Tag Archives: oracle

Oracle Audit Vault Database Firewall 20.7 Adds TLS support

Here we’re just discussing Database Firewall! Oracle AVDF 20.7 now supports TLS. Here I’m using TLS Conn 1 and TLS Conn 2 to represent two distinct TLS connections. For database firewall to use this, the traffic must be decrypted at … Continue reading

Posted in infosec

Data spillage #quicktip

Statistics data, including the optimizer statistics history kept in the SYSAUX tablespace, contains real column values (each column's low and high value, and histogram endpoints). If you’re not using full database encryption, you have unencrypted data sitting outside the application tablespaces. In OCI, this is encrypted by default.
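To show what actually leaks, here is an added example (not from the original tip) that gathers statistics on a constructed table and then reads the stored column values back out of the dictionary views. The table, column names and rows are all made up for the demonstration; it only needs a schema that can create a table and gather its own statistics.

```sql
-- Added example, not the post's code. Table, columns and rows are constructed sample data.
CREATE TABLE patient_tst (
  patient_id NUMBER       PRIMARY KEY,
  ssn        VARCHAR2(11),
  last_name  VARCHAR2(40)
);

INSERT INTO patient_tst VALUES (1, '123-45-6789', 'Adams');
INSERT INTO patient_tst VALUES (2, '234-56-7890', 'Baker');
INSERT INTO patient_tst VALUES (3, '345-67-8901', 'Zimmer');
COMMIT;

-- Gather column statistics. The optimizer records the minimum and maximum value
-- it saw for every column; those rows live in the data dictionary and the
-- statistics history, not in the tablespace that holds PATIENT_TST.
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(
    ownname    => USER,
    tabname    => 'PATIENT_TST',
    method_opt => 'FOR ALL COLUMNS SIZE 1');
END;
/

-- Read the stored values back as text. LOW_VALUE/HIGH_VALUE are RAW; for
-- character columns they are just the bytes of the value (capped at 32 bytes).
SELECT c.column_name,
       UTL_RAW.CAST_TO_VARCHAR2(s.low_value)  AS low_value,
       UTL_RAW.CAST_TO_VARCHAR2(s.high_value) AS high_value
  FROM user_tab_col_statistics s
  JOIN user_tab_columns c
    ON c.table_name  = s.table_name
   AND c.column_name = s.column_name
 WHERE s.table_name = 'PATIENT_TST'
   AND c.data_type  = 'VARCHAR2'
 ORDER BY c.column_id;
```

The query returns the smallest and largest SSN and surname in clear text, without ever touching the application tablespace. Anyone who can read the SYSAUX or SYSTEM datafiles, or a backup of them, gets the same values, which is why tablespace-level or full database encryption has to cover the system tablespaces as well as the application ones.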

Posted in infosec

Oracle database security quick tip.

We’re going to discuss database parameters that, if not set correctly, give an attacker full access to the database.

Posted in infosec

There has been some changes. #Accenture #DatabaseSecurity #InfoSec

Life is busy and good. Some of y’all may already know, after almost thirty years of working for myself, I accepted a position with Accenture Enkitec Group as Technology Innovation Principal Director and the Global Lead for Database Security. … Continue reading

Posted in infosec

Oracle #JSON check constraint #quicktip

I came across an interesting problem, we are using JSON in one of our applications and have no control over the people sending us the JSON data. This has caused some issues with data quality. One thing we needed to … Continue reading
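One way to push that data-quality check down into the database, as an added example that is not the post's own code: an IS JSON check constraint in STRICT mode rejects lax syntax and duplicate keys, and a JSON_EXISTS constraint insists on the keys the application needs. The table name, the required keys and the sample payloads are assumptions made up for the demonstration.

```sql
-- Added example, not from the original post. Table, keys and payloads are constructed.
CREATE TABLE inbound_msg (
  msg_id  NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  payload CLOB,
  -- Reject anything that is not well-formed JSON, and be strict about it:
  -- no unquoted keys, no single-quoted strings, no duplicate keys in an object.
  CONSTRAINT inbound_msg_is_json
    CHECK (payload IS JSON (STRICT WITH UNIQUE KEYS)),
  -- Also insist on the keys the application actually depends on.
  CONSTRAINT inbound_msg_required_keys
    CHECK (JSON_EXISTS(payload, '$.customer_id') AND JSON_EXISTS(payload, '$.items'))
);

-- Accepted: strict syntax, unique keys, required keys present
INSERT INTO inbound_msg (payload)
VALUES ('{"customer_id": 42, "items": [{"sku": "A1", "qty": 2}]}');

-- Rejected by inbound_msg_is_json: duplicate key (a classic parser-differential trick)
INSERT INTO inbound_msg (payload)
VALUES ('{"customer_id": 42, "customer_id": 43, "items": [{"sku": "A1"}]}');

-- Rejected by inbound_msg_is_json: lax syntax, the key is not quoted
INSERT INTO inbound_msg (payload)
VALUES ('{customer_id: 42, "items": [{"sku": "A1"}]}');

-- Rejected by inbound_msg_required_keys: no customer_id at all
INSERT INTO inbound_msg (payload)
VALUES ('{"items": [{"sku": "A1"}]}');

COMMIT;
```

The point of doing this with constraints rather than in application code is that every path into the table gets the same check, including an ad hoc insert by a DBA or a second application nobody told you about. The duplicate-key rejection matters most: two parsers that disagree on which copy of a repeated key wins is exactly the kind of ambiguity an attacker goes looking for.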

Posted in Database Stuff

#Oracle Database Application #Security book is finally out. #infosec #encryption #audit #SecureCoding #PrivilegeAnalysis #OID #OAM #OIM

https://www.amazon.com/Oracle-Database-Application-Security-Directory/dp/1484253663/ref=sr_1_1?keywords=oracle+database+lockard&qid=1573050833&sr=8-1 It’s been a year-long process, and now the book has finally been released. There are a few things I would have written differently and a few other subjects I would have liked to cover. Perhaps that will come in … Continue reading

Posted in Audit, encryption, infosec, PL/SQL, Security, Trusted Path

A common #infosec error in @Oracle applications #DBA granted to application account

I’ve been doing this a long time, and there are two infosec errors that I keep seeing: granting DBA to an application account, and people logging in with the application account. The problem of granting DBA to an application account is compounded when people … Continue reading

Posted in infosec

Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java

Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU. The flaw is in the Oracle Java VM component of the database. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110 This is an easily exploited flaw that allows a user with low level … Continue reading

Posted in infosec, Security

Oracle Privilege analysis #Quicktip

Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I … Continue reading

Posted in infosec

Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath

Grab a cup of coffee or a cup of tea. This is not a short post; there is a lot to explain, and many points are repeated. You need to understand all the ins and outs of CBAC. However, once … Continue reading

Posted in Code Based Access Control, Database Stuff, infosec, PL/SQL, Security, Trusted Path

PGA Memory Operation Events

I’ve been working on putting together some performance tests for my secure coding talk coming up at Hotsos and encountered something I cannot quite explain. This test case does a bulk select into a type and returns the type … Continue reading

Posted in Database Stuff

Update to my earlier #quicktip on setting #plsql scope and warnings.

I noticed an error in my code for setting PLSCOPE_SETTINGS and PLSQL_WARNINGS. QuickTip Logon.sql What I did was get the instance name out of v$instance to figure out if I was connecting to a production environment or one of the lower environments. The … Continue reading

Posted in Database Stuff, Life of a Oracle DBA, PL/SQL

My upcoming Spring events @OracleACE #InfoSec

March 5 – 8: I will be speaking at the Hotsos Symposium in Dallas, Texas. https://www.hotsos.com/apex/f?p=200:61801:6152298924404 I will be showing how to secure your high-performance code. We will be looking at some coding standards, what common errors we are … Continue reading

Posted in Database Stuff

The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec

Let’s revisit a customer who was about to go through an IG Audit. There is one finding that always seems to come up. Default accounts with default passwords. I don’t care if the accounts are expired and locked, if the … Continue reading

Posted in infosec, PL/SQL, Security

What is it like on the Oracle User Group Speaking circuit?

This is how most of my trips start, a ride to the airport with my headset on. Listen to some easy listening music such as AC/DC or Iron Maiden to get me in the mood for travel. Once at the … Continue reading

Posted in Database Stuff

@Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL

In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability to mark a package, procedure, function, or type with the list of program units that are allowed to call it; a call from anywhere else fails at compile time. 12.2 gives us fine grained control over … Continue reading
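As an added illustration of both forms (this is not code from the post), the first package uses the 12.1 unit-level whitelist and the second uses the 12.2 subprogram-level one, so a single package can mix a freely callable helper with a procedure that only the API package may invoke. Package, procedure and table names are assumptions made up for the example.

```sql
-- Added example, not from the original post. All names are assumed; emp_tst is constructed.
CREATE TABLE emp_tst (employee_id NUMBER PRIMARY KEY, salary NUMBER);
INSERT INTO emp_tst VALUES (100, 5000);
COMMIT;

-- 12.1 style: the whole package is callable only from the listed units.
CREATE OR REPLACE PACKAGE pay_audit
  ACCESSIBLE BY (PACKAGE pay_api)
AS
  PROCEDURE note(p_msg IN VARCHAR2);
END pay_audit;
/
CREATE OR REPLACE PACKAGE BODY pay_audit AS
  PROCEDURE note(p_msg IN VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('audit: ' || p_msg);
  END;
END pay_audit;
/

-- 12.2 style: the restriction sits on one subprogram, the helper stays open.
CREATE OR REPLACE PACKAGE pay_internal AS
  FUNCTION  fmt_amount(p_amt IN NUMBER) RETURN VARCHAR2;        -- anyone may call
  PROCEDURE raise_salary(p_emp_id IN NUMBER, p_pct IN NUMBER)
    ACCESSIBLE BY (PACKAGE pay_api);                            -- whitelisted caller only
END pay_internal;
/
CREATE OR REPLACE PACKAGE BODY pay_internal AS
  FUNCTION fmt_amount(p_amt IN NUMBER) RETURN VARCHAR2 IS
  BEGIN
    RETURN TO_CHAR(p_amt, 'FM999G999G990D00');
  END;

  PROCEDURE raise_salary(p_emp_id IN NUMBER, p_pct IN NUMBER) IS
  BEGIN
    UPDATE emp_tst
       SET salary = salary * (1 + p_pct / 100)
     WHERE employee_id = p_emp_id;
  END;
END pay_internal;
/

-- The one unit on both whitelists.
CREATE OR REPLACE PACKAGE pay_api AS
  PROCEDURE annual_review(p_emp_id IN NUMBER);
END pay_api;
/
CREATE OR REPLACE PACKAGE BODY pay_api AS
  PROCEDURE annual_review(p_emp_id IN NUMBER) IS
  BEGIN
    pay_internal.raise_salary(p_emp_id, 3);   -- allowed: pay_api is whitelisted
    pay_audit.note('reviewed ' || p_emp_id);  -- allowed: same reason
  END;
END pay_api;
/

-- An anonymous block is not on either list, so this does not even compile
-- (PLS-00904: insufficient privilege to access object). The helper is unaffected.
BEGIN
  pay_internal.raise_salary(100, 50);
END;
/
SELECT pay_internal.fmt_amount(1234.5) FROM dual;
```

ACCESSIBLE BY is enforced when the calling unit is compiled, so it closes off the direct route from SQL*Plus, an anonymous block, or a freshly written package, regardless of what EXECUTE grants the session holds. It complements grants rather than replacing them: a caller still needs EXECUTE on pay_api, and anything pay_api exposes is reachable by whoever can call pay_api.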

Posted in Database Stuff, infosec, PL/SQL, Security, Trusted Path

#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first

The more you tell me, the more ways I can find to attack your system. All I need is one little SQL injection bug, and trust me, it is most likely there, you just don’t know it … Continue reading
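To make the "one little bug" concrete, here is an added example (not the author's code) with a deliberately injectable function next to its bound-variable replacement, plus the DBMS_ASSERT guard for the case where a table name really does have to be dynamic. The table, rows and function names are made up for the demonstration.

```sql
-- Added example, not from the original post. Table, rows and function names are constructed.
CREATE TABLE cust_tst (
  cust_id     NUMBER PRIMARY KEY,
  last_name   VARCHAR2(40),
  card_number VARCHAR2(19)
);
INSERT INTO cust_tst VALUES (1, 'Adams', '4111111111111111');
COMMIT;

-- VULNERABLE (kept injectable on purpose): caller input is glued into the statement text.
-- Because the function runs with definer's rights, the injected SQL executes with the
-- owning schema's privileges, which is where a DBA grant to the application turns a
-- boolean probe into a takeover.
CREATE OR REPLACE FUNCTION find_cust_bad(p_name IN VARCHAR2) RETURN NUMBER IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM cust_tst WHERE last_name = ''' || p_name || ''''
    INTO l_cnt;
  RETURN l_cnt;
END;
/

-- HARDENED: a bind variable carries the value; it can never change the statement's shape.
CREATE OR REPLACE FUNCTION find_cust_good(p_name IN VARCHAR2) RETURN NUMBER IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM cust_tst WHERE last_name = :name'
    INTO l_cnt USING p_name;
  RETURN l_cnt;
END;
/

-- Identifiers cannot be bound. When a table name must be dynamic, validate it first:
-- SQL_OBJECT_NAME raises ORA-44002 unless the argument names an existing object.
CREATE OR REPLACE FUNCTION count_rows(p_table IN VARCHAR2) RETURN NUMBER IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO l_cnt;
  RETURN l_cnt;
END;
/

-- The same payload against both: x' OR '1'='1
-- find_cust_bad sees   WHERE last_name = 'x' OR '1'='1'   and counts every row;
-- find_cust_good compares last_name to the literal string and counts none.
SELECT find_cust_bad('x'' OR ''1''=''1')  AS rows_bad,
       find_cust_good('x'' OR ''1''=''1') AS rows_good
  FROM dual;

SELECT count_rows('CUST_TST') AS ok FROM dual;
SELECT count_rows('CUST_TST WHERE 1=1 UNION ALL SELECT card_number FROM cust_tst') AS rejected FROM dual;
```

The last statement fails with ORA-44002 instead of running the attacker's query, which is the behaviour you want: reject, don't sanitise. Binds fix values, DBMS_ASSERT fixes identifiers, and neither helps if the code path that builds the string is the one you forgot about, so the audit question is "where does EXECUTE IMMEDIATE, DBMS_SQL or OPEN FOR appear with a concatenation in it".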

Posted in infosec, PL/SQL, Security, Trusted Path

Four things a developer can do now to improve their applications #infosec posture.

Let’s face it, we have deadlines to meet and millions of lines of code in production. I get it, I’ve been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using … Continue reading

Posted in infosec, PL/SQL, Security, Trusted Path

Four things a DBA can do now to improve their #infosec posture?

August 13, 2018: NOTE, UPDATE TO POST: THIS IS SPECIFIC TO Oracle 12.1 and below. In Oracle 12.2 and above you can convert an unencrypted tablespace to an encrypted tablespace in place. 1) When we start talking about securing information, the first thing that … Continue reading

Posted in Audit, encryption, infosec, Security, Trusted Path, VPD

#Oracle #Infosec Common Mistakes: Granting DBA to application schema

I keep seeing this common mistake: the application schema was granted DBA privileges. Here is the problem: when a SQL injection bug is found, every privilege in the DBA role is available to the attacker. The truth is, granting DBA to an … Continue reading
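The privilege analysis quick tip above starts from DBA_TAB_PRIVS and DBA_ROLE_PRIVS; the following added example (not the author's code) turns that into one query that walks every role a grantee holds, directly or through nested roles, and reports each route to a given object, including the "ANY TABLE" system privileges that the DBA role carries and that make object grants irrelevant. The grantee, owner and object in the bind variables are assumptions; it needs SELECT on the DBA_ views (SELECT_CATALOG_ROLE or equivalent).

```sql
-- Added example, not from the original posts. The three bind values are assumptions.
VARIABLE grantee   VARCHAR2(128)
VARIABLE obj_owner VARCHAR2(128)
VARIABLE obj_name  VARCHAR2(128)
EXEC :grantee := 'APP_USER'; :obj_owner := 'HR'; :obj_name := 'EMPLOYEES';

WITH role_tree (rolename, path, lvl) AS (
  -- roles granted directly to the user
  SELECT granted_role,
         CAST(grantee || ' -> ' || granted_role AS VARCHAR2(4000)),
         1
    FROM dba_role_privs
   WHERE grantee = :grantee
  UNION ALL
  -- roles granted to those roles, and so on down
  SELECT r.granted_role,
         CAST(t.path || ' -> ' || r.granted_role AS VARCHAR2(4000)),
         t.lvl + 1
    FROM role_tree t
    JOIN dba_role_privs r ON r.grantee = t.rolename
)
CYCLE rolename SET is_cycle TO 'Y' DEFAULT 'N'
-- 1. object privileges granted straight to the user
SELECT 'direct' AS via, p.privilege, p.grantable AS with_option,
       CAST(:grantee AS VARCHAR2(4000)) AS path
  FROM dba_tab_privs p
 WHERE p.grantee = :grantee AND p.owner = :obj_owner AND p.table_name = :obj_name
UNION ALL
-- 2. object privileges reached through any role in the tree
SELECT 'role', p.privilege, p.grantable, t.path
  FROM role_tree t
  JOIN dba_tab_privs p ON p.grantee = t.rolename
 WHERE t.is_cycle = 'N' AND p.owner = :obj_owner AND p.table_name = :obj_name
UNION ALL
-- 3. object privileges granted to PUBLIC, which every account inherits
SELECT 'public', p.privilege, p.grantable, CAST('PUBLIC' AS VARCHAR2(4000))
  FROM dba_tab_privs p
 WHERE p.grantee = 'PUBLIC' AND p.owner = :obj_owner AND p.table_name = :obj_name
UNION ALL
-- 4. system privileges that bypass object grants entirely (SELECT ANY TABLE, ...),
--    held directly or through a role; an application schema with DBA shows up here
--    with a path ending in '-> DBA'
SELECT 'system', s.privilege, s.admin_option, CAST(:grantee AS VARCHAR2(4000))
  FROM dba_sys_privs s
 WHERE s.grantee = :grantee AND s.privilege LIKE '%ANY TABLE'
UNION ALL
SELECT 'system', s.privilege, s.admin_option, t.path
  FROM role_tree t
  JOIN dba_sys_privs s ON s.grantee = t.rolename
 WHERE t.is_cycle = 'N' AND s.privilege LIKE '%ANY TABLE'
ORDER BY 1, 2, 4;
```

Two caveats when reading the output. A path through a role is only live in sessions where that role is enabled, so a non-default or password-protected role is a weaker route than a direct grant but still a route. And the "system" rows are the ones that matter for the DBA-to-application mistake: once SELECT ANY TABLE or its siblings appear for the application schema, revoking object grants on individual tables changes nothing, and the fix is to revoke the role and grant only what the code actually executes.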

Posted in infosec, Security

Questions you may want to start with when moving to the #cloud

Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer, and the data it holds is very sensitive to my customer’s customer. … Continue reading

Posted in Database Stuff, infosec, Security

As promised: here is the link to the slides for my chat with Steve.

Steve Feuerstein and I chat about Securing PL/SQL from SQL Injection. https://docs.google.com/presentation/d/1xAC-BKik-h08I_dTV2cHHba-xAdFkHRftjO1uAoj-wM/edit?usp=sharing Here is a link to the YouTube video of our chat.

Posted in Database Stuff

Demo code for Ghost Data in Indexes

NOTE: all demo data is fake. This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat. Start with dropping the old test … Continue reading
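Since the post's own demo code is cut off here, what follows is an added reconstruction of the 12.1-and-below approach referenced in the "Four things a DBA can do" update above: create an encrypted tablespace, move the table, rebuild its indexes into the same tablespace, and then prove nothing for the table is left in dat. This is not the author's script; the datafile paths, the tablespace name dat_enc, the index names and the rows are assumptions, and it requires an open TDE keystore.

```sql
-- Added example, not the post's demo. Paths, names and rows are constructed assumptions.
-- Starting point: the table and its indexes live in the unencrypted tablespace DAT.
CREATE TABLE customers_tst (
  cust_id     NUMBER,
  last_name   VARCHAR2(40),
  card_number VARCHAR2(19),
  CONSTRAINT customers_tst_pk PRIMARY KEY (cust_id) USING INDEX TABLESPACE dat
) TABLESPACE dat;
CREATE INDEX customers_tst_name ON customers_tst (last_name) TABLESPACE dat;
INSERT INTO customers_tst VALUES (1, 'Adams', '4111111111111111');  -- fake data
COMMIT;

-- Target: a tablespace whose datafile is encrypted on disk (keystore must be open).
CREATE TABLESPACE dat_enc
  DATAFILE '/u01/oradata/ORCL/dat_enc01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Moving the table re-writes its blocks into DAT_ENC and leaves every index UNUSABLE.
ALTER TABLE customers_tst MOVE TABLESPACE dat_enc;

-- This is the step people skip. An index is a second copy of the column values,
-- so rebuilding it in the old tablespace would leave the plaintext (the "ghost data")
-- exactly where it was. Rebuild into the encrypted tablespace instead.
ALTER INDEX customers_tst_pk   REBUILD TABLESPACE dat_enc;
ALTER INDEX customers_tst_name REBUILD TABLESPACE dat_enc;
-- LOB columns need their own move:
-- ALTER TABLE t MOVE LOB (lob_col) STORE AS (TABLESPACE dat_enc);

-- Verify: nothing belonging to the table should still live in DAT, and no index
-- should still be UNUSABLE.
SELECT segment_name, segment_type, tablespace_name
  FROM user_segments
 WHERE tablespace_name = 'DAT'
 ORDER BY segment_name;

SELECT index_name, status, tablespace_name
  FROM user_indexes
 WHERE table_name = 'CUSTOMERS_TST';

-- 12.2 and above can instead encrypt the existing tablespace in place while it is in use;
-- the table and indexes then stay where they are and no rebuild is needed:
-- ALTER TABLESPACE dat ENCRYPTION ONLINE USING 'AES256' ENCRYPT
--   FILE_NAME_CONVERT = ('dat01.dbf', 'dat01_enc.dbf');
```

Whichever route you take, the freed blocks in the original unencrypted datafile still contain the old plaintext until that file is overwritten or destroyed, so the last step of the migration is disposing of the old datafiles (and any backups of them) securely, not just dropping the tablespace.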

Posted in encryption, infosec, Security

Oracle DBA Interview tips: It’s not Rocket Science!

I have spent the past several weeks interviewing potential Senior Oracle DBAs. Two made the cut. Why did they make the cut? Most people did not make the cut. Why did they not make the cut? Who got hired? Why … Continue reading

Posted in Database Stuff, Life of a Oracle DBA

#infosec issues on moving to the #cloud #DBaaS

Last week I was at Oracle Cloud World working at the ODTUG booth. This gave me the opportunity to talk to a lot of people who are seriously looking at moving their environment to the cloud. While chatting with these … Continue reading

Posted in Database Stuff