Writing a book. #WhatIDontKnow #quicktip

The book I’m currently working on is a technical book on Database Application Security. While writing, I frequently find myself trying to explain something and I can’t quite come up with a good explanation. This normally indicates I don’t understand something well enough to explain it; therefore it goes into my “What I don’t know” book (we can discuss that another day).

So I’m working on a book, and get stuck. The first thing I do is write down what I don’t know in the form of a question. Case in point, working on the Unified Audit section and I wanted to explain, “how come unified audit does not immediately write to the database, you have to turn immediate write on.” Many years ago, I learned not to go with the first answer that comes to my mind. It may be right, it may be wrong.

To keep moving forward on the chapter, I can either 1) start researching the answer and wind up going down a rabbit hole, or 2) insert the question into the chapter, tagged as a question.

<QUESTION> why does unified audit pause writing to the database? </QUESTION> I then scribble that same question into the notebook I carry with me.

I choose to use #2, because it allows me to stay focused on writing. I can then come back to the question, do my research and get an accurate answer.

Inserting and tagging questions is a great way to keep the focus on the work you are currently doing. You can research later, then maybe take a walk and ponder just how you are going to answer the question.


A common #infosec error in @Oracle applications: #DBA granted to application account

I’ve been doing this a long time, and there are two infosec errors that I keep seeing: granting DBA to an application account, and people using the application account to do their own work. The problem of granting DBA to an application account is compounded when people actually log on to the application account to work.

Oracle’s DBMS_PRIVILEGE_CAPTURE package (privilege analysis) is now included with Enterprise Edition; it used to require the Database Vault option. It’s a powerful tool for fixing over-privileged accounts, but it only reports what the captured sessions actually exercised. When someone logs on as the application account to do DBA work, the DBA-level privileges they use are recorded as “used” by the application, and the capture can no longer tell you what the application itself needs; at that point all bets are off.

1) Don’t grant DBA to application accounts. Figure out what privileges the account needs and grant those privileges.

2) Don’t use an application account to do your work.

3) Use the DBMS_PRIVILEGE_CAPTURE package to analyze what privileges your users are using and dial back over privileged accounts.
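Here is what that workflow looks like end to end, as an added example that is not from the original post. The account name APP_OWNER, the capture name and the grants in the final step are placeholders, the session running it is assumed to hold the CAPTURE_ADMIN role, and the run_name parameter needs Oracle Database 12.2 or later. The check in step 4 is the one that catches the second error above: a human who used the application account during the capture shows up as a different OS user, host or module, and their DBA work contaminates the “used” set.

```sql
-- Added example (not from the original post): a privilege-analysis run against a
-- hypothetical application account APP_OWNER that currently holds the DBA role.
-- Run as a user with the CAPTURE_ADMIN role. APP_OWNER, the capture name and the
-- grants in step 6 are placeholders; run_name requires 12.2 or later.

-- 1. Define a capture scoped to sessions of the application account only, so that
--    privileges exercised by other users are not mixed into the result.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_OWNER_CAPTURE',
    description => 'Which privileges does APP_OWNER really use?',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APP_OWNER''');
END;
/

-- 2. Start recording, then exercise the application. Cover a full business cycle
--    (batch jobs, month-end, patch/upgrade paths) or the "used" list will be incomplete.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APP_OWNER_CAPTURE', run_name => 'RUN1');
END;
/

-- ... application workload runs here ...

-- 3. Stop recording and materialise the result into the DBA_*_PRIVS views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_OWNER_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APP_OWNER_CAPTURE', run_name => 'RUN1');
END;
/

-- 4. Sanity check before trusting the numbers: did a person log on as APP_OWNER
--    during the capture (a DBA workstation, sqlplus, SQL Developer)? If so, the
--    DBA-level privileges they exercised are now in the "used" set. Move those
--    people to their own accounts and repeat the capture.
SELECT DISTINCT os_user, userhost, module
FROM   dba_used_privs
WHERE  capture  = 'APP_OWNER_CAPTURE'
AND    run_name = 'RUN1'
ORDER  BY os_user, userhost, module;

-- 5a. Privileges the application actually used: this becomes the replacement grant list.
--     PATH shows the grant chain (e.g. via the DBA role) through which each was obtained.
SELECT sys_priv, obj_priv, object_owner, object_name, used_role, path
FROM   dba_used_privs
WHERE  capture  = 'APP_OWNER_CAPTURE'
AND    run_name = 'RUN1'
ORDER  BY sys_priv, object_owner, object_name;

-- 5b. Privileges the account held (mostly through DBA) but never touched.
SELECT sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture  = 'APP_OWNER_CAPTURE'
AND    run_name = 'RUN1'
ORDER  BY sys_priv, object_owner, object_name;

-- 6. Replace DBA with the explicit set from 5a. The grants below are placeholders for
--    whatever 5a reported; putting them in a role keeps the list reviewable.
CREATE ROLE app_owner_runtime;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO app_owner_runtime;  -- from step 5a
GRANT app_owner_runtime TO app_owner;
REVOKE DBA FROM app_owner;

-- 7. Remove the capture definition once the result has been acted on.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'APP_OWNER_CAPTURE');
END;
/
```

Keep the old DBA grant revocable rather than dropping it blind: run the application against the new role in a test environment first, and compare a second capture against the first to confirm nothing new appears in DBA_USED_PRIVS that the role does not cover.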