Application Security Whitepapers and Ebooks
This section provides whitepapers on Application Security that detail trends, analysis and the latest happenings in the industry.
-
Get Your 30-Day Free Trial of BeyondTrust's Retina CS Threat Management Console (Retina Insight)
Enterprise Threat Management for Your Dynamic IT Infrastructure
For today's dynamic enterprise, IT teams can no longer manage multiple consoles and applications for the common goal of reducing risk, proving compliance and meeting policy requirements. They require a consistent platform, which helps them accelerate their decision-making when it comes to risk reduction and compliance reporting. Retina CS is a unified platform that simplifies the complex world of security and compliance risk management for the dynamic enterprise. It does this by capturing and reporting on privilege and vulnerability data across the entire IT stack - server, desktop, cloud, mobile and virtualized environments.
-
Avoiding ERP Implementation Pitfalls
Implementing a new ERP system can be the answer to your prayers, or your worst nightmare. Stay aware of the pitfalls with this up-to-date white paper. It details business issues, technical issues, and planning strategies to help you avoid potential roadblocks to successful implementation and integration with your business. Don't let your new ERP system get the better of you and your business. Download this complimentary white paper now!
-
Coping in the Chaos?
The number, complexity, and diversity of cyber threats are soaring. Businesses are increasingly concerned about the risks they face and 91% of organizations have directly experienced at least one cyber threat in the past year. Yet despite evidence of the dangers, Kaspersky Lab's 2012 Global IT Risks Survey reveals an increasingly chaotic security landscape — where over 40% of businesses feel underprepared for the threats around them. Read this white paper to learn the six recommended actions organizations should prioritize to deal with today's complex threatscape.
-
Who Are You? Managing Identity and Access in a Socially Connected BYOD World
Available On-Demand
Original Event Date: May 16, 2013
For all the bottom-line benefits of BYOD and the consumerization of IT, the challenge of managing identity and access for the explosion of devices – and their users – has been a great one. With employees integrating social networks like LinkedIn and Facebook as part of their business regimen, the opportunities for introducing problematic software into the enterprise have grown exponentially. With an increasing number of users relying on multiple devices – PCs, smartphones and tablets – to get their jobs done, the number of authorized, guest and "unknown" logins to your network is no doubt growing out of control. How can you tame the identity beast while keeping users, clients and partners safely connected – and keeping the bad guys out? Join this timely eSeminar sponsored by CDW to learn about the latest methodologies and best practices to create and automatically enforce 21st century identity and access policies that give you visibility into what's happening on your network now, and tools to ensure only trusted devices and users have access to sensitive data.
Attendees will learn:
Where today's identity and access threats are coming from
Methods for managing and monitoring guests on the wired or wireless network
Whether "non-user" devices like cameras and sensors are safe or being "spoofed"
Where to start to ensure policies are enforced and users are safe from themselves
Register now for this complimentary event, and bring your questions for our expert to address during the live Q&A following the presentation.
Speakers:
Shiloh Jackson - Solutions Architect, CDW
Michael Krieger - VP, Market Experts Group, Ziff Davis Enterprise
-
Where Finance Belongs on the IT Agenda
When the economy is stable, a company's IT organization may view Finance as just one of many internal customers competing for attention. But in the current recession, sudden shifts in revenue, costs, and the availability of credit can threaten even the most well-capitalized companies. When forecasting the agenda for IT resources, the needs of Finance must be viewed as mission-critical. Read this white paper to learn why Finance will need the very best that IT has to offer to prosper in this new environment.
-
Privacy Monitoring for Healthcare: How to End Patient Health Information Snooping and Identity Theft
With the proliferation of electronic patient information, hospital administrators, compliance officers, privacy officers and information security officers are required to enforce patient privacy. Motivated by patient-citizen damages from increased healthcare privacy breaches, law-makers across the United States, Canada, and Europe have enacted new regulation protecting patient privacy and penalizing those involved. Snooping, identity theft and general inappropriate access of medical records are now explicitly prohibited. Additionally, a patient's right to know who has accessed their records has been expanded, requiring hospitals and their business associates to account for and disclose personal health information breaches. Beyond putting patients at risk, personal health information breaches are increasingly putting healthcare organizations at a significant risk of financial and reputational harm.
"Deployment of robust processes to ensure privacy and security of electronic medical records is critical to achieving their widespread deployment. The American public will not accept failure when it comes to protecting their healthcare information from privacy breaches." --Barry P. Chaiken, MD, MPH, CMO DocsNetwork and HIMSS Chair, 2009-2010
-
Fixing Enterprise Search
Search technology has enabled millions of users to find information via the simple paradigm of the search text box. This simple interface has proven not only functional, but also economical. The consistent interface requires no new training to access information regardless of the diversity and complexity of the systems or data being presented. Since the advent of the World Wide Web and the Web browser, multiple paradigms for finding information in vast data stores, such as the Internet, have existed. However, none have surpassed the search paradigm as the preferred method of finding specific information from a large pool of data. The modern enterprise has become a treasure trove of data. Recent studies have found workers spend between 15 and 35 percent of their time finding information. The requirement to find information quickly and easily in this large pool of data and applications makes search technology a practical and essential tool with a measurable return on investment (ROI) from making this information accessible. The evolution of search as the preferred interface for finding information on the Internet has led many users to expect the same experience at the local enterprise level. Unfortunately, the same Internet paradigms that enable search the Web - e.g.
-
Predicting Oracle Performance Issues
Although the database plays a less central role today than it did in the client-server era, database performance is still critical for application performance. Reacting to database performance problems as they occur, however, is an increasingly ineffective strategy for maintaining database performance; SQL optimizer technology has advanced so far that "trivial" SQL issues--those easily fixed by reactively tuning SQL statements--are rare. The remaining problems require non-trivial solutions, such as creating new indexes, partitioning or denormalization. These solutions typically involve significant disruption to production systems and cannot be implemented without significant lead time. Furthermore, database bottlenecks--and the degradations that result in database performance--occur suddenly and without warning. Therefore, a shift in focus is required: instead of trying to improve our ability to reactively tune SQL, or deal with bottlenecks after they occur, we need to develop techniques for better anticipating these problems and correcting them before they occur. This paper describes a practical approach to providing such a predictive capability. Specifically, there are two main categories of Oracle performance problems that we want to predict: SQL statements that are degrading (increasing in response time and resource consumption) and that will, if not tuned, eventually overload the system and service-level issues.
-
PCI: A Component of the E-Commerce Strategy
Because E-commerce is more complex than simply purchasing a shopping cart or setting up a PayPal™ account, businesses that utilize online transactions must first identify potential risks both to the consumer and to the business itself. Once risks are identified, they should then consider how well existing resources can meet those needs and mitigate risks. If the existing resources cannot sufficiently and reliably perform those functions, the business should consider a solution that best fits the business and protects all parties according to PCI DSS. Rackspace® Hosting offers guidance that can help identify risk as well as assist in the development of a plan to become PCI compliant.
-
SQL Server Database Backup and Restore Planning
In simple terms, a backup is a copy of the data contained within a system. For a DBA, a backup can consist of either a single file or multiple files for one database to the entire server. These files can be classified into three types: a full backup, a partial or differential backup, and finally, a transaction log backup. By utilising all three types of backups, the amount of data that needs to be backed up at specific times and the overhead placed upon the hardware to complete the backups at critical times is reduced.
A Typical Backup Scenario
Full Backup at 00:00
Log Backup at 02:00
Log Backup at 04:00
Differential Backup at 06:00
Log Backup at 08:00
Log Backup at 10:00
Differential Backup at 12:00
Log Backup at 14:00
Log Backup at 16:00
Differential Backup at 18:00
Log Backup at 20:00
Log Backup at 22:00
The problem with this "Typical Scenario" is that restoring a database is a time-consuming process.
-
Trend Micro - WPF's End-to-End Vulnerability Management: A New Approach to Layered Security
The growing capabilities of applications and content delivery technologies have created entirely new architectures that have had nothing short of a transformative impact on IT. With this growth, however, have come new complexities--as well as new ways to exploit sensitive and valuable information resources. An explosion in system and application vulnerabilities has been met with new and sophisticated ways to attack these weaknesses and exploit information assets. This, in turn, has called into question many legacy approaches to security in the face of new risks and new threats. It has become evident that traditional or "legacy" approaches to vulnerability remediation are insufficient to address the increasingly aggressive threat landscape. No longer can organizations wait until a patch is available to close a high-risk exposure already targeted by a zero-day attack. Organizations need more responsive strategies in order to deal with a fast-changing threat landscape and limit the risks exposed by high-impact vulnerabilities at every level of IT--from networks and systems to applications, and from the data center to the endpoint. These strategies must not only recognize the complexity and severity of vulnerabilities, but also the malware threats often associated with these security issues. They must also recognize the realities of IT as it is today, translating the concept of "defense in depth" into more realistic terms.
-
SQL Query Tuning for Oracle: Getting It Right the First Time
Introduction
As part of my job as a Senior DBA with Confio Software, I get to review Oracle database performance data with hundreds of customers a year. During the review process I provide performance improvement recommendations based on the response time data from Confio's performance analysis tool, Ignite for Oracle. However, I also try to go above and beyond the raw data to provide valuable performance tuning tips for our customers. Over the years, the DBAs at Confio have developed a process that works time and time again. This process is the focus of this white paper and follows four fundamental steps:
1. Focus on the correct SQL statements
2. Utilize response time analysis
3. Gather accurate execution plans
4. Use SQL diagramming
Why Focus on SQL Statements
When I think about performance tuning for a database environment, the following three types of tuning approaches come to mind:
Application Tuning: tune the application code to process data more efficiently.
Instance Tuning: tune Oracle itself via modification of database parameters or altering the environment in which the database executes.
SQL Statement Tuning: tune the SQL statements used to retrieve data.
The third approach, SQL seems to be a point of contention with many of our customers because it is often unclear which group (database administration or development) is responsible.
-
Oracle and Java Database Performance Management: An Executive View
Transaction systems are the lifeblood of the modern enterprise. Once hidden from view with no direct access to the outside world, they have become the point of entry into your organization for virtually everyone with whom you have a business relationship, including customers, suppliers and employees. Your job is to deliver the service that internal and external customers demand, performance that is measured very simply, by the clock on the wall. Time is the only meaningful measure. It is also one that we all can agree on, whether we are a customer waiting for an order confirmation or a programmer waiting for our code to execute. Meeting time-based performance targets is often the metric upon which Service Level Agreements (SLAs) are based. No wonder then that avoiding the economic penalties often tied to these SLAs can easily become the overarching focus of your programming and operations staff. Clearly, failing to meet SLAs is not an option.
AVOIDING CAPITAL EXPENDITURES: New applications and increasing server workload confronted a Wall Street firm with a Hobson's choice: Upgrade servers from 4-way to 8-way and pay the attendant capital, licensing and maintenance costs or risk costly SLA violations. By installing Ignite for Oracle it was able to obtain the performance of the increased server capacity at one-fourteenth the cost.
-
Get More from Your Oracle Database: Best Practice Performance Management for Real Results
Wait-time based performance analysis methods are gaining wide use because of their effectiveness. Confio Resource Mapping defines a strict methodology of how to perform an accurate Wait-time analysis. Confio Ignite is a software tool that implements the Resource Mapping Methodology in its entirety, giving DBAs an integrated, cost effective package for performing expert database performance analysis and tuning. Ignite is a tool for skilled DBAs with tough problems to solve. Customers have demonstrated results with ROI exceeding 800% based on savings of hardware investment, reduced consulting fees, and demonstrated SLA compliance. Typical users achieve a 35% increase in database capacity through use of Ignite. With detailed insight into Oracle Wait-events, Ignite identifies exactly where performance is drained from the database. Reports add the ability to communicate long term trends across an organization. Alerts make proactive monitoring an anytime/anywhere reality. Learn more about Ignite from Confio Software at www.confio.com or info@confio.com.
This white paper looks at the deficiencies in the traditional tools used by database administrators as they are asked to continually increase database performance and keep costs down, and it highlights a new method of performance tuning and the outstanding results that have been achieved with it. We will "Wait-Time" or "Wait-Event" analysis as it has become the industry best-practice and replaced the "event counter" method of measuring database performance.
-
Oracle Performance Tools For IT ROI: Reduce Your IT Infrastructure Investment
Confio Ignite for Oracle™ cuts the total cost of operating Oracle databases, reduces risk and shortens schedule when developing and introducing new Oracle-based applications. Confio customers have achieved Return on Investment (ROI) in excess of 900% in the initial year after implementation of Ignite for their SQL development and Oracle production environments. Savings have been achieved through multiple sources, all tied to "hard-dollar" savings for IT departments and application owners:
Avoided costs for new capacity to support increasing loads
Eliminated needs for new full-time employees to operate growing volume
Reduced outside expert consulting costs for database tuning
Demonstrated SLA compliance to avoid non-compliance penalties
Cut development costs and reduced time to introduce new applications
When facing high wait times, dropped sessions, and application lock-ups, the typical company response is to invest in expanded server hardware capacity and additional Oracle licenses, plus the accompanying installation and project management costs. DBAs utilizing Ignite have demonstrated the ability to cut Oracle wait times by 3090%, and eliminate the contention once attributed to insufficient hardware capacity. Through use of Ignite, a typical organization can achieve a 35% performance improvement, generating ROI of 965% first year, based solely on server investment, as illustrated in Case 1 below.
Top White Papers
-
Get Your 30-Day Free Trial of BeyondTrust's PowerBroker Servers for Linux & Unix
Take Back Control of Your Critical Server Environment
PowerBroker Servers empowers IT organizations to delegate root tasks and authorization on Linux, UNIX, OS X systems without ever disclosing the root password. PowerBroker Servers enables enterprises to efficiently dictate permissions for users down to the most granular level, extending to any command executable - without any impact to productivity or operations.
PowerBroker Servers' audit-friendly logging and comprehensive reporting helps our customers satisfy their internal and external compliance requirements. Thousands of organizations worldwide, including those with the most demanding regulatory requirements, have chosen PowerBroker Servers as their enterprise alternative to Sudo commands.
-
Advanced CRM: Answering Unique Business Needs
Off the rack CRM doesn't fit every business. Are you better off with a customized solution that addresses your unique business challenges? This new white paper will help you decide if a more advanced solution is worthwhile. Our CRM expert gives you an honest breakdown of general and customized CRM information, including:
Customized CRM considerations
Pros and cons of a customized system
Business requirements for any CRM system
And more!
Customized CRM may be the answer for your company...or may not be. Download and read Advanced CRM: Answering Unique Business Needs to find out now.
