Category Archives: Security
Transparent Data Encryption and Oracle Key Vault with Peter Wahl.
I had the pleasure of chatting with Peter Wahl, Oracle Principal Product Manager for Encryption and Secrets. He gives a great talk on Transparent Data Encryption and Oracle Key Vault.
#Oracle Database Application #Security book is finally out. #infosec #encryption #audit #SecureCoding #PrivilegeAnalysis #OID #OAM #OIM
https://www.amazon.com/Oracle-Database-Application-Security-Directory/dp/1484253663/ref=sr_1_1?keywords=oracle+database+lockard&qid=1573050833&sr=8-1 It's been a year-long process, and now the book has finally been released. There are a few things I would have written differently and a few other subjects I would have liked to cover. Perhaps that will come in …
Emerging Technology Security Day 2019
Between ongoing data breaches and emerging technologies constantly coming out, you need to ask the question: “Is my information secure?” On October 11th we will be hosting a security day with Oracle Corporation in Reston, Virginia. When: October 11, 2019 …
Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java
Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU. The exploit is in the Oracle Java VM. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110 This is an easily exploited flaw that allows a user with low-level …
Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath
Grab a cup of coffee or a cup of tea. This is not a short post; there is a lot to explain, and many points are repeated. You need to understand all the ins and outs of CBAC. However, once …
The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec
Let's revisit a customer who was about to go through an IG audit. There is one finding that always seems to come up: default accounts with default passwords. I don't care if the accounts are expired and locked; if the …
Five things that make me just want to scream. #Infosec
When evaluating the security of a database and/or the security of an application, there are a few things that will make me start pounding my head against my desk. What prompted this? A customer asked me to help evaluate a system …
Code Based Access Control, #securecoding #oracle #plsql #MultipleSchemas
You can download the full code from github.com: CBAC Simple. This example depends on the HR Demo schema being loaded. We will be building on this example over the next several months to present a full-blown application that includes …
#GDPR – RIGHT TO ACCESS. Security is a feature #3 Right to Access Part 1 of 2
The GDPR Right to Access can get a bit complicated, as it covers a few things that pose some challenges for us. What is the purpose of the processing? Let's face it, we process data on people for a number …
@Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL
In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability to mark a package, procedure, function, or type with what is allowed to call it. 12.2 gives us fine-grained control over …
PL/SQL Security Coding Practices. Introduction to a better architecture part 2
For this post, we are going to focus on definer's rights and invoker's rights. Most developers already know about these privilege modifiers, but sadly I rarely see them being used at customer sites. Key to understanding how to secure your …
PL/SQL Security Coding Practices. Introduction to a better architecture part 1.
I have been seeing this database architecture for over thirty years, and it's high time we stopped using it. Before I go too far, let me tell you I get it: you have pressure to get the application out the …
2017 European Security Tour, #Moscow, #London, #Paris, #Helsinki
My 2017 speaking schedule is starting out with a bang. My first stop will be in Moscow, Russia, where I am trying to arrange a short speaking engagement in conjunction with the Russia Oracle Users Group. Hopefully we can arrange …
#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first
The more you tell me, the more ways I can find to attack your system. All I need is one little SQL injection bug, and trust me, it is most likely there; you just don't know it …
Turn off the #http #listener in #Oracle #STIG
When locking down a database (applying STIGs), you need to check whether the listener is running HTTP. If you don't need the HTTP service, turn it off. Turning off HTTP will reduce the attack surface. Step 1) Is HTTP …
Four things a developer can do now to improve their applications #infosec posture.
Let's face it, we have deadlines to meet and millions of lines of code in production. I get it; I've been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using …
Four things a DBA can do now to improve their #infosec posture?
August 13, 2018: NOTE, UPDATE TO POST: this is specific to Oracle 12.1 and below. In Oracle 12.2 and above, you can change an unencrypted tablespace to an encrypted tablespace. 1) When we start talking about securing information, the first thing that …
#Oracle #Infosec Common Mistakes: Granting DBA to application schema
I keep seeing this common mistake: the application schema was granted DBA privileges. Here is the problem: when a SQL injection bug is found, all DBA commands are available to the attacker. The truth is, granting DBA to an …
Questions you may want to start with when moving to the #cloud
Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer, and the data it holds is very sensitive to my customer's customer. …
Demo code for Ghost Data in Indexes
NOTE: all demo data is fake. This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat. Start with dropping the old test …
#Oracle #Infosec #Datapump
If you are running a Data Pump export of your encrypted database and you do not specify encryption or encryption_password, the data will be stored in plain text. This will give you the ORA-39173 warning.
#Oracle #TDE Ghost Data Teaser
Here is a teaser for the Oracle Transparent Data Encryption presentation. We look at having an existing table with existing indexes. A policy comes out that says we need to encrypt SSNs and credit card numbers. Once we encrypt the …
Oracle #OTN #OPSEC #TMTT
Oracle Technology Network Two Minute Tech Tip. Oracle Transparent Data Encryption.
Oracle Transparent Data Encryption Baseline Practices webinar
I will be giving a webinar on Oracle Transparent Data Encryption Baseline Practices on August 27, 2015 at 3PM, sponsored by @odtug. Why “Baseline Practices?” Well, best practices do not seem to be working, so we are going to start improving …
#Oracle #TDE #dataleak #Histograms
While at #KSCOPE15, I was asked about encrypted data showing up in histograms. So I ran a few experiments and learned that encrypted data does indeed leak. I contacted Oracle through an old friend to get their input. Here is …