3171) is published bimonthly with a free subscription price by: Oracle, 500 Oracle Parkway, MS OPL-3A, Redwood City, CA 94065-1600. Periodicals Postage Paid at Redwood City,
CA, and additional mailing offices. POSTMASTER: Send address changes to: Oracle Magazine, P.O. Box 1263, Skokie, IL 60076-8263.

Printed by Quad Graphics

MAY/JUNE 2015 ORACLE.COM/ORACLEMAGAZINE

FROM THE EDITOR

Technology by Example

Good sample data and real examples tell the story.

How do you learn? Do you look at a technology concept description or formula or code syntax and immediately see practical applications? Do you go directly from hearing about a new technology to applying it successfully to real-world solutions?
Some people can get from technology concepts and syntax to solutions and results without a lot of information in between. Many more, I believe, don't turn away when examples are offered to support complex concepts and syntax. For me, it's the excellent examples that support, and often complete, the story of the underlying technology.
Longtime Oracle Magazine columnists Tom Kyte and Steven Feuerstein are masters of the brief example and brief sample data. If someone on the Ask Tom forum (asktom.oracle.com) asks Tom a question that calls for a sample database with thousands or tens of thousands or even more rows, Tom will create the right-size database in the fewest lines of code possible. Steven quickly creates multiple PL/SQL package specifications, bodies, procedures, functions, and more, always using best practices for naming and coding while keeping the code volume to just what's needed to explain the topic.

EXAMPLES OF SAMPLES
An important part of many good information technology examples is a representative set of sample data: data that enables everyone who follows the example process to also see how that example could be applied to one's own business and technology. Oracle Database, for example, has included sample data for many years, going back to the venerable SCOTT schema and continuing with the HR (human resources), OE (order entry), PM (product media), SH (sales history), and IX (information exchange) schemas.
If you're a regular reader of Oracle Magazine, you've seen these schemas or data derived from these schemas used often in the magazine's hands-on how-to technology articles. Some of the magazine's technology writers also create ad hoc sample data that provides what seems to be the exact amount of information required for an article in the shortest possible space. I respect that efficiency, and as an editor who has to make all content fit in pages, columns, boxes, and so on, I appreciate the brevity.

EXAMPLE ADDITION
In addition to featuring hands-on how-to articles that are rich with examples, Oracle Magazine features stories of Oracle customers succeeding with Oracle technology. These customers demonstrate by example their own business and technology challenges and solutions for other business and technology leaders to see. And in the same way a technologist can extrapolate a solution from the presentation of examples, business and technology leaders (visionaries) can see success and create their own new success strategies based in part on the experience of a small sample of some of Oracle's 400,000 customers.
You can see tens of thousands of Oracle customers and technologists, and hear their success strategies and stories in person, at Oracle OpenWorld 2015 in San Francisco, California, October 25-29. Register early. Be an example.

This From the Editor was inspired by an e-mail conversation with Oracle ACE Director and Oracle Magazine columnist Mark Rittman. In discussing Mark's next article for Oracle Magazine, I questioned his idea for introducing sample data into the hands-on how-to steps he was planning to describe. The article steps involved moving big data between systems, and Mark's plan for using sample big data for the article was to load it quickly from a single file. When I questioned the idea of true sample big data coming from a single data file, Mark pointed out that a more realistic alternative to loading sample big data could be a long article all by itself. An excellent point.
Thanks, Mark, for the example explanation and editorial inspiration.

Tom Haunert, Editor in Chief
tom.haunert@oracle.com

NEXT STEPS
READ more about Oracle Database sample schemas
bit.ly/1dazDlV
READ Oracle Magazine hands-on how-to articles
oracle.com/technetwork/oramag/magazine/tech-articles
READ Oracle Magazine customer stories
bit.ly/1E09L50
REGISTER for Oracle OpenWorld 2015
oracle.com/openworld

SEND MAIL TO THE EDITORS
Send your opinions about what you read in Oracle Magazine, and suggestions for possible technical articles, to opubedit_us@oracle.com. You can also follow our @oraclemagazine Twitter feed or join us on Facebook at bit.ly/orclmagfb. Letters may be edited for length and clarity and may be published in any medium. We consider any communications we receive publishable.

CONNECT:
bit.ly/orclmagcom
bit.ly/orclmagfb
twitter.com/oraclemagazine
linkd.in/orclmag

MashUp

News. Views. Trends. Tools.

APPS: GREAT GETAWAYS

Planning your summer vacation? These helpful travel apps will make it even more enticing.

GateGuru
Turn the journey into a jaunt. GateGuru gives you up-to-date information on in-airport food, shops, and services, keeps you on top of gate changes, and even gives you estimated security wait times to help you make your flight. Free (Android, iOS, Windows Phone). gateguru.com

Citymapper
Billing itself as the ultimate urban transport app, Citymapper does the work of navigating 14 major cities for you. Choose the subway, bus, train, car, bike, or walking. Citymapper plans routes, then gives you information about distance, times, and prices. Free (Android, iOS). citymapper.com

Time Out City Guides
Insider information takes on a new meaning with Time Out city guides covering more than 50 cities worldwide. Get highlights for history, food, art, entertainment, nightlife, and more, all informed by local expertise. Free (Android, iOS). timeout.com/city-guides

Image It
When your high school language skills desert you, Image It comes to the rescue by helping you communicate with pictograms. Combine a series of more than 400 images to free yourself from language barriers. US$0.99 (Android, iOS). twitter.com/image_it

Instant Inspection
Been longing for your very own tricorder? SCiO, a molecular sensor that fits in the palm of your hand, is for anyone who wants instant information about the things they're interacting with or consuming. This tiny device reads the chemical make-up of materials such as food, plants, medication, plastics, and oils using a nonintrusive, no-touch optical sensor, and with every scan, the device gets smarter. Discover how much fat is in any salad dressing, how much sugar is in a particular piece of fruit, how pure an oil is, and more. US$249. consumerphysics.com/myscio/scio

IT Security First Line of Defense: Employees

More than 85 percent of CIOs in a recent survey say they're currently taking steps or are planning to take steps in 2015 to improve IT security. Topping the list? Enhancing employee training on IT security issues. Responses came from 2,400 CIOs at US companies with 100 or more employees, and multiple responses were allowed.

CIOS' CURRENT OR PLANNED MEASURES FOR ENHANCING IT SECURITY

Enhance employee training on IT security issues: 54%
Enhance vetting of firms with access to company data: 45%
Add IT security personnel: 41%
Contract with third-party vendors or add tools to enhance security: 41%
Implement multifactor authentication process: 41%
Other measures: 1%

Source: Robert Half Technology, roberthalf.com/technology


DO YOU SPEAK TECH?

QUIZ YOURSELF!

1. In the term exabyte, the prefix exa- stands for __________ .
a. A unit of measurement
b. Multiplication by the sixth power of 1,000
c. One quintillion
d. A group of digits operated on as a unit

2. The movement behind the field of inquiry that gave rise to devices such as wearable fitness trackers is referred to as __________ .
a. Quantified self
b. Fitness surveillance
c. Wearable computing
d. Humanism

3. In user interface design, a term associated with user-friendliness is __________ .
a. Xerosere
b. Xanthic
c. Xeographic
d. Xenodochial

Answers
1. (b) The prefix exa- indicates multiplication by the sixth power of 1,000.
2. (a) The history of quantimetric self-tracking using wearable computer devices is said to have begun in the 1970s, and the term quantified self is commonly attributed to Wired editors Gary Wolf and Kevin Kelly.
3. (d) Xenodochial describes something that is friendly to strangers and has become synonymous with accessible user interface design elements such as icons and universal symbols.

Power to Go
Hit the road this summer with the world's smallest battery pack with a standard wall outlet. Power your laptop, tablet, phone, speakers, radio, television, lights, and more: anything, in fact, that can charge by USB or by a standard wall plug. The ChargeAll Portable Power Outlet comes in two sizes and uses AC power for household appliances and DC power for 12V electronics. Starting at US$269.95. chargetech.com

EVENTS

Technology Events

Conferences and sessions to help you stay on the cutting edge

ODTUG Kscope
June 21-25, Hollywood, Florida
ODTUG's annual gathering includes content for developers, administrators, and business users on developer toolkit essentials, Oracle Essbase, Oracle Application Express, Oracle Business Intelligence, Oracle Enterprise Performance Management, Oracle Application Development Framework, Oracle Fusion Applications development, Oracle Database, and more. Register at kscope15.com.

Women in Technology Summit
May 31-June 2, San Jose, California
bit.ly/1AE4lJC
Tech-savvy executives, entrepreneurs, and thought leaders gather to collaborate on solutions to common business challenges and explore new business opportunities that underscore how technology powers change.

Oracle HCM Users Group (OHUG) Global Conference
June 8-11, Las Vegas, Nevada
ohug.org/ohug2015
Oracle Human Capital Management (HCM) users learn about Oracle E-Business Suite and Oracle's PeopleSoft solutions, plus get the latest updates about Oracle's HCM cloud solutions.

infoShare
June 11-12, Gdansk, Poland
theinfoshare.org
The ninth annual free infoShare IT and new media conference brings together tech leaders, entrepreneurs, and investors to discuss IT, mobile technology, security, innovations, trends, new media, startups, and project and team management.

SANSFIRE
June 13-20, Baltimore, Maryland
bit.ly/1F3AmR5
This event features hands-on, immersion-style cybersecurity training courses aimed at security professionals at all levels, plus bonus sessions, evening presentations, and special events.

Gigaom Structure
June 17-18, San Francisco, California
bit.ly/1zte42Q
Attendees at this annual conference explore trends in cloud computing, including public versus private cloud, cloud security, and innovative cloud computing use cases.

MobileBeat
July 13-14, San Francisco, California
bit.ly/1Adm8rr
More than 1,000 attendees focus on using mobile technologies for growth. Key themes this year include personalized advertising, customer nurturing, big data, user acquisition and monetization, mobile apps, industries, and analytics.

MozCon
July 13-15, Seattle, Washington
moz.com/mozcon
Attendees get three days of forward-thinking sessions covering search engine optimization, social media, community building, content marketing, brand development, conversion rate optimization, the mobile technology landscape, analytics, and more.

ORACLE USER GROUPS

Mid-Atlantic Regional Higher Education User Group Conference
June 2, Baltimore, Maryland
bit.ly/1KPBuYM

DOAG (German Oracle User Group) 2015 Business Solutions Conference
June 9-11, Darmstadt, Germany
bit.ly/1Mho6yk

Southern California Users Group Quarterly Meeting
June 10, Huntington Beach, California
bit.ly/17p8qcL

New York Oracle User Group Summer General Meeting
June 11, New York, New York
nyoug.org

Bulgarian Oracle User Group Spring Conference
June 12-14, Plovdiv, Bulgaria
bgoug.org/en

New England Oracle Applications User Group Conference
June 15, Worcester, Massachusetts
neoaug.org

DEVOXX United Kingdom
June 17-19, London, England
devoxx.co.uk

Eastern Canada Regional User Group Conference
June 22-23, Toronto, Ontario, Canada
bit.ly/1LT7J81

UKOUG Database Server Special Interest Group Meeting
UKOUG RAC Cloud Infrastructure and Availability Special Interest Group Meeting
July 1, Reading, England
ukoug.org

The Chartered Institute for IT, BCS Berkshire Branch, Committee Meeting
July 7, Reading, England
bit.ly/1Ja0kmc

Twin Cities Java User Group Meeting
July 13, Eagan, Minnesota
bit.ly/1r3gQyD

Oracle Transportation Management Special Interest Group Quarterly Webinar
July 14, online event
otmsig.com

Southwest Regional Oracle Applications User Group Meeting
July 23, Irvine, California
bit.ly/1pxm5AM

EVENTS LOCATOR
Oracle Events
oracle.com/events
Locate User Groups
oracle.com/technetwork/community

Push a Button
Move Your Database to the Oracle Cloud or Back to Your Data Center
Same Database
Same Standards
Same Architecture

cloud.oracle.com/database
or call 1.800.ORACLE.1
Copyright 2015, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates.


RESOURCES

What's New at Oracle

The latest videos, webcasts, e-books, and more

VIDEOS

Securing Cloud Data Is Not a Game
bit.ly/1Dpzdj1
Not all cloud providers are created equal when it comes to security. Find out how a modern cloud can help you reduce risk and keep your data secure.

Accelerate Your Cloud Journey with Oracle Enterprise Manager 12c
bit.ly/1zaTtlf
Find out how to deliver top-quality database and application platform services in your private cloud.

WEBCASTS

The Next Generation of Oracle's Engineered Systems
bit.ly/15aEQFE
See Oracle Executive Chairman and Chief Technology Officer Larry Ellison and other Oracle executives introduce Oracle's X5 generation of engineered systems.

Cloud Platform Online Forum
bit.ly/1zaSG3G
Watch an analyst keynote featuring International Data Corporation (IDC) Analyst Robert Mahowald and sessions that teach you how to rapidly build, deploy, manage, and secure rich applications using an integrated cloud platform built on the industry's #1 database and #1 application server.

E-BOOKS

Oracle Cloud Solutions Overview
bit.ly/1DlJ7ni
Learn how Oracle's modern cloud solutions can help your business thrive in the digital age.

SaaS for Dummies
bit.ly/1EG501P
As a business manager, how can you be sure you're doing software as a service (SaaS) right? Learn how to select modern cloud services that are personalized, connected, and secure.

INFOGRAPHICS

Engineered for Innovation
bit.ly/1B2R15Z
Discover what differentiates Oracle's engineered systems from other integrated systems, and how they help customers focus on business innovation.

Five Best Practices for Platform as a Service (PaaS) Success
bit.ly/paasinfographic
Maximize the business value of your PaaS solution with techniques based on best practices derived from a survey of more than 300 IT practitioners worldwide.

WHITE PAPERS

How Efficient IT Shapes High Tech Success
bit.ly/1CjoC9j
Learn how seamlessly integrated IT addresses the challenges of converging global markets, increasing customer demands, greater supply chain complexity, and unprecedented strain on existing IT infrastructures.

RESOURCE CENTERS

Oracle Private Platform as a Service (PaaS) Online Assessment
bit.ly/paasassessment
Take this assessment to find out your private PaaS adoption maturity relative to your peers, and identify next steps to help drive your strategy.

Delivering Next-Generation Digital Experiences
bit.ly/1DlDHZC
Get an in-depth look at how enterprise-level marketing technology unlocks breakthrough innovations for audience engagement and connects experiences to business outcomes.

Oracle FS1: A Cost-Effective Flash Storage System
bit.ly/1yqYlRX
Visit this resource center to access videos, demos, and more that will help you learn how to speed queries by up to 5 times and reduce storage requirements by up to 90 percent with the Oracle FS1 Series flash storage system.

Ensure Your MySQL Databases Are Secure
bit.ly/1DlLCpR
Access this resource kit to learn about the advanced MySQL authentication, auditing, and encryption features in MySQL Enterprise Edition.

PODCASTS

Infinity Insurance Secures Sensitive Personally Identifiable Information
bit.ly/1AsdXu5
Infinity secures sensitive data, such as social security, payment card, and driver's license numbers, with Oracle Advanced Security.

DBA Security Superheroes: With Great Power Comes Great Responsibility
bit.ly/1rTMH5v
Michelle Malcher discusses the 2014 IOUG Enterprise Data Security Survey Report, and confirms that, more than ever, organizations need database administrators with comprehensive security knowledge.

WEB LOCATOR
Oracle Consulting
oracle.com/consulting
Oracle Events and Webcasts
oracle.com/events
Oracle Newsletters
oracle.com/newsletters
Oracle Podcast Center
oracle.com/podcasts
Oracle University
bit.ly/ouoramag
Oracle Support
oracle.com/support
My Oracle Support
myoraclesupport.com
My Oracle Support Communities
communities.oracle.com

CONNECT:
oracle.com/blogs
facebook.com/oracle
twitter.com/oracle
linkedin.com/company/oracle
bit.ly/plusOracle

YOUR DESTINATION FOR ORACLE AND JAVA EXPERTISE!

Written by leading technology professionals, Oracle Press books offer the most definitive, complete, and up-to-date coverage of Oracle products and technologies available.

Oracle Database Upgrade, Migration & Transformation Tips & Techniques
Edward Whalen, Jim Czuprynski
Learn best practices from two Oracle ACEs for an effective, efficient, and secure database transition.
Available June

Oracle SQL Developer Data Modeler for Database Design Mastery
Heli Helskyaho
An Oracle ACE Director shows how to design, deploy, and maintain high-performance enterprise databases on any platform with this powerful, free tool.

OCA/OCP Oracle Database 12c All-in-One Exam Guide (Exams 1Z0-061, 1Z0-062 & 1Z0-063)
John Watson, Roopesh Ramklass, Bob Bryla
This comprehensive exam preparation tool covers all objectives for all three exams. Electronic practice exam questions are included.
Available August

Running Applications on Oracle Exadata: Tuning Tips & Techniques
Joyjeet Banerjee
An enterprise architect specializing in migration to Oracle's engineered systems reveals how to configure and tune Oracle Exadata to achieve peak results from applications.

Available in print and eBook formats.

www.OraclePressBooks.com
@OraclePress

Press Headlines

New Oracle Consumer Study Challenges Retailers to Adapt to Modern Retail Marketplace
bit.ly/1c1kdQm

Oracle Communications Advances Network Function Virtualization by Delivering Carrier-Grade Data Center Performance
bit.ly/1Ikw2yo

Genie Retail Energy Improves Operations and Increases Efficiency with Oracle Utilities Load Profiling and Settlement
bit.ly/1DcAM61

Dombivli Nagari Sahakari Bank Chooses Oracle FLEXCUBE as Its Core Banking Solution
bit.ly/1yPyXGW

Boise State University Selects Oracle Enterprise Resource Planning Cloud
bit.ly/1CLLD5p

Newfield Supports Employee Performance with Oracle Human Capital Management Cloud
bit.ly/1y3eNZs

Epsilon Deploys Oracle Linux and Oracle VM to Deliver Solutions up to 20 Times Faster at a 35 Percent Lower Total Cost of Ownership
bit.ly/1y3eXju

Oracle Data as a Service for Marketing Connects B2B Marketers with Millions of Business Professionals and Decision-Makers
bit.ly/1EEZzwi

Oracle's Netra Modular System Brings Converged Infrastructure to the Communications Industry
bit.ly/1N5Yzrv

New Oracle and Forbes Insights Study Shows Companies Moving Toward Modern Customer Service
bit.ly/19wZvXa

Oracle's MICROS Workstation 6 Point-of-Service Terminal
bit.ly/1I0OlIH

MAY/JUNE 2015 ORACLE.COM/ORACLEMAGAZINE

Oracle Advances Vision for Enterprise Big Data


Oracle recently unveiled new big data solutions that simplify information access and
discovery. New offerings include Oracle Big
Data Discovery, Oracle GoldenGate for Big
Data, Oracle Big Data SQL 1.1, and Oracle
NoSQL Database 3.2.5. These additions
further Oracles efforts to enable Hadoop,
NoSQL, and SQL technologies to work
together and be deployed securely in any
modelwhether public cloud, private cloud,
or an on-premises infrastructure.
Oracle Big Data Discovery is designed
to be the visual face of Hadoop, making it
easier to find, explore, transform, discover,
and share big data insights. The product
makes big data assets more accessible to
a broader group of business analysts and
helps reduce risks and improve time to value
for big data projects.
Oracle GoldenGate for Big Data is a
Hadoop-based technology that enables
customers to stream real-time data from
heterogeneous transactional systems into
big data systems, including targets such
as Apache Hadoop, Apache Hive, Apache
HBase, and Apache Flume. Customers can
use it to enhance big data analytics initiatives by incorporating existing real-time
architectures into big data solutions, while
ensuring that their big data reservoirs are up
to date with production systems.
Oracle Big Data SQL 1.1 extends Oracle
SQL to Hadoop and NoSQL with the security

of Oracle Database. It enables a single fast


query, written in Oracle SQL, to transparently access data in Hadoop, NoSQL, and
Oracle Database. Oracle Big Data SQL
1.1 provides tighter integration between
Hadoop and Oracle Database, while
increasing query performance by up to 40
percent from previous versions.
Oracle NoSQL Database 3.2.5 is an adaptable solution that allows developers to build
high-performance, next-generation applications. The latest release provides predictable low latency, a RESTful application
programming interface (API), and an Apache
Thriftbased C API, and is integrated with
the Oracle Big Data platform. Building
on Oracle Big Data SQL, Oracle NoSQL
Database 3.2.5 also supports data definition
language, making it even easier to use SQL
to query NoSQL data.
Data is a new kind of capital, and
enterprises must invest their data capital
strategically to create the best return, says
Neil Mendelson, vice president of big data
at Oracle. Oracle gives customers an integrated platform that helps simplify access
to all their data, discover new insights,
predict outcomes in
real time, and keep
all their data governed and secure.
bit.ly/1EPwMHU

Oracle Announces Release of Java Development Kit 8, Update 40


Demonstrating its continued investment in the world's #1 programming language, Oracle announced the release of Java Development Kit 8, Update 40 (JDK 8u40). This latest release brings improvements to performance, scalability, and administration, making it easier for Java developers, partners, and IT decision-makers to innovate faster in a simple, easy manner and improve application services. The release also includes new updates to JavaFX.

Among the features and benefits of the new release are G1 enhancements, dynamic enablement of Java Flight Recorder, improvements to the native packager, a new time zone updater tool, Nashorn support, Java Virtual Machine reaction to memory pressure, the Java Mission Control 5.5 feature, lambda form reduction and caching, native memory tracking scalability, and enhanced cryptographic performance of secure hash algorithms.

"The proliferation of mobile devices and the Internet of Things has led to an increasingly connected world, but none of this would be possible without underlying foundational technology like Java," says Georges Saab, vice president of development, Java Platform at Oracle. "With these updates, we continue to usher in the next era of Java to enable developers and enterprises alike to cement Java's role as the backbone of today's and tomorrow's revolutionary business solutions."

bit.ly/18VEyVt

BRIEFS

Oracle Introduces Oracle Data as a Service for Customer Intelligence


To help organizations increase customer understanding and uniquely extract meaningful insights from any form of indirect or direct customer feedback, Oracle recently announced Oracle Data as a Service for Customer Intelligence. Part of Oracle Data Cloud, the new product is designed to help organizations extract and unify insights from a growing number of unstructured data assets. These insights can be used to capture a more complete view of customer input across social and enterprise channels, identify and manage customer issues, understand how customer voice (expectations, preferences, aversions, and more) is affecting sales, and ultimately arm businesses with the intelligence to create happier customers.

"Knowing more about your customers and prospects (what they do, say, and buy) is key to driving competitive business insights and actions," says Omar Tawakol, group vice president and general manager, Oracle Data Cloud. "With the release of Oracle Data as a Service for Customer Intelligence, businesses can tap into what customers say by unifying and analyzing the growing world of unstructured data across social messages, chat logs, reviews, surveys, and transcripts into digestible and actionable customer insights."

bit.ly/1EEZdWr

Oracle Marketing Cloud Helps Higher Education Institutions Improve Student Engagement and Retention

To help higher education institutions enhance student engagement and retention, Oracle has announced Oracle Marketing Cloud for student engagement. The new solution provides advanced targeting and segmentation capabilities, as well as prebuilt data models and customized campaign templates designed for student outreach and retention initiatives.

"The higher education landscape is rapidly transforming, thanks in part to shifting student demographics, diminishing enrollment, rising expectations, escalating dropout rates, and new funding criteria imposed by local governments," says Mark Armstrong, vice president, Oracle Higher Education. "At Oracle, we are committed to leveraging our extensive insights across a range of verticals to deliver the industry-specific, multichannel marketing solutions that reduce marketing complexity and enable more effective and meaningful audience engagements."

bit.ly/1NdhcI7

Primavera Launches Project Portfolio Management Cloud Services Accelerators for Financial Services, Public Sector, and Engineering and Construction Industries

Oracle has launched three new cloud services accelerators for enterprise project portfolio management (EPPM) in the financial services, public sector, and engineering and construction industries. Combining Oracle's Primavera products with Oracle's cloud technology expertise, these purpose-built accelerators enable organizations to address the challenges associated with managing project, program, portfolio, and contract lifecycles in their respective industries.

"Gone are the days of one-size-fits-all project and contract management tools. Our customers need cloud-based, specialized solutions that fit how they do business, get them up and running quickly with industry best practices, and provide the flexibility and power to change and grow with their needs. That's why we have launched these three process- and industry-specific accelerators. With this announcement, we are looking to the cloud as the catalyst that will enable our customers to use EPPM to transform their organizations at the speed that they demand," says Mike Sicilia, senior vice president and general manager, Oracle Primavera Global Business Unit.

bit.ly/1CsVKvU

Oracle's New Ethernet Switches and Virtual Network Services Target Software-Defined Data Centers and Cloud

Oracle is addressing two major networking requirements for cloud-enabled data centers with new high-performance, low-cost 10 Gb/40 Gb Ethernet switches and the addition of virtual network services to Software Defined Networking (SDN). The new networking technologies provide the flexibility and scalability for both enterprise data centers and network function virtualization infrastructure.

"Cloud-enabled data centers are only as fast or as agile as their networking allows, which makes the convergence of software-defined networking and network services a next logical step in the evolution of the software-defined data center," says Raju Penumatcha, senior vice president, Netra systems and networking at Oracle. "Oracle's new Ethernet switches and virtual network services in Oracle SDN help clear the way for enterprises to deploy key network services faster and gain high performance at the lowest cost."

bit.ly/MvGNTK

MySQL Cluster 7.4 Released


MySQL Cluster 7.4, now generally available, delivers greater performance, high availability, advanced management capabilities, and more.

"With digital proliferation generating more data than ever before, businesses need online transaction processing to be as efficient and performant as possible," says Tomas Ulin, vice president, MySQL engineering at Oracle. "With no single point of failure, MySQL Cluster 7.4 provides high performance to a wide range of application requirements for a user base that spans administrators of major telecommunications subscriber databases to providers of next-generation web, cloud, social, and mobile applications."

bit.ly/1JOgDIq

ORACLE MAGAZINE MAY/JUNE 2015


Book Beat

Expert Oracle Exadata, Second Edition
By Andy Colvin, Karl Arao, Martin Bach, Frits Hoogland, Kerry Osborne, Randy Johnson, Tanel Põder
Apress
apress.com

Expert Oracle Exadata, Second Edition, covers the mechanics that underlie Oracle Exadata to help readers understand how its hardware and software work together to create a superior platform for running Oracle Database. The authors share their real-world experience with Oracle Exadata and introduce readers to new performance-enhancing concepts such as offloading SQL processing to the storage layer. The book provides a roadmap to laying out the Oracle Exadata platform to best support existing systems.

Oracle SQL Developer Data Modeler for Database Design Mastery
By Heli Helskyaho
Oracle Press
oraclepressbooks.com

In Oracle SQL Developer Data Modeler for Database Design Mastery, Oracle ACE Director Helskyaho reveals how to design world-class databases on any platform using the full capabilities of this powerful, free tool. She provides best practices for planning, executing, installing, deploying, and maintaining a database of any size, and approaches the subject of database design from concept to the details of documenting code.

Advanced WebLogic Server Automation
By Martin Heinzl
Rampant TechPress
rampant-books.com

Advanced WebLogic Server Automation covers how to automate all aspects of Oracle WebLogic Server in both small and very complex environments by using powerful application programming interfaces. The book includes tips based on lessons learned during the author's more than 15 years of experience with Oracle WebLogic Server. It also offers many practical examples and a comprehensive code download of powerful WebLogic Scripting Tool and Java Management Extension scripts.

Look for other Oracle books at bit.ly/oraclebookstore.


Partners Earn Oracle Validated Integrations


Six partners have earned Oracle Validated Integrations, demonstrating that their solutions are designed in a reliable way, have been tested as functionally and technically sound, and perform as documented.

Crawford Technologies, an Oracle Gold Partner, achieved Oracle Validated Integration status with integration of PRO Transform Plus Version 3.0 and Oracle WebCenter Content 11g. Crawford Technologies offers print-stream transformation, document re-engineering, workflow, document accessibility, and archiving software solutions.

ITCROSS, an Oracle Gold Partner, achieved the status with a set of applications designed for integrating Oracle's JD Edwards 9.1 and Edicom software for electronic invoices in Mexico. ITCROSS provides JD Edwards consulting services worldwide.

Kaba Workforce Solutions, an Oracle Gold Partner, achieved the status for integrating B-COMM for Oracle Time and Labor 7 with Oracle E-Business Suite 12.2. Kaba Workforce Solutions is a wholly owned operating subsidiary of Kaba Holding, a global provider of enterprise workforce management and access control solutions with a focus on time and attendance, workforce scheduling, data visualization and analytics, regulatory compliance, and more.

Transcepta, an Oracle Gold Partner, achieved the status for integrating Transcepta E-Invoicing and Supplier Onboarding Service Version 4.1 with Oracle E-Business Suite 12.2. Transcepta provides accounts payable and procurement professionals with cloud-based procure-to-pay solutions, including e-invoicing, spend management, VAT compliance, supplier information management, and supplier enablement.

Ventureforth, an Oracle Platinum Partner, achieved the status for integrating vAudit 7.0 with Oracle E-Business Suite 12.2. Ventureforth's technologies extend Oracle Applications to mobile users.

VoltDelta, an Oracle Gold Partner, achieved the status with integration of its DeltaACD 2.0 Cloud Contact Center with Oracle Service Cloud. VoltDelta is a global cloud-based contact center provider specializing in data-driven contact management.

crawfordtech.com
it-cross.com
kaba-benzing-usa.com
transcepta.com
ventureforth.com
voltdelta.com

Partners Achieve Oracle PartnerNetwork Specialized Status for Oracle Cloud Solutions

Three partners have achieved Oracle PartnerNetwork Specialized status for their Oracle Cloud solutions. Specialized status spotlights the strengths and special skills of experienced and committed Oracle partners.

Kaygen, an Oracle Platinum Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Fusion Customer Relationship Management Cloud Service, part of Oracle Sales Cloud. Kaygen is a professional services firm specializing in information management with expertise spanning master data management, data quality, business intelligence, analytics, and enterprise integration.

Performance Architects, an Oracle Platinum Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Business Intelligence Cloud Service. Performance Architects is a business and technology consulting company that partners with clients to improve enterprise performance.

Quarry Integrated Communications, an Oracle Gold Partner, achieved Oracle PartnerNetwork Specialized status for Oracle Eloqua and Oracle Content Marketing Cloud Service, both part of Oracle Marketing Cloud. Quarry is a buyer experience agency that helps organizations accelerate brand growth, reignite brand innovation, and redefine brand advantage.

kaygen.com
performancearchitects.com
quarry.com


PARTNER NEWS

Partners Achieve Oracle Gold Partner Status


Four Oracle partners have achieved Gold membership in Oracle PartnerNetwork.

ConnectLeader, the developer of Personal Dialer and Team Dialer sales dialing solutions, is recognized for its commitment to establish Oracle-related knowledge in delivering sales dialing technology and solutions, and for uniquely addressing the challenges of joint customers.

Continuity Software, a provider of service availability risk management solutions, is recognized for its commitment to establish Oracle-related knowledge in delivering solutions that mitigate downtime and data-loss risks across the enterprise IT environment including disaster recovery, high availability, and cloud environments, and for uniquely addressing the challenges of joint customers.

MAXIMUS, an operator of government health and human services programs in the United States, United Kingdom, Canada, Australia, and Saudi Arabia, is recognized for its commitment to establishing Oracle-related knowledge in delivering Electronic Work Opportunity Tax Credit prescreening, I-9/E-Verify management, and solutions that uniquely address the challenges of joint customers who seek to maximize their tax credit potential and maintain hiring compliance requirements.

Talentoday, creator of an online social career guidance solution, is recognized by Oracle as an international and reliable test editor and for its commitment to deliver assessment tools to professionals. Talentoday's solution provides a free assessment for individuals and a cloud-based framework with which career and HR experts can scale and optimize effective job placement.

connectleader.com
continuitysoftware.com
maximus.com
talentoday.com

MorganFranklin Consulting Achieves Oracle Platinum Partner Status


Washington DC-based professional advisory, business consulting, and technology solutions company MorganFranklin Consulting recently announced it has achieved Oracle Platinum Partner status in Oracle PartnerNetwork. Oracle recognizes MorganFranklin for its expertise using Oracle products to help companies improve their business agility and resiliency, as well as for uniquely addressing the challenges of joint customers.

morganfranklin.com


Two Partners Achieve Oracle Exastack Ready Status


Two partners have achieved Oracle Exastack Ready status for their solutions. Oracle Exastack Ready status indicates that these partners support their applications with Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud, Oracle Exalytics In-Memory Machine, Oracle SuperCluster, Oracle Database Appliance, Oracle Big Data Appliance, or Oracle Virtual Compute Appliance, and the latest major releases of their component products.

Oracle Diamond Partner Capgemini's OCommerce achieved Oracle Exadata Ready, Oracle SuperCluster Ready, Oracle Exalogic Ready, Oracle Exalytics Ready, Oracle Database Appliance Ready, and Oracle Big Data Appliance Ready status. OCommerce is a new solution, co-architected with Oracle, to help streamline customer interactions across all channels with a focus on increasing conversion rates and loyalty through proactive targeting and marketing to customers.

Oracle Gold Partner MicroStrategy achieved Oracle Exadata Ready, Oracle Exalogic Ready, Oracle SuperCluster Ready, Oracle Database Ready, Oracle WebLogic Ready, Oracle Linux Ready, Oracle Solaris Ready, and Oracle VM Ready status for MicroStrategy Analytics Platform 9. MicroStrategy Analytics Platform helps organizations transform big data into intuitive dashboards and reports for greater analytical insights.

capgemini.com
microstrategy.com

Partner Offerings Available on Oracle Cloud Marketplace

To meet the growing demand for business applications that leverage cloud, mobile, and social technologies, and to create new opportunities for its partners, Oracle offers the Oracle Cloud Marketplace, where applications and services developed by Oracle partners and leveraging Oracle Cloud platform services and Oracle software-as-a-service applications are available. Customers can browse, evaluate, and buy solutions to address their business needs.

Offerings include:

Data8 Advanced Company Information, part of Oracle Gold Partner Data8's data validation offerings. Data8 provides data quality solutions including comprehensive data cleansing, real-time data validation, and data supply services.

Peloton CloudAccelerator for Oracle Planning and Budgeting Cloud Service, developed by Oracle Platinum Partner Peloton Group. Peloton offers advisory, implementation, and outsourcing services to aid business transformation in the areas of business planning, financial consolidation and reporting, business analytics, data integration, and technology infrastructure.

data-8.co.uk
pelotongroup.com

Kalido Achieves Oracle Exastack Optimized Status

Oracle Gold Partner Kalido has achieved Oracle Exastack Optimized status for its Kalido Information Engine, a development and deployment platform for analytics. Kalido is a provider of business-driven data governance software. The Oracle Exastack Optimized program enables Oracle partners to develop, test, and tune their applications on Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud, Oracle Exalytics In-Memory Machine, Oracle SuperCluster, Oracle Database Appliance, and Oracle Big Data Appliance engineered systems.

kalido.com


Community Bulletin

BY ROLAND SMART
News, People, Happenings in Oracle Technology Network

PODCAST ROUNDTABLE ON API MANAGEMENT

A four-part Oracle Technology Network (OTN) ArchBeat podcast series, featuring Oracle Fusion Middleware and service-oriented architecture (SOA) experts, examines the rise of API management lifecycle solutions. As the interviewees point out, increasing API adoption across the organization is just one reason to invest in an API management strategy. Other reasons include the opportunity to track developer usage of different APIs, as well as replacing outdated methods of gathering API documentation (such as spreadsheets) with more developer-friendly resources. Stream the entire podcast series at bit.ly/api-managementpodcast. Then, visit Oracle Community to discuss API management and SOA governance with other OTN members at bit.ly/api-management-chat.

NEW BOOK: Data Visualization for Oracle Business Intelligence 11g

Data Visualization for Oracle Business Intelligence 11g, written by Oracle ACE Director Dan Vlamis and data visualization design expert Tim Vlamis, provides an end-to-end guide to using graphs, pivot tables, and rich multivariable dashboards to unlock immediate business value. Among other best practices, you'll learn how to choose the most effective graph type (bar, waterfall, histogram, radar, and so on) for your data sets, how to incorporate advanced visualizations (such as jQuery sparklines) into your Oracle Business Intelligence 11g dashboards, and how to create interactive business intelligence reports and scorecards for both technical and nontechnical decision-makers. Published by McGraw-Hill and Oracle Press, Data Visualization for Oracle Business Intelligence 11g is available in both paperback and e-book formats. Read a sample chapter and buy the book at bit.ly/obi-book.

Available Now: MySQL Cluster 7.4

Designed to deliver 99.999 percent availability, MySQL Cluster 7.4 provides improved performance for both read-only workloads and read/write operations. It also includes a host of new geographic redundancy features, enabling update-anywhere replication between distant clusters. MySQL Cluster 7.4 is available in both open source and commercial editions. Download the quick start guide, evaluation guide, and complete software package at bit.ly/downloadMySQL-Cluster.

Get Certified in Oracle Mobile Development

If you have solid experience in Oracle mobile development solutions, consider getting certified via the Oracle Mobile Development 2015 Essentials Exam. Offered by Oracle PartnerNetwork, a comprehensive exam with more than 100 questions verifies your knowledge of a number of key competencies, including Oracle Mobile Application Framework, mobile user interface design, and application security across multiple mobile platforms. Learn more about the exam requirements and specialist certification at bit.ly/omd-cert-2015. You can also prepare for your test day by consulting the official study guide at bit.ly/omd-study-guide.

Deploying Oracle Database 12c on Oracle Solaris 11

A new how-to guide from Oracle Solaris experts Glynn Foster and Ginny Henningsen provides detailed instructions for installing Oracle Database in a non-global Oracle Solaris Zone. The authors present the five key steps for installing Oracle Database 12c on Oracle Solaris 11, covering server installation, zone configuration, software prerequisites, Oracle Database installation, and final validation. Find the step-by-step instructions and explanatory screenshots at bit.ly/12c-fivesteps, and review the full directory of Oracle Solaris how-to articles at bit.ly/Solaris-articles.

Roland Smart is vice president of social and community marketing at Oracle.



ARCHITECT BY BOB RHUBART

Get Where You're Going

Training and certification decisions are key junctures on your career path.

Look around you. How did you arrive at the spot you currently occupy? I'm not talking about your GPS coordinates. I'm talking about where you are in your career. Somewhere along the timeline that connects the latest version of you with your various prior releases are points at which you made certain decisions, among them choices about training and certification to enhance your skills and your marketability. Curious about how community members approach those decisions, I set up a thread in a discussion forum on the Oracle Communities website and sent out an open invitation for people to tell their stories.

Andre Araujo, senior system engineer at Oi S.A., a Brazilian telecommunications company, has earned certifications as an Oracle WebCenter Content 11g Presales Specialist, Oracle WebCenter Portal 11g Presales Specialist, and Oracle Service-Oriented Architecture Presales Specialist, among others. This year he plans to add Oracle Certified Associate, Oracle Certified Java Professional, and Linux Professional Institute certifications. "My goal is to achieve excellence in everything I'm doing," he says. "As a systems and operations engineer, every day comes with a new challenge. To meet these challenges, I must know a little bit of everything."

Antón R. Yuste, a solutions architect at Optare Solutions, holds Oracle Communications Services Gatekeeper Implementation Specialist, Oracle Communications Converged Application Server Implementation Specialist, and Oracle Communications WebRTC Session Controller Sales Specialist certifications. "The implementation specialist certifications are the best I've achieved," he says. The courses were instrumental in increasing his understanding of how to deploy those products. "The certifications help raise the visibility of my skills, increase access to industry opportunities, and also help my company on its path to gaining Oracle PartnerNetwork Specialized status." Next up on his list to pursue are Oracle Communications Session Border Controller Certified Implementation Specialist and perhaps Cisco Network Programmability Design Specialist certifications.

Oracle ACE Associate Rodrigo Radtke de Souza is a consultant, solution architect, and software development advisor at Dell. "For me, certifications were always a very good way to consolidate my knowledge around a specific technology. Back in the days when I was a Java developer, I wanted to be sure that I knew the details and nuances of that technology." He credits the Sun Certified Java Programmer (SCJP 6) and Sun Certified Web Component Developer (SCWCD 5) certifications as essential in achieving that goal. But his journey didn't end there.

"When I migrated to Oracle development, Oracle Database SQL Expert certification helped me to create a solid knowledge base around the basic principles of SQL," he says. His latest certification is Oracle Data Integrator 11g Certified Implementation Specialist. Having a certification, he says, "allows you to demonstrate to others that your knowledge is compatible with market expectations for that technology." For his next round of certifications, Souza has his sights set on Oracle Hyperion Planning, Oracle Essbase, and Oracle Business Intelligence Enterprise Edition.

The stories of these three individuals represent their specific interests and strategies. Architect Enterprise Applications with Java EE and SOA Adoption and Architecture Fundamentals are the most popular courses among Oracle University's architecture-related offerings. Not surprisingly, database courses are the most popular overall.

Oracle ACE Director Eric Helmer, vice president of Global IT Services at ADI Strategies and a board member of the Oracle Applications Users Group's Oracle Hyperion special interest group, highly recommends database certification as a starting point. "Every enterprise solution has a database back end," he explains. "I guarantee it will not be long before you will grow into corporate systems and solutions that could catapult your career in myriad directions. It happened to me."

If you plan to load yourself into the career catapult, what target will you aim for? What skills, certifications, or other enhancements do you plan to add to You 2.0? Join the discussion and share your plans: bit.ly/1EyeYhN.

Bob Rhubart (bob.rhubart@oracle.com) is manager of the architect community on Oracle Technology Network, the host of the Oracle Technology Network ArchBeat podcast series, and the author of the ArchBeat blog.

CONNECT: blogs.oracle.com/archbeat, facebook.com/brhubart, twitter.com/brhubart, linkedin.com/in/bobrhubart

NEXT STEPS
READ training/certification stories
bit.ly/1EyeYhN
EXPLORE Oracle University's architecture-related training/certification resources
bit.ly/1EyfPiq
LEARN about the Oracle PartnerNetwork Specialized program
oracle.com/partners


PEER-TO-PEER BY BLAIR CAMPBELL

Thinking Green

These peers recall monochrome monitors, enjoy the outdoors, and optimize energy use.

RENÉ VAN WIJK

Company: Axis into ICT, a firm offering support services to users of Oracle technologies
Job title/description: Middleware specialist, helping companies set up their software infrastructure, including the design of high-availability architectures, capacity planning, and troubleshooting
Location: Utrecht, the Netherlands
Length of time using Oracle products: Seven years

How did you get started in IT? It was in high school, with those 5-inch floppies, green-lettered screens, and keyboards you could pound on. It sort of felt like you were engraving things in stone using a hammer and chisel. It certainly gave a great feeling once the code actually executed, and even did the things that you intended.

What's your favorite tool on the job? I like tools that give good insight into what a Java Virtual Machine is doing. One great example is the Java Mission Control feature of Java Platform, Standard Edition. When it's used with the Oracle WebLogic Server plugin, you can trace a request from a servlet to Enterprise JavaBeans to JDBC, so you can show developers where things are going wrong, and that Oracle WebLogic Server is not to blame.

Which new features in Oracle technologies are you finding most valuable? All the features that make the configuration of an environment easier, such as the dynamic clusters, server templates, and Oracle Coherence integration in recent Oracle WebLogic Server releases.

FRANK MUNZ

Company: munz & more, an IT consulting firm with a focus on service-oriented architecture and cloud computing
Job title/description: Director, responsible for handling all consulting tasks, running workshops, and speaking at conferences
Location: Munich, Germany
Length of time using Oracle products: 15 years

What advice do you have about getting into application development? I always recommend downloading the software from Oracle Technology Network and trying out your own installation. Creating your own little "Hello, World" example is much more valuable than following dozens of pages of course instructions. Learning is try, fail, improve, repeat, without any silver bullet.

What technology has most changed your life? The omnipresence of the internet, which will be driven even further with the Internet of Things. The metadata of your pictures stored in the cloud, taken by that tiny camera in your phone, will disclose to your grandparents the location on Google Maps of that perfect little beach that you discovered in New Zealand many years ago. We live in an amazing world!

What's your favorite thing to do that doesn't involve work? Traveling and exploring. Last year after Oracle OpenWorld San Francisco, we went to Yosemite. After an intense week of Oracle ACE Director briefings and conference talks, it was a fabulous experience to leave the city behind. Driving into the rugged green beauty of the national park and climbing some waterfalls was such a pleasant contrast.

TOSHIKAZU FUKUOKA

Company: Fujitsu Social Science Laboratory Limited, part of the Fujitsu Group offering system consulting and integration services
Job title/description: IT architect/engineer, responsible for designing, implementing, and supporting systems
Location: Kanagawa, Japan
Oracle credentials: Oracle Master Platinum (a certification level available only in Japan), with 23 years of experience using Oracle products

How did you get started using Oracle technologies? I started my career as an OS engineer. At one point early on, when I was creating a customer management system, I was asked by the customer to propose a system configuration. I suggested that we go with Oracle7 and Visual Basic.

Which new Oracle Database features are you finding most valuable? Support for Entity Framework 6 Code First and Code First migrations in Oracle Data Access Components 12c is my favorite new feature. I also like that I can install Oracle Data Provider for .NET by using NuGet.

How are you using mobile computing these days? I use mobile for everyday information gathering and social networking. In addition, I've developed mobile apps at hackathons.

What green initiatives are you focusing on in your software architecture work? I'm working on a project that aims to optimize household power usage through the use of carbon reduction support systems. I think the appropriate use of power is the key to protecting our environment.

Learn more about the Oracle ACE program at bit.ly/OracleAce.


BY TOM HAUNERT

GUARD THE
CROWN JEWELS
SECURE YOUR MOST IMPORTANT BUSINESS DATA
WHERE IT LIVES: IN THE DATABASE.

Data breaches continue to make headlines, and they are not just about stolen credit card information anymore. Data breaches are now targeting different industries and different types of information. What's going on, and what can organizations do to protect their corporate data?

Oracle Magazine sat down with Vipin Samar, vice president of Oracle Database security, to talk about the latest data breaches, how data breach threats are evolving, and how to work with the wide variety of data that needs protection in the enterprise.

Oracle Magazine: Data breaches continue to make news, but they also seem to be changing. What patterns do you see in recent company data breaches?
Samar: The last 12 to 18 months have seen data breaches grow in size, number, and scope. Whether attacks are against retail, telecom, financial services, or entertainment, tens of millions of users are getting breached directly or indirectly. And the attackers are no longer going after just credit card information. Attackers are after the PII (the personally identifiable information), including name, address, e-mail, and so on. And now more than ever before, attackers are going after the IP of the company under attack, which can include e-mail messages, for example, as it did recently with a media company.

Oracle Magazine: Who and where are the attackers, and what are their strategies?
Samar: The attackers are different types of people with different motivations: they may be curious insiders, criminals, hacktivists, or even nation-states. But just as the attackers are diverse, the attack vectors (how the attackers attempt to break in) are many and varied. There is no one way to attack information technology. Looking at the common data breach themes over the last 18 months, however, a key strategy of many recent successful attacks has been to get inside the company network not by brute force, but through the use of social engineering, a phishing attack, or some malware to gain access to the company network or endpoints as an authorized user. And once an attacker is inside the network, the company assets are only as safe as the remaining IT security.

Oracle Magazine: Why are databases the target of attacks?
Samar: Businesses and public sector organizations store much of their customer, partner, employee, and citizen data in databases. And a lot of that data is quite sensitive, ranging from names and addresses to transaction, credit card, supply chain, and customer relationship information. Databases organize this information very well, not only for applications, but also for attackers, if they can get in. Databases store a company's IP crown jewels, and hence they have become the target of attacks.
When network and endpoint security are breached and the attackers are inside the company gates, they can try different techniques to get at databases. They can attack a database from the network or the operating system, attempt to steal database passwords, or try to bypass database security controls in improperly configured databases. Attacks can also come from the web, through SQL injection attacks that exploit application design flaws.

Oracle Magazine: Organizations may have dozens to thousands of databases. How can they develop a comprehensive and practical database security strategy for so many databases?
Samar: All data is not equal. Organizations should start by classifying their database data and assigning priorities to it. Then they should assign security controls proportional to the value of the data.
Lowest-priority data includes internal information portal content, internal organization directories, test/development system data, and other nonsensitive content. Attackers often target this information because the host database systems are rarely secured or monitored. Attackers can use these systems to understand more about your security infrastructure, and they can use that understanding to launch subsequent attacks. For this level of data, focus on making sure the latest security patches have been applied, the databases are properly configured, and privileged user database auditing is in place. I call this bronze-level security.
The next data priority level includes corporate internal information, such as order tracking and transaction data. For this level of data, confirm that you have bronze-level security, and then secure your data with encryption on production databases and on the network. And because sensitive production data ends up on unsecured test and development systems, mask the data on those unsecured systems. I call this silver-level security.
The next data priority level includes information that has specific regulatory requirements, such as PII, credit card, or health information. For this level of sensitive data, confirm that you have silver- and bronze-level security and then focus on restricting access. For example, you can redact sensitive fields for call centers, restrict privileged users from accessing sensitive data, and monitor SQL traffic for unauthorized use. I call this gold-level security.
The last and highest data priority level includes the corporate IP crown jewels: quarterly report information, M&A plans, source code, and so on. For this level of data, confirm that you have gold-, silver-, and bronze-level security and then focus on command and control by controlling database operations, analyzing and revoking unused privileges, blocking unauthorized SQL traffic, and auditing comprehensively. This platinum-level security minimizes database attack vectors and helps secure your databases from attacks, whether they are coming from operating systems, internal privileged users, or even SQL injection.

"Once an attacker has become an insider, that attacker can map the network; read unencrypted, or clear, network traffic; mine the operating system for passwords stored in clear text; and finally get to database targets."

"All data is not equal. Organizations should start by classifying their database data and assigning priorities to it."
Vipin Samar, Vice President of Oracle Database Security
BOB ADLER/GETTY IMAGES

Encryption Is Key
Encryption is an important level of defense for digital assets in general and databases in particular. But there's one big challenge with encryption: how do you manage and protect the encryption keys?
"Oracle Key Vault manages your encryption keys, wallets, and credentials, all in one single centralized location. It allows those credentials to be shared, safely, across trusted servers," says Vipin Samar, vice president of Oracle Database security.
Learn more about Oracle Key Vault at bit.ly/orclkeyvault.

PRIORITIZE DATA AND SECURITY
[Figure: database data is assigned four different priority levels and prescribed four levels of data protection.]
All data is not equal:
Bronze (Nonsensitive): data in internal portals, organization directories, and test/dev systems
Silver (Corporate/Internal): data in business transactions and orders
Gold (Regulatory): customer-facing, personally identifiable information subject to compliance and other regulation
Platinum (Highly Sensitive/Restricted): corporate intellectual property, including data in quarterly results, M&A plans, and source code
Map security controls to data:
Bronze (Secure Configuration): scan and patch software; secure database configuration; audit sensitive activities
Silver (Secure Data): encrypt stored data; encrypt network traffic; mask and subset data
Gold (Secure Access): redact application data; restrict DBA access; monitor SQL traffic
Platinum (Command and Control): control database operations; analyze runtime privileges; block unauthorized SQL traffic; audit comprehensively
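The silver- and gold-level controls Samar describes above (encrypt stored data and network traffic, redact application data, restrict DBA access, audit sensitive activity and privileged users) map onto specific Oracle Database 12c features. The script below is an added example written for this page; it is not code from Oracle or from the interview. The SALES.CUSTOMERS table, the SALES_APP, CALL_CENTER and DBA_JSMITH accounts, the FRAUD_ANALYST role and the policy names are assumed for illustration. It also assumes a TDE keystore is already created and open, unified auditing is enabled, and Oracle Database Vault is configured (the realm block must run as the Database Vault owner); TDE and Data Redaction are Oracle Advanced Security features and Database Vault is a separately licensed option. Monitoring SQL traffic on the wire (Oracle Audit Vault and Database Firewall) cannot be shown from inside the database and is left out.

```sql
-- Added example, not from the article. Assumed for illustration:
--   SALES.CUSTOMERS(cust_id, name, email, card_number VARCHAR2(16), ssn VARCHAR2(11))
--   accounts SALES_APP (application), CALL_CENTER (agents), DBA_JSMITH (DBA)
--   role FRAUD_ANALYST; a TDE keystore that is created and open; unified
--   auditing enabled; Oracle Database Vault configured.

---------------------------------------------------------------------------
-- Silver: encrypt stored data (TDE column encryption) and network traffic.
---------------------------------------------------------------------------
ALTER TABLE sales.customers MODIFY (card_number ENCRYPT USING 'AES256');
ALTER TABLE sales.customers MODIFY (ssn         ENCRYPT USING 'AES256');
-- Native network encryption is set in the server's sqlnet.ora, not in SQL:
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
-- Check from a client session which encryption/integrity services were negotiated:
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

---------------------------------------------------------------------------
-- Gold: redact application data. A session without the FRAUD_ANALYST role
-- gets '*' for the first 12 digits of the card number and a fully redacted
-- SSN; the expression is re-evaluated for every query touching the column.
---------------------------------------------------------------------------
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SALES',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_PII_REDACT',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last masked position
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    expression          => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''FRAUD_ANALYST'') = ''FALSE''');
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'SALES',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_PII_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SSN',
    function_type => DBMS_REDACT.FULL);
END;
/

---------------------------------------------------------------------------
-- Gold: restrict DBA access. Redaction does not bind SYS or any holder of
-- EXEMPT REDACTION POLICY, so the table goes into a Database Vault realm
-- that only the application account may use. Run as the Database Vault owner.
---------------------------------------------------------------------------
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer PII Realm',
    description   => 'Keeps SELECT ANY TABLE holders out of SALES.CUSTOMERS',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer PII Realm',
    object_owner => 'SALES',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Customer PII Realm',
    grantee      => 'SALES_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

---------------------------------------------------------------------------
-- Bronze and platinum: audit access to the PII table and every use of the
-- catch-all privileges by the named DBA account (unified auditing).
---------------------------------------------------------------------------
CREATE AUDIT POLICY customers_pii_access
  ACTIONS SELECT ON sales.customers,
          UPDATE ON sales.customers,
          DELETE ON sales.customers;
AUDIT POLICY customers_pii_access;

CREATE AUDIT POLICY privileged_dba_actions
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, EXEMPT REDACTION POLICY;
AUDIT POLICY privileged_dba_actions BY dba_jsmith;

-- Checks: the redaction policy is attached to both columns ...
SELECT object_owner, object_name, column_name, function_type
FROM   redaction_columns
WHERE  object_owner = 'SALES' AND object_name = 'CUSTOMERS';
-- ... and access to the table is landing in the unified audit trail.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       unified_audit_policies
FROM   unified_audit_trail
WHERE  object_schema = 'SALES' AND object_name = 'CUSTOMERS'
ORDER  BY event_timestamp DESC;
```

Three caveats a practitioner should keep in mind with this setup. Data Redaction rewrites query results, not predicates: a user with SELECT on the table can still probe values with a WHERE clause (for example, `card_number LIKE '4111%'`), so redaction complements grants and the realm rather than replacing them. Partial redaction with a fixed 'VVVV...' format only applies to values that match that layout, so validate that every stored card number really is 16 characters (or switch to a regular-expression redaction) before relying on it. And with TDE the keystore becomes the crown jewel: keep it and its backups off the database host's data volumes, or centralize it as the "Encryption Is Key" sidebar suggests.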

IN THIS ISSUE
Oracle ACE Director and PL/SQL evangelist Steven Feuerstein explores when to use and not to use dynamic SQL in his column for this issue: "Dynamically Dangerous Code" (see page 43). As part of that journey, Feuerstein looks at how to protect your company's data by protecting against SQL injection.
In this issue's "On More-Secure Applications" (see page 51), database evangelist and Oracle Magazine technology advisor Tom Kyte addresses a question about how to maximize security in database application design. Kyte's answer features multiple security design priorities (including least privilege, multiple schemas, and bind variables), pointers to several Oracle Database security references, and a discussion of different levels of defense available for Oracle Database.
Read more about Oracle Database security at bit.ly/sqlinjproof, bit.ly/2daysecure, and bit.ly/odsavdf.

Tom Haunert is editor in chief of Oracle Magazine.


NEXT STEPS
LEARN more about Oracle Database security
oracle.com/database/security
oracle.com/technetwork/database/security
WATCH a discussion of Oracle Database security solutions
bit.ly/omagdbsecvid


BREAKAWAY SPEED
Specialized Bicycle Components pulls ahead with Oracle engineered systems and software solutions.


When Ron Pollard joined Specialized Bicycle Components in 1996, the company was already growing fast. A pioneer in e-commerce, Specialized had implemented a B2B web portal to take online orders from its dealers. But as the years passed and the business grew, from 6 subsidiaries throughout North America to 40 subsidiaries throughout the world by 2015, it became clear that Specialized lacked the hardware infrastructure it needed to keep up with escalating customer demands.

ROBERT BIRNBACH

BY DAVID BAUM

"Thanks to what we can learn from social media, relationships are getting tighter between manufacturers and consumers," says Ron Pollard, CIO at Specialized Bicycle Components. "New types of data are supplementing traditional data sources to help us gain insight and connect with our customers."

Pollard, who now serves as CIO for the Morgan Hill, California-based company, found himself at a crossroads when Specialized's order-entry system started to bog down under the crushing load of 20,000 dealers in 40 countries.
"It used to take seconds to submit an order, but we reached the point where it sometimes took minutes," he recalls. "We were getting crippled by order volume as our business expanded. We did have very reliable hardware, but after adding three or four subsidiaries every year for eight years, it was time to upgrade to a more powerful platform."
In addition to difficulty supporting the growing transaction volume, Specialized's legacy infrastructure lacked the availability, virtualization, and scalability that management needed to move forward with plans for expansion in Asia and elsewhere. There was no redundancy or failover for the company's core information systems, so if a critical application or hardware component failed, the B2B portal would go down.

Super and More
Oracle SuperCluster engineered systems are ideal for Oracle Database and DBaaS implementations. Oracle ZFS Storage Appliance delivers enterprise-class network-attached storage. Through coengineering and integration with Oracle Database, Oracle ZFS Storage Appliance complements the extreme performance of engineered systems, including Oracle SuperCluster.

STREAMLINING IT WITH ENGINEERED SYSTEMS


As Pollard and his team set out to address these performance and availability issues, they didn't just want to upgrade to a more powerful server. They sought a transformative solution that would simplify IT and modernize the data center.
After a thorough evaluation, they decided to replace legacy servers with an Oracle SuperCluster T5-8. Specialized also purchased an Oracle ZFS Storage ZS3-2 appliance and a StorageTek SL150 modular tape library to replace a legacy NetApp system, providing a more modern environment for development, production, disaster recovery, and archiving.
Today the Oracle SuperCluster and attached storage environment anchors Specialized's B2B portal, which handles 70 percent of corporate revenue. The Oracle SuperCluster system also runs the company's enterprise resource planning applications, Oracle Taleo Enterprise Cloud Service applications, and production Oracle Database. The hardware/software platform optimizes performance while minimizing complexity in the data center.
"When we went to Oracle SuperCluster from the legacy system, we saw a night-and-day difference for our dealer base," Pollard reports. "We benchmarked 60 critical processes, and the performance was an average of 17 times faster, in some cases much more, with Oracle SuperCluster. For example, our account reconciliation report used to take 20 hours to run and now it takes 20 minutes."
Specialized also experienced marked improvements with the new Oracle ZFS storage environment, which currently holds 60 TB of data. For example, the average time to back up production databases dropped from 8 hours to 9 minutes. In addition, system administrators saw a 12-fold increase in the speed with which they could clone databases in their dev/test environment.
The interoperability between Oracle SuperCluster's embedded ZFS storage system and the external Oracle ZFS Storage ZS3-2 appliance enables direct replication of data, allowing for identical capabilities among the production and dev/test environments. InfiniBand network connections between the two systems ensure exceptional performance for data transfer and load activities.
"I really have to hand it to the Oracle engineers who assisted with our implementation," Pollard says. "We expected a 3x performance improvement for our critical information systems, but Oracle wasn't satisfied with that. They kept working with us and tuning the system until we had achieved much more."

USING INFORMATION TO TIGHTEN THE SUPPLY CHAIN
Specialized depends on Oracle Applications and Oracle technology products to run its business, including Oracle E-Business Suite, Oracle's Agile solutions, Oracle Hyperion solutions, Oracle Business Intelligence, and Oracle Database. Because this software runs so well on the Oracle SuperCluster platform, Specialized has had no trouble ramping up its order processing capacity from 10,000 to 40,000 transactions per hour. Its Oracle-based information systems have also enabled the accounting department to reduce the average financial book closing from seven days to five.
The inherent synergy among Specialized's Oracle-based business processes enables a lean manufacturing environment in which order entry, inventory management, supply chain planning, and assembly operations are tightly integrated. Sharing real-time information between assemblers and dealers removes waste from the supply chain and eliminates repeated queries about product availability.
"We are constantly posting availability dates from our assemblers so our dealer base knows what is available, and we can assess our monthly order quantities to regional distribution centers," Pollard explains, adding that without these real-time status updates Specialized would end up with too much inventory in the wrong places.
Specialized is in the process of setting up automated replenishments at its global distribution center in Hong Kong to create a pull-based replenishment system for its inventory. Once this system is online, instead of front-loading inventory at the regional distribution centers, Specialized will be able to monitor daily inventory depletion and automatically replenish the regional distribution centers from the global distribution center. Over time, Pollard expects that this system will shorten lead times and speed up inventory turns for the burgeoning Asian market, especially for items that have relatively constant demand.
"This system will make us much more efficient and ensure that dealers receive their fair share of inventory each month," Pollard explains. "Our long-term goal is to give dealers visibility clear back to the assembly phase. They will know the delivery dates by which we will have inventory replenished. Having accurate visibility into inventory gives us a huge competitive advantage."

SNAPSHOT
Specialized Bicycle Components
specialized.com
Headquarters: Morgan Hill, California
Industry: Manufacturing
Employees: 300
Oracle products and services: Oracle E-Business Suite, Oracle's Agile solutions, Oracle Business Intelligence Enterprise Edition, Oracle Hyperion solutions, Oracle Database, Oracle SuperCluster T5-8, SPARC T4-2 servers, Oracle Exalytics, Oracle ZFS Storage ZS3-2, StorageTek SL150, Oracle Consulting

Big Data, Social Analytics, and the Internet of Things
As part of its evolving business intelligence (BI) strategy, Specialized Bicycle Components plans to use its Oracle Exalytics engineered system with Oracle Business Intelligence for a wide range of analytic activities. For example, Specialized plans to analyze customer feedback from social media channels by gathering information from social media feeds, tweets, blog entries, search indexes, and click streams to gain greater insight into customer preferences, purchase patterns, and service histories.
Specialized CIO Ron Pollard sees this type of BI initiative as an important step for the manufacturing sector. "Thanks to what we can learn from social media, relationships are getting tighter between manufacturers and consumers," he explains. "For example, we are very interested in learning more about our customers' riding habits. What do you like about your bike? Are you getting the best use out of the product? When do you need a tune-up?"
Analysts at Specialized are starting to gather data from the company's enterprise applications and combine it with the data from social networks to better understand customer attitudes. Specialized is also forming tighter online relationships with its riders and athletes, both on the road and at its test facility, where the company has a highly advanced wind tunnel to test Specialized bikes and components under all types of conditions.
In a related effort, Specialized plans to collect and analyze data from sensors that measure the performance of certain bicycle components in conjunction with the riding performance of participating cyclists, both on the road and in the wind tunnel. "The Internet of Things allows us to pull together data about everybody's riding activities and ultimately make the community much tighter," Pollard notes. "New types of data are supplementing traditional data sources to help us gain insight and connect with our customers."

At the company headquarters in Morgan Hill, California, Specialized Bicycle Components analyzes rider position and bicycle performance in its state-of-the-art wind tunnel.
ROBERT BIRNBACH
CRAFTING A BI STRATEGY TO GUIDE THE FIRM
Specialized is the #1 bike brand in the world, and arguably one of the most popular bike brands in history. To ensure that the company can continue to deliver the products its customers demand, Pollard and his team are defining an advanced analytics strategy based on Oracle Business Intelligence software and an Oracle Exalytics engineered system.
"The Oracle Business Intelligence implementation will give us real-time information that people can react to daily, rather than reports that are often a week old," says Pollard. "With our current BI system, our inventory is moving so fast that by the time somebody pulls together a report the situation may have changed and the data may be out of date."
By contrast, the new Oracle Exalytics system will enable managers to drill into real-time inventory and sales data, from high-level summaries to low-level details. This type of analysis is especially important for demand planning. Specialized has 900 types of bikes and thousands of equipment SKUs. Demand planners have to create monthly forecasts so the factories can adjust their capacity to meet dealer expectations. Previously, it was nearly impossible for dealers to analyze their inventory positions and submit their orders on time.
"In the past, data analysis was very inefficient," confirms Pollard. "We believe Oracle Business Intelligence will give us the insight we need to better interact with our dealer base about current inventory."
The evolving BI environment will also help Specialized's marketing department allocate funds among social media, advertising, direct response, and other marketing campaigns.
"Oracle Applications tie directly into Oracle Business Intelligence so the data flows naturally, without a lot of setup on our part," concludes Pollard. "Now that we are running our business on one cohesive infrastructure, we have not only improved performance but also dramatically simplified maintenance and administration. That's the real selling point of Oracle engineered systems."

David Baum is a freelance writer who specializes in the intersection of science, technology, and culture.
NEXT STEPS
WATCH Specialized in action
bit.ly/1IEkEuE
LEARN more about
Oracle SuperCluster
oracle.com/engineered-systems/supercluster
Oracle Exalytics In-Memory Machine
oracle.com/engineered-systems/exalytics
Oracle ZFS Storage Appliance
oracle.com/storage/nas


MEMORABLE
PERFORMANCE

Swiss insurance leader Die Mobiliar deploys Oracle Database In-Memory to speed business analytics.
BY PHILIP J. GILL

Founded in 1826, Die Mobiliar is the oldest insurance firm in Switzerland. From its headquarters in Berne, the national capital, the company's network of 160 offices and more than 4,000 employees provides home, car, accident, and risk management insurance and other financial services to more than 1.6 million individuals and businesses throughout the Alpine country's 26 cantons. In late 2014, Mobiliar found itself with a database inventory not uncommon to firms with long histories and technology acquired via mergers and acquisitions. The company's IT included IBM mainframe and DB2 database technology, Microsoft SQL Server, and Oracle Database, as well as a raft of legacy COBOL applications.
"As you can imagine, it's very difficult to deliver three different database systems simultaneously," says Paolo Kreth, team leader for database management systems at Mobiliar. "You need different technicians for each, you need different hardware for each, and you need different licensing for each."
Management at Mobiliar realized that maintaining three databases was no longer feasible, nor did that fit the company's long-term plans. "We had decided to get off the mainframe and move toward Java and open systems," explains Jochen Maas, head of base service, IT operations, at Mobiliar. "The key to getting off the mainframe was finding the right database to support that strategy."
Mobiliar was running several instances of Oracle Database 11g, including one that supports its call center's Siebel Customer Relationship Management (Siebel CRM) applications from Oracle, and the company decided its new strategic database platform going forward would be Oracle, specifically, Oracle Database 12c with the Oracle Database In-Memory option.

Database Storage: Row Format Versus Column Format
Transactions run faster in row format. Analytics run faster in column format.
ROW (Sales table): row format is best for fast processing of few rows and many columns. Use case: insert or query one sales order.
COLUMN (Sales table): column format is best for fast accessing of few columns and many rows. Use case: report on sales totals by region.

DARRIN VANSELOW/GETTY IMAGES
Management at Die Mobiliar decided to move off the mainframe. "The key to getting off the mainframe was finding the right database to support that strategy," explains Jochen Maas, head of base service, IT operations, at Mobiliar.
"We chose Oracle to become our strategic database," says Kreth. "We plan to stop using DB2 over the next 10 years. We need that time frame because all our core applications on the mainframe are written in COBOL."
Oracle's stewardship of Java was one factor in the database decision, says Kreth. "Going with Oracle Database will closely align us with Java technology," he notes.
But more important in the database decision were the performance improvements that the Oracle Database In-Memory option offered to existing applications without changes or fine-tuning. "With the Oracle Database In-Memory option, we can improve an application's performance in minutes," says Kreth.
Oracle Database In-Memory adds a new in-memory column store to Oracle Database's existing row format. The row format provides optimal performance for online transaction processing (OLTP), and the in-memory column format delivers the best performance for analytics. (See the "Best of Both Worlds" sidebar for information on Oracle Database In-Memory.)

THREE SCENARIOS
To prove the performance benefits of the Oracle Database In-Memory option, Kreth and his team set up a proof of concept to test three different database scenarios that are typical of the firm's current operations.
For the first test, the team chose a recurring business operation. "We selected a typical business case at Mobiliar today," says Kreth. "When we sell to a new customer, that customer's information is entered in a DB2 database, but that data isn't visible to the sales data warehouse until the contract is signed. But that happens later, and we can't go back two days after a customer has signed a contract and say, 'Hey, if you also bought car insurance from us, we could give you this extra discount.'"
Oracle Database 12c (Release 12.1.0.2) was installed on a seven-blade, Intel Xeon-based server with 384 GB of main memory per blade and the Linux operating system. It was then populated with the same data that ran on the firm's sales data warehouse.
For the first test, the team enabled Oracle Database In-Memory on the seven-blade server and essentially tested the system as is, changing only one table partition. Says Kreth, "We wanted to see what would happen if we just took the data, activated the Oracle Database In-Memory option, and did nothing."
The answer confirmed the company's new database strategy, he says. "Some queries were faster, some were slower, but overall the Oracle Database In-Memory option increased query performance," he notes. "Our management was very happy. They did not have to worry about a loss of performance because of the change in our database strategy."
In the second scenario, the team tested the Oracle Database In-Memory option on a new executive data warehouse that was under construction. "We worked with the executive data warehouse team to come up with some simulated queries that probably will happen," explains Kreth. "For some queries, we saw very big improvements; for instance, we had one report that was running in 200 to 300 seconds and it now runs in a second."
For the third scenario, the test team wanted to see how the company's 20-year-old risk management system, dubbed RICO, would perform on Oracle Database In-Memory. The team made only a few changes to the partitioning schema of the application, which has its own 1 TB database. "On average, the Oracle Database In-Memory option improved RICO's application performance between 50 and 200 times," says Kreth.

IN-MEMORY FOR ALL
As a first step, Mobiliar is upgrading all its existing Oracle Database 11g installations to Oracle Database 12c, and from there, it will activate the Oracle Database In-Memory option on all its Oracle databases over time. The first application to go into production with the Oracle Database In-Memory option was Mobiliar's new enterprise data warehouse, in April 2015. The new data warehouse runs on the same blade server hardware used for the proof of concept; four blades are being used for development, testing, and integration.
"Currently we have licenses for two blade servers for the Oracle Database In-Memory option," says Kreth. "But we have signed a contract to license the Oracle Database In-Memory option for even more blades, and over the next year we intend to activate the Oracle Database In-Memory option for all our other production databases."
"With the current performance results, the Oracle Database In-Memory option has proven its worth," says Kreth. "We will now be looking to optimize our database designs to work more effectively in memory."

SNAPSHOT
Die Mobiliar
mobi.ch
Headquarters: Berne, Switzerland
Industry: Financial services
Employees: More than 4,000
Revenue: CHF 596.4 million in 2014
Oracle products: Oracle Database 12c, Oracle Database In-Memory option, Oracle Database 11g, Siebel Customer Relationship Management applications

Jochen Maas, head of base service, IT operations (left), and Paolo Kreth, team leader for database management systems at Die Mobiliar, directed a move from the mainframe to Java, open systems, and Oracle Database 12c with the Oracle Database In-Memory option.
DARRIN VANSELOW/GETTY IMAGES

Best of Both Worlds
The Oracle Database In-Memory option is a technology whose time has come, thanks to the availability of inexpensive RAM and a new generation of 64-bit operating systems, says Maria Colgan, master product manager at Oracle.
"Organizations are demanding to be able to analyze their data in real time, without having a negative impact on OLTP [online transaction processing] performance and without having to wait for the classic ETL [extract, transform, and load] process to load into the data warehouse," says Colgan. "Analytic queries tend to hit a subset of columns out of a table with millions or billions of rows, whereas OLTP applications hit all the columns for a very small number of rows. Having the data structured automatically for both, column-wise for analytic queries and row-wise for OLTP, is a capability that businesses demand."
To provide the best performance for both OLTP and analytics, the Oracle Database In-Memory option adds a new in-memory column store that allows data to be simultaneously populated in memory in both the traditional row format for OLTP and an in-memory column format for analytics. The new column format complements but does not replace the existing buffer cache, so the data can be held in memory in both column and row formats.
The Oracle Database query optimizer automatically routes queries to the correct format, the column format for analytic queries and the row format for OLTP queries, transparently delivering best-of-both-worlds performance. Oracle Database automatically maintains full transactional integrity and consistency between the formats. And because the new in-memory column format is purely in memory and not persistent on disk, there remains only a single copy of the table in storage (in row format), so there are no additional storage costs or synchronization issues.
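The "Row Format Versus Column Format" and "Best of Both Worlds" sidebars describe the mechanism in words: the row format stays in the buffer cache for OLTP, a separate in-memory column store is populated for analytics, and the optimizer chooses between them per query. The script below is an added example written for this page, not code from Oracle or from Die Mobiliar; the DWH.SALES table, its SALES_2014Q4 partition, the REGION, AMOUNT, ORDER_ID and FREE_TEXT_NOTES columns and the memory sizes are assumed for illustration. It reproduces the shape of Kreth's first test (enable the column store for one partition, change nothing else) and then shows how to verify that population happened and that the optimizer actually took the in-memory path.

```sql
-- Added example, not from the article. DWH.SALES, its partition SALES_2014Q4,
-- the columns named below and the sizes are assumed for illustration.

-- 1. Carve the In-Memory column store out of the SGA. INMEMORY_SIZE is a static
--    parameter, so this takes effect at the next instance restart.
ALTER SYSTEM SET inmemory_size = 16G SCOPE = SPFILE;
-- (restart the instance, then confirm the store exists)
SELECT name, value FROM v$parameter WHERE name = 'inmemory_size';

-- 2. Kreth's first test: enable the column format for a single partition and
--    leave the rest of the table, its indexes and the application untouched.
--    PRIORITY HIGH populates in the background instead of waiting for the
--    first full scan; MEMCOMPRESS FOR QUERY LOW favours scan speed over space.
ALTER TABLE dwh.sales MODIFY PARTITION sales_2014q4
  INMEMORY MEMCOMPRESS FOR QUERY LOW PRIORITY HIGH;

-- Later, the whole table; a column never used analytically is excluded from
-- the column store so it does not consume memory.
ALTER TABLE dwh.sales INMEMORY MEMCOMPRESS FOR QUERY LOW PRIORITY MEDIUM
  NO INMEMORY (free_text_notes);

-- 3. Check population. Until POPULATE_STATUS is COMPLETED and
--    BYTES_NOT_POPULATED is 0, part of every scan still goes to the buffer
--    cache or disk, which is one reason an early benchmark can look mixed.
SELECT segment_name, partition_name, populate_status,
       bytes, inmemory_size, bytes_not_populated
FROM   v$im_segments
WHERE  segment_name = 'SALES';

-- 4. Show the optimizer's choice for an analytic query: look for
--    TABLE ACCESS INMEMORY FULL in the plan.
EXPLAIN PLAN FOR
  SELECT region, SUM(amount) FROM dwh.sales GROUP BY region;
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);

-- 5. Compare with the row path without touching the data: disabling
--    INMEMORY_QUERY for this session alone sends the same query back to the
--    buffer cache, so the two plans and timings can be compared side by side.
ALTER SESSION SET inmemory_query = DISABLE;
EXPLAIN PLAN FOR
  SELECT region, SUM(amount) FROM dwh.sales GROUP BY region;
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);
ALTER SESSION SET inmemory_query = ENABLE;

-- 6. An OLTP lookup on the same table (assuming a primary key on ORDER_ID)
--    is still served through the index and row format; the column store is
--    not used for single-row access, which is the "both formats" point.
EXPLAIN PLAN FOR
  SELECT * FROM dwh.sales WHERE order_id = 42;
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);
```

Two practical notes. The column store is populated, not persisted, so after every restart V$IM_SEGMENTS should be rechecked before timing anything; and "some queries were faster, some were slower" is exactly what step 3 and step 5 are for: a query that was previously served by a narrow index range scan may now be costed as an in-memory full scan, and the session-level INMEMORY_QUERY switch lets you confirm which path is responsible before changing any application code.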

Philip J. Gill is a San Diego, California-based technology writer and editor.

NEXT STEPS
LEARN more about Oracle Database In-Memory
bit.ly/1G3MoWv
blogs.oracle.com/in-memory


PARTNER Q&A

ADVERTISING SUPPLEMENT

Achieving High Performance and Availability


QLogic and Oracle provide uncompromising availability and native performance in virtualized systems.

Data centers are being pushed to their limits by a number of recent advances in infrastructure technologies. The escalating deployments of servers with multicore processors, aggregation of applications on virtualized servers, and convergence of data and storage infrastructures, along with demanding, high-traffic applications such as database clusters, video-on-demand, and other mission-critical, high-throughput applications, are driving the need for high-bandwidth networking infrastructures and faster server input/output (I/O) solutions.
QLogic offers complete solutions to some of the most complex and newest issues facing the data center. Now, QLogic and Oracle have teamed up to offer virtualization in servers and storage.
Michael Geroche, senior OEM sales manager at QLogic, discusses the benefits of single root input/output virtualization (SR-IOV) and the Oracle/QLogic partnership.

What is the most pressing challenge businesses currently face with storage?
Our customers' enterprise storage workloads require both the highest level of performance and the highest level of availability. These workloads must have bare-metal input/output (I/O) performance that is multipathed, without exception.

What is SR-IOV, and how does it help deliver performance and availability?
SR-IOV is a standards-based architecture for high-performance I/O in virtual environments. Storage I/O resources are made available to each virtualization instance, and these resources are managed by the adapter hardware, not the virtualization hypervisor. This reduces I/O overhead, maintaining high performance (throughput and low latency) while at the same time scaling to the demands of customers with the highest workload consolidation environments.

What is the importance of I/O resiliency?
I/O resiliency ensures that these virtualized storage connections are available via multiple server resources, and that the highest level of reliability, availability, and service (RAS) is maintained. The storage I/O is resilient to errors and problems that might occur. I/O resiliency greatly improves availability in an SR-IOV environment, and our customers accept nothing less. Multipathing alone is not sufficient to guarantee availability of SR-IOV-based storage. I/O resiliency ensures virtualized storage connections are available when elements of the storage server infrastructure are no longer available, resulting in the highest level of RAS for enterprise storage in a virtualized server architecture.

How are QLogic and Oracle working together to provide cutting-edge innovation in storage?
Oracle and QLogic have partnered to bring networking virtualization techniques to both the server domain, with Oracle VM Server for SPARC, and the storage domain. This is very innovative; we've all heard of SR-IOV on the network side of the server, but now we are bringing it to storage. QLogic and Oracle's development of advanced storage I/O technologies for the virtual enterprise data center has brought cutting-edge, standards-based solutions to the most demanding customer environments. Together, we are adding unique value for our most demanding enterprise customers, in areas of high performance and extreme RAS.

For more information, please visit www.qlogic.com.

Mobile Developer

ORACLE MOBILE APPLICATION FRAMEWORK BY CHRIS MUIR

ORACLE MOBILE APPLICATION FRAMEWORK, ORACLE JDEVELOPER

Get Mobile and Connected

Consume enterprise web services from mobile apps via data controls in Oracle Mobile Application Framework.

I-HUA CHEN

Oracle introduced Oracle Mobile Application Framework in early 2014, with the goal of making the mobile development experience as simple as possible. As you start creating applications for enterprise users with Oracle Mobile Application Framework, small development projects can help you quickly build up your skills while supplying immediate value to those users.

For example, mobile workers might need to contact a fellow employee urgently when traveling but not have that colleague's information on their smartphone's contact list. In this column's hands-on exercise, you'll solve that problem by using the Oracle Mobile Application Framework extension in Oracle JDeveloper to build a corporate phone book app for users of iOS or Android devices. The app taps into an existing HR employee web service to retrieve employee contact data and populate the phone book. With the basic skills and Oracle Mobile Application Framework features you learn from this exercise, you'll be well equipped to start building more-sophisticated apps that can help on-the-go workers be more productive.

GETTING STARTED
Ensure that you're using the studio edition of Oracle JDeveloper 12c (12.1.3), available as a free download on Oracle Technology Network, with the Oracle Mobile Application Framework v2.1 extension. You also need either Apple Xcode 6.1 or the Google Android SDK with API 21, configured for deploying and testing Oracle Mobile Application Framework from Oracle JDeveloper. Apple Xcode is available for Macs only; the Android SDK is available for both Mac and Windows PCs. The Oracle Mobile Application Framework documentation provides relevant setup instructions at bit.ly/mafinst.

Download the sample application at bit.ly/omagmaf1, and save the o35maf-2432441.zip file to a local folder on your computer. (Do not use spaces in the folder name.) Unzip the o35maf-2432441.zip file, and then unzip each of the two extracted files. The local folder now contains two subfolders, each containing an Oracle JDeveloper workspace:

The HrServicesSubset folder contains a demonstration REST HR web service that you'll run on your PC. (For a real-world application, the web service would be deployed from your corporate infrastructure, not on your local PC, and would be reachable behind the company firewall.) The web service will provide the employee data for your mobile phone book application to retrieve.

The PhonebookStarterApp folder contains a prebuilt Oracle Mobile Application Framework application workspace that is partially configured to save you time. Items such as the application name, icons, and a hook to the web service (a data control) are prebuilt for you. Data controls are a major productivity booster for developers that you'll learn about in detail in a future column.

1. In Oracle JDeveloper, select File -> Open and navigate to the directory containing the unpacked zip file content.
2. Open the PhonebookStarterApp folder, and select the Phonebook.jws file. Click Open to load the workspace.
3. Open the HrServicesSubset folder, and open the HrServices.jws workspace. You'll work with this workspace first, so leave it open in the Application Navigator.

Figure 1: ViewEmployees.amx page and the initial state of the phone book app in the iOS Simulator


4. In the Application Navigator, expand RestServices -> Application Sources -> oracle.hr.rest, right-click the RestService.java file, and select Run.
5. If you are running Oracle JDeveloper for the first time, you'll be presented with the Create Default Domain dialog box. Create a password for the default Oracle WebLogic Server domain associated with Oracle JDeveloper, leave the other fields as they are, and click OK. Oracle JDeveloper then creates the default domain and configures it.
6. When the service is up and running, you should see a message like the following in your Oracle JDeveloper log window:

Target URL -- http://127.0.0.1:7101/HrRestServices/

Copy the target URL into your browser, and add the /employees suffix:

http://127.0.0.1:7101/HrRestServices/employees

The page should return a payload of employee data, proving that your web service works as expected.

Next, ensure that your environment is set up correctly for mobile development:
7. In Oracle JDeveloper, switch to the Phonebook workspace.
8. For iOS development only:
a. Select Run -> Choose Active Run Configurations -> Manage Run Configurations -> Edit Shared Settings -> iOS Simulator -> Edit -> Mobile Run Configuration, and change the Simulator option to iPhone 5S.
b. Close all the dialog boxes by clicking OK.
c. In the Application Navigator, expand ViewController project -> Web Content -> oracle.phonebook.employees, right-click the ViewEmployees.amx page, and select Run.
The app is now deployed to the iOS Simulator, where it has a heading of Employees and a message that makes it clear that you still have work to do, as shown in Figure 1.
9. For Android development only:
a. Set up and start the Android emulator, by following the instructions in the Oracle Mobile Application Framework documentation, at docs.oracle.com/middleware/maf210/mobile/install/mafig_setup.htm#MAFIG164.
b. Select Run -> Choose Active Run Configuration -> Android Emulator.
c. In the Application Navigator, expand ViewController project -> Web Content -> oracle.phonebook.employees, right-click the ViewEmployees.amx page, and select Debug.
d. Start the app, and look for the Employees blank page.
e. In the Application Navigator in Oracle JDeveloper, select Application Resources -> Connections -> REST, right-click the HrServiceConn connection, and select Properties.
f. In the Edit REST Connection dialog box, replace 127.0.0.1 in the URL Endpoint field with 10.0.2.2. (This value enables the Android emulator to access the web service running on your PC, a change that isn't required for the iOS Simulator.)
If you encounter any issues, again refer to the Oracle Mobile Application Framework installation documentation. You can also search or post to the Oracle Mobile Application Framework forum, at community.oracle.com/community/oracle-mobile/oraclemaf.
BUILDING THE PHONE BOOK APP
The app's Employees page is where you'll build a vertical list of employee names and contact details derived from the external HR web service:
10. If the Employees page isn't open already, reopen it, by first expanding the ViewController -> Web Content -> oracle.phonebook.employees nodes.
11. Double-click the ViewEmployees.amx file, which contains the source code for the Employees page, to open its editor.
Each AMX file is a page (or a view) in your Oracle Mobile Application Framework application, made up of UI components represented by XML tags at design time. At the moment, the Employees page is made up of a parent-level amx:view tag and then an amx:panelPage tag with an amx:facet header (a named placeholder of the panelPage tag) displaying the Employees text as an amx:outputText tag. (Note that the tag names themselves describe the behavior of each component fairly well to help flatten the developer learning curve.)
To meet the requirement to display employee data in the app, you could take a code-centric approach by working in the editor, adding XML tags to represent the list of employee details, and then somehow wire the components to the external web service. But Oracle Mobile Application Framework data controls give you a quicker way to construct pages based on data, whether the data is from an external datasource such as a web service, plain old Java objects (POJOs), or other datasources:
12. On the ViewEmployees.amx page, delete the amx:outputText tag with the value This page intentionally left blank.
13. In the Application Navigator, expand the Data Controls panel and then HrServiceDataControl.
14. Note the getEmployees() method, which represents the external HR REST web service. Expand the method to see the Return object and then the employees resource. Expand employees to see that the method returns individual Employee objects, as shown in Figure 2.

Figure 2: Drilling down into a data control
15. Drag the Employee object into the ViewEmployees.amx source code, dropping the object immediately after the closing </amx:facet> tag and before the closing </amx:panelPage> tag. The resulting menu (a good indicator of the productivity boost that data controls provide) lists all UI layouts and components to which you can wire the web service datasource.
16. Select MAF List View to open the ListView Gallery, shown in Figure 3, where you can choose among several predefined list layouts. Leave the default Simple option selected in the List Formats section. In the Variations section, select the second option from the left, in which the list items are grouped by dividers. Click OK to open the Edit List View dialog box.
17. The Edit List View dialog box determines which data to show in the list and configures the dividers. For the first (and only) element under List Item Content, change Value Binding from EmployeeId to LastName. Then change Divider Attribute from EmployeeId to LastName, and set Divider Mode to First Letter. These selections cause employees to be displayed alphabetically by last name.
18. Click OK, and then select File -> Save All.
Note the new XML tags added to your page, including amx:listView, amx:listItem, and amx:outputText, representing the list of employee last names to display. Each tag has its own properties representing what the tag should do at runtime. Among the properties, you can see code such as

#{bindings.Employee.collectionModel}

This is an expression that binds back to the web service data control that was created for you in the initial application. Data controls and the expression language eliminate the need for you to wire up the components to the data yourself, helping you avoid having to write repetitive, error-prone boilerplate code.

Figure 3: ListView Gallery selections

You're now ready to rerun the app to see the results in the iOS Simulator or the Android emulator:
19. For iOS, right-click the ViewEmployees.amx page and select Run. For Android, right-click the ViewEmployees.amx page and select Debug.
20. Note the employee names, the alphabetical dividers, and the alphabetical selectors down the right side. Try flicking the list up and down to watch how the list view works at runtime, including how the index on the right builds itself as more rows are fetched and displayed.
ADDING FIRST NAMES
Your app now contains a list of employees fetched from the remote web service, but because it displays only last names, employees with the same surname are indistinguishable from one another. Modify the list to include the employees' first names, too:
21. With the ViewEmployees.amx page open, select the Bindings tab at the bottom of the editor. The bindings page reveals the app's plumbing: the bindings that connect the UI components with the data objects read from the web service. Note the getEmployees() method you used earlier and the Employee object that was returned as a result.
22. Select the Employee object and then the pencil icon to open the Edit Tree Binding dialog box. At the bottom of the dialog box are the attributes of the Employee object that are available for your page to use. Currently only LastName is on the Displayed Attributes list. Shuttle FirstName, Email, PhoneNumber, and ImageBase64 from the Available Attributes list to the Displayed Attributes list, in any order. Click OK.
23. Return to the editor, and select the Source tab at the bottom.
In the code, note that the amx:outputText component has the value property whose value is the #{row.LastName} expression. Looking at the parent amx:listView and its value property, note that, via the expression, listView works with a collection of employees, stamping out its child tags for every element in the employees collection, in this case, the amx:outputText component. You can think of the listView components as a UI for loop. To reference each element, amx:listView defines var="row", which you see is used in the amx:outputText value for the current row.
24. Change the expression for the value property to

value="#{row.FirstName + ' ' + row.LastName}"

25. Save all your changes, and run your app again (remembering to select Run for iOS and Debug for Android) to check the changes.

PUTTING FACES TO THE NAMES
Remember that a few steps back, in the Bindings tab of the ViewEmployees.amx page, one of the attributes from the web service you added was ImageBase64. In the external web service, this Base64-encoded string contains an image of each employee. Because you've already made this attribute available to the page, it's trivial to add an image component to the app:
26. On the ViewEmployees.amx page, change the amx:listItem tag so that it now also includes an amx:image tag, as shown in Listing 1.
27. Save everything and then run your app (Run for iOS, Debug for Android). Now you can see the (mostly) smiling faces of your colleagues.

Code Listing 1: amx:image tag added to amx:listItem

<amx:listItem id="li1">
  <amx:image id="im1" styleClass="Avatar"
    source="data:image/png;base64,#{row.ImageBase64}"/>
  <amx:outputText id="ot2"
    value="#{row.FirstName + ' ' + row.LastName}"/>
</amx:listItem>

Code Listing 2: amx:goLink tags added to amx:listItem

<amx:listItem id="li1">
  <amx:image id="im1"
    source="data:image/png;base64,#{row.ImageBase64}"/>
  <amx:outputText id="ot2"
    value="#{row.FirstName + ' ' + row.LastName}"/>
  <amx:goLink id="gl1" url="tel:#{row.PhoneNumber}">
    <amx:image id="im2" styleClass="Icons"
      source="/images/phone.png"/>
  </amx:goLink>
  <amx:goLink id="gl2" url="mailto:#{row.Email}">
    <amx:image id="im3" styleClass="Icons"
      source="/images/email.png"/>
  </amx:goLink>
</amx:listItem>
YOU NEVER WRITE, YOU NEVER CALL
A phone book application on a mobile device isn't of much use unless its users can call or send e-mail to contacts through the app. So now you'll add buttons to invoke the device's native phone and e-mail apps via the phone book.
28. Along with the ImageBase64 attribute, you also made the PhoneNumber and Email attributes of the remote web service available to the page. To hook them into the page, add the two amx:goLink tags as children to the amx:listItem tag after the amx:outputText component, as shown in Listing 2.
Note that the amx:goLink components use a URL with the tel: and mailto: prefixes. On mobile devices, these URL schemes enable one application to call another and pass values for the other app to use. In this case, you invoke the phone and mail apps on your mobile device, passing in the phone number and e-mail address, respectively. (Your apps can use the same mechanism to call other apps, such as Twitter or LinkedIn, with their respective URL schemes.)
Now make a few final changes to the layout so that all the information for each employee is on a single line in the phone book, as shown in Figure 4.
29. Add amx:tableLayout, amx:rowLayout, and amx:cellFormat tags, as shown in Listing 3.
30. Run (use Debug for Android) your app one more time, and view the results.

Code Listing 3: Three tags added to amx:listItem

<amx:listItem id="li1">
  <amx:tableLayout id="tl" width="100%">
    <amx:rowLayout id="rl1">
      <amx:cellFormat id="cf1" width="20%" halign="start" valign="middle">
        <amx:image id="im1" styleClass="Avatar"
          source="data:image/png;base64,#{row.ImageBase64}"/>
      </amx:cellFormat>
      <amx:cellFormat id="cf2" width="55%" halign="start" valign="middle">
        <amx:outputText id="ot2"
          value="#{row.FirstName + ' ' + row.LastName}"/>
      </amx:cellFormat>
      <amx:cellFormat id="cf3" width="12%" halign="start" valign="middle">
        <amx:goLink id="gl1" url="tel:#{row.PhoneNumber}">
          <amx:image id="im2" styleClass="Icons" source="/images/phone.png"/>
        </amx:goLink>
      </amx:cellFormat>
      <amx:cellFormat id="cf4" width="12%" halign="end" valign="middle">
        <amx:goLink id="gl2" url="mailto:#{row.Email}">
          <amx:image id="im3" styleClass="Icons" source="/images/email.png"/>
        </amx:goLink>
      </amx:cellFormat>
    </amx:rowLayout>
  </amx:tableLayout>
</amx:listItem>

Figure 4: Employee phone book app layout
31. If you're using the Android emulator, select one of the contacts and then the phone or mail icon for that contact to see the results. (The iOS Simulator doesn't emulate invoking either the phone or e-mail app from your Mac.)
In the Android emulator, the phone and e-mail apps open with the preseeded contact details. (Ensure that you've set up an e-mail account on the e-mail app beforehand, so that the e-mail app doesn't fail with a nonaccount error.)
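The data: image URL in Listing 1 and the tel: and mailto: links in Listings 2 and 3 are built by interpolating values that arrive from the HR web service straight into URLs, so the page trusts that every PhoneNumber, Email and ImageBase64 value is well formed. The following is an added example, not code from the column or from Oracle Mobile Application Framework: a small Node.js script (the function names, the constructed sample rows, and the decision to return null so that the page can hide an icon rather than emit a malformed link are all assumptions) that checks each field before it is rendered, rejecting a phone number containing anything but digits, an address that carries extra URL parameters, and an image payload that is not Base64 text decoding to a PNG header.

```javascript
// Added example (not from the column or Oracle MAF): validate employee fields
// from the HR REST service before they are placed into data:, tel: and mailto:
// URLs. Runs under Node.js (uses the global Buffer); sample rows are constructed.

// Every PNG file begins with this fixed 8-byte signature.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Return a data: URL for the image, or null if the value is not Base64 text
// that decodes to bytes starting with the PNG signature.
function validateImageBase64(b64) {
  if (typeof b64 !== 'string' || b64.length === 0 || b64.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null; // Base64 alphabet only
  const bytes = Buffer.from(b64, 'base64');
  if (bytes.length < PNG_MAGIC.length) return null;
  for (let i = 0; i < PNG_MAGIC.length; i++) {
    if (bytes[i] !== PNG_MAGIC[i]) return null;
  }
  return `data:image/png;base64,${b64}`;
}

// Strip common separators, then accept only an optional "+" and 3 to 15 digits;
// anything else (letters, extensions, control characters) is rejected.
function telLink(phone) {
  if (typeof phone !== 'string') return null;
  const digits = phone.replace(/[\s().-]/g, '');
  if (!/^\+?\d{3,15}$/.test(digits)) return null;
  return `tel:${digits}`;
}

// Accept only a conservative address shape: one "@", dotted host labels, and
// none of the "?", "&", "%" or whitespace characters that would let extra
// mailto: parameters ride along with the address.
function mailtoLink(email) {
  if (typeof email !== 'string') return null;
  const shape = /^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;
  if (!shape.test(email)) return null;
  return `mailto:${email}`;
}

// Produce the values the list row would render. Invalid fields become null so
// the page can omit the icon instead of emitting a malformed or misdirected link.
function sanitizeEmployee(row) {
  return {
    name: `${row.FirstName} ${row.LastName}`,
    image: validateImageBase64(row.ImageBase64),
    tel: telLink(row.PhoneNumber),
    mailto: mailtoLink(row.Email),
  };
}

// Constructed sample rows (not real HR data). The "image" is only a stub: the
// PNG signature followed by the IHDR chunk name, enough to pass the header check.
const SAMPLE_PNG_B64 = Buffer.concat([PNG_MAGIC, Buffer.from('IHDR')]).toString('base64');
const SAMPLE_ROWS = [
  { FirstName: 'Jane', LastName: 'Doe', PhoneNumber: '+1 (650) 555-0100',
    Email: 'jane.doe@example.com', ImageBase64: SAMPLE_PNG_B64 },
  { FirstName: 'Bad', LastName: 'Record', PhoneNumber: '555-0100 x12',
    Email: 'bob@example.com?subject=x',
    ImageBase64: Buffer.from('GIF89a stub').toString('base64') },
];

function demo() {
  return SAMPLE_ROWS.map(sanitizeEmployee);
}

console.log(demo());
```

The second sample row shows the failure modes: the phone number with an extension, the address with a query string, and the non-PNG image all come back as null, while the first row yields tel:+16505550100, mailto:jane.doe@example.com and a data:image/png;base64 URL.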
CONCLUSION
This column introduced you to some of the basic concepts and features in Oracle Mobile Application Framework: AMX pages, web service consumption through data controls, arranging components on a page, and more. You are now on the path to building mobile applications to help others do their everyday jobs without being tied to their desks.

Chris Muir is a senior principal product manager of mobility and development tools at Oracle.

NEXT STEPS
DOWNLOAD the sample application for
this article
bit.ly/omagmaf1
READ more about Oracle Mobile
Application Framework
oracle.com/maf
WATCH Oracle Mobile Application
Framework YouTube training channel
youtube.com/user/OracleMobilePlatform
JOIN the Oracle Mobile Application
Framework Google+ community
bit.ly/1A4h5sd


TOGETHER ORACLE AND NATIONAL GEOGRAPHIC EDUCATION ARE

Leading the Way in Ocean Education and Marine Research

National Geographic Education supports the mission of the National Geographic Society to inspire people to care about the planet by creating compelling educational materials for young people and the adults who teach them. NG Education provides unique learning experiences to educators and advocates for improved education in geography, the environmental sciences, and other disciplines that are critical to understanding our world. With support from Oracle, National Geographic Education is engaged in a major project to develop teacher leaders in marine ecology and create materials about ocean science and geography for students, families, the ocean recreation community, and the general public.

Support our work today. Visit nationalgeographic.org/education.

National Geographic is a 501(c)(3) organization. PHOTOGRAPH BY ENRIC SALA

Cloud Developer

BUSINESS ANALYTICS BY MARK RITTMAN

ORACLE BUSINESS INTELLIGENCE CLOUD SERVICE

Upload, Model, Analyze, and Report

Quickly load information to Oracle Business Intelligence Cloud Service and share the reporting with your coworkers.

I-HUA CHEN

Oracle Business Intelligence Cloud Service brings the analysis and dashboard capabilities of Oracle Business Intelligence to Oracle Cloud, along with a new self-service interface that makes it easy for nontechnical users to upload and report on departmental data sets. In this article, I'll demonstrate how to upload a spreadsheet containing sales data to Oracle Business Intelligence Cloud Service, model the data into a dimensional star schema, and then create analyses and a dashboard to be used in a department.

ORACLE BUSINESS INTELLIGENCE CLOUD SERVICE: BRINGING ORACLE BUSINESS INTELLIGENCE TO THE CLOUD
Oracle Business Intelligence Cloud Service, part of the Oracle Cloud platform as a service (PaaS), gives users the ability to upload spreadsheet, file, and other data sets to a secure cloud-based database environment, create simple data models, and then use these to build rich interactive analyses and dashboards that can be secured and shared within a department. Data can be uploaded with Oracle SQL Developer; the Oracle Application Express web services API; or, as I will describe in the article example, Oracle Business Intelligence Cloud Service's web-based data upload service.
A typical use case for Oracle Business Intelligence Cloud Service is departmental knowledge workers who want to take a set of data they are working on and make it available to others in the organization quickly, without having to involve the IT department in the process.
The example, which uses a Microsoft Excel spreadsheet document as the datasource, steps through the process, from data upload to the final dashboard. To follow along with the example in this article, you will require access to an Oracle Business Intelligence Cloud Service instance, and you will need to download the spreadsheet file I'll be using from bit.ly/omagbics1.
UPLOAD THE SPREADSHEET AND CREATE THE DATA MODEL
To upload the spreadsheet and create a simple data model to present its data to report developers, follow these steps:
1. Using your web browser, navigate to your Oracle Cloud login page and enter your User Name, Password, and Identity Domain details. After you have logged in, go to the Oracle Business Intelligence Cloud Service home page and click Load Data, as shown in Figure 1.
2. On the Select Data page of the data loader, click Load Data at the top of the page to start the upload process. When prompted, click Upload and select the product_sales_100_rows.xls file from your local file system. After the file contents have uploaded, check the details shown in the preview pane to confirm that the file contents look correct. (There should be rows of transaction data, and the transaction elements should be separated by commas.) Leave the "The first line contains header names" checkbox checked to tell the data loader that the first row of the file contents contains the column header names, and click Next to continue.
3. On the Select Destination page of the data loader, select New Table for Data Destination and name the table SALES_TRANS_DATA. Then click Next, Next, and OK to accept the upload defaults and complete the upload process.
4. Now that you have uploaded the spreadsheet containing rows of transaction data, you can use the Model feature of Oracle Business Intelligence Cloud Service to create a simple star schema data model for report users to employ when accessing the spreadsheet data. To create this model, return to the Oracle Business Intelligence Cloud Service home page and this time click Model.
5. When the Data Modeler page is displayed, first click Lock to Edit to lock the model so that only you can make changes to it. Then select the SALES_TRANS_DATA table in the Database panel on the left side of the page and click the Table Actions icon to the right of the table name. Select Add to Model -> as Fact and Dimension Tables, as shown in Figure 2.
6. A dialog box displays the columns from your source table, SALES_TRANS_DATA, on the left and areas for the fact table and dimension tables on the right. Update the fact table name to SALES, change the existing dimension table name to CHANNELS, and click Add (next to the Dimension Tables area) to add two more dimension tables, and name them CUSTOMERS and PRODUCTS. Then drag and drop the Source Table columns into the following data model table areas to create your initial data model:
SALES: AMOUNT_SOLD, QUANTITY_SOLD, TIME_ID
CHANNELS: CHANNEL_ID, CHANNEL_DESC, CHANNEL_CLASS
CUSTOMERS: CUST_ID, CUST_CITY, CUST_STATE_PROVINCE
PRODUCTS: PROD_ID, PROD_DESC, PROD_CATEGORY
Then, within each of the dimension table areas, check the checkbox next to the primary key columns (CHANNEL_ID, CUST_ID, PROD_ID) to designate them as primary keys and automatically add those same columns to the SALES fact table; the dialog box looks like Figure 3. Click Next, Create, and Done to create the initial data model and the database view objects.

Figure 1: The Oracle Business Intelligence Cloud Service home page

Figure 2: Adding the table to the data model
7. There are two more steps you will want to carry out before creating reports against this data, the first of which is mandatory and the other optional. The mandatory step is to set the default aggregation method for the measures in your fact table. To do this, click the fact table name (SALES) on the New Data Model page (which is now showing). In the Aggregation column for each fact table column, set the aggregation method to Sum for the AMOUNT_SOLD and QUANTITY_SOLD columns, and then click Done.

Figure 3: Creating the initial data model

8. The final data modeling step, which is optional but recommended, is to create a time dimension table containing dates over the usual business period, with attributes to identify the month, quarter, and year for each of those dates, and link the table back to the SALES fact table. To create this table automatically, click the Model Actions icon (next to Publish Model at the top right of the page) and select Create Time Dimension from the menu. Then in the Create Time Dimension dialog box, name the Database Table DATE_TRANS; check the Year, Quarter, and Month Hierarchy Levels checkboxes; and then click Next and Create. When the dialog box reports that the time dimension was created successfully, click Done.
To join this time dimension table to the fact table, click Create Join on the New Data Model page and join the two tables on SALES.TIME_ID = Time.Date Timestamp. When the join is complete, click the green Save Changes icon (next to the join definition) and then, to complete the data model definition process, click Publish Model to save your changes and make the data model shown in Figure 4 available to other users.

Figure 4: The completed data model

Figure 5: Creating graphs with recommended visualization types

CREATING YOUR ORACLE BUSINESS


INTELLIGENCE CLOUD SERVICE ANALYSES
AND DASHBOARD
To create a set of sample analyses and
include them in a new dashboard, follow
these steps that use the data model you
created in the previous set of steps:
1. On the Oracle Business Intelligence
Cloud Services home page, click Create
an Analysis. Using the list of tables and
columns displayed in the Subject Areas
panel, double-click the CHANNELS ->

CHANNEL_DESC column to add it to


the Selected Columns area on the right,
and then do the same for the SALES
-> AMOUNT_SOLD column, so that
both columns are listed in the Selected
Columns area.
2. Click the Results tab at the top left of the
page, and you will see the Amount Sold
measure listed by channel name. To
show these results graphically, click New
View (above the Compound Layout area)
and select Recommended Visualization
for -> Comparing Percentages to see

the Oracle Business Intelligence Cloud


Service set of recommended graph
types for this type of analysis, as shown
in Figure 5.
From the list of visualization types
displayed, choose Pie (Recommended)
from the list and click the Remove View
from Compound Layout icon (x) within
the Table view to leave just the pie graph.
Save this analysis to the catalog by
clicking Save Analysis at the top right of
the page. Then, using the Save As dialog
box, first create a new folder called

ORACLE MAGAZINE MAY/JUNE 2015

42

BUSINESS ANALYTICS

board. You can use it to view and interact


with the analyses displayed within it,
and you can create additional analyses,
dashboard pages, and dashboards as well
as upload and add new data to your data
model. Other users within your Oracle
Business Intelligence Cloud Service instance
can view the analyses and dashboards you
have created, and you can set up roles to
control access to data and reports. Refer
to the Oracle Business Intelligence Cloud
Service online help, videos, and tutorials at
bit.ly/oraclebicshelp for more information.

Figure 6: The Oracle Business Intelligence Cloud Service dashboard

First Reports within the Company


Shared folder and then save the analysis
into this new folder, using the name
Sales by Channel Breakdown.
3. Now repeat these steps to create a
second analysis called Quantity Sold
Over Time using the Time -> Date and
SALES -> QUANTITY_SOLD subject area
columns, and use the Recommended
Visualization for menu to create a timeseries line graph that graphs the amount
sold over time.
4. Create a third analysis, using this
same approach, that shows SALES
-> AMOUNT_SOLD broken down by
PRODUCTS -> PROD_CATEGORY, and
use the Recommended Visualization for
menu again to select the best graph type
for comparing values, the bar graph. Save
this third analysis to the First Reports
folder as Product Sales.
5. Finally create a performance tile to show
the sales for the last month in the data
set. To do this, create a new analysis
using the SALES -> AMOUNT_SOLD and
Time -> Month columns, and use the
Filter menu item for the Time -> Month
column in the Selected Columns area to
filter the returned values with Month is
equal to / is in 1998 / 03.
Then, on the Results tab, click Add
View to add a new Performance Tile view
to the analysis, and when it is added

MAY/JUNE 2015 ORACLE.COM/ORACLEMAGAZINE

to the compound layout, click Edit


Analysis in the view to change the label
to NEW SALES and the tile style to the
second style (which uses white text on
a gray background). Click Done and the
Results tab, and then click the Remove
View from Compound Layout button
in the Title and Table views to remove
these from the compound layout of the
analysis. Save the analysis to the First
Reports folder as Amount Sold Tile.
All thats left now is to create a dashboard to hold these analyses. To do this,
from the Oracle Business Intelligence
Cloud Service home page, click Create
a Dashboard and name the dashboard
Sales Dashboard. Save the dashboard
in the /Company Shared/First Reports/
Dashboards folder, and click OK to start
adding content.
With the dashboard editor now open,
drag and drop two column objects from
the Dashboard Objects panel to create two
vertical columns in your dashboard, and
use the Catalog panel under the Dashboard
Objects panel to add the Amount Sold Tile
and Product Sales analyses to the left-hand
column and the Quantity Sold Over Time
and Sales by Channel Breakdown analyses to
the right-hand column. Save the dashboard,
which should look like Figure 6.
You have now created your first Oracle
Business Intelligence Cloud Service dash-

CONCLUSION
Oracle Business Intelligence Cloud Service
makes it possible to quickly deploy
analyses and dashboards as part of the
Oracle Cloud platform without the need
for on-premises software installs or the
help of the IT department. In this article,
you've seen how to quickly create reports
and a dashboard that can be shared with
coworkers within your department, using
simple self-service tools and the ability
to upload spreadsheets and other files to
create your reporting data set.

Mark Rittman is an
Oracle ACE Director and
cofounder of Rittman
Mead, an Oracle Gold
Partner based in the UK,
with offices in the US,
India, and Australia. Rittman has worked with
Oracle's business intelligence, data integration,
and data warehousing products for more than
15 years, and he writes for the Rittman Mead
blog, at rittmanmead.com/blog.
NEXT STEPS
LEARN more about
Oracle Business Intelligence Cloud Service
bit.ly/1Cft0Dc
bit.ly/oraclebicshelp
bit.ly/oraclebicsoll
READ more Rittman
Rittman Mead blog
rittmanmead.com/blog
Oracle Magazine business intelligence columns
bit.ly/omagbi
DOWNLOAD sample data for this article
bit.ly/omagbics1

Database Application Developer

PL/SQL BY STEVEN FEUERSTEIN

ORACLE DATABASE

Dynamically Dangerous Code

There's a right time to use dynamic SQL, but there's never a right time for SQL injection.

I got a call last week from Bob at extremememe.info. He sounded a little bit irritated.
"I've got a real problem on my hands, Steven," he said. "I followed your advice to create reusable program units rather than one-offs with similar functionality. But now my program is raising errors that I can't sort out and doing things I never intended."
It's never good to hear a programmer worrying about a program with a will of its own, so I hopped into my bright-red PLSQLmobile and raced over to Bob's cubicle.
"Take a look at this," said Bob. "I'm using my program in our HR system. You're familiar with the employees table, right? So let's update the salary of employee 100."

BEGIN
   em_update_col_value ('employees',
                        'employee_id',
                        100,
                        'salary',
                        1000);
END;

Value of salary updated to 1000

"No problem, right? OK, now let's try to update the department name and...kaboom!"

BEGIN
   em_update_col_value ('departments',
                        'department_id',
                        10,
                        'department_name',
                        'Jolly Fun');
END;
/
ORA-00933: SQL command not properly ended
ORA-06512: at "SYS.DBMS_SQL", line 1053
ORA-06512: at "QDB_BETA.EM_UPDATE_COL_VALUE", line 11
ORA-06512: at line 2

"How," wondered Bob, with a pained expression on his face, "can it work for one column and not another?"
Without even glancing at Bob's code, I already had a pretty good idea of the problem, or problems. I grabbed his keyboard and typed.
"And how about this?" I asked.

BEGIN
   em_update_col_value ('employees',
                        'employee_id=employee_id;
                         delete from employees
                         where employee_id',
                        100,
                        'salary',
                        1000);
END;

SELECT * FROM employees
 WHERE employee_id = 100

No rows found

"Exactly!" shouted Bob, pointing at the screen. "What's with that? How can my program delete a row from a table when all it contains is an UPDATE statement?"
To Bob I merely said, "Let's take a look."

ALL IT DOES IS AN UPDATE?

Even before looking at the em_update_col_value procedure, I was pretty certain of a few things, based on what I'd just witnessed:
- The procedure was executing dynamic SQL.
- Bob's error handling was minimal or nonexistent.
- Bob had taken no precautions against SQL injection.
But I must admit that I was not quite prepared for the awfulness that presented itself to me when Bob opened em_update_col_value in Oracle SQL Developer, as shown in Listing 1.
"See?" said Bob, "No deletes. Just an update. A nice generic procedure for executing an update against any column in any table. Really neat, huh?"
I decided to break the news gently. "Bob, this procedure is a total abomination, but I like your energy and enthusiasm."
I shared my questions and concerns with him:
- Is this program too reusable to be useful?
- Why is it using DBMS_SQL?
- Where's the error handling?
- Your program is wide open to SQL injection.
"But don't feel bad, Bob," I concluded. "This will be a great learning moment. Shall we explore?" Bob nodded a bit glumly.

WHEN IS REUSABLE TOO REUSABLE?

"Tell me why you wrote this procedure," I started off.
Bob recounted to me a session from one of my trainings: "You urged us to find every opportunity to reuse code instead of writing the same or similar code in multiple places. I noticed that in at least five places in our code, we executed updates of a single column in a single row. So I figured I could write a single procedure with dynamic SQL and that we then could call that one procedure instead of writing updates over and over again."
Bob's justification sounded reasonable on the surface, but in fact it was a big mistake. It is better to reuse code whenever possible, but only when that is appropriate. There are several reasons this guideline does not apply to single-column updates: dynamic SQL is more complex than static SQL, it executes more slowly than static SQL, it's harder to make secure, and it's harder to debug.
So you want to use it only when absolutely necessary, and that is certainly not the case here. In em_update_col_value, dynamic SQL was used for the sake of convenience.
"When it comes to writing SQL in your PL/SQL code," I admonished Bob, "you should use dynamic SQL only when it is required: when a user needs to supply some additional information at runtime to complete the SQL statement.
"So I suggest that you abandon em_update_col_value and instead go to wherever the procedure is called and replace it with a new procedure call, such as em_update_salary or em_update_last_name."
"But then I end up with dozens of different procedures!" Bob exclaimed. "Why not just execute the UPDATE directly in my code?"
"You could do that, but if you put each UPDATE inside a procedure, then it is possible you will reuse that procedure, and not duplicate the UPDATE statement," I responded. "You are also more likely to write better error handling, and you can add functionality to the update later, in just one place, as your requirements change."
Bob nodded sadly. I could tell he didn't like having to throw away his generic procedure.
"But I tell you what, Bob: let's still go through this procedure and draw out some lessons for the right way to construct a procedure that relies on dynamic SQL. You are sure to run into the need soon." Bob brightened, and off we went.

Code Listing 1: The original, and awful, em_update_col_value procedure

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_cursor     PLS_INTEGER := DBMS_SQL.open_cursor;
   l_feedback   PLS_INTEGER;
BEGIN
   DBMS_SQL.parse (
      l_cursor,
      'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;',
      DBMS_SQL.native);
   l_feedback := DBMS_SQL.execute (l_cursor);

   IF l_feedback > 0
   THEN
      DBMS_OUTPUT.PUT_LINE (
         'Value of '
         || update_col_in
         || ' updated to '
         || value_in);
   ELSE
      DBMS_OUTPUT.PUT_LINE (
         'Update of '
         || update_col_in
         || ' to '
         || value_in
         || ' failed.');
   END IF;

   DBMS_SQL.close_cursor (l_cursor);
END;
/

WHY ARE YOU USING DBMS_SQL?

"First of all," I told Bob, "let's do some basic cleanup in your program so that it is easier to focus on the bigger issues. You should use DBMS_SQL only if you have very complex requirements, such as not knowing at compile time how many columns you are querying or how many variables you must bind. Because that is not the case here, EXECUTE IMMEDIATE is a better fit.
"In addition, your IF statement after the UPDATE is verbose and distracting." I tapped at the keyboard for a minute or two. "Here. What do you think of this?" I asked, pointing to the code in Listing 2.
"Oh, right," said Bob, "you used a nested subprogram to hide the reporting details. I like the inline CASE expression, too. And really that's all I need to do with EXECUTE IMMEDIATE? All that other code disappears?"
"That's correct," I replied. "There's no need to declare and manage cursors, no need to parse and then execute. That's all taken care of for us. Nice, eh?"
Code Listing 2: The updated, but still flawed, em_update_col_value procedure

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   PROCEDURE report_results
   IS
   BEGIN
      DBMS_OUTPUT.PUT_LINE (
         'Value of '
         || update_col_in
         || CASE SQL%ROWCOUNT WHEN 0 THEN ' NOT' END
         || ' updated to '
         || value_in);
   END;
BEGIN
   EXECUTE IMMEDIATE
      'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;';
   report_results;
END;

WHERE'S YOUR ERROR HANDLING?

"We're still far from done, though," I pointed out. "Right now this program assumes that everything is going to proceed without any problem. What's the chance of that happening? Assume there will be an error. What can we do, then, to make it easier to figure out what went wrong and fix it?"
The challenge with most dynamic SQL requirements is usually not figuring out how to use EXECUTE IMMEDIATE; it's a simple, elegant statement. No, programmers are much more likely to run into problems constructing the dynamic SQL at runtime. The smallest mistake (forgetting to leave a space between keywords, for example) results in SQL that cannot be parsed.
So any program that contains dynamic SQL should do the following:
- Assign the dynamically constructed SQL statement to a variable and then use EXECUTE IMMEDIATE on that variable
- Add an exception handler that logs the error along with the variable containing the SQL statement
- Reraise the exception so that the calling program knows that something went wrong
Applying these principles, Bob and I updated the em_update_col_value procedure to the code in Listing 3.
The new em_error_log_pkg.log_error procedure (called in the updated em_update_col_value procedure) should write out to a log table all of the following:
- SQLCODE: the current error code
- DBMS_UTILITY.FORMAT_ERROR_STACK: the current error message and/or stack (I recommend that you use this instead of SQLERRM)
- DBMS_UTILITY.FORMAT_CALL_TRACE: the execution call stack, answering the question "How did I get here?"
- DBMS_UTILITY.FORMAT_ERROR_BACKTRACE: the trace back to the line number on which the error was raised
- Any information passed to the procedure by the application developer (in this case, the value of l_statement)
Assume for this article, however, that the log_error procedure simply displays the value of l_statement with a call to DBMS_OUTPUT.PUT_LINE.
I asked Bob to run the following block again, against the latest version of the em_update_col_value procedure, to see if it would help with the ORA-00933: SQL command not properly ended error message he received when he ran the block against the first version of em_update_col_value. Bob ran

BEGIN
   em_update_col_value ('departments',
                        'department_id',
                        10,
                        'department_name',
                        'Jolly Fun');
END;

And then we saw this output, in addition to the error stack:

BEGIN update departments
set department_name = Jolly Fun
where department_id = 10; END;

"Doh!" Bob groaned. "Well that's obvious enough, now that I can see the string. I forgot to put single quotes around the value. When it's a number, no problem. When the value is a string, big problem!"
Bob grabbed the keyboard and a moment later had the problem fixed.

l_statement :=
   'BEGIN update '
   || table_in
   || ' set '
   || update_col_in
   || ' = '''
   || value_in
   || ''' where '
   || pkey_col_in
   || ' = '''
   || pkey_value_in
   || '''; END;';

I nodded. "Yep, that fixes the specific problem caused by string values, but the main lesson here is this: assign that expression to a variable so you can easily trace and log the value. You will then be able to diagnose the problem, and achieve the proper dynamic SQL statement construction, much more quickly."
Bob smiled. "One less bug to worry about." Then he frowned. "But what about the deletion from my table? That was really weird, and I have a feeling we haven't fixed that yet."
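The article leaves em_error_log_pkg.log_error as a DBMS_OUTPUT stub; here is one way to write the real thing it describes, logging the error code, error stack, call stack, backtrace and the failed statement to a table. This is an added example, not the article's code: the em_error_log table and the demonstration block are constructed, and the call-stack subprogram's actual name is DBMS_UTILITY.FORMAT_CALL_STACK.

```sql
-- Constructed log table for the example (one row per logged error)
CREATE TABLE em_error_log (
   logged_at     TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
   error_code    INTEGER,
   error_stack   VARCHAR2 (4000),
   call_stack    VARCHAR2 (4000),
   backtrace     VARCHAR2 (4000),
   app_info      VARCHAR2 (4000))
/
CREATE OR REPLACE PACKAGE em_error_log_pkg
IS
   PROCEDURE log_error (app_info_in IN VARCHAR2);
END em_error_log_pkg;
/
CREATE OR REPLACE PACKAGE BODY em_error_log_pkg
IS
   PROCEDURE log_error (app_info_in IN VARCHAR2)
   IS
      -- Autonomous transaction: the log row is committed on its own, so it
      -- survives the rollback the caller performs after the reraised error.
      PRAGMA AUTONOMOUS_TRANSACTION;
      l_code        INTEGER;
      l_stack       VARCHAR2 (4000);
      l_calls       VARCHAR2 (4000);
      l_backtrace   VARCHAR2 (4000);
   BEGIN
      -- Capture everything into locals first: SQLCODE cannot be used inside
      -- a SQL statement, and the backtrace must be read while the exception
      -- being handled is still the current one.
      l_code      := SQLCODE;
      l_stack     := SUBSTR (DBMS_UTILITY.format_error_stack, 1, 4000);
      l_calls     := SUBSTR (DBMS_UTILITY.format_call_stack, 1, 4000);
      l_backtrace := SUBSTR (DBMS_UTILITY.format_error_backtrace, 1, 4000);

      INSERT INTO em_error_log (error_code, error_stack, call_stack,
                                backtrace, app_info)
           VALUES (l_code, l_stack, l_calls,
                   l_backtrace, SUBSTR (app_info_in, 1, 4000));
      COMMIT;
   END log_error;
END em_error_log_pkg;
/
-- Constructed demonstration: the "smallest mistake" from the text, a missing
-- space after SET, is logged together with the statement text and reraised.
DECLARE
   l_statement   VARCHAR2 (32767) := 'update employees setsalary = 1000';
BEGIN
   EXECUTE IMMEDIATE l_statement;
EXCEPTION
   WHEN OTHERS
   THEN
      em_error_log_pkg.log_error (l_statement);
      RAISE;
END;
/
-- The logged row shows the error code next to the exact text that failed to parse
SELECT error_code, app_info FROM em_error_log;
```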

Code Listing 3: The further updated em_update_col_value procedure, with error handling

PROCEDURE em_update_col_value (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_statement   VARCHAR2 (32767);
   PROCEDURE report_results ...
BEGIN
   l_statement :=
      'BEGIN update '
      || table_in
      || ' set '
      || update_col_in
      || ' = '
      || value_in
      || ' where '
      || pkey_col_in
      || ' = '
      || pkey_value_in
      || '; END;';
   EXECUTE IMMEDIATE l_statement;
   report_results;
EXCEPTION
   WHEN OTHERS
   THEN
      em_error_log_pkg.log_error (l_statement);
      RAISE;
END;

WHAT IS SQL INJECTION?

"You read my mind, Bob. That's right. That problem, and it is far and away the most serious problem with your procedure, still lurks. And it has a name: SQL injection."
SQL injection occurs when users insert their own text into your SQL statement and cause it to do things you never intended, such as delete a row.
"Two questions: How could that possibly happen, and how do I make sure it can't happen?" Bob asked.
"Right," I responded. "Let's go back to that delete example I gave you and run it with our new, error-handling-enriched version of the em_update_col_value procedure, but this time I will comment out the semicolon (;) before the delete to force an error."

BEGIN
   em_update_col_value ('employees',
                        'employee_id=employee_id /*;*/
                         delete from employees
                         where employee_id',
                        100,
                        'salary',
                        1000);
END;
/
BEGIN update employees set salary = 1000
where employee_id=employee_id
/*;*/ delete from employees
where employee_id = 100; END;

With a semicolon just before the DELETE keyword, a malicious user terminates the UPDATE statement (which is setting everyone's salary to 1000) and then starts a brand-new statement inside the block, performing a DELETE. Those semicolons embedded in PL/SQL blocks can really wreak havoc!
Bob sighed and nodded. "OK, now I see what is going on. What can I do about it?"
"First, Bob, I need to set expectations properly. SQL injection is a security issue. This means that you need to engage with your chief security officer to make sure you are following all of extremememe's guidelines. It is also a very specialized topic, and I am not a security specialist. So I will share with you some basic steps you should take to shore up your defenses, but I also encourage you to check out the excellent 'How to write SQL injection proof PL/SQL' white paper, available on Oracle Technology Network at bit.ly/sqlinjproof."
I then presented the following concerns regarding the latest version of the em_update_col_value procedure to Bob:
1. The procedure includes unnecessary construction and execution of a dynamic PL/SQL block.
2. Users can pass their own strings directly to the procedure.
3. The procedure does not check to make sure the table or column names are valid.
I elaborated on each of these to Bob:
1. Dynamic PL/SQL (a string that starts with DECLARE or BEGIN and ends with END;) is much more vulnerable to injection than dynamic SQL (a data manipulation language [DML] or data definition language [DDL] statement), because you can execute procedural logic, invoke stored program units, and so on. So if you are not actually executing PL/SQL code, do not put your SQL statements inside a PL/SQL block. In the em_update_col_value procedure, the assignment to the local variable should be nothing more than

l_statement :=
   'update '
   || table_in
   || ' set '
   || update_col_in
   || ' = '''
   || value_in
   || ''' where '
   || pkey_col_in
   || ' = '''
   || pkey_value_in
   || '''';

2. An end user should never be able to directly insert text into a string executed dynamically. If this is allowed, it will always be very difficult to stop injection. User inputs should be tightly constrained and then checked before they are used in a dynamically constructed string. There is no general solution for performing this task. You must analyze each use case and decide how to guard your database from injection. The first step is to avoid concatenation whenever possible and instead bind variable values into the string. You cannot inject into variables!
I updated em_update_col_value to use bind variables and showed it to Bob:

BEGIN
   l_statement :=
      'UPDATE '
      || table_in
      || ' SET '
      || update_col_in
      || ' = :my_value WHERE '
      || pkey_col_in
      || ' = :my_pky';
   EXECUTE IMMEDIATE l_statement
      USING value_in, pkey_value_in;

"OK," said Bob. "I see now that users can't inject through the values, but what about the table and column names?"
"Right," I responded. "That brings us to the final point."
3. This procedure accepts the name of a table and a column and then concatenates them directly into the string. You cannot bind a table name into a SQL statement with the USING clause; the SQL engine needs all that information before binding to ensure that it is a valid SQL statement. Theoretically, injection could still occur if there is concatenation.
"So," I explained, "first make sure that users can never enter a table name or a column name directly. It sounds unlikely that they'd be able to, doesn't it? But make sure! Next, you can further guard against injection via object names by using DBMS_ASSERT subprograms to check that the string is the name of a database object and/or is a valid object name."

l_statement :=
   'UPDATE '
   || DBMS_ASSERT.SQL_OBJECT_NAME (
         table_in)
   || ' SET '
   || DBMS_ASSERT.SIMPLE_SQL_NAME (
         update_col_in)
   || ' = :my_value WHERE '
   || DBMS_ASSERT.SIMPLE_SQL_NAME (
         pkey_col_in)
   || ' = :my_pky';

"So now with a call to DBMS_ASSERT.SQL_OBJECT_NAME, if I pass a bad name for the table, I will see

BEGIN
   em_update_col_value(
      'employees; more code here',
      'employee_id',
      1000000,
      'salary',
      1000);
END;
/
ORA-44002: invalid object name

"And if I try to play games with the column name, Oracle Database will reject my effort:

BEGIN
   em_update_col_value(
      'employees',
      'employee_id;more code here',
      1000000,
      'salary',
      1000);
END;
/
ORA-44003: invalid SQL name

Bob smiled broadly. "I like it when Oracle Database takes care of the heavy lifting for me."
"Indeed," I agreed. "But when it comes to SQL injection, Oracle Database makes no promises. You need to do the lion's share of the work to ensure that your code is not vulnerable to SQL injection."

Answer to Last Issue's Challenge
The PL/SQL Challenge quiz in the last issue's "Four Resolutions for Better Code" presented three code blocks and asked which block(s) would display -6502 after execution. All three answers are correct, but only the first (a) follows the native PL/SQL paradigm for error raising and handling. The other two techniques should, therefore, be avoided.

Take the Challenge

Each PL/SQL article offers a quiz to test your knowledge of the information provided in it. The quiz appears below and also at PL/SQL Challenge (plsqlchallenge.com), a website that offers online quizzes on the PL/SQL language. Your quiz:
I execute the following statements:

CREATE TABLE plch_persons
( pky   INTEGER PRIMARY KEY,
  nm    VARCHAR2 (100))
/
CREATE TABLE plch_trees
( pky   INTEGER PRIMARY KEY,
  nm    VARCHAR2 (100))
/
BEGIN
   INSERT INTO plch_persons
        VALUES (1, 'Sam');
   INSERT INTO plch_trees
        VALUES (1, 'Oak');
   COMMIT;
END;
/

Which of the following choices create(s) a procedure named PLCH_SHOW_NAME so that after the following block executes, both Oak and Sam are displayed on the screen?

BEGIN
   plch_show_name ('PLCH_TREES', 1);
   plch_show_name ('PLCH_PERSONS', 1);
END;
/

a.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
BEGIN
   EXECUTE IMMEDIATE
      'DECLARE l_value VARCHAR2(100);
       BEGIN SELECT nm INTO l_value
       FROM '
      || table_in
      || ' WHERE pky = '
      || pky_in
      || '; DBMS_OUTPUT.PUT_LINE (l_value);
       END;';
END;
/

b.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value   VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'BEGIN SELECT nm INTO :val FROM '
      || table_in
      || ' WHERE pky = '
      || pky_in
      || '; END;'
      USING OUT l_value;
   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

c.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value   VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'SELECT nm FROM ' || table_in || '
       WHERE pky = ' || pky_in
      INTO l_value;
   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

d.
CREATE OR REPLACE PROCEDURE plch_show_name
   (table_in IN VARCHAR2, pky_in IN INTEGER)
IS
   l_value   VARCHAR2 (100);
BEGIN
   EXECUTE IMMEDIATE
      'SELECT nm FROM '
      || DBMS_ASSERT.sql_object_name (table_in)
      || ' WHERE pky = :pky'
      USING pky_in
      INTO l_value;
   DBMS_OUTPUT.PUT_LINE (l_value);
END;
/

DYNAMIC AND REUSABLE? AN UNLIKELY PAIR

Programmers should always strive for a single point of definition (usually a subprogram) for rules, formulas, SQL statements, and magic values. Reuse those subprograms, and look for opportunities to build generic utilities, such as error loggers, that can be reused throughout an application. Nevertheless, programs that execute dynamic SQL statements are unlikely to be a good fit for reusable code. Dynamic SQL should be utilized only when static implementations are impossible. And when you write a subprogram with dynamic SQL, the need for solid error handling and proactive protection against SQL injection rises significantly.
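Pulling the article's three points together, this is the version of the procedure I would actually ship: plain SQL rather than a dynamic PL/SQL block, bind variables for the values, DBMS_ASSERT on every identifier, and, because DBMS_ASSERT only proves that a string is a well-formed or existing name, an allow-list check against the data dictionary so that only columns of the named table can ever be concatenated. This is an added example, not the article's code; the name em_update_col_value_safe and the demonstration calls are constructed, and it assumes unquoted identifiers for a table owned by the calling schema.

```sql
SET SERVEROUTPUT ON
-- Hypothetical hardened variant of the article's procedure (constructed name)
CREATE OR REPLACE PROCEDURE em_update_col_value_safe (
   table_in        IN VARCHAR2,
   pkey_col_in     IN VARCHAR2,
   pkey_value_in   IN INTEGER,
   update_col_in   IN VARCHAR2,
   value_in        IN VARCHAR2)
IS
   l_table       VARCHAR2 (128);
   l_pkey_col    VARCHAR2 (128);
   l_upd_col     VARCHAR2 (128);
   l_statement   VARCHAR2 (32767);

   -- DBMS_ASSERT.SIMPLE_SQL_NAME only proves the string is a well-formed
   -- identifier. The dictionary lookup turns that into an allow-list: the
   -- name must be a column of the named table in the current schema
   -- (unquoted identifiers assumed; qualified or quoted names are rejected).
   FUNCTION checked_column (tab_in IN VARCHAR2, col_in IN VARCHAR2)
      RETURN VARCHAR2
   IS
      l_col     VARCHAR2 (128) := DBMS_ASSERT.SIMPLE_SQL_NAME (col_in);
      l_count   PLS_INTEGER;
   BEGIN
      SELECT COUNT (*)
        INTO l_count
        FROM user_tab_columns
       WHERE table_name = UPPER (tab_in)
         AND column_name = UPPER (l_col);

      IF l_count = 0
      THEN
         raise_application_error (
            -20001,
            l_col || ' is not a column of ' || tab_in);
      END IF;

      RETURN l_col;
   END checked_column;
BEGIN
   -- ORA-44002 unless table_in names an existing object
   l_table    := DBMS_ASSERT.SQL_OBJECT_NAME (table_in);
   l_pkey_col := checked_column (l_table, pkey_col_in);
   l_upd_col  := checked_column (l_table, update_col_in);

   -- Plain SQL, not a BEGIN ... END block: nothing procedural can ride along
   l_statement :=
         'UPDATE ' || l_table
      || ' SET ' || l_upd_col || ' = :new_value'
      || ' WHERE ' || l_pkey_col || ' = :pky';

   -- The values are bound, never concatenated, so whatever they contain
   -- is compared with the column rather than parsed as SQL.
   EXECUTE IMMEDIATE l_statement USING value_in, pkey_value_in;

   DBMS_OUTPUT.put_line (SQL%ROWCOUNT || ' row(s) updated in ' || l_table);
EXCEPTION
   WHEN OTHERS
   THEN
      -- Log the statement text (identifiers only, no data values), the error
      -- stack and the backtrace, then reraise so the caller sees the failure.
      DBMS_OUTPUT.put_line ('Failed: ' || NVL (l_statement, '<not built>'));
      DBMS_OUTPUT.put_line (DBMS_UTILITY.format_error_stack);
      DBMS_OUTPUT.put_line (DBMS_UTILITY.format_error_backtrace);
      RAISE;
END em_update_col_value_safe;
/
-- Constructed demonstration, assuming an EMPLOYEES table with EMPLOYEE_ID
-- and SALARY columns as in the article. The legitimate call succeeds:
BEGIN
   em_update_col_value_safe ('employees', 'employee_id', 100, 'salary', '1000');
END;
/
-- The article's injected "primary key column" fails SIMPLE_SQL_NAME
-- (ORA-44003) before any statement text exists:
BEGIN
   em_update_col_value_safe ('employees',
      'employee_id=employee_id; delete from employees where employee_id',
      100, 'salary', '1000');
END;
/
-- A well-formed name that is not a column of the table is caught by the
-- allow-list check (ORA-20001), which DBMS_ASSERT alone would not do:
BEGIN
   em_update_col_value_safe ('employees', 'employee_id', 100, 'bonus', '1000');
END;
/
```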

Steven Feuerstein
(steven.feuerstein@
oracle.com) is an
architect for Oracle,
specializing in PL/SQL.
His books, such as
Oracle PL/SQL Programming, and more
than a thousand PL/SQL quizzes at PL/SQL
Challenge (plsqlchallenge.com) provide in-depth
resources for PL/SQL developers.

NEXT STEPS
TEST your PL/SQL knowledge
plsqlchallenge.com
READ more Feuerstein
bit.ly/omagplsql
READ more about
PL/SQL
oracle.com/plsql
SQL injection
How to write SQL injection proof PL/SQL
bit.ly/sqlinjproof


Database Application Developer and DBA

ASK TOM BY TOM KYTE

ORACLE DATABASE

On More-Secure Applications

Our technologist shows how to build security into application design.

I'm worried about the security of my application, things like SQL injection, for example. What can I do to minimize the chances that my application will be hacked?
This is a great question, because not a day seems to go by without news of yet another hack. Whether it be someone stealing identities, credit card information, personal information, or whatever, new security incidents seem to happen often. Too often.
There are a few things you can do in your application design to eliminate or reduce your exposure. Securing an application is something that needs to be done as the application is being developed; it is very hard to retrofit security into an existing application. Trying to fix an existing application to be secure is sort of like trying to patch a leaky foundation of a house rather than building a waterproof foundation in the first place.
Here are some of the most important things you can do for your application design architecturally:
- Make sure you have read the Database 2 Day + Security Guide (bit.ly/2daysecure) and the Database Security Guide (bit.ly/oradbsecurity). They will give you an overview of what you need to be thinking about security-wise and an excellent look into the capabilities Oracle Database offers in the area of security.
- Employ the concept of least privilege.
- Use multiple schemas (many more than one) to separate objects and help enforce the concept of least privilege.
- Use bind variables! They are not only a scalability and performance feature; they also help secure your application from SQL injection attacks.
- Employ multiple levels of defense. Do not put security only in the application code; repeat it as many times as you can within the database, using different techniques. In that way, a bug in one layer of defense won't leave your database exposed.
Read on for details of some of these security strategies.
LEAST PRIVILEGE

This is a key tenet of database security: grant the fewest (least) privileges possible to everyone, from your DBAs down to the application schemas and out to the schemas used to connect to the database from the middle tier.
All too often, application developers request a privilege in the database simply to make their lives easier. For example, if they are working on an application that requires data from other application schemas (from many tables in many other schemas), they might request the SELECT ANY TABLE privilege. With that privilege, no matter what table they need from those other schemas, they will have it. The application developers might feel that it makes them more agile (able to pump out code faster) because they never have to ask for a SELECT grant again.
If attackers can find a SQL injection flaw in the developed application, they will almost certainly be able to gain at least read access to everything in the database, not just the tables the application accesses but every single table in the entire database.
The SELECT ANY TABLE privilege will also make it very hard to survive a true security audit. There will be no way to justify why the application truly needs SELECT ANY TABLE privileges. Additionally, there will be no documentation for the tables the application truly needs.
No ANY grant should ever be given to an application schema. The power of a grant with the ANY keyword in it, such as CREATE ANY CONTEXT, SELECT ANY TABLE, DROP ANY TABLE, is beyond what any application needs. There is always another way for developers to achieve what they need to do.
For example, I've seen DROP ANY TABLE granted to an application schema with the reasoning that the application developers needed to truncate a table in another schema. In reference to truncating a table, the Database SQL Language Reference, at bit.ly/sqltrunc, states: "To truncate a table, the table must be in your schema or you must have the DROP ANY TABLE system privilege."
That is true, but you do not need to have the DROP ANY TABLE privilege to achieve the goal of truncating a table in another schema. That is what's important: the goal is to truncate table T in schema X. There are at least two ways to achieve that:
1. Use the powerful and dangerous DROP ANY TABLE privilege.
2. Implement a stored procedure that executes as schema X (the owner of the table) and performs the truncate. And then grant EXECUTE privileges on this procedure.
If you were to grant DROP ANY TABLE to the application schema and an attacker discovered a SQL injection flaw in the application, the attacker would have the DROP ANY TABLE privilege. Think about how damaging that would be!
The other approach, achieving the goal with the minimum privileges (with the least privileges), is the right way to go. Consider the following:
SQL> create user a identified by a;
User created.
SQL> create user b identified by b
  2  default tablespace users
  3  quota 5m on users;
User created.
SQL> grant create session to a;
Grant succeeded.
SQL> grant create session,
  2  create table,
  3  create procedure
  4  to b;
Grant succeeded.

I now have two schemas, A and B. A has just the privilege to log in, and B can log in and create tables and procedures. Now I'll log in as B and create my objects:

SQL> connect b/b
Connected.
SQL> create table t
  2  as
  3  select *
  4  from all_users;
Table created.
SQL> create or replace
  2  procedure truncate_table_t
  3  authid DEFINER
  4  as
  5  begin
  6  execute immediate
  7  'truncate table B.T';
  8  end;
  9  /
Procedure created.
SQL> grant select on t to a;
Grant succeeded.
SQL> grant execute
  2  on truncate_table_t
  3  to a;
Grant succeeded.

Schema B now has a table T with some data in it and also a definer's rights procedure that truncates table B.T. A definer's rights routine (the default type of stored procedure) runs with the privileges granted directly to the owner of the procedure, that is, all the privileges of schema B minus any privileges granted to B via a role.
Schema B allows schema A to read table T and to execute the stored procedure B.TRUNCATE_TABLE_T. I'll log in as A and see what I can do:

SQL> connect a/a
Connected.
SQL> select count(*) from b.t;
  COUNT(*)
----------
        55

I can see that table B.T exists, I can query it, and it has data. Now I'll try to truncate table B.T as user A:

SQL> truncate table b.t;
truncate table b.t
*
ERROR at line 1:
ORA-01031: insufficient privileges

I am not privileged enough to truncate this table. For that truncate to succeed as executed by A, I would need the DROP ANY TABLE privilege. But that doesn't mean I need to have the DROP ANY TABLE privilege in order to truncate B.T! I can just execute that stored procedure:

SQL> exec b.truncate_table_t;
PL/SQL procedure successfully completed.
SQL> select count(*) from b.t;
  COUNT(*)
----------
         0

Using stored procedures is a great way to reduce the strength of a grant you need to give across schemas. They definitely help achieve the least privileges concept. Here schema A needs the EXECUTE privilege only on a procedure that can truncate exactly the one table that A needs.
NOTE: Oracle Database 12c includes a new privilege analysis tool to help enforce the concept of least privileges. See the Database Vault Administrator's Guide, at bit.ly/dbvault, for details.
I have achieved the goal, to truncate B.T, but did not require the DROP ANY TABLE privilege. I have greatly limited the exposure to risk, but I have not eliminated it. An attacker finding a SQL injection bug in code executed by schema A would likely be able to execute the B.TRUNCATE_TABLE_T procedure, but I've still achieved a huge reduction in exposure. I've gone from risking the loss of every table in the database to the loss of data in one table, a table that is truncated on a recurring basis already.

USE MULTIPLE SCHEMAS

This idea probably gets more pushback from developers than any other security idea I suggest. I'm going to reproduce a question from a previous Ask Tom column (at bit.ly/asktommultischema):
A data architect at work has proposed that
we start using separate database accounts to
hold the code (packages, procedures, views,
and so on) and the data (tables, materialized
views, indexes, and so on) for an application.
I've never come across this idea before, and
it seems to be contrary to the concepts of
encapsulation, in that the application will
be spread across at least two schemas and
require more administrative overhead to
maintain the necessary grants between them.
Are there any situations you can think
of where this would be a recommended
approach? And if you did this, how would
you recommend referencing objects in the
data schema from the application schema?
Finally, would you put any views into the
code or data schema?
You can see my original response to this
question at bit.ly/asktommultischema, but
in looking at this question again, I can see
that the questioner is trying to find reasons
to not do something that would be greatly
beneficial to security. Developers may throw
out words such as encapsulation (although
having multiple schemas actually promotes
encapsulation) and claim that it will require
more administrative overhead to maintain
the necessary grants, while missing the
point that the production application will
need to have the concept of least privileges
in place. What some developers view as
drawbacks, I see as positives.
My approach would be to have at least one schema that contains table data, and maybe more than one, probably more than one, but at least one schema that owns just the table data and, if need be, a few procedures like the one described in the last section. There would be a second schema, and this schema would own code (PL/SQL, Java stored procedures, and so on) that accesses these tables. It would also contain views of the various tables as needed. The first schema, the one that contains table data, would grant just the privileges needed on a table to the second, code schema. (There would be no GRANT ALL ON T TO another_schema.) The data schema would grant just the access necessary: INSERT, UPDATE, DELETE, and/or SELECT.
Then there would be a third schema. This schema would be granted nothing more than CREATE SESSION to log in and the bare privileges on the second schema the application needs in order to execute the procedures and access the views. This third schema, the database account, is the one your application server would use to connect to the database.

Think about the benefits this would bring you. If hackers get into the application schema, the damage they can do will be very limited. They won't be able to read every table; they'll be able to read only a few. And if you use stored procedures as a data access layer, they may not be able to access any tables at all! All they'll be able to do is run your application. They won't be able to drop any tables, which they would be able to do if you used a single schema for everything, or update anything they choose, as they would be able to if you used a single schema. And so on. Hackers will be very restricted in what they can and cannot do.
Let's make this a bit more concrete. Suppose your application has an application audit trail (as it and every application should). Your typical application user needs to be able to insert into this audit trail, but that user should never be able to read it, delete it, or modify it. You might also have an administrative application that needs to read the audit trail, but it doesn't ever need to insert into it, update it, or delete from it. If you go with a single schema, both the application and the administrative application users will have full READ/WRITE access on this table. You might say, "Our application enforces security; don't worry." But that does worry me, because you will have a bug in your application, somewhere, someday. And then the audit trail will be 100 percent exposed to tampering.
If instead you put the audit trail into its own schema and create two code schemas, one for the typical application user and the other for the typical administrative application user, you'll be able to grant INSERT privileges on the audit trail table to the first code schema and SELECT privileges on the audit trail to the second code schema. Now the first schema can create the code that inserts into the audit trail. The second schema can create some views for reporting or use stored procedures that return ref cursors instead. Last, you'll create a schema that has CREATE SESSION and EXECUTE privileges on the code in the first application schema and then create an administrative login that has CREATE SESSION and EXECUTE privileges on the code in the second schema. This is the concept of least privileges put into action to the fullest. The administrative schema will use code in the application schema to audit itself and will be able to report on, but not modify, the audit trail. The application schema will also be able to audit itself but not read the audit trail (because it has no reason to).

To witness this multischema architecture idea in action, with all the details, code, and more, see the Database 2 Day Developer's Guide, Chapter 9, "Developing a Simple Oracle Database Application," at bit.ly/devguidemultischemaapp.
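The audit trail layout just described, as an added example that is neither the article's code nor the Developer's Guide's: the schema names, table columns, USERS tablespace and placeholder passwords are assumptions, and the script is meant to be run from a DBA account.

```sql
-- Added example, not the article's code. Schema names, columns, tablespace and
-- passwords are constructed; run as a DBA. Uses Oracle Database 12c identity-column syntax.

-- Data schema and the two code schemas. Nobody ever logs in as these, so they
-- get no CREATE SESSION at all; the DBA creates their objects by qualified name.
CREATE USER app_data   IDENTIFIED BY "PLACEHOLDER_PW" QUOTA UNLIMITED ON users;
CREATE USER app_code   IDENTIFIED BY "PLACEHOLDER_PW";
CREATE USER admin_code IDENTIFIED BY "PLACEHOLDER_PW";
-- Login accounts used by the application server and by the administrative tool.
CREATE USER app_login   IDENTIFIED BY "PLACEHOLDER_PW";
CREATE USER admin_login IDENTIFIED BY "PLACEHOLDER_PW";

-- The audit trail lives only in the data schema.
CREATE TABLE app_data.audit_trail (
  id        NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  logged_at TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL,
  actor     VARCHAR2(128)  NOT NULL,
  action    VARCHAR2(4000) NOT NULL
);

-- Least privileges: application code may only INSERT, administrative code may
-- only SELECT. No GRANT ALL. The SELECT carries WITH GRANT OPTION because
-- admin_code will expose the table through a view to a third account; without
-- it the later GRANT on the view fails with ORA-01720.
GRANT INSERT ON app_data.audit_trail TO app_code;
GRANT SELECT ON app_data.audit_trail TO admin_code WITH GRANT OPTION;

-- Definer's-rights procedure: callers append an audit row without holding INSERT.
CREATE OR REPLACE PROCEDURE app_code.log_event (p_action IN VARCHAR2)
AS
BEGIN
  INSERT INTO app_data.audit_trail (actor, action)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), p_action);
END;
/

-- Read-only reporting view in the administrative code schema.
CREATE OR REPLACE VIEW admin_code.audit_report AS
  SELECT id, logged_at, actor, action FROM app_data.audit_trail;

-- Each login gets CREATE SESSION plus exactly the one object privilege it needs.
GRANT CREATE SESSION TO app_login, admin_login;
GRANT EXECUTE ON app_code.log_event      TO app_login;
GRANT SELECT  ON admin_code.audit_report TO admin_login;

-- Resulting capabilities against the audit trail:
--   app_login   can call app_code.log_event (append only); a direct SELECT on
--               app_data.audit_trail fails with ORA-00942 because the object is
--               invisible to an account with no privilege on it.
--   admin_login can SELECT from admin_code.audit_report (read only); INSERT,
--               UPDATE and DELETE against the table all fail the same way.
```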

USE BIND VARIABLES

Did you know that if your SQL uses bind variables for all variables that can change from execution to execution, your code cannot be SQL-injected? On the other hand, if you use string concatenation to put these variables into your SQL, your code can be SQL-injected! That is, if you issue SQL such as SELECT * FROM EMP WHERE ENAME LIKE ? and you bind in a value for the ?, no one will be able to change the meaning of your SQL, regardless of what they send you. On the other hand, if you build your SQL statement by using string concatenation like this:

SELECT * FROM EMP WHERE ENAME LIKE '" + some_variable +"'

it will be far too easy for your code to be SQL-injected.

In my experience, many, if not most, database attacks are performed by SQL injection, whereby the attacker sends you input that makes your resulting SQL different from what you intended. There are programmatic ways to combat this. For example, you can use the DBMS_ASSERT package in PL/SQL when building SQL, write your own sanitizer routines to verify that the inputs are safe to concatenate, and write lots of code. You'll still have to worry about attack vectors you haven't thought of (see bit.ly/tkbinject for an interesting example of a SQL injection attack most people would not see coming). So whatever programmatic strategy you use, there will still be concern that your code is not as secure as you think it is.

Or you can use bind variables. If you use a bind variable, it will be impossible (repeat, impossible) for an attacker to change SELECT * FROM EMP WHERE ENAME LIKE ? into any other SQL. On the other hand, it would be relatively easy for an attacker to try to change

SELECT * FROM EMP WHERE ENAME LIKE '" + some_variable +"'

into

SELECT * FROM EMP WHERE ENAME LIKE '' or 1=1 '

by providing the input

' or 1=1

That input would change the meaning of your query entirely. Additionally, attackers might instead try to input

'UNION ALL SELECT FROM T '

Think about what that would do to your query. Instead of querying the EMP table, your attackers would now be querying some other table T (a SQL injection bug, once found, typically gives at least READ access to every object the schema has read access to).


If you do not use bind variables in your application for inputs into your query, I firmly believe you'll have to
- Write lots of additional procedural code to sanitize inputs (and lose sleep every night wondering if you did it perfectly every time and everywhere).
- Submit your code to be reviewed by at least five people who do not like you. The reason for the "do not like you" part is that they must be motivated to search long and hard for any mistakes you might have made. If they like you, or even worse, respect you, they might not look hard enough.

But following these steps will not guarantee security. Your code may still be SQL-injectable, because it might not be perfect and the reviewers might not find everything. Remember: bugs happen to everyone. Bugs, including ones that allow for SQL injection, happen to me more times than I can count. Consider the article I wrote years ago on SQL injection at bit.ly/tkinjectc. After you read the section on SQL injection in that article, I encourage you to read on and look at the last section. There I used a stored procedure to do selective granting, similar to the truncate example earlier in this article. But note the note there about revised content. My original stored procedure, the one that was printed in the hard-copy magazine, never to be fixed, had a SQL injection flaw in it! Yes, in an article on SQL injection, I supplied some code that was SQL-injectable. It can happen to anyone: highly experienced programmers, novice programmers . . . everyone.
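The concatenation versus bind-variable contrast above, as an added example written in PL/SQL rather than the article's Java-style string: EMP is the article's table, the function names are assumptions, and the last function covers the one case a bind variable cannot handle (an object name supplied by the caller), which is where the DBMS_ASSERT package the article mentions applies.

```sql
-- Added example, not the article's code. Function names are constructed; EMP is
-- the article's table. The same query is built the vulnerable way and the safe way.

-- Vulnerable: the caller's value becomes part of the SQL text, so a value that
-- contains a quote ends the literal and the rest is parsed as SQL (the flaw the
-- article describes). Kept here only as the "before" of the fix below.
CREATE OR REPLACE FUNCTION count_emp_concat (p_name IN VARCHAR2) RETURN NUMBER
AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp WHERE ename LIKE ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;   -- a different statement on every call
  RETURN l_cnt;
END;
/

-- Hardened: static SQL in PL/SQL binds p_name automatically. The statement text
-- is fixed at compile time; whatever the caller sends is compared as data.
CREATE OR REPLACE FUNCTION count_emp_bind (p_name IN VARCHAR2) RETURN NUMBER
AS
  l_cnt NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_cnt FROM emp WHERE ename LIKE p_name;
  RETURN l_cnt;
END;
/

-- When the statement really must be dynamic, bind with USING; never concatenate.
CREATE OR REPLACE FUNCTION count_emp_dyn_bind (p_name IN VARCHAR2) RETURN NUMBER
AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename LIKE :name'
    INTO l_cnt USING p_name;
  RETURN l_cnt;
END;
/

-- A bind variable cannot carry an identifier (table or column name). If the
-- table name comes from the caller, validate it with DBMS_ASSERT.SQL_OBJECT_NAME,
-- which raises ORA-44002 unless the string is a well-formed existing object name.
CREATE OR REPLACE FUNCTION count_rows (p_table IN VARCHAR2) RETURN NUMBER
AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_cnt;
  RETURN l_cnt;
END;
/
```

With count_emp_bind or count_emp_dyn_bind, an input containing a quote simply matches no row (or matches names that literally contain it); only count_emp_concat lets the input change the statement.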
HAVE MULTIPLE LEVELS OF DEFENSE

Having multiple levels of defense is another basic security tenet, right up there with the least privileges concept. You want to have security in depth: security at multiple levels. Suppose you put all your security logic in the application, so the folks at the network/database/storage level don't have to worry about anything. Someone will find a way around that security. It is not if but a matter of when attackers will find a way around it. If, on the other hand, you have multiple layers of defense (multiple repetitive layers of defense), a hole in any one defense level won't mean that your data will be compromised. For example, suppose for some reason that your application uses string concatenation and does not use bind variables. In that case, I would suggest that you
- Procedurally sanitize your application inputs to validate them
- Have your string concatenation code reviewed so that multiple eyes look at it to validate it
- Employ Oracle Database Firewall (bit.ly/odsavdf) to catch SQL injection flaws when they inevitably occur (from not using bind variables!)
- Use the concept of least privileges so that if all other defenses fail, you'll minimize your risk
- Use multiple schemas to further mitigate the security risk (and take least privileges to the farthest point possible)
- Employ auditing at the application level, firewall level, and database level; consider using Oracle Audit Vault (bit.ly/odsavdf) to consolidate all that information; and set up real-time audit policies that look for suspicious activity as it happens

There are at least six levels of defense right there, but each of those layers might have a flaw in it somewhere, a hole to be exploited. Use multiple layers of defense in case one, or more, of them is defeated.

CONCLUSION

Security is a #1 concern these days. In the past, before the internet, security was a bit easier. Our databases were not exposed to billions of potential attackers and didn't have as much sensitive information in them. Today a child could attack your database just for fun (search for "sql injection toolkit," and you might be surprised at what is out there). Attacking a website is not hard.

Fortunately, protecting yourself and minimizing your exposure is not that hard either. Employ least privileges. Yes, that seems like more work for the development team, but look at what you get out of it: minimized exposure, better documentation, and a solid understanding of who uses what objects and why. It is not only a security feature; it also makes your entire code base better, easier to maintain, and easier to understand.

Use encapsulation and modularization via multiple schemas to set up walls between various components. Again, use least privileges to put the pieces together.

Avoid the major attack vectors such as SQL injection entirely by using bind variables. Bind variables are not only good for performance and scalability but also excellent for security.

Employ as many layers of defense as you can come up with. They are not redundant, so do not consider them redundant. They each add to your security footprint, in a positive fashion.

And perhaps most importantly, remember to design this all into your application from day 1. Trying to retrofit least privileges and multiple schemas, and fixing code that doesn't use bind variables so that it does use bind variables, is not only hard but also error-prone. It would be like working on a leaky foundation.

Tom Kyte is a database evangelist in Oracle's Server Technologies division and has worked for Oracle since 1993. He is the author of Expert Oracle Database Architecture (Apress, 2005, 2010) and Effective Oracle by Design (Oracle Press, 2003), among other books.

NEXT STEPS

ASK Tom
Tom Kyte answers your most difficult technology questions. Highlights from that forum appear in this column.
asktom.oracle.com
FOLLOW Tom on Twitter
@OracleAskTom
READ more Tom
bit.ly/omagasktom
READ more about Oracle Database Security
bit.ly/2daysecure
bit.ly/oradbsecurity
bit.ly/dbvault
bit.ly/12cdbsecurity
DOWNLOAD Oracle Database 12c
bit.ly/epBiUG
LEARN more about Oracle Database 12c
oracle.com/database
FOLLOW Oracle Database
on Twitter
@oracledatabase
on Facebook
facebook.com/oracledatabase


IN THE FIELD BY KATE PAVAO

Keeping Pace

OAUG's new president knows how to handle a changing environment.

During her 17 years as an Oracle Applications Users Group (OAUG) member, Melissa English has had many jobs, including volunteering on the education committee, chairing the marketing and communication committee, and serving on OAUG's board of directors. So she was well prepared when, in January 2015, she began her term as OAUG president.

What first drew her to OAUG, the largest education, networking, and advocacy forum for Oracle Applications users? "I really loved that it was other people like me providing content and information," remembers English, who is manager of instructional design at Amway.

Here, English talks to Oracle Magazine about why she stays committed to OAUG, her plans for growing the organization during its celebratory 25th-anniversary year, and how business leaders can better prepare their workers to evolve in swiftly changing times.
Oracle Magazine: What sparked your interest in technology?

English: In the mid-1990s, I was working in accounts payable at the Cincinnati Department of Human Services. When I started to train other workers on how to use Oracle applications, I knew that's what I wanted my career path to be. I love being able to help people understand new technology, and I love knowing I was able to provide value to them. This passion is what keeps me going with OAUG, because OAUG is all about members supporting and learning from each other.
Oracle Magazine: What are you hoping to accomplish as OAUG president?

English: I want to continue to innovate and increase our user involvement, because the more our members share their experiences, the better the results for our community. If that means we can get more end users to present at events or in our e-learning series, that's terrific. But also we want to help people connect with each other through networking opportunities at our OAUG Connection Point events and at COLLABORATE conferences. For example, we host a luncheon for women in technology each year at COLLABORATE, which is a great opportunity for women from all walks of life, in all points in their careers, and from all industries to talk to one another.

Oracle Magazine: How is OAUG growing its membership?

English: We need to support our new users and offer them opportunities to advance their careers. Through our user forums, we recently established a young professionals group that brings new workers together with our seasoned members, so they can start gaining an understanding of what it's going to take for them to become leaders. Also, extending our international reach is top of mind, and during the last few years our international committee has made great connections around the world through our affiliated user groups. We look at this as a win, win, win, because as we grow, so do the affiliate groups that partner with us, and their users win because they can get information from their local community as well as from international sources.
Oracle Magazine: You oversee global change management, communications, and training for Oracle E-Business Suite. What's the secret to change management success?

English: The key is to have a really strong and clear vision to provide to the team. Then you have to engage stakeholders at all levels in order to make the change sustainable. A lot of business leaders think change management is about communication and trainings, and those are components of it. But it's also about helping people understand what's going to be different for them. You need to eliminate their fear and anxiety, and that comes from providing information to people and then listening to them. It's really about connecting with people and making sure that you are taking care of them.

Kate Pavao is a frequent contributor to Oracle's Profit and Profit Online publications.

NEXT STEPS
LEARN more about OAUG
oaug.org
