
Pete Finnigan's Oracle Security Forum > Oracle Security (Moderator: Pete Finnigan)
Topic: Open Oracle security standard (Read 3290 times)
Pete Finnigan
PeteFinnigan.com Administrator (Posts: 309)
Open Oracle security standard
« on: Sep 24th, 2005, 11:11pm »

Hi everyone,
 
I have just been talking about Mary Ann's comment from Oracle OpenWorld that she is working with NIST to see if an acceptable Oracle security standard can be designed / defined.
 
1 - Is this a good idea? - I think so.
2 - Has it already been done? - Yes, the CIS benchmark attempted to do this.
3 - Should it be done again and defined by the community? - Yes, I believe so.
 
I throw it to the floor for comments. Is it a good idea? Should it be defined by NIST? What about the CIS? I am willing to be involved wherever it is defined. I am also willing to host some effort here if anyone else is interested in joining in.
 
This site would be a good place to discuss and build an Open Standard for securing Oracle.  
 
I have installed mediawiki here (the link is not open yet) as it would be a good tool to use to develop a standard such as this.
 
What does everyone think?
 
cheers
 
Pete

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
isaez (Ivan)
PeteFinnigan.com Junior Member (Posts: 76)
Re: Open Oracle security standard
« Reply #1 on: Sep 26th, 2005, 1:42pm »

Pete,
 
I think it's a good idea to have an Oracle security standard defined. I would find it extremely useful if you had the option to choose a security standard when installing Oracle. Something like this:
 
Would you like to install Oracle with:
1) very secure definitions
2) secure definitions
3) normal secure definitions
4) limited secure definitions
 
1 being for (e.g.) banks and for everyone who thinks he needs the highest secure definitions. 4 being for play databases.
Now you try to implement security after installing Oracle: an ad-hoc process prone to errors and lacking a 'formal' basis.
With a standard you could refer to some document (the Oracle Security standard) to show customers, auditors, or your boss which threats you are addressing with your choice. It would make life so much easier for DBAs.
I don't know NIST so I can't comment on their capacity to define such a standard. I've played with the CIS benchmark but found it lacking in argumentation: why do they choose/recommend some actions? No argumentation. If you tell people to do a thing without explaining to them why, then in my opinion it can't work. Its advice is here and there security-by-obscurity, and the general opinion in security land is that s-b-o doesn't work. Nonetheless there are very good things in the CIS benchmark.
Involvement of the Oracle community is very important. Acceptance of a standard is greater if everyone has the opportunity to be involved in the making of it, or at least be able to follow the process, discussions, and arguments leading to the standard. If the standard is left to Oracle and the NIST only, then I suppose that in a short time we will have an American standard, a British standard, a French one, etc.

I've no experience with designing standards but would like to collaborate as much as possible.
 
regards,
 
Ivan
Pete Finnigan
PeteFinnigan.com Administrator (Posts: 309)
Re: Open Oracle security standard
« Reply #2 on: Sep 26th, 2005, 6:30pm »

Hi Ivan,
 
Thanks for your great comments. I had a long discussion also last night with Alex about this. I hope he has time to enumerate some of his ideas here as well.
 
I believe that an open (open source/creative commons) Oracle security standard is needed by everyone and that for it to be useful and valuable to the community, the community needs to help develop it.

The CIS benchmark was mostly created by a small committee so does not have the benefit of community review. Also, I am not certain, but I think you need to be a member to use it on other people's databases.

I think there are a number of levels to an Oracle security standard, as you have described. Some users need eminently more secure databases than others. Also there are a couple of classes of issues: bugs (and patch fixes) and configuration issues (e.g. installation of features and configuration, access controls and privileges, etc.).

What would be useful is a standard based on securing known configuration issues and access control and privilege issues. What I think would not be useful is the constant chasing of new bugs and vulnerabilities (not in the case of a standard), as these inevitably get fixed by a patch.

The danger for the rest of us with a NIST/Oracle created standard is that it is closed (in creation) and is designed to suit the wishes of Oracle and NIST, not the wishes of the community, or maybe NIST would ensure that would be the case.
 
I think an open standard is a great idea though!
 
cheers
 
Pete