Tag Archives: infosec

Interview with #Oracle ACE Director, OCM, and member of the Oak Table Network Kamil Stawiarski

Kamil is passionate about IT, Oracle Databases, and information security. Kamil will be talking about how he got into IT, what challenges he’s facing, and what it takes to succeed. Tune in Friday March 27th at 1430 (GMT-5)

Posted in infosec | Tagged , , , , , , , | Leave a comment

#Oracle Database Application #Security book is finally out. #infosec #encryption #audit #SecureCoding #PrivilegeAnalysis #OID #OAM #OIM

https://www.amazon.com/Oracle-Database-Application-Security-Directory/dp/1484253663/ref=sr_1_1?keywords=oracle+database+lockard&qid=1573050833&sr=8-1 It’s been a year long process now the book is finally been released. There are a few things I would have written different and a few other subjects I would have liked to cover. Perhaps that will come in … Continue reading

Posted in Audit, encryption, infosec, PL/SQL, Security, Trusted Path | Tagged , , , , , , , | Leave a comment

Secure your insecure information

Make sure your private information is not exposed. Your disk still has all your information even if you delete the data. When you delete information from your disk, what happens is the index pointing to your data is deleted, your … Continue reading

Posted in infosec | Tagged | Leave a comment

A common #infosec error in @Oracle applications #DBA granted to application account

I’ve been doing this a long time, and there two infosec errors that I keep seeing. Granting DBA to an application and people using the application account. The problem of granting DBA to an application account is compounded when people … Continue reading

Posted in infosec | Tagged , , | Leave a comment

Blockchain A Primer

Us technical nerds have a way of talking to each other, mostly we understand each other, sometimes we don’t and frequently we throw out buzzwords, thinking everyone must know what we’re talking about. This paper is going to address the … Continue reading

Posted in infosec | Tagged , , , , , , , | Leave a comment

Upcoming Talks

POUG: 7-8.09.2018 (booked) PL/SQL Secure Coding Practices ECOUG: 18-19.09.2018 (booked) Holistic Database Security BGOUG: 16-18.11.2018 (planned) Blockchain a primer. There is a lot of confusion about the blockchain. Blockchain is not crypto currency, block chain is the one part of the … Continue reading

Posted in infosec | Tagged , , , , | Leave a comment

Oracle Privilege analysis #Quicktip

Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I … Continue reading

Posted in infosec | Tagged , , , | Leave a comment

Common mistake when loading data into an #encrypted database.

There is a mistake that I’m seeing frequently. Loading a raw data file into an encrypted database then leaving the data file on an unencrypted device. After loading the data into the database; if you don’t need the data file … Continue reading

Posted in infosec | Tagged , , | Leave a comment

Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath

Grab a cup of coffee or a cup of tea. This is not a short post; There is a lot to explain, and many point are repeated. You need to understand all the in’s and out’s of CBAC. However; once … Continue reading

Posted in Code Based Access Control, Database Stuff, infosec, PL/SQL, Security, Trusted Path | Tagged , , , , , , | Leave a comment

That’s a really bad idea #audit #infosec #fraud #financialfraud

I’m not even sure how to approach talking about this. One customer with a complex application that is both financial and regulatory was given a backdoor into the system to manually make changes to data without audit or validation. To … Continue reading

Posted in Database Stuff | Tagged , , , | Leave a comment

My upcoming Spring events @OracleACE #InfoSec

March 5 – 8: I will be speaking at the Hotsos Symposium in Dallas Texas. https://www.hotsos.com/apex/f?p=200:61801:6152298924404 I will be showing how to secure your high performance code. We will be looking at some coding standards, what common errors we are … Continue reading

Posted in Database Stuff | Tagged , , , , , , , , , , | Leave a comment

The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec

Let’s revisit a customer who was about to go through an IG Audit. There is one finding that always seems to come up. Default accounts with default passwords. I don’t care if the accounts are expired and locked, if the … Continue reading

Posted in infosec, PL/SQL, Security | Tagged , , , , , , | Leave a comment

Yet another breach through #SQLInjection

The following quote bothered me a lot. “No amount of best practices or prohibitive steps is going to stop a determined hacker.” While this is a true statement, what it leaves out is if you make it difficult by securing the … Continue reading

Posted in Database Stuff | Tagged , , | Leave a comment

@Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL

In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability mark a package, procedure, function, or type with what was allowed to call it. 12.2 gives us fine grained control over … Continue reading

Posted in Database Stuff, infosec, PL/SQL, Security, Trusted Path | Tagged , , , | Comments Off on @Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL

PL/SQL Security Coding Practices. Introduction to a better architecture part 1.

I have been seeing this database architecture for over thirty years and it’s high time we stopped using it. Before I go too far, let me tell you I get it, you have pressure to get the application out the … Continue reading

Posted in infosec, Security, Trusted Path | Tagged , , , | Leave a comment

#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first

The more you tell me, the more ways I can find I can find to attack your system. All I need is one little sql injection bug and trust me, it is most likely there, you just don’t know it … Continue reading

Posted in infosec, PL/SQL, Security, Trusted Path | Tagged , , | Leave a comment

Four things a developer can do now to improve their applications #infosec posture.

Lets face it, we have deadlines to meet and millions of lines of code in production. I get it, I’ve been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using … Continue reading

Posted in infosec, PL/SQL, Security, Trusted Path | Tagged , , | Leave a comment

Four things a DBA can do now to improve their #infosec posture?

August 13, 2018: NOTE UPDATE TO POST THIS IS SPECIFIC TO Oracle 12.1 and bellow. Oracle 12.2 and above, you can change an unencrypted tablespace to an encrypted tablespace. 1) When we start talking about securing information, the first thing that … Continue reading

Posted in Audit, encryption, infosec, Security, Trusted Path, VPD | Tagged , , , | Leave a comment

#Oracle #Infosec Common Mistakes: Granting DBA to application schema

I’m keep seeing this common mistake; The application schema was granted DBA privileges. Here is the problem, when a sql injection bug is found, then all DBA commands are available to the attacker. The truth is, granting DBA to an … Continue reading

Posted in infosec, Security | Tagged , | Leave a comment

Questions you may want to start with when moving to the #cloud

Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer and the data it holds is very sensitive to my customers customer. … Continue reading

Posted in Database Stuff, infosec, Security | Tagged , , , | Leave a comment

As promised: here is the link to the slides for my chat with Steve.

Steve Feuerstein and I chat about Securing PL/SQL from SQL Injection. https://docs.google.com/presentation/d/1xAC-BKik-h08I_dTV2cHHba-xAdFkHRftjO1uAoj-wM/edit?usp=sharing Here is a link to the youtube video of our chat.  

Posted in Database Stuff | Tagged , , | Leave a comment

Demo code for Ghost Data in Indexes

NOTE: all demo data is fake. This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat. start with dropping the old test … Continue reading

Posted in encryption, infosec, Security | Tagged , , , | Leave a comment

#infosec issues on moving to the #cloud #DBaaS

Last week I was at Oracle Cloud World working at the ODTUG booth. This gave me the opportunity to talk to a lot of people who are seriously looking at moving their environment to the cloud. While chatting with these … Continue reading

Posted in Database Stuff | Tagged , , , | Leave a comment

#Oracle #Infosec #Datapump

If you are running a data pump export of your encrypted database and you do not specify encryption or encryption_password then the data will be stored in plain text.  This will give you the ORA-39173 warning.

Posted in Database Stuff, Security | Tagged , , | Leave a comment