19.10.07

SAP Shows Solid Earnings, Firm Stance Against Oracle

SAP on Thursday narrowly topped analyst profit estimates in its third quarter, raking in $579 million on sales of $3.44 billion.

Analysts were looking for sales of $3.46 billion in the quarter, a target the German software giant would surely have met or exceeded if not for currency fluctuations related to the strength of the euro. Most analysts pegged SAP for a third-quarter profit of $575 million.

"Given the current currency situation and the concerns of the market, we would assess the report as a success," DZ Bank analyst Oliver Finger wrote in a research note following SAP's earnings report.

While the story this quarter was the company's 11-percent surge in licensing sales, which rose to $1.02 billion, Chief Financial Officer Werner Brandt cautioned that SAP probably wouldn't hit the upper end of its previous estimates of 15 percent to 17 percent growth for the full fiscal year.

"It appears less likely that product or software revenue growth will reach the upper end of the aforementioned ranges," Brandt said during a conference call with analysts. However, he said, the company expects to still top earnings-per-share estimates for the full year, ranging from $7.32 to $7.54 a share.

During the conference call, CEO Henning Kagermann and Leo Apotheker, SAP's president of customer solutions and operations, spent a considerable amount of time defending the company's performance in head-to-head battles with arch-rival Oracle over large customer accounts.

While Oracle has claimed that it consistently dominated SAP in landing new customer accounts, Apotheker said SAP actually had won in 85 percent of the 247 deals for which the two companies competed during the quarter.

The company also announced Thursday that it beat out Oracle for a large contract with retailing giant Wal-Mart during the third quarter. According to SAP executives, Wal-Mart will implement SAP ERP Financials to replace some of its legacy software systems, including its JD Edwards enterprise resource planning applications, and integrate it with other internal systems. The first phase of the installation is planned for completion in 2010.

Reaffirming the company's plan to grow its customer base to more than 100,000 clients by 2010 through aggressively targeting the small- and mid-sized business sector, SAP announced that it would invest more than $560 million in the coming year to market and develop Business By Design, its first software-as-a-service (SaaS) offering, announced last month.

SAP also announced it would launch a new mid-market product featuring a flexible architecture and new deployment models, implying that it, too, will be delivered to customers in an on-demand model or both on-demand and on-premise. The company said further details and a specific timeline for the new product's delivery will wait until SAP's annual analyst conference in December.

On Thursday, Kagermann reiterated that SAP would continue to follow its long-time plan of making only small, strategic acquisitions -- rather than follow Oracle's strategy of constant acquisition.

That comment came in spite of SAP's contrary move last week, when it broke from tradition to purchase business intelligence and analytics software vendor Business Objects for $6.8 billion.

Less than a week later, Oracle announced its intention to acquire middleware provider BEA Systems for $6.7 billion. According to some industry insiders, SAP's Business Objects deal inadvertently assisted Oracle's acquisition strategy by ensuring the German company would be unlikely to engage in an expensive bidding war so soon after making a massive purchase of its own.

SAP shares pulled back $1.69 a share, or three percent, to $54.61 in Thursday afternoon trading.

Author: Larry Barrett



18.10.07

Oracle Patches 51, Updates Vulnerability-Scoring System

Oracle's October Critical Patch Update (CPU) addresses 51 vulnerabilities spread across the company's product portfolio, a marked improvement over last October's update. The quarterly release also introduces an update to the system Oracle uses to score the severity of vulnerabilities.

Oracle's namesake database products, which have 27 disclosed vulnerabilities, get the majority of the 51 fixes. According to Oracle's advisory, seven of the database vulnerabilities may be remotely exploitable without authentication.

Oracle Application Server gets 11 fixes, seven of which are remotely exploitable without authentication. There are eight security fixes for the Oracle E-Business Suite, one of which is remotely exploitable without authentication. Oracle Collaboration Suite gets seven fixes. Oracle PeopleSoft Enterprise PeopleTools gets two security fixes, and there is one new security fix for PeopleSoft Enterprise Human Capital Management.

The 51 flaws addressed in this month's update continue the decrease in reported vulnerabilities, which numbered 65 in the July update and are considerably fewer than the 100 the company fixed last October. That update also marked the first time that Oracle revealed how many flaws were remotely exploitable without authentication. The remote exploit flaws are among the most dangerous in that they are more accessible and hence more easily exploited than local flaws, which first require local access as well as some form of authentication.

This year's update also includes version 2 of the Common Vulnerability Scoring System (CVSS), which provides a benchmarking base metric system in order to score the relative severity of a reported vulnerability. The company adopted the system last year to expand its security information disclosure method.

"It is worthwhile to reiterate again that CVSS provides a standard-based approach for assessing the criticality of vulnerabilities," Eric Maurice, manager for security in Oracle's global technology business unit, wrote on Oracle's security blog.

"In other words, CVSS assists customers to understand the significance of a given vulnerability in their environment, and assess the priority that should be given to patching that specific vulnerability against production requirements."

With CVSS 2.0, he continued, a number of changes have been introduced that make the standard more representative of real-world vulnerabilities.

But while the new version of CVSS has more parameters, Amichai Shulman, CTO of application data security company Imperva, said that the scores have remained the same.

"Based on our analysis, we recommend that security officers take a close look at the details composing the risk score rather than accepting the score itself," Shulman wrote in an e-mail sent to InternetNews.com.

"For example, the highest-ranked vulnerability is only 6.5 out of 10, yet it is easy to exploit remotely and allows the attacker to take complete control of the database. This is a serious vulnerability, but its score does not reflect that fact."

Regardless of how Oracle actually measures the severity of the vulnerabilities, the imperative for Oracle users is to update and do so quickly.

"Oracle users should understand that the period after a CPU has been issued is ironically more risky than the period before the CPU is published, as it gives black hats who may not have known about certain vulnerabilities directions where to look for them," Slavik Markovich, CTO of database security vendor Sentrigo, wrote in an e-mail sent to InternetNews.com.

"Based on the severity level of the vulnerabilities patched in this CPU, users should be sure to take the steps necessary to protect their organizations' data by heeding the advice of Oracle with regard to patch specifications and procedures."

Author: Sean Michael Kerner @ internetnews.com



17.10.07

It's Confirmed: Wookey Out at Oracle

Oracle's executive shuffling leaves many questions regarding the future of the company's Fusion platform. As has been rumored for days, Oracle is replacing the leadership of its application development platform.

Rumblings Oct. 12 that John Wookey, the company's head of application development for Fusion Applications—the project much vaunted at Oracle—is out, have been confirmed in media reports. Thomas Kurian, senior vice president responsible for Oracle's Fusion Middleware, will take his place.

The executive shuffling of the deck around Fusion leads to some big questions around Oracle's Fusion Applications plans, including whether Fusion Applications will be delayed beyond 2008, and whether Oracle is experiencing development problems in trying to bring together "the best of" functionality from at least four major suites of applications: Oracle E-Business Suite, PeopleSoft, JD Edwards and Siebel Systems.

The analyst community has long been split on Oracle's momentum with Fusion Applications.
ZDNet blogger Dennis Howlett, who runs the Enterprise Irregular community, sourced an internal letter from Oracle CEO Larry Ellison on his blog that detailed the company's moves. The Wall Street Journal later confirmed the departures, quoting sources close to the company.

Oracle officials were not available for comment at press time.

As it stands, Wookey, senior vice president of applications development, is leaving Oracle. Sources close to the company suggested the week of Oct. 8 that Wookey, in a heated argument with Ellison, had already left the company and Oracle was trying to woo him back, though the circumstances around Wookey's departure have not been confirmed.

Fusion Middleware is the underlying platform for Fusion Applications.
The changes come just days after Oracle announced Oct. 12 its intent to acquire BEA Systems for $6.6 billion. BEA, which develops middleware, rebuffed Oracle's overtures, saying the offer undervalued the company. Oracle responded that it would not raise its offer price, despite analyst speculation that it would. The deal, as of Oct. 16, is in limbo, though likely not by any means dead.

The deal for BEA, of San Jose, Calif., led to more questions surrounding Oracle's plans with Fusion—both its middleware platform and applications stack.

As part of the changes with Wookey's departure, Ed Abbo, who had reported to Wookey, will now head application development outside of Fusion—in other words, the continuing development of applications that Oracle, of Redwood Shores, Calif., has acquired, including PeopleSoft and JD Edwards. Through its Applications Unlimited program, Oracle vowed to support those applications forever.

Both Kurian and Abbo will report to Chuck Rozwat, executive vice president at Oracle who will take over responsibility for all product development, according to media reports.

The rumors of Wookey's departure came amidst claims that Oracle would announce at its annual OpenWorld conference in November that Fusion Applications would be delayed through 2009. When Oracle acquired PeopleSoft in 2005, it announced Fusion Applications would be ready sometime in 2008. In January 2006, Oracle officials held a press conference to report that Wookey's teams were "halfway there" with Fusion Applications development.

When asked to comment on the rumors that Wookey was indeed leaving Oracle, Enterprise Applications Consulting principal Joshua Greenbaum (and Enterprise Irregulars blogger) said in an Oct. 12 interview that he would be "shocked" if Wookey were indeed leaving Oracle.

"If I was Oracle and I thought things were in trouble regarding a 2008 release of Fusion, I wouldn't throw in the towel now and act as if it couldn't happen. I would be throwing resources and people at it," said Greenbaum. "It's a little premature to throw in the towel" on Fusion Applications.

Author: Renee Boucher Ferguson @ eWeek.com

