Tag Archives: infosec
Oracle Audit Vault Database Firewall 20.7 Adds TLS support
Here we’re just discussing Database Firewall! Oracle AVDF 20.7 now supports TLS. Here I’m using TLS Conn 1 and TLS Conn 2 to represent two distint TLS connections. For database firewall to use this, the traffic must be decrypted at … Continue reading
Data spillage #quicktip
Statistics data is stored in the sysaux tablespace, if you’re not using full database encryption, then you have unencrypted data. In OCI, this is encrypted by default.
Oracle database security quick tip.
We’re going to be discussing database parameters that if not set correctly, it will allow hackers full access to the database.
Interview with #Oracle ACE Director, OCM, and member of the Oak Table Network Kamil Stawiarski
Kamil is passionate about IT, Oracle Databases, and information security. Kamil will be talking about how he got into IT, what challenges he’s facing, and what it takes to succeed. Tune in Friday March 27th at 1430 (GMT-5)
#Oracle Database Application #Security book is finally out. #infosec #encryption #audit #SecureCoding #PrivilegeAnalysis #OID #OAM #OIM
https://www.amazon.com/Oracle-Database-Application-Security-Directory/dp/1484253663/ref=sr_1_1?keywords=oracle+database+lockard&qid=1573050833&sr=8-1 It’s been a year long process now the book is finally been released. There are a few things I would have written different and a few other subjects I would have liked to cover. Perhaps that will come in … Continue reading
Schema Only Accounts. #infosec #DatabaseSecurity
Schema only accounts. There is no good reason for anyone to connect to an application schema as the owner. In Oracle 18c, we now have schema only accounts. Okay, I had to double check if this was available on 12c … Continue reading
Secure your insecure information
Make sure your private information is not exposed. Your disk still has all your information even if you delete the data. When you delete information from your disk, what happens is the index pointing to your data is deleted, your … Continue reading
A common #infosec error in @Oracle applications #DBA granted to application account
I’ve been doing this a long time, and there two infosec errors that I keep seeing. Granting DBA to an application and people using the application account. The problem of granting DBA to an application account is compounded when people … Continue reading
Blockchain A Primer
Us technical nerds have a way of talking to each other, mostly we understand each other, sometimes we don’t and frequently we throw out buzzwords, thinking everyone must know what we’re talking about. This paper is going to address the … Continue reading
POUG: 7-8.09.2018 (booked) PL/SQL Secure Coding Practices ECOUG: 18-19.09.2018 (booked) Holistic Database Security BGOUG: 16-18.11.2018 (planned) Blockchain a primer. There is a lot of confusion about the blockchain. Blockchain is not crypto currency, block chain is the one part of the … Continue reading
Oracle Privilege analysis #Quicktip
Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I … Continue reading
Common mistake when loading data into an #encrypted database.
There is a mistake that I’m seeing frequently. Loading a raw data file into an encrypted database then leaving the data file on an unencrypted device. After loading the data into the database; if you don’t need the data file … Continue reading
Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath
Grab a cup of coffee or a cup of tea. This is not a short post; There is a lot to explain, and many point are repeated. You need to understand all the in’s and out’s of CBAC. However; once … Continue reading
That’s a really bad idea #audit #infosec #fraud #financialfraud
I’m not even sure how to approach talking about this. One customer with a complex application that is both financial and regulatory was given a backdoor into the system to manually make changes to data without audit or validation. To … Continue reading
My upcoming Spring events @OracleACE #InfoSec
March 5 – 8: I will be speaking at the Hotsos Symposium in Dallas Texas. https://www.hotsos.com/apex/f?p=200:61801:6152298924404 I will be showing how to secure your high performance code. We will be looking at some coding standards, what common errors we are … Continue reading
The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec
Let’s revisit a customer who was about to go through an IG Audit. There is one finding that always seems to come up. Default accounts with default passwords. I don’t care if the accounts are expired and locked, if the … Continue reading
Yet another breach through #SQLInjection
The following quote bothered me a lot. “No amount of best practices or prohibitive steps is going to stop a determined hacker.” While this is a true statement, what it leaves out is if you make it difficult by securing the … Continue reading
@Oracle 18.104.22.168 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL
In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability mark a package, procedure, function, or type with what was allowed to call it. 12.2 gives us fine grained control over … Continue reading
PL/SQL Security Coding Practices. Introduction to a better architecture part 1.
I have been seeing this database architecture for over thirty years and it’s high time we stopped using it. Before I go too far, let me tell you I get it, you have pressure to get the application out the … Continue reading
#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first
The more you tell me, the more ways I can find I can find to attack your system. All I need is one little sql injection bug and trust me, it is most likely there, you just don’t know it … Continue reading
Four things a developer can do now to improve their applications #infosec posture.
Lets face it, we have deadlines to meet and millions of lines of code in production. I get it, I’ve been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using … Continue reading
Four things a DBA can do now to improve their #infosec posture?
August 13, 2018: NOTE UPDATE TO POST THIS IS SPECIFIC TO Oracle 12.1 and bellow. Oracle 12.2 and above, you can change an unencrypted tablespace to an encrypted tablespace. 1) When we start talking about securing information, the first thing that … Continue reading
#Oracle #Infosec Common Mistakes: Granting DBA to application schema
I’m keep seeing this common mistake; The application schema was granted DBA privileges. Here is the problem, when a sql injection bug is found, then all DBA commands are available to the attacker. The truth is, granting DBA to an … Continue reading
Questions you may want to start with when moving to the #cloud
Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer and the data it holds is very sensitive to my customers customer. … Continue reading
As promised: here is the link to the slides for my chat with Steve.
Steve Feuerstein and I chat about Securing PL/SQL from SQL Injection. https://docs.google.com/presentation/d/1xAC-BKik-h08I_dTV2cHHba-xAdFkHRftjO1uAoj-wM/edit?usp=sharing Here is a link to the youtube video of our chat.