Tag Archives: oracle
Oracle Audit Vault Database Firewall 20.7 Adds TLS support
Here we’re just discussing Database Firewall! Oracle AVDF 20.7 now supports TLS. Here I’m using TLS Conn 1 and TLS Conn 2 to represent two distint TLS connections. For database firewall to use this, the traffic must be decrypted at … Continue reading
Data spillage #quicktip
Statistics data is stored in the sysaux tablespace, if you’re not using full database encryption, then you have unencrypted data. In OCI, this is encrypted by default.
Oracle database security quick tip.
We’re going to be discussing database parameters that if not set correctly, it will allow hackers full access to the database.
There has been some changes. #Accenture #DatabaseSecurity #InfoSec
Life is busy and good; new Some of y’all may already know, after almost thirty years of working for myself, I accepted a position with Accenture Enkitec Group as Technology Innovation Principal Director and the Global Lead for Database Security. … Continue reading
Oracle #JSON check constraint #quicktip
I came across an interesting problem, we are using JSON in one of our applications and have no control over the people sending us the JSON data. This has caused some issues with data quality. One thing we needed to … Continue reading
#Oracle Database Application #Security book is finally out. #infosec #encryption #audit #SecureCoding #PrivilegeAnalysis #OID #OAM #OIM
https://www.amazon.com/Oracle-Database-Application-Security-Directory/dp/1484253663/ref=sr_1_1?keywords=oracle+database+lockard&qid=1573050833&sr=8-1 It’s been a year long process now the book is finally been released. There are a few things I would have written different and a few other subjects I would have liked to cover. Perhaps that will come in … Continue reading
A common #infosec error in @Oracle applications #DBA granted to application account
I’ve been doing this a long time, and there two infosec errors that I keep seeing. Granting DBA to an application and people using the application account. The problem of granting DBA to an application account is compounded when people … Continue reading
Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java
Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU patch. The exploit is in the Oracle Java VM. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110 This is an easily exploited flaw, that allows a user with low level … Continue reading
Oracle Privilege analysis #Quicktip
Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I … Continue reading
Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath
Grab a cup of coffee or a cup of tea. This is not a short post; There is a lot to explain, and many point are repeated. You need to understand all the in’s and out’s of CBAC. However; once … Continue reading
PGA Memory Operation Events
I’ve been working on putting together some performance test for my secure coding talk coming up at Hotsos and encountered something I can not quite explain. This test case does a bulk select into a type and returns the type … Continue reading
Update to my earlier #quicktip on setting #plsql scope and warnings.
I noticed a error in my code for setting PLSCOPE_SETTINGS and PLSQL_WARNINGS. QuicTip Logon.sql What I did was get the instance name out of v$instance to figure out if I was connecting to a production environment or one of the lower environments. The … Continue reading
My upcoming Spring events @OracleACE #InfoSec
March 5 – 8: I will be speaking at the Hotsos Symposium in Dallas Texas. https://www.hotsos.com/apex/f?p=200:61801:6152298924404 I will be showing how to secure your high performance code. We will be looking at some coding standards, what common errors we are … Continue reading
The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec
Let’s revisit a customer who was about to go through an IG Audit. There is one finding that always seems to come up. Default accounts with default passwords. I don’t care if the accounts are expired and locked, if the … Continue reading
What is it like on the Oracle User Group Speaking circuit?
This is how most of my trips start, a ride to the airport with my headset on. Listen to some easy listening music such as AC/DC or Iron Maiden to get me in the mood for travel. Once at the … Continue reading
@Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL
In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability mark a package, procedure, function, or type with what was allowed to call it. 12.2 gives us fine grained control over … Continue reading
#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first
The more you tell me, the more ways I can find I can find to attack your system. All I need is one little sql injection bug and trust me, it is most likely there, you just don’t know it … Continue reading
Four things a developer can do now to improve their applications #infosec posture.
Lets face it, we have deadlines to meet and millions of lines of code in production. I get it, I’ve been a working PL/SQL developer off and on for over 20 years. If we get into the habit of using … Continue reading
Four things a DBA can do now to improve their #infosec posture?
August 13, 2018: NOTE UPDATE TO POST THIS IS SPECIFIC TO Oracle 12.1 and bellow. Oracle 12.2 and above, you can change an unencrypted tablespace to an encrypted tablespace. 1) When we start talking about securing information, the first thing that … Continue reading
#Oracle #Infosec Common Mistakes: Granting DBA to application schema
I’m keep seeing this common mistake; The application schema was granted DBA privileges. Here is the problem, when a sql injection bug is found, then all DBA commands are available to the attacker. The truth is, granting DBA to an … Continue reading
Questions you may want to start with when moving to the #cloud
Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer and the data it holds is very sensitive to my customers customer. … Continue reading
As promised: here is the link to the slides for my chat with Steve.
Steve Feuerstein and I chat about Securing PL/SQL from SQL Injection. https://docs.google.com/presentation/d/1xAC-BKik-h08I_dTV2cHHba-xAdFkHRftjO1uAoj-wM/edit?usp=sharing Here is a link to the youtube video of our chat.
Demo code for Ghost Data in Indexes
NOTE: all demo data is fake. This is the demo code for encrypting data where there is an existing index. We are starting with a table customers_tst that is in the unencrypted tablespace dat. start with dropping the old test … Continue reading
Oracle DBA Interview tips: It’s not Rocket Science!
I have spent the past several weeks interviewing potential Senior Oracle DBAs. Two made the cut. Why did they make the cut? Most people did not make the cut. Why did they not make the cut? Who got hired? Why … Continue reading
#infosec issues on moving to the #cloud #DBaaS
Last week I was at Oracle Cloud World working at the ODTUG booth. This gave me the opportunity to talk to a lot of people who are seriously looking at moving their environment to the cloud. While chatting with these … Continue reading