TEAM Zarate Tarrani Notes From the Field

A Challenge. In my last entry I didn't really take Linda's spot - XLM and Oracle (or any database) have a natural affinity. XML is the magic. You can stuff the results of a SQL query into a DTD, which is the stuff of application and database integration. However, there are also security challenges. The topic of this entry is XML and database security, and is based on two excellent books I recently finished reading.

The first book is Translucent Databases. This book contains an innovative and viable approach to securing databases, and one that I've not encountered anywhere else. In a nutshell the author provides techniques, based on standard SQL and Java, for securing sensitive data without restricting general access of less sensitive data to authorized users. The core of this approach is based on encryption and one-way functions, including PKI and secure hashing, and accepted authentication techniques such as digital signatures.

What makes this book unique is that while it's based on solid theoretical ground, the material is practical. As the techniques are discussed they are illustrated by 15 different scenarios, all of which contain problems faced by e-commerce, HIPAA and other high security environments, and code examples that show how to solve the problems. I like the way the author shows how to implement his solutions in common database environments (PostgreSQL, MySQL and Oracle - the approach should also work in the MS SQL Server environment). As I read this book I saw interesting possibilities for implementing role-based access controls and securing against SQL-based statistical attacks using the author's approach.

This book is essential reading for DBAs, system architects and IT security professionals, especially those in healthcare who are struggling with meeting HIPAA requirements, and in e-commerce who are challenged by protecting credit card and account information. This book shows the DBA how to secure his or her database, and the system architects and security professionals what is possible using SQL and Java. The book also has an associated web site which is supposed to have soft copies of all of the source code contained in the book. As of this entry the link to the source code is on the site, but the code itself is not yet available. When it is the value of this book will increase even more because of the time it will save by not having to manually create the code from scratch.

If you are new to the cryptographic techniques introduced in this book I recommend Cryptography Decrypted by H. X. Mel and Doris M. Baker, which is one of the best introductions to this complex subject. I also recommend reading Secrets and Lies: Digital Security in a Networked World by Bruce Schneier, which covers the technical, organizational and social aspects of security and gives a clear description of the technical underpinnings discussed in this book.

The second book is XML Security. Given the fact that XML is a key component of web services, and extensively used in e-commerce and enterprise applications integration, this book addresses a genuinely important topic. For one reason, XML is text-based and can expose proprietary information, which is a vulnerability for competitive intelligence specialists and corporate spying.

Before going into what the book contains it's important to know that much of the material is based on RSA's view of the security. This isn't a criticism, but an up-front statement of fact because if you're looking for a book that is 100% vendor neutral you are going to have to wait until one is written - this is the only book I know of that is solely about XML security.

The book starts with primers on security and XML to set the context. It then covers, in succession, digital signatures (chapters 4, 5 and 6), and XML encryption. These chapters are consistent with work and specifications produced by XML Signature WG (joint the Working Group IETF and W3C for digital signatures) and the W3C working group for XML Encryption.

Chapter 8 is specific to RSA products. It shows how to implement XML encryption using RSA BSAFE© Cert-J, which can be downloaded in a trial version from RSA's website. Chapter 9 covers XML key management specification, which are consistent with the W3C working group's specifications, and how XML security relates to web services.

Despite the slight bias towards RSA this book is an invaluable reference. It provides an in-depth discussion of major security issues, as well as how they are being addressed by the W3C. It goes without saying that anyone who is responsible for system architecture, design and/or security should carefully read this book.

Taking Linda's Spot. The boxed set of Oracle books that Linda discussed in her last entry are a bargain for someone who is immersed in a training program. However, who really has the time to wade through thousands of pages and a stack of CD ROMs? (Unless you're facing a certification exam). What if you merely want to gain basic Oracle skills and are overwhelmed by the six inch thick books out there? A refreshingly slender book is So You Want to Be an Oracle DBA?. First, you need to know that this book is based on version 9i and is focused on the UNIX environment. If you're using Oracle 8i and have no immediate plans to upgrade you will find that the previous edition to be more suitable.

The ideal audience for this book is the new Oracle DBA or UNIX system administrators who have either inherited DBA responsibilities or who want to gain cross-functional skills. Experienced DBAs will find much of this book too basic, and may complain that it doesn't cover the full range of database administration topics.

In my opinion the relatively narrow scope of this book is one of its strengths. Instead of overwhelming the new DBA with hundreds of pages it sticks to the essentials. Another point in its favor is that the author doesn't attempt to go into gory details about how things work (information that you can get from other books as your comfort level and self-confidence improve), but remains focused on what you need to do in order to effectively manage and support an Oracle 9i instance.

While I liked the Getting Started and Some DBA tasks (Sections I and II) that start this book, I especially liked Section III, which covers tuning. This is the essence of what a DBA does, and the basics are well covered. This section also gives some excellent scripts that the new DBA will find invaluable. Section IV, is somewhat useful, but Section V is another favorite because it shows how to begin building your own set of tools, which is the hallmark of an experienced DBA. The scripts that are provided in this section are the foundation of database administration, and will spark ideas for additional and more specific scripts. The value is that you can learn much from what is provided.

Each topic in this book is given a brief 2-3 pages, which makes it somewhat terse. In many cases you'll have to go to other books for deeper explanations, but at least you'll be quickly functional.

If I had to choose a single book with which to get started this would be it. Of course you'll outgrow this as your skills and experience evolve, but it will get you started and does so using good practices and workable techniques.

Trapped in a Time Warp? Are you currently stuck in the mainframe or mid-range world and are seeking an escape? Or perhaps you realize that your skills are growing obsolete and you want to remake yourself. Programming the World Wide Web may be your ticket out. If you're trying to break into development and are seeking a basic book that will prepare you for a career as a web developer, this isn't what you're looking for. It's neither a programming tutorial nor a book on specific environments, such as .NET. However, if you're doing maintenance programming in, say, RPG/400 or writing JCL and are wondering how you can refactor your skills and get out of the mid-range and mainframe environment this book is ideal.

Solid programming skills are assumed (preferably in C or C++, but that isn't essential). You should have a basic understanding of databases and data structures. If you have these skills this book will systematically familiarize you with the web programming environment and common tools and programming languages that you'll need to master in order to transition out of the data center. I like the way the book touches all of the key knowledge areas, starting with HTML and going through javascript, perl and the usual cast of mark-up, scripting and programming languages. More importantly, this book doesn't skim the surface - it does into databases, XML and server-side development. If you've read the table of contents and are tempted to question why CGI was included in such a relatively new book, bear in mind that most of the information in this book is ideal for maintenance programmers, and there are literally thousands of systems that still employ CGI scripts. This also reinforces my opinion about who will benefit most from this book - maintenance programmers from mid-range and mainframe environments.

In a nutshell, you bring your knowledge of algorithms, data structures and development methodologies, and the book will show you how to apply them to web programming.

Still More XML Resources. I mentioned Definitive XML Application Development in my last entry. If you're a developer this is an excellent resource. Be aware that the book requires a solid working knowledge of XML and associated protocols (XLST, XPath, XML Schema), Python and Java), and is written for practicing developers who are involved with web services, e-commerce and extended supply chain applications. You should also be reasonably familiar with DOM, data structures and relational databases to get the most from this book.

After a quick introduction to the XML processing the author wastes no time getting to the meat by going into processing types in Sections II (Event-Based Processing), III (Tree-Based Processing) and IV (Declarative Processing). Each of these sections are comprised of chapters and topics that cover the strengths and weaknesses of each approach, common tools and example applications, and tips and techniques.

Section V is focused on Java development, including SAX in Java, DOM in Java and XSLT In Java Applications. This section covers APIs, tools and specific considerations for each topic.

The final section addresses XML processing in detail, and deals with alternative processing approaches (including hybrids of event-, tree- and declarative-based models), schemas, and RSS.

In addition the appendices are informative and add to the value of this book. In particular, Appendix A, A Lightning Introduction to Python, will get seasoned developers up-to-speed (augmented by Appendix C which covers Python XML Packages). Appendix B is a glossary that goes into considerable detail, making it a handy reference.

More XML Resources. It's one thing to have a book of spcifications, such as the one cited in my last entry, but such books are more useful as references than as learning tools for mastering the underlying technology. One of the best collections of XML resources is The Definitive XML Professional Toolkit. This boxed set contains three books that have been published in December 2001 and represent the essentials for anyone who is working with XML and web services. The books are:

1. Charles F. Goldfarb's XML Handbook (4th Edition) by Charles F. Goldfarb and Paul Prescod. Goldfarb invented SGML, upon which XML is based and which had a significant influence on the design of HTML. At 1200 pages this book is probably one of the most complete references that one can have. It covers every conceivable topic, ranging from a good description of XML and how it evolved from SGML, to semantic web and web services (each of which are disciplines onto themselves).

   Expected topics are given in-depth treatment (XML, schemas, DTDs, datatypes, XSLT, XSL-FO, XLink, XPath, XPointer, XSDL, namespaces, topic maps, RDF, SOAP, UDDI, WSDL and VoiceXML), with a focus on the following:

   • integration of XML and the older EDI approaches to e-commerce and extended supply chain systems
   • a sound approach to content management - how XML fits into the web services framework
   • chapters on important topics such as portals, databases, content acquisition, conversion and publishing
   • a series of chapters devoted to tutorials on XML basics, schemas, and transformation and navigation protocols
   In addition this book comes with two CD ROMs that are packed with applications such as IBM's AlphaWorks suite and NeoCore XMS Native XML Database (Personal Edition). A trial version of TurboXML IDE & Schema Editor is also included among the 175 programs on the CD ROM set.

   This is an overwhelming book for beginners, but is a valuable resource for anyone who is deeply involved in web services, XML and related technologies. If you fit the latter category this is probably the only XML reference you'll need.

2. Definitive XML Schema by Priscilla Walmsley. In a nutshell this book gives a detailed description of the XML schema and associated topics. The author is a member of the W3C working group that created XML Schema, and the material in this book is consistent with W3C recommendations. See the editorial description and reviews on this book's product page for specifics.
3. Definitive XSLT and XPath by G. Ken Holman. Covers everything you need to know about transforming information structured vocabularies and output formats. The author is the chair of OASIS's XSLT/XPath Conformance Technical Subcommittee. See the editorial description and reviews on this book's product page for specifics.

What's not included in this set, but worth getting is Definitive XML Application Development by Lars Marius Garshol. However, the books that do come this this boxed set will provide you with a solid foundation of the basics as well as software tools that you can evaluate as candidates for your own development environment.