Upcoming #POUG17 and #tajoug #techconftj* #Oracle #plsql #infosec #fun

99% of my presentations are technical, addressing our information security needs. Then every now and again, I get to do something fun. There was “Hacking The Human Brain” last June at BGOUG.

My next trip in September is taking me to Krakow Poland, Moscow Russia and Dushanbe Tajikistan. While in Krakow, I’ll be presenting on “Secure Coding in the Cloud” and taking part of a panel discussion. On to Moscow, to see a concert on Red Square, and dinner with friends. Then off to Dushanbe where I’m privileged to present, “Secure Coding in the Cloud,” “Holistic Database Security,” and something fun. “Make a Difference, My 10 rules for a full life.” This will be a fifteen minute talk on, the rules I live by. Come on out to the Polish Oracle Users group or Tajikistan Oracle Users Group, September 7th. We are going to learn a lot and have fun doing it.

If you can’t make it to either of these two fine conferences, meet me in Moscow for a beer or two at Hotel Metropol.

What is it like on the Oracle User Group Speaking circuit?

This is how most of my trips start, a ride to the airport with my headset on. Listen to some easy listening music such as AC/DC or Iron 20161114_195431Maiden to get me in the mood for travel. Once at the airport; check into the business class lounge at Air France or British Airways to have a glass of Champagne wile waiting for my flight.

UPDATE: I pay for my own business class travel. Thanks for pointing that out Kent Graziano.

 
20170515_131521 20161107_114624
On some of my trips in the US, I’ll fly my 1948 Ryan Navion to the conference site. Many OSH1times while in Europe, I get asked if I flew my plane there. The answer is no. Single engine airplanes don’t do well when flying over thousands of miles of open ocean.
Who are you going to meet when you are out speaking. The most interesting people in the world. These people are some of the top experts in the world who volunteer their time to educate people. Once the best side effect of hanging around them, is they will inspire you to be better everyday. All if these people here have one other thing in common. They are all wonderful people who I’m happy to call friends.
20160124_132354 20170129_195220 
20170509_185627 20170517_174938
20170601_213052 20170603_210720
20170626_121538 IMG_3554
20170524_134852 20170624_213408
20170207_212104 20170207_195927
What happens when you get there. Well, there is the hotel you need to check into. Then you are going to need to find out where the reception is, head out to see the city, find out what the local beer is, and have a bit of fun.
20170520_080839 20161029_160629
20170530_195313 20170520_130123
20161113_222936 20170527_215202
FB_IMG_1484440268333 FB_IMG_1499123988544
20170527_183403 20170529_201317
20170530_122345 20160123_191934
IMG_5640 20161108_205224
You’ve found the reception, and taken in some of the city’s culture – it’s time to get ready to speak. No matter how many times you have done a presentation, it’s important to go through your presentation and demos before you get in front of your audience. You need to be ON. This may be your 20th time giving this presentation, but remember this is the first time this audience has heard it. Deliver your presentation like your reputation depends on it. Also remember, you may be asked a question that you’ve heard a hundred times. Again, the person you are talking to does not know the answer, that is why they are asking; so show that person the respect he/she deserves. You will also be asked questions that you don’t know the answer to. Write down the question, go back and research it; then provide that person the answer to their question.
FB_IMG_1492451855539 FB_IMG_1499123977327
FB_IMG_1499123992635 IMG_3020
IMG_5469 IMG_5471
You did a great presentation, you got to see the city and make new friends but don’t forget all the other great session that are being offered. Besides, because you are a speaker, you get to sit in on these sessions too. You also need to find time to get some work done.
IMG_5314 IMG_6104
FB_IMG_1499123999647 20170510_131025
IMG_5319 20161103_111804
It’s done, you finally made it home, you have customers that you need to take care of. In the past week, you traveled the equivalent of round the world. Get some rest, you really need it. The customer can wait for tomorrow, they wont mind. Smile

20161229_220300

NATCAP-OUG @HelenJSanders is coming to Columbia Maryland

Mark you calendars; Friday October 20th Helen Sanders will be coming to the Columbia Maryland to speak to National Capital Area Oracle Users Group. Helen is an interesting and dynamic speaker who will captivate you with tales from behind the keyboard.

Title: The Good, the Bad & the Ugly: A SQL Saga

Coding Standards? Good testing procedures? Data validation? Who needs them? We all do! Come and learn from some of the bad coding practices and sloppy SQL mistakes that I have seen (and maybe a few I’ve committed!). We’ll share a few laughs and most likely some groans, and also talk about how testing and more testing can help you check yourself.

Helen is an Assistant Director of Applications Development and Support Services in the Student Collaboration Center at Temple University. She is also an Oracle database developer and enthusiast.

Helen has been active in the Oracle Development Tools User Group (ODTUG) for several  years,  is  a graduate of their Leadership Program, served as the Program Coordinator for the 2016-2017 year, and is very active in their Database and Women in Technology Communities.

Helen obtained her M.Ed. at Temple University in 2013, and is currently pursuing an MS-MBA in Business Analytics at the Fox School of Business.

Helen is a track lead for the 2016-2017 Pennsylvania Banner Users Group conference(s), and will be a content chair for the Database track for Kscope18, and has served as a content reviewer for several Oracle Users Group’s conferences.
In her spare time Helen enjoys spending time with her husband, Joe, their blended family of six children, Steven, Julie, Sarah, Bryn, Kelly and Jillian,  and their two dogs-Charlie and Prince Eugene. You can read her tech-based blog at https://helenjsanders.com/ You can also follow Helen on twitter at https://twitter.com/HelenJSanders

#Oracle #sqldev 17.2.0.188 MAJOR improvement

This is going to be quick, I don’t get a lot of time to read new features documentation. I normally reserve that for once a month, print em’ out and read over a nice glass of Scotch. Hey it works for me.

So today, things seem a bit odd, so I opened the SQL Developer Instance Viewer to get a picture of what the database was doing. WOW, thanks Jeff, Kris and team. Love the new look. Check out Top SQL.

Kinda disturbed by an article I just read. #infosec #rant

As most of you know I live on the defense side of infosec. As attack vectors are exposed, I study them to learn how to design systems that can defend against them. There are some biggies, sql injection, cross site scripting, insider threat and encrypted data leaking that burn a lot of my time.

I just read an article giving a detailed technical description on how to use randomized proxy chains to avoid detection. And by using proxies in different countries, it makes it difficult to find out who did the attack. Now of course this article said this should only be used for white hat pen testing and you should not use this for any illegal purposes.

Make no mistake, articles like this are not helping the good guys secure systems. You are only helping the bad guys.

Exciting times. #poug #tajoug #techconftj*

I will making my first trip to Krakow Poland and Dushanbe Tajikistan. This trip will cover over 24,000 miles in air travel and five different airlines.

POUG High Five. The Polish Oracle Users Group will be having their annual tech conference in Krakow Poland September 1 and 2. http://poug.org/en/edycja/high-five-poug/ I’ll be speaking on secure pl/sql coding and taking part in a panel discussion. There is a very impressive group of speakers coming in from all over the world. This is a first class conference that will be held in a brewery.

Tajikistan TechConf. I don’t have a URL for this conference yet, it will be held Thursday September 7 in Dushanbe Tajikistan. Heli “From Finland” Helskyaho and I will speaking along with some local speakers. Heli is famous for her dynamic speaking style; she will teach you new information that will make you better at your job.

Come on out to either one of these two excellent conferences and I’ll help you wrap your brain around Oracle Database Security.

Between POUG and Tajikistan TechConf, I will be spending a couple of days in Moscow to go to a concert and visit with some friends.

Getting to know you, getting to know all about you. #infosec #windows10

Windows 10 has the capability to record everything you say, everything you type and everything you write. Okay, I have a fundamental problem with this. Microsoft implemented this feature in the Beta release of Windows 10 to help the product development troubleshoot problems and improve the product. The product development team loved it so much, they kept it in the production release of Windows 10.

I am not going to discuss Microsoft’s motivation for keeping this in the production product. I will give you my opinion: Information is leaking like a water from a broken colander, so why would we keep this around? Saving this information on your device and the cloud is a massive issue. Here is what you need to do, turn it off and remove the voice, writing, typing from the cloud.

Go to Windows Settings -> Privacy -> Speech, Inking, & typing. If you see Stop getting to know me then click on it and it will turn it off and remove all the data from your local drive. You also need to remove all the data from the cloud. So on that same screen “Go to Bing and manage personal info for all your devices” to clear the Getting to Know You Data from your Microsoft account.

This combined with the setting “Send Microsoft info about how I write” has me very concerned. So turn that off too. On the same screen click on “General” then the third item on the right, “Send Microsoft info about how I write to help us improve typing and writing in the future” Turn that off.

#quicktip #oracle #sqlcl logon.sql #PLSCOPE_SETTINGS and #PLSQL_WARNINGS

Quick Tip. My logon.sql file.

I don’t want plscope_settings and plsql_warnings set when I’m in production; but if I’m in my test / dev / sandbox environments, then I do turn them on.

This helps. Enjoy; this should be self explanatory.

set linesize 90
set pagesize 1000
col table_name format a35
col owner format a20
set timing on
--
DECLARE
 sInst varchar2(1);
BEGIN
 select upper(SUBSTR(instance_name, 1,1))
 INTO sInst
 FROM SYS.V_$INSTANCE;

-- test to see if this is a production instance
 -- all production instances start with P so ...
 -- if it's not a production instance set up
 -- session properties approiate for dev / test / sandbox.
 IF sInst != 'P' THEN
   execute immediate 'ALTER SESSION SET PLSCOPE_SETTINGS=' || '''IDENTIFIERS:ALL''';
   execute immediate 'ALTER SESSION SET PLSQL_WARNINGS=' || '''ENABLE:ALL''';
 END IF;
END;
/
--
define _editor=vi
SET SQLPROMPT "_USER'@'_CONNECT_IDENTIFIER > "

-- setup aliases for sqlcl
alias tab=select table_name from user_tables;

#GDPR – RIGHT TO ACCESS. Security is a feature #3 Right to Access Part 1 of 2

The GDPR Right to access can get a bit complicated as it covers a few things that provide some challenges for us.

What is the purpose of the processing? Lets face it, we process data on people for a number of reasons.

First we are going to use the example of an online storefront. When a person places an order, a number of things happen with that person’s data. 1) Is there payment information accurate? 2) Do they have a store credit? 3) Does that person get a discount? 4) The parts that were ordered need to be shipped. 5) Store a history of the persons order, so the next time they want to order something, the system can make recommendations based on past orders.

If the shipping is being done by a third party such as Fedex or UPS, the person’s data is going to be transmitted to the shipping company. So now a person’s data is being held at both the online vendor and the shipping company.

What is the category of the data being processed? For the online storefront, we have payment, order and shipping information. For the shipping company, there is shipping and value information.

The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. So in this case, let’s say that the package was shipped by FEDEX and let’s assume FEDEX data processing is done in the United States. (NOTE: this is an assumption, not a statement of fact.) Anyway the person’s shipping information has now left the EU for the United States of America. From the perspective of the online store vendor, the shipper will need to address Article 44 of the GDPR. I’ll get to Article 44 later.

Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. So, how long will the data be stored? Certain types need to be kept for a defined period of time. ie. Financial information may need to kept for five or seven years that is defined by either applicable law or regulation. Other types of information may be kept for very short periods of time. I once worked on a system where the data was only resident for thirty days. This system packaged up the data and sent it to downstream system for further processing. Once the data was sent downstream, it was no longer needed. But, once the data was sent downstream, we would need to track what downstream systems received the personal data.

The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. You should be seeing a pattern here. It is going to be critical that we identify all PII (Personally Identifiable Information) in our systems. If a person identifies information we hold that is inaccurate, there needs to be a process in place to correct the information. If a person wants their information removed from our system, there needs a process in place to remove the information without corrupting or compromising the integrity of the system. Reference the Right to be forgotten and Article 17 of GDPR.

The right to lodge a complaint with a supervisory authority. We need to get into the definition of “Supervisory Authority.” I’ll address that in a later post. What kind of complaints can we expect? And what is the process to resolve those complaints? We need to spend time developing the process to address data complaints.

Where the personal data are not collected from the data subject, any available information as to their source. We feed downstream systems, and to be honest, there are a number of companies that sell our personal data. Say your company purchases mailing and phone list from a series of companies, you are now going to need to track the source of that data, so when the question arises, and it will; you can answer the question. What was the source of the data?

More to come.

#SQLDeveloper Unit Testing

I’ll get back to the GDPR series tomorrow.

Can I get a show of hands, How many people do unit testing? I’ve been in a lot of shops where unit testing and code reviews have been passed up in the name of Agile. First off, this is a misunderstanding of what Agile is. You do need to do Unit Test when doing Agile and code reviews are still highly recommended. Because this is not a post on Agile, that’s all I’ll say on that.

I’ve been working on a fairly complex problem for the past few months, that involves advanced analytics, and some simple test against a data set. This wound up being several thousand lines of code that had to be fast, accurate, secure and stable. Here is a shameless plug for SQL Developer, there is an awesome and flexible unit testing module built in to it. It’s quite easy to setup, and give you testing that is repeatable. Jeff Smith has a good write up on setting up and using Unit Testing. Oh, and did I mention, it’s free! Thanks guys.

So after building all my code, I was able to design some test to exercise all the procedures and functions for both successful execution and generate exceptions; so I know my code and deal with any exceptions that may come up.

If any test fail, the entire test fails. When all the test pass, than the testing has past. Really this made my job a lot easier. Identifying what code has bugs is easy, knowing what the input is, what is expected and what failed is easy.

Now that unit testing is complete, integration testing can start. Life is good.