Oracle Security Consulting Services
PeteFinnigan.com Limited offer a variety of Oracle Security based consulting services. These Oracle Security services are highlighted in this page. Separate detail pages for each service are also available. Each service is detailed and can be customised or tailored to your own needs
- Detailed Oracle Security Audit Service
PeteFinnigan.com Limited's Oracle database IT security health check service has been designed by Pete Finnigan, an expert with years of real world experience in auditing and securing, designing and hardening customers Oracle databases. Pete is also well known for writing and presenting extensively in the area of Oracle security.
Our audit service is very detailed and in-depth and is "conducted by hand". This audit is one of the most detailed security audits of an Oracle database available anywhere.
- Quick Oracle Security Audit Service
We offer a number of types of "quick" Oracle security audits that can be tailored to fit most requirements. A quick audit can be performed when more detail is known of the target systems and a security policy already exists. Our audit can be created to match your Oracle database security policy so is much more subjective to you and your view of what a secure Oracle database looks like for you. Alternately we can also do a quick top issues audit for you on one or any number of databases to give you an initial view of the state of your Oracle security so that more detailed audits or actions can be taken.
These audits can be performed on-site or remotely. We can provide you with tools that you will run yourself and then provide us with the output to analyse for you OR we can come to your site and run the tools ourselves.
- Correction Strategy and Checking Service
If you have had an Oracle database security audit performed against one or more of your databases either by PeteFinnigan.com Limited or another organisation or you have simply run or had run commercial tools internally or checked a few issues by hand coded queries perhaps based on a checklist such as the CIS benchmark then the next steps are:
- Decide on severity / risk / timescale / budget.
- Review the Oracle database security audit or health check report and decide what to fix.
- Optionally create a policy / baseline standard or check list for Oracle database security for your organisation.
- Implement the fixes.
- Test for compliance
- Oracle Database Health Check Service
- Oracle Security Design / Prototype / Setup
Over the years we have helped many companies implement and design and prototype various Oracle Security designs and solutions to help their applications, databases and business implement custom Oracle security or granular or context based security of user access, data, privileges and more. We have helped customers design and use implementations of Oracle Virtual Private Database (VPD), Oracle Label Security (OLS), Oracle Database Vault, Oracle Encryption, Oracle Transparent Database Encryption, Advanced Security and many more. We have also implemented custom solutions using custom settings and PL/SQL based software.
We can help you evaluate any of the Oracle Security options available from Oracle or from Third Parties or even help you design in-house custom Oracle Security solutions.
- Audit Trail Design Service
One of the first things that you should do to your Oracle databases in terms of Oracle Security controls is to implement an Oracle database audit trail. Without a robust audit trail we cannot know who accesses your database, when, how and more. The database engine is complex and there are many ways to achieve the same actions so having a comprehensive audit trail is a must. Oracle offer Oracle Audit Vault and Database Firewall and we can help specify and configure these tools. We can also help specify and configure any of the third party audit and monitoring solutions available at this time
Most importantly we have created a toolkit called PFCLATK that can be used to implement centralised audit trails. PFCLATK is declarative and policy driven and includes many pre-created policies and events. This toolkit takes the complexity out of using the core database audit settings and allows us to help customers focus on policy and events.
- Database Security Policy Review and Design
If you have a specific Oracle database security policy or you include Oracle database specific controls in a more generic security policy then we can help you review that policy and controls to make it more robust for the modern world where data theft and loss is rising. Alternately if you do not currently have any Oracle security specific controls or policy we can help you design your own policy.
This policy should form the basis of "what" a secure Oracle database looks like for you and it should "feed into" all efforts to secure and lock down all of your Oracle databases. We have extensive experience helping customers create Oracle security policies for more than a decade.
- PL/SQL Secure Code Review
Most databases contain some or often a lot of PL/SQL code that is either part of the business logic or applications or is part of database support and monitoring or even could be part of database security solutions. Most often this code will include security vulnerabilities. These are not intentionally added but unless a robust secure coding regime exists then these will be inevitable. This is born out by locating these types of secure code issues for many clients over many years either as part of secure code reviews or more generally as part of a database security audit.
We have extensive experience not just of secure code syntax (i.e. how to not make your code vulnerable to attacks such as SQL Injection) but also of how that code is used and deployed into the database in terms of design decisions, permissions, exposure and more. Pete Finnigan wrote some of the very first papers on SQL Injection in Oracle PL/SQL and SQL code in the very early 2000's.
Our secure code review will help you locate vulnerable PL/SQL as well as review the context of the code (schema used / methods used / permissions etc) and also security of the code itself.
- Oracle Forensics and Incident Response
What if the worst happens? - What if your databases are hacked or your data is stolen and paraded on web sites such as Paste bin? This happens more and more often as criminals understand that for them there is much less risk to enter a computer than to walk into a bank with a sawn off shotgun. Data theft and breach is no longer a "bragging rights" issue for kids in their teens but is pure crime and big business for some.
If your Oracle database is breached we can help. We can help you understand how the perpetrators got in, what did they access and see or steal and worse what could they have done if they had much more extensive Oracle skills.
We can also advise you in advance of a breach; help you audit databases, secure those databases and implement audit trails. More importantly we can help you define and put in place an incident response process and team to quickly deal with any real or potential breach as soon as it happens; lessening any potential impact.
We have experience helping customers who came to us after a breach in terms of performing forensic analysis and also helping set up incident response teams. Further Pete Finnigan was the first person in the world to publish anything related to Oracle Forensics when he created module 17 of the Original SANS Oracle Security 509 class in 2003 many years before any books or papers appeared about Oracle forensics.
- Data Masking
Data masking has an important part to play in allowing customers to safely use production quality data in non-production environments such as test or development. Data Masking is possible with Oracle provided products, third party products such as Delphix or PC based tools such as DataMasker from Net 2000 Ltd or even home grown scripted solutions. We have extensive experience helping our customers choose the right products and approach and also helping configure and develop suitable solutions
We are ideally placed to help you specify and implement data masking of your own.
Other Oracle Security Services
PeteFinnigan.com Limited is ideally placed to help with some or all of these elements. We offer tailored services in these areas.
Don't worry, if you do not see here the service you require but if it is related to the security of your data then we can help. Please contact us at firstname.lastname@example.org in the first instance.
Partner With Us?
Any company who feels that they could offer complimentary services to PeteFinnigan.com Limited's own services and would like to become a partner for PeteFinnigan.com Limited to offer their services in the UK should contact email@example.com in the first instance. Also any company who would like to offer some of PeteFinnigan.com Limited's services in another country should also contact firstname.lastname@example.org to discuss partnering with us.