604 Applied Oracle Security Oracle Business Intelligence examples, 580–592 auditing, 582 authentication, 589–592 preparations, 581–583 recommended testing, 586–587 RPD descriptions, 588–592 scripts, 582–583 setup process, 583–586 SSO integration, 592 users and groups, 580–581 web catalog descriptions, 587–588 Oracle Call Interface (OCI), 504 Oracle Data Dictionary DBV integration and, 329 object-owner accounts in, 332 Oracle Database 10 g Release 2 column-level encryption, 38–43 TDE setup, 34–35 Oracle Database 11 g Advanced Security features, 33 DBV integration with, 329–344 tablespace encryption, 44–45 TDE configuration, 45–55 Oracle Database Vault. See Database Vault Oracle Delivers component, 530, 587 Oracle Directory Management, 373–374 Oracle Enterprise Manager Grid Control (OEM GC) DBV policy deployment and validation w ith, 327–329 monitoring and alerting on DBV with, 345–347 Oracle Entitlement Server (OES), 380–381 arch itecture of, 380, 381 developer’s view of, 380–381 Oracle External Tables (OETs), 312–318 Oracle HTTP Server (OHS), 434 enabling SSL in, 452–454 password obfuscation in, 445 Oracle Identity Federation (OIF), 377 Oracle Identity Manager (OIM), 386–403 access policies, 389, 394–396 access reporting, 401 attestation, 399–400 compliance solutions, 399–401 deployment architecture, 402–403 discretionary account provisioning, 391–392 IMOM information and, 362 IT resour ces, 390 or ganizations, 388–389 overview of, 386–390 provisioning integrations, 397–398 provisioning processes, 390–396 reconciliation integrations, 398–399 resource objects, 390 self-service provisioning, 392–393 summary of, 403 user provisioning, 372–373, 386, 390–398 users and user groups, 387–388 workflow-based provisioning, 393–394 See also identity management Oracle Internet Directory (OID), 156, 217, 303, 406–409 ar ch itecture, 407 synchronizations, 373–374, 408–409 Oracle Label Security (OLS) declarative framework of, 99 factor integration with, 174–189, 221–222 identifying tables protected by, 294 Oracle VPD comparison, 228 Oracle Metalink notes, 185 Oracle Proxy Authentication, 184 Oracle Real Application Testin g, 327, 328 Oracle Recovery Manager (RMAN), 342–343 Oracle Role Manager (ORM), 382–383 Oracle Sample Schemas, 294 Oracle Spatial, 332–333 Oracle Streams Adva nced Queuing, 336–341 Oracle Technology Network (OTN), 185, 307 Oracle Text, 329–332 Oracle Virtual Directory (OVD), 307, 374, 409–430 adapter visibility, 426–427 architecture, 410–413 database integration, 419–423 directory tree design, 414–415 explanation of, 410 information access to/from, 412 installing, 413 joining information in, 424–430 LDAP server integration, 415–419 server configurati on, 413–414 summary of, 430 Oracle W allet A uto Login, 36–37 backing up, 35 described, 34, 35 encryption overview, 37 managing, 34–35, 36, 45 TDE and, 33, 34–37 Oracle Wallet Manager (OWM), 36, 453 Index 605 organizational policies conditions based on, 207 factors based on, 217, 318 organizations, OIM, 388–389 ORM (Oracle Role Manager), 382–383 OSAUD collectors, 72, 74, 75 OTHER identity, 169, 170 output filtering, 450 OVD. See Oracle Virtual Directory P P parent factors, 164, 165–166 passwords APEX, 442–443, 445, 463–468, 482 default account, 65–66 obfuscating, 445 Oracle BI, 530 patterns for identity management, 366–372 enterprise maturity levels and, 366–369 hub-and-spoke architecture, 370 point-to-point architecture, 369 PCI standard, 47 PCI-DSS requirements, 47–48 people discovery, 361–362 performance TDE and, 49–51 tracking data on, 564 permissions Oracle BI, 537–538 proxy user, 568 personally identif iable information (PII), 9 PL/SQL ro utines audit trail records and, 280 centralizing for DBV factors/rules, 211–215, 241 custom event handlers and, 348–352 factors used in, 223–224, 325–326 HANDLER_MODULE parameter and, 494 querying program names for, 326 PL/SQL “wrap” utility, 466 point-to-point architecture, 369 Point-to-Point (P2P) integration, 409 policy audit, 84–86 DBV, 106–110, 327–329, 345–347 item-based, 484–486 OAM, 526–527 sessi on context-based, 486–489 violations of, 81, 345–347 VPD, 171–174, 484–489 policy administration point (P AP), 380 pol icy decision point (PDP), 380 policy enforcement point (PEP), 380 policy information point (PIP), 380 policy manager, 375 policy store, 380 prebuilt connectors, 397 preconsolidation databases, 120 predicate parameter, 222 presentation server, 528–529 presentation variables, 508 primary account number (P AN), 47–48 pr imary adapter, 425 primary key/foreign key (PK/FK) relationships, 44 principles of security, 10–12 private keys, 25–26 privilege escalation, 65, 68 privileged accounts, 94–96 privileges application administrator, 235–236 audit policy for, 85 BI Web Services, 576 database administrator, 299 default, 567–568 preventing escalation of, 241–243 validating for rules, 154 process discovery, 361, 363–364 Program Global Area (PGA) memory, 436 programmatic encrypt ion, 32 protected health information (PHI), 9–10 protection patterns for realms, 122–124 provisioning integrations, 397–398 Generic T ech nology Connector, 397–398 prebuilt connectors, 397 provisioning processes, 390–396 access policy-driven provisioning, 394–396 discretionary account provisioning, 391–394 self-service provisioning, 392–393 workflow-based provisioning, 393–394 proxy authentication, 7, 302 proxy server topology , 447 PROXY session variable, 569 proxy users, 568–571 PROXYLEVEL session variable, 569 public key encryption (PKE), 25–27, 452 public users, 533 public-facing applications, 532–533 606 Applied Oracle Security Publisher, Oracle BI authentication, 515–516 authorization, 524 catalog content security, 539–540 configuration, 584–585 sample report, 585 super user, 584 testing, 587 Q Q queries application data manager, 256–257 database feature/option, 326 encrypted data, 50 queuing/dequeuing messages, 336–341 R R RAC architecture, 71, 74 RAID technology, 31 read-only application users, 17, 231, 234, 264–267 read-write application users, 17–18, 231, 234, 264–267 realm authorizations, 130–136, 296–309 database roles and, 296–301 explanation of, 130–131 externalizing, 303–309 object-owner accounts and, 131–132 realm headers, 127 realm-protected objects, 111, 292–296 accessing, 125–126 object-level auditing for, 226–227, 293–294 row-level security on, 227–228, 294 realm-protected schemas EXPLAIN PLAN feature on, 343–344 gathering statisti cs on, 343 realms, 98, 102–104, 1 18–136 access ing objects protected by, 125–126 audit reporting for, 126–127 authorizations for, 130–136, 296–309 command rules and, 137–138 components of, 127–136 consolidation with, 119–121 creating, 124–127 DBV administrators and, 131 direct object privileges and, 131 explanation of, 102–104, 118–119 identifying based on objects, 224–228 identifying roles to protect as, 295–296 named accounts and, 132–135 object-owner accounts and, 131–132, 292 objects protected by , 1 11, 127–128, 292–296 Oracle BI and, 563 participants vs. owners, 130 protection patterns of, 122–124 role provisioning with, 128–130 rule sets and, 135–136 violations of, 119 reconciliation integrations, 398–399 Recovery Manager (RMAN), 342–343 REDO collectors, 72, 74, 75 relative distinguished name (RDN), 422 replication, 408 reports Audit Vault, 79–80 BI Publisher , 585 Database V ault, 108 general security, 108 Identity Manager, 401 request-driven provisioning, 395 Resource Description Framework (RDF), 333 resource objects, 390 resources definition of, 386 optimization/usage of, 68 user access to, 386 restricted items, 480–481 retrieval, factor, 158–162 risk management, 284 RMAN (Oracle Recovery Manager), 342–343 role management, 382–383 role mappings, 7 role mining, 381–383 roles APEX and database, 437–438 application administrator , 235–239, 245–262 A udit Vault, 76–77 Database Vault, 105–106, 128–130 identifying for realm protection, 295–296 identifying for SARs, 310–311 mapping to data, 364–365 operational database administrator, 239–241 realm authorizations for, 296–301 See also SARs role-to-data mapping, 364–365 root accounts, 314 row-level security (RLS), 111 business model filters for, 516 Index 607 configuring on realm-protected objects, 227–228 Oracle BI, 543–546, 559–561 realm object identification based on, 294 VPD security and, 559–561 row-wise initialization, 508–509 RPD descriptions, 588–592 RPD-specific scripts, 582–583 rule expressions, 333 rule sets, 102, 147–157 auditing, 148–149 command rules and, 138 custom event handlers and, 150–151, 348–352 evalu ation mode for, 147–148 eve nt functions, 154–155 factors and, 156–157 realm authorizations and, 135–136 rule configuration, 151–154 rules centralizing PL/SQL routines for, 211–215 configuring, 151–153 security, 101–102 validating, 153–154 rule_set_name parameter, 191 RUNAS session variable, 569, 570 S S Sales History (SH) schema, 14, 15 salt tool, 38–39 sandbox metaphor, 103 SANS Institute, 96 SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY procedure, 222 SA_POLICY_ADMIN.APPLY_TABLE_POLICY procedure, 221–222 Sarbanes Oxley (SOX) Act of 2002, 10 SARs (Secure Application Roles), 194–197 audit report for, 196, 197 command rules vs., 104 establishing from conditions, 281–284 multifactor authentication and, 98 security-sensitive operations and, 194 user access accounts a nd, 310–31 1 SA_SESSION .SET_LABEL procedure, 183 scenarios, 202 example of, 204–205 explanation of, 202–203 scheduler job, 343 scheduler service, 585 schema objects, 84 schemas APEX, 456–459 defined, 12 implementing, 239–267 modeling, 12–16 naming, 18–19 realm-protected, 343–344 security concerns, 14, 228–231 worst practices, 14, 15 Schneier, Bruce, 24 SCN (System Change Number), 494 scripts database, 582–583 RPD-specific, 582–583 setup, 582 SDO_RELATE spatial operator, 333 SEC_ADMIN schema, 491 Secure Application Roles. See SARs Secure T ra nsmission Control Protocol (TCPS), 186–187 security adaptive, 99 addressing gaps in, 94–100 APEX, 439–456 application design and, 200 architecture checklist, 19–20 audit, 62–63 BI features and, 567–576 by command, 100 column-level, 547–551, 590 conditional, 98–99 context-based, 98–99 costs of not applying, 284 factors, 101, 115 folder-based, 537–538 group-level, 537 HAP for, 100 iBot, 538–539 layers of, 11 managing, 11 motivators of, 5, 8–9 multifactored, 163, 171, 183 principles of, 10–12 protecting mechanisms of, 101 Publisher , 539–540 realms, 102–104 reports, 108 row-level, 1 11 608 Applied Oracle Security rules, 101–102 statement-level, 111 web content, 536–540 web-based attack, 449–451 security administrator, 111 Security Assertion Markup Language (SAML), 377 security profiles coarse-grained, 205–208 conditions related to, 207–208 fine-grained, 208–209 process for designing, 202 questions for improving, 207 SEC_USER schema, 491 SELECT command, 143, 144, 259, 268 self-service provisioning, 392–393 sensitive data categorization, 9–10 separat ion of duties, 99 application administrator , 236–239 Database V ault, 110–114 factors based on, 216–217, 318 sequence of transactions, 323–324 sequential conditions, 208, 219–220 server variables, 507 Service Provisioning Markup Language (SPML), 371, 397 service-oriented security (SOS), 370, 371–372 session context-based policy, 486–489 session control commands, 144 session state, 479–480 encrypted, 482–483 protection scenario, 481–482 session variables, 184, 508–509, 575 SESSION_USER environment variable, 491 SET ROLE command, 98, 144 set variable command, 575 setup scripts, 582 SH dashboard, 587–588 SH schema, 97 shadow joiner , 426 Shah, Vi pul, 69 shared accounts, 15–16 SHELPER schema, 97 simple joiner, 425 single sign-on. See SSO Site Data Protection (SDP) program, 47 SOA (Service-Oriented Architecture), 11–12 SOAP privilege, 576 source code modifications, 68 Spat ial, Oracle, 332–333 SQL injection attacks, 449–450, 472–476 bind variables and, 472, 475–476 explanatory overview of, 472 procedures vulnerable to, 473–475 SQL statements audit policy for, 84 factors used in, 221–222, 223–224 predicate parameter, 222 SQL Workshop, 492 SSL (Secure Sockets Layer) protocol APEX and, 454–456 enabling in OHS, 452–454 encryption process, 451–452 Internet security and, 23 mod_rewrite and, 456 symmetric and publ ic key encryption used in, 27 SSL Everywhere feat ure, 530 SSO (single sign-on) Oracle Access Manager for, 375–376, 525–529 Oracle BI options for, 524–529, 592 Oracle eSSO for, 376 statement-level security (SLS), 111 static server variables, 507 statistics gathering, 343 strategic maturity level, 368 strings command, 30–31, 39 strong authentication, 33, 375, 377 subject area security, 542–543 Subject-Verb-Object-Condition table, 210, 234, 267, 285, 311–312, 353 s uperuser account, 95 SYBDB collectors, 73 symmetric key encryption, 24, 25, 27–28, 37 synchronization, OID, 373–374, 408–409 syntax, DBV rule, 153–154 SYS account, 16, 94–96 auditing, 73, 75 DBA role and, 235 SYS_CONTEXT function, 145, 280, 492 SYSMAN account, 229–230 system access accounts, 231, 232–234 SYSTEM account, 16, 94–96, 235 system alterations, 68 system ANY privileges application administrators and, 235 command rules and, 137 queries with no results, 301–303 realms a nd, 103, 1 18, 125, 137, 296 sec urity (continued) Index 609 system control commands, 144 system integration, 386 system privileges, 68 system use cases, 280–281, 289 system-level auditing, 280–281 T T table keys, 37 table of usernames, 463–468 table-based authentication, 511–512, 590 tables authorization process using, 520 dynamic group membership using, 518–520 encrypting columns in, 38–40, 41–43 identifying protected, 294 Oracle External, 312–318 tablespace encryption, 44–45, 50–51 tactical maturity level, 367 target resource reconciliation (TRR), 399 TCPS (Secure Transmiss ion Control Protocol), 186–187 TDE (Tra nsparent Data Encryption), 22, 33–44 Advanced Security option, 33 column-level encryption, 38–43 Data Guard with, 49 DBMS_CRYPTO package vs., 40–41 DBV integration with, 341 exporting/importing data, 52–53 integration with HSM devices, 53–55 key management, 37–38 limitations of, 44 operational concerns, 49–51 Oracle Wallet overview, 34–37 PCI-DSS compliance, 47–48 performance issues, 49–51 setting up, 34–35 summary of, 55–56 testing audit effectiveness, 280–281 BI Publisher , 587 DBV pol icy, 327–329 join view, 429 Oracle BI, 586–587 Oracle Delivers, 587 VPD and BI cache, 556–559 Text, Oracle, 329–332 three-tier systems, 184 time conditions based on, 208 factors based on, 219–220, 319–321 TNS Listener, 445 tracking usage data, 564–565 transaction control commands, 144 transaction profiles, 290, 352–353 transactional systems, 499–500, 501 transactions factors based on sequence of, 323–324 identification of important, 312 limiting availability of sensitive, 312–318 transparency , 12, 99, 1 16 Transparent Data Encryption. See TDE triggers, 116, 177 trust but verify model, 190 trusted source reconciliation (TSR), 399 trust_level parameter, 165 U U UML (Unified Modeling Language), 201 unknown audit patterns, 66–67 UPDATE command, 140, 268, 348 URL tampering, 478–483 checksums and, 481 restricted items and, 480–481 session state protection, 481–482 usage analysis, 225 usage tracking, 564–565 database auditing with, 566–567 notes on configuring, 565 setting up, 585–586 use cases, 202 business, 289 categories of, 285 example of, 203–205 explanati on of, 202–203 system, 280–281, 289 user access accounts, 13, 14–16, 231–239 database administrator , 235–239 i dentifying for SARs, 310–311 overview of categories for, 231–232 read-only/read-write application users, 234, 264–267 system access accounts, 232–234 user accounts APEX settings, 442 dedicated, 15 610 Applied Oracle Security grouping, 16–18 shared, 15–16 user groups, 387–388 user profiles, 16–18 user provisioning, 372–373, 390–398 challenges, 386 integrations, 397–398 processes, 390–396 USER_ENCRYPTED_COLUMNS view, 41 user_has_priv function, 217 user_has_role function, 216 usernames, table of, 463–468 users audit vault, 76–77 BI system, 499, 510 Impersonator, 527–528 OIM, 387 public, 533 read-only, 17 read-write, 17–18 user-specific attributes, 217–218 Utilities dashboard, 588 V V validate_expr parameter, 191 validation DBV policy, 327–329 factor, 189–194 rule syntax, 153–154 VARCHAR2 values, 158 variables bind, 472, 475–476 presentation, 508 server, 507 session, 184, 508–509 Verb Object technique, 205–206 viewing datafiles, 30–31 views audit trail, 290 database, 410 encrypted column, 41 factors used in, 222–223 join, 424–430 virtualization, 373, 409–410 See also Oracle Virtual Directory VPD (Virtual Private Database), 6 APEX integration, 484–489 factors, 220–221 identifying tables protected by, 294 Oracle BI integration, 551–559 Oracle OLS comparison, 228 policy creation, 171–174 row-level security and, 559–561 VPD_TAG session variable, 554–556 VPD_WHERECLAUSE function, 556 W W wallet. See Oracle Wallet web access management, 379 web catalog content, 536–540 BI Publisher security, 539–540 folder-based security, 537–538 group-level security, 537 iBot security, 538–539 web catalog description, 587–588 web catalog groups, 516–517, 523, 537 web services access to Oracle BI, 576 notional database applications and, 200–201 web tier, 402 web-based attacks cross-site scripting, 449, 476–478 preventing in APEX, 449–451, 472–483 SQL injection, 449–450, 472–476 URL tampering, 478–483 webgroups, 516–517 weekly_w indow function, 219 Windows Notepad, 31 workflow-based provisioning, 393–394 workflows, self-service, 307 X X X.509 certificate, 186, 187 XACML (Extensible Access Control Markup Language), 371 XML for Analysis (XMLA), 505 XSS attacks, 449, 476–478 user accounts (continued) t 6QUPEBUFJOGPSNBUJPOPO0SBDMF%BUBCBTF0SBDMF"QQMJDBUJPO4FSWFS 8FCEFWFMPQNFOUFOUFSQSJTFHSJEDPNQVUJOHEBUBCBTFUFDIOPMPHZ BOECVTJOFTTUSFOET t 5IJSEQBSUZOFXTBOEBOOPVODFNFOUT t 5FDIOJDBMBSUJDMFTPO0SBDMFBOEQBSUOFSQSPEVDUTUFDIOPMPHJFT BOEPQFSBUJOHFOWJSPONFOUT t %FWFMPQNFOUBOEBENJOJTUSBUJPOUJQT t 3FBMXPSMEDVTUPNFSTUPSJFT If there are other Oracle users at your location who would like to receive their own subscription to Oracle Magazine, please photo- copy this form and pass it along. Three easy ways to subscribe: Web 7JTJUPVS8FCTJUFBU oracle.com/oraclemagazine :PVMMGJOEBTVCTDSJQUJPOGPSNUIFSFQMVTNVDINPSF Fax $PNQMFUFUIFRVFTUJPOOBJSFPOUIFCBDLPGUIJTDBSE BOEGBYUIFRVFTUJPOOBJSFTJEFPOMZUP+1.847.763.9638 Mail $PNQMFUFUIFRVFTUJPOOBJSFPOUIFCBDLPGUIJTDBSE BOENBJMJUUP P.O. Box 1263, Skokie, IL 60076-8263 1 2 3 FREE SUBSCRIPTION GET YOUR TO ORACLE MAGAZINE Oracle Magazine is essential gear for today’s information technology professionals. Stay informed and increase your productivity with every issue of Oracle Magazine. Inside each free bimonthly issue you’ll get: Copyright © 2008, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. WHAT IS THE PRIMARY BUSINESS ACTIVITY OF YOUR FIRM AT THIS LOCATION? (check one only) o 01 Aerospace and Defense Manufacturing o 02 Application Service Provider o 03 Automotive Manufacturing o 04 Chemicals o 05 Media and Entertainment o 06 Construction/Engineering o 07 Consumer Sector/Consumer Packaged Goods o 08 Education o 09 Financial Services/Insurance o 10 Health Care o 11 High Technology Manufacturing, OEM o 12 Industrial Manufacturing o 13 Independent Software Vendor o 14 Life Sciences (biotech, pharmaceuticals) o 15 Natural Resources o 16 Oil and Gas o 17 Professional Services o 18 Public Sector (government) o 19 Research o 20 Retail/Wholesale/Distribution o 21 Systems Integrator, VAR/VAD o 22 Telecommunications o 23 Travel and Transportation o 24 Utilities (electric, gas, sanitation, water) o 98 Oth er Bu si ness and S er vi ces _________ WHICH OF THE FOLLOWING BEST DESCRIBES YOUR PRIMARY JOB FUNCTION? (check one only) CORPORATE MANAGEMENT/STAFF o 01 Executive Management (President, Chair, CEO, CFO, Owner, Partner, Principal) o 02 Finance/Administrative Management (VP/Director/ Manager/Controller, Purchasing, Administration) o 03 Sales/Marketing Management (VP/Director/Manager) o 04 Computer Systems/Operations Management (CIO/VP/Director/Manager MIS/IS/IT, Ops) IS/IT STAFF o 05 Application Development/Programming Management o 06 Application Development/Programming Staff o 07 Consulting o 08 DBA/Systems Administrator o 09 Education/Training o 10 Technical Support Director/Manager o 11 Other Technical Management/Staff o 98 Other WHAT IS YOUR CURRENT PRIMARY OPERATING PLATFORM (check all that apply) o 01 Digital Equipment Corp UNIX/VAX/VMS o 02 HP UNIX o 03 IBM AIX o 04 IBM UNIX o 05 Linux (Red Hat) o 06 Linux (SUSE) o 07 Linux (Oracle Enterprise) o 08 Linux (other) o 09 Macintosh o 10 MVS o 11 Netware o 12 Network Computing o 13 SCO UNIX o 14 Sun Solaris/SunOS o 15 Windows o 16 Other UNIX o 98 Other 99 o None of the Above DO YOU EVALUATE, SPECIFY, RECOMMEND, OR AUTHORIZE THE PURCHASE OF ANY OF THE FOLLOWING? (check all that apply) o 01 Hardware o 02 Business Applications (ERP, CRM, etc.) o 03 Application Development Tools o 04 Database Products o 05 Internet or Intranet Products o 06 Other Software o 07 Middleware Products 99 o None of the Above IN YOUR JOB, DO YOU USE OR PLAN TO PUR- CHASE ANY OF THE FOLLOWING PRODUCTS? (check all that apply) SOFTWARE o 01 CAD/CAE/CAM o 02 Collaboration Software o 03 Communications o 04 Database Management o 05 File Management o 06 Finance o 07 Java o 08 Multimedia Authoring o 09 Networking o 10 Programming o 11 Project Management o 12 Scientific and Engineering o 13 Systems Management o 14 Workflow HARDWARE o 15 Macintosh o 16 Mainframe o 17 Massively Parallel Processing o 18 Minicomputer o 19 Intel x86(32) o 20 Intel x86(64) o 21 Network Computer o 22 Symmetric Multiprocessing o 23 Workstation Services SERVICES o 24 Consulting o 25 Education/Training o 26 Maintenance o 27 Online Database o 28 Support o 29 Technology-Based Training o 30 Other 99 o None of the Above WHAT IS YOUR COMPANY’S SIZE? (check one only) o 01 More than 25,000 Employees o 02 10,001 to 25,000 Employees o 03 5,001 to 10,000 Employees o 04 1,001 to 5,000 Employees o 05 101 to 1,000 Employees o 06 Fewer than 100 Employees DURING THE NEXT 12 MONTHS, HOW MUCH DO YOU ANTICIPATE YOUR ORGANIZATION WILL SPEND ON COMPUTER HARDWARE, SOFTWARE, PERIPHERALS, AND SERVICES FOR YOUR LOCATION? (check one only) o 01 Less than $10,000 o 02 $10,000 to $49,999 o 03 $50,000 to $99,999 o 04 $100,000 to $499,999 o 05 $500,000 to $999,999 o 06 $1,000,000 and Over WHAT IS YOUR COMPANY’S YEARLY SALES REVENUE? (check one only) o 01 $500, 000, 000 and above o 02 $100, 000, 000 to $500, 000, 000 o 03 $50, 000, 000 to $100, 000, 000 o 04 $5, 000, 000 to $50, 000, 000 o 05 $1, 000, 000 to $5, 000, 000 WHAT LANGUAGES AND FRAMEWORKS DO YOU USE? (check all that apply) o 01 Ajax o 13 Python o 02 C o 14 Ruby/Rails o 03 C++ o 15 Spring o 04 C# o 16 Struts o 05 Hibernate o 17 SQL o 06 J++/J# o 18 Visual Basic o 07 Java o 98 Other o 08 JSP o 09 .NET o 10 Perl o 11 PHP o 12 PL/SQL WHAT ORACLE PRODUCTS ARE IN USE AT YOUR SITE? (check all that apply) ORACLE DATABASE o 01 Oracle Database 11 g o 02 Oracle Database 10 g o 03 Oracle9 i Database o 04 Oracle Embedded Database (Oracle Lite, Times Ten, Berkeley DB) o 05 Other Oracle Database Release ORACLE FUSION MIDDLEWARE o 06 Oracle Application Server o 07 Oracle Portal o 08 Oracle Enterprise Manager o 09 Oracle BPEL Process Manager o 10 Oracle Identity Management o 11 Oracle SOA Suite o 12 Oracle Data Hubs ORACLE DEVELOPMENT TOOLS o 13 Oracle JDeveloper o 14 Oracle Forms o 15 Oracle Reports o 16 Oracle Designer o 17 Oracle Discoverer o 18 Oracle BI Beans o 19 Oracle Warehouse Builder o 20 Oracle WebCenter o 21 Oracle Application Express ORACLE APPLICATIONS o 22 Oracle E-Business Suite o 23 PeopleSoft Enterprise o 24 JD Edwards EnterpriseOne o 25 JD Edwards World o 26 Oracle Fusion o 27 Hyperion o 28 Siebel CRM ORACLE SERVICES o 28 Oracle E-Business Suite On Demand o 29 Oracle Technology On Demand o 30 Siebel CRM On Demand o 31 Oracle Consulting o 32 Oracle Education o 33 Oracle Support o 98 Other 99 o None of the Above YOU MUST ANSWER ALL 10 QUESTIONS BELOW. 1 2 3 4 5 6 7 8 9 08014004 signature (required) date x From time to time, Oracle Publishing allows our partners exclusive access to our e-mail addresses for special promo- tions and announcements. To be included in this program, please check this circle. If you do not wish to be included, you will only receive notices about your subscription via e-mail. Oracle Publishing allows sharing of our postal mailing list with selected third parties. If you prefer your mailing address not to be included in this program, please check this circle. If at any time you would like to be removed from either mailing list, please contact Customer Service at +1.847.763.9635 or send an e-mail to oracle@halldata.com. If you opt in to the sharing of information, Oracle may also provide you with e-mail related to Oracle products, services, and events. If you want to completely unsubscribe from any e-mail communication from Oracle, please send an e-mail to: unsubscribe@oracle-mail.com with the following in the subject line: REMOVE [your e-mail address]. For complete information on Oracle Publishing’s privacy practices, please visit oracle.com/html/privacy/html name title company e-mail address street/p.o. box city/state/zip or postal code telephone country fax Want your own FREE subscription? Yes, please send me a FREE subscription Oracle Magazine. No. Would you like to receive your free subscription in digital format instead of print if it becomes available? Yes No To receive a free subscription to Oracle Magazine, you must fill out the entire card, sign it, and date it (incomplete cards cannot be processed or acknowledged). You can also fax your application to +1.847.763.9638. Or subscribe at our Web site at oracle.com/oraclemagazine 10 . ORACLE PRODUCTS ARE IN USE AT YOUR SITE? (check all that apply) ORACLE DATABASE o 01 Oracle Database 11 g o 02 Oracle Database 10 g o 03 Oracle9 i Database o 04 Oracle Embedded Database (Oracle. o 05 Other Oracle Database Release ORACLE FUSION MIDDLEWARE o 06 Oracle Application Server o 07 Oracle Portal o 08 Oracle Enterprise Manager o 09 Oracle BPEL Process Manager o 10 Oracle Identity. Management o 11 Oracle SOA Suite o 12 Oracle Data Hubs ORACLE DEVELOPMENT TOOLS o 13 Oracle JDeveloper o 14 Oracle Forms o 15 Oracle Reports o 16 Oracle Designer o 17 Oracle Discoverer o 18 Oracle BI