What is our primary use case?
This product is primarily used for cloud security applications and exclusively for performance management.
The solution uses SCS, Secure Coding Standards. It is the framework of the program which is used to build an application. It's basically how the programming methodologies are built. It lays out how code is written and how configurations will be developed so the solution can work in unison with EPM.
Using tools such as Burp Suite, Wireshark, et cetera, we find out whatever are the code snippets or whatever are the code blocks being deployed are as per the security standards. There is a third-party code approval protocol. In a third-party code approval use case, whenever we see that these applications involve integration with any other application, rather than the one which you are dealing with, for example, say EPM is integrated with another product like SAP, we need to figure out the mode of integration. We need to ensure that the third-party application is able to be in sync from a security perspective,
We also use the solution as an architecture-based model. We can do risk modeling for any kind of risk that affects product performance, product security, or product modulation. For example, if a Microsoft Windows operating system goes under an update, if OSSA goes down, or if ransomware is detected in the MS operating system, we have risk models in place to initiate protocols.
How has it helped my organization?
In 2019, a very big conglomerate in the energy sector used this solution. In this use case, the data was extremely dynamic in nature, due to the nature of power consumption.
For example, if your house is consuming 200 watts today, you can't be sure that tomorrow it will be 200 watts. It can go to 205, 210 or it can go even down. Considering this dynamic, the company needed to ensure this dynamic process could not be attacked by any kind of ransomware, as ransomware are common in energy management companies. I had to analyze the data, and I found out that the processing was done in batches.
Ransomware was more prone to attack in alternative energy areas, such as wind. It will look like a virus on the surface and then activate. Without proper security, it could take out the energy completely.
I observed that there was ransomware coming from two provinces, Victoria and North Australia, and furthermore, I could see that ransomware was attacking non-conventional data which was not frequently processed. I was able to advise the company to move data to another server and follow the algorithms which I suggested.
The result was that they could see that non-conventional energy, wind energy, in these two provinces was performing well in terms of security. With this product, they could see that data was not getting stolen.
What is most valuable?
The solution offers very good security and prevention. It helps improve and protect against vulnerabilities quite effectively.
The solution offers very good cloud and on-premises deployment models. When a customer uses the on-premises version, they can configure it; the security gets confirmed within a particular design.
When it comes to the design, there are certain products that are designed and integrated with the solution in order to provide software security assurance. For example, Burp Suite, and Wireshark. Beyond that, Oracle has its own vulnerability scanners as well. These scanners provide programmable logic that protects against malware, ransomware, and more.
The solution works well with the Agile methodology.
The ARM, the architecture risk model, is very good. It's the most important feature in terms of the third-party code integration or code approval process.
The initial setup is pretty straightforward.
What needs improvement?
The solution could improve its storage capabilities.
On the cloud, additional security is required. They need to provide additional system algorithms, such as the SHA-256 and SHA-512 secure hash algorithms. The cipher needs to be encrypted even more strongly.
The vulnerability processing needs to be much stronger. It needs to happen at a particular frequency to make it more effective. It shouldn't happen at regular intervals either. It has to happen with the inception of every single process.
There needs to be a formal release sign-off. I insist that annual maintenance releases for the patches happen at the monthly or periodic levels; however, that has to happen at an even higher frequency to ensure security is maintained.
What do I think about the stability of the solution?
The stability of the product is evolving, as security is something that is dynamic. It is stable, however, everything evolves. The performance is excellent. As far as EPM is concerned, it is behaving nicely and it is meeting the requirements we have. One thing I would flag is that Oracle proprietary products will have a certain divergence in behavior. Other than that, the performance is good.
What do I think about the scalability of the solution?
The scalability is good. Scalability, as far as individual devices are concerned, is supported. The same application can be used by multiple business users, no problem. There might be a slight performance delay, however, it's minimal.
How are customer service and technical support?
I have not dealt with Oracle technical support. I wouldn't be able to really rate it effectively, as I have no first-hand experience.
Which solution did I use previously and why did I switch?
We had other security products in the past.
How was the initial setup?
The initial setup is pretty straightforward.
When deploying on the cloud, Azure can be a bit complex, however, OAC, Oracle Analytics Cloud, is quite simple. The scanning codes are already built-in.
If you are using Windows 10 and using Secure Copy Protocol, SCP, you will be able to transfer all coding snippets, algorithms, and all that into the Linux cloud. You have to execute every use case according to the build, according to what is required. If there are manual and automated processes, they need to be dealt with separately.
If you want to make items automated, then you can use batch automation or you can write a scheduler, and you can schedule an Oracle DB scheduler.
In an on-premise deployment, the difference is that it is located on a solid-state server. After transfer, the moment deployment is done, you need to restart your servers. Then, according to the requirement, according to the use case, you will run everything one at a time, if it's manual. If it is automatic, you can just set the schedule.
Deployment in my experience takes me close to 30 minutes, depending upon the network speed and all contingencies. A cloud deployment actually takes a little bit less time, as with a solid-state server, some restarts are required. The cloud doesn't consider all these factors. It has its OCI, Oracle Cloud Infrastructure, which has an in-built restart mechanism. The moment you transfer into the cloud, it reassembles all the design and does it itself.
What was our ROI?
Purchasing this product indeed is a value addition. It's not going to be a bomb, it's not going to add any kind of liability. It will have quite a positive impact on a company.
What's my experience with pricing, setup cost, and licensing?
While I cannot speak to the exact pricing, I can say that I find the costs to be reasonable.
Which other solutions did I evaluate?
We did evaluate other products. It was part of the decision-making process.
What other advice do I have?
We are partners with Oracle.
This product actually is focused on performance and product management-based solutions. It's used in healthcare, shipping, banking, microfinance - all of these domains which use the performance management product for balance sheet planning, profit and loss calculations, GL maintenance, et cetera, for which actually Oracle has designed a product called EPM, Enterprise Performance Management. Under this EPM there are close to 14 to 16 products, and this is one of them.
I'd rate the solution at a nine out of ten.
I'd advise people who are implementing OSSA to start with SCS, secure coding services, and practices. If you observe any kind of vulnerability or any kind of violation, then, of course, you have to come up with the remedy first. I'd also caution that third-party integration has to be done with extreme care. No compromise should be accepted, as once you make a compromise with respect to security, it can affect your entire design and your implementation as well.
In terms of the ARM, architecture risk model, users need to be clear with the data, be clear with the numbers there. You need to be careful.