What do you do in a situation where you are developing with a low-code or no-code framework like Oracle Application Express where there effectively is no source code to scan? The answer is, "it depends."
AntiVirus for my Database Server? – Part 2
Two years ago I had seen a couple of Oracle Community and AskTom posts about installing anti-virus software on Oracle database servers that prompted me to write my original article. Recently I have seen more people asking the same question, and have come across at least one additional deployment scenario in my work that I had not previously considered, so I thought I would revise my article to include it...
Shared Application Accounts Revisited
There have been enhancements added that make setting up proxy access even simpler, and the subject is still timely.
What’s in a Supported Configuration?
In the last year or so I have noticed more than a few posts in various forums that run along the lines of "how do I install Oracle on [insert random operating system here]".
What Problem Are You Trying to Solve?
I've been spending a fair amount of time in forums like Stack Overflow, DBA Stack Exchange, and the Oracle Community forums, and I've seen a number of similar questions pop up in the last several months. They all go along the lines of, "Our security auditor said we need to do this thing, but we …
Who Do You Trust?
I've been spending a lot more time recently on various user and developer forums. I find that I'm learning (or remembering) a lot, just by reviewing other people's questions and doing a bit of research to find the answer if I don't know it off the top of my head. Trying to answer other people's …
Community Involvement
I believe it is important to be involved in the greater technical community. This is a summary of my recent community forum activity on dba.stackexchange.com. I am also active in stackoverflow.com, serverfault.com, security.stackexchange.com, and community.oracle.com. I encourage anyone reading this to participate in these communities as well: share your knowledge and experience with those who …
Five Thoughts on Oracle Security
Five different security-related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.
Every Which Way But Loose
Rather than a one-size-fits-all solution - trying to handle everything through a Virtual Private Database policy - a proper security plan involves the use of a variety of techniques, each with their own place in the model. #oracle #vpd #security #roles #plsql #privileges #constraints
DBA Appreciation Day
I just found out that someone (clearly a genius) has decided that the first Friday in July should be DBA Appreciation Day.
How To Do It In Parallel
I just came across an interesting question on the Stack Exchange forum, where a user was asking how to execute a set of PL/SQL procedures in parallel with each other. There really isn't a construct in PL/SQL to accomplish this. That is not to say that it can't be done, however...
Password Strength Revisited
This is an update to one of my very first posts, bringing it up to date to reflect current password verification techniques for Oracle 19c.
Top STIG – Part 6 (OS Accounts)
The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. …
Top STIG – Part 5 (Default Passwords)
One of the most common attack vectors for any hacker is checking to see if you have reset default passwords on service and administrator accounts. Almost every piece of hardware or software comes with some default way to log in the first time, and a lot of people are really bad at changing those credentials to be more secure. Oracle databases and DBAs are no exception...
Top STIG – Part 4 (Encrypted Transmission and PKI)
Part 4 of this series on top STIG controls takes a look at the encryption of data in motion and the use of Public Key Infrastructure (PKI).
Top STIG – Part 3 (Software Support)
The next CAT I STIG control in this series is less technical and more about policy. Like all of the others, however, it requires the DBA to be aware of things beyond their immediate day-to-day workload, and involved in the planning, design, and development of the system technology stack...
Top STIG – Part 2 (Obscuring Credentials)
Applications must obscure feedback of authentication information; when using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
Top STIG – Part 1 (Local Authentication)
In this post I'm going to start going over the Database STIG CAT I vulnerabilities in a little more detail. The first two relate to database initialization parameters and authentication.
Well That’s Random…
Increasingly we are asked to provide more secure passwords for accounts of all kinds. As I have written previously, because coming up with new ones that meet all complexity requirements can be a real pain, I try to avoid passwords whenever possible in favor of PKE authentication. Sometimes, however, they are unavoidable.
Oracle 12c Database STIG Breakdown
This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...
What the Cloud Can’t Do
A lot of things are possible in the cloud, but not everything. A couple of technologies in particular that might seem common in on-premises systems are nearly impossible to deploy in the cloud. The first is the idea of multiple networks. Many systems are deployed around the idea that there is a common, “public” …
Auditing by the Numbers
There are over 60 controls in the DISA Oracle 12c Database Security Technical Implementation Guide (STIG) that contain the word "audit" or "auditing"...
How To Complete a STIG Review
The simplest way to complete a DISA Security Technical Implementation Guide (STIG) review is to start at the beginning of the checklist and work through it, one control item at a time. As you read each control, the information will be broken down into several distinct areas: metadata, content, and findings. Each control has metadata …
FIPS is a Four Letter Word
FIPS is a four letter word. It is also a source of some confusion when it comes to the Oracle database and DISA STIG compliance, which I will attempt to sort out to the best of my ability in this post.
code-obfuscation-toolkit
The code-obfuscation-toolkit allows you to obfuscate the source code of a variety of stored programs, including procedures, functions, package bodies, and type bodies. When wrapping an object, to further obfuscate the original code in the event that it is ever unwrapped, all comments and line breaks can also be removed.