Author Archives: rlockard

PL/SQL Security Coding Practices. Introduction to a better architecture part 1.

I have been seeing this database architecture for over thirty years and it’s high time we stopped using it. Before I go too far, let me tell you, I get it: you have pressure to get the application out the …

Posted in infosec, Security, Trusted Path

2017 European Security Tour, #Moscow, #London, #Paris, #Helsinki

My 2017 speaking schedule is starting out with a bang. My first stop will be in Moscow, Russia, where I am trying to arrange a short speaking engagement in conjunction with the Russia Oracle Users Group. Hopefully we can arrange …

Posted in Database Stuff, infosec, PL/SQL, Security

#Hacking The Human Brain

The Hacking the Human Brain presentation is coming together. We are going to have a lot of fun in this one. We have programmed our brains with a lot of bullshit rules, so we need to question all the rules in …

Posted in Database Stuff

#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first

The more you tell me, the more ways I can find to attack your system. All I need is one little SQL injection bug and, trust me, it is most likely there, you just don’t know it …

Posted in infosec, PL/SQL, Security, Trusted Path

November is going to be a busy month. #ECOUG and #BGOUG

I stopped tracking the miles I fly years ago. It seems every other month I’m in another timezone at a conference, learning from the best in the industry. Well, in November I will be fortunate to stay in my …

Posted in Oracle Users Group

Security in the cloud. #Snowflake #infosec

I recently had the opportunity to look at Snowflake’s security model. This is what I think: http://www.snowflake.net/blog/data-safe-cloud

Posted in Database Stuff

Turn off the #http #listener in #Oracle #STIG

When locking down a database (applying STIGs), you need to check whether the listener is running HTTP. If you don’t need the HTTP service, turn it off. Turning off HTTP will reduce the attack surface. Step 1) Is HTTP …

Posted in infosec, Life of a Oracle DBA, Security, Trusted Path

#infosec #Oracle #Migration #Encryption #2MTT

I have seen this twice in the past week. A customer requirement is to migrate their Oracle database to a new server, and they want encryption implemented. The steps defined in the request are Migrate, then Encrypt. This is backwards. You …

Posted in Database Stuff

You can use #sqlcl with #mkstore

I was struggling last week getting mkstore and sqlcl to work together. sqlcl is Oracle’s new command line interface. For more on sqlcl see http://www.oracle.com/technetwork/issue-archive/2015/15-sep/o55sql-dev-2692807.html. I have been using sqlcl almost exclusively for the past year and love it. I …

Posted in Database Stuff, encryption, infosec

#phishing #infosec short post

Phishing has gotten more sophisticated over the years. Spelling and grammar have gotten better, making phishing attempts more difficult to spot. There are some out there who did not get the memo and are very easy to spot. You still need to …

Posted in Database Stuff

An enhancement I would love to see in Business class lounges. @aeroflot @icelandair @AmericanAir @KLM @airfrance @british_airways

It goes without saying I spend way too much time traveling and, fortunately, most of the time I can fly myself in my 1948 Navion when the hop is less than 1,000 nautical miles. Now, quite frankly, I love the …

Posted in Database Stuff

Upcoming speaking engagements two confirmed #oow16 #ecoug16 three waiting #bgoug, #rmoug and ???

The fall is filling out fast. I will be speaking at Oracle Open World 2016 on Holistic Database Security. Then speaking in November at the East Coast Oracle User Group on Holistic Database Security. I currently have papers in to …

Posted in Database Stuff

Four things a developer can do now to improve their applications #infosec posture.

Let’s face it, we have deadlines to meet and millions of lines of code in production. I get it, I’ve been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using …

Posted in infosec, PL/SQL, Security, Trusted Path

Four things a DBA can do now to improve their #infosec posture?

August 13, 2018: NOTE UPDATE TO POST. THIS IS SPECIFIC TO Oracle 12.1 and below. In Oracle 12.2 and above, you can change an unencrypted tablespace to an encrypted tablespace. 1) When we start talking about securing information, the first thing that …

Posted in Audit, encryption, infosec, Security, Trusted Path, VPD

#Oracle #Infosec Common Mistakes: Granting DBA to application schema

I keep seeing this common mistake: the application schema was granted DBA privileges. Here is the problem: when a SQL injection bug is found, all DBA commands are available to the attacker. The truth is, granting DBA to an …

Posted in infosec, Security

Questions you may want to start with when moving to the #cloud

Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer, and the data it holds is very sensitive to my customer’s customer. …

Posted in Database Stuff, infosec, Security

As promised: here is the link to the slides for my chat with Steve.

Steve Feuerstein and I chat about Securing PL/SQL from SQL Injection. https://docs.google.com/presentation/d/1xAC-BKik-h08I_dTV2cHHba-xAdFkHRftjO1uAoj-wM/edit?usp=sharing Here is a link to the YouTube video of our chat.

Posted in Database Stuff

Demo code for Ghost Data in Indexes

NOTE: all demo data is fake. This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat. Start with dropping the old test …

Posted in encryption, infosec, Security

Oracle DBA Interview tips: It’s not Rocket Science!

I have spent the past several weeks interviewing potential Senior Oracle DBAs. Two made the cut. Why did they make the cut? Most people did not make the cut. Why did they not make the cut? Who got hired? Why …

Posted in Database Stuff, Life of a Oracle DBA

#infosec issues on moving to the #cloud #DBaaS

Last week I was at Oracle Cloud World working at the ODTUG booth. This gave me the opportunity to talk to a lot of people who are seriously looking at moving their environment to the cloud. While chatting with these …

Posted in Database Stuff

#Oracle #Infosec #Datapump

If you are running a Data Pump export of your encrypted database and you do not specify encryption or encryption_password, then the data will be stored in plain text. This will give you the ORA-39173 warning.

Posted in Database Stuff, Security

#sqldev #outline

Do you spend a lot of time in SQL Developer working on your very large package? Have a look at the quick outline from Jeff Smith of Oracle SQL Developer fame. Besides being a great Product Manager (hey Uncle Larry, give …

Posted in Database Stuff

My recommendations for making 2016 insanely successful.

We all make New Year’s resolutions, but frequently we wind up abandoning them. So make a list of what you want to accomplish. I carry around with me a notebook that I am constantly writing in. What is my top …

Posted in Database Stuff

2015 #InfoSec in review. We get a big fat “F”

We are stewards of our customers’ data and need to do better. <OPINION> I would give us a big fat “F” for data security in 2015.</OPINION> What happened and what needs to be improved? We saw weak passwords, lack of …

Posted in Database Stuff, infosec

#infosec RSA Encryption Explained

One of my favorite channels on YouTube, Numberphile, explains RSA encryption better than I could.

Posted in Database Stuff