Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 36 visitors online    

Pete Finnigan's Oracle security weblog


Home » Archives » October 2004 » Tales of the Oak Table - Dave Ensors comments on Oracle security

[Previous entry: "more info on DBMS_SYSTEM.KSDWRT"] [Next entry: "interesting thread on how to secure a third party application"]

Tales of the Oak Table - Dave Ensors comments on Oracle security

October 28th, 2004 by Pete

Post to del.icio.us   Post to Furl   Digg!

I mentioned that I got the new book "Oracle insights - Tales of the Oak Table" published by Apress / Oak Table press (many Oak Table members are authors) recently in this web log. I had read the chapter by Kyle Hailey first as I was interested in the information about direct SGA access that Kyle described. I have since started to read the book from the beginning and have read the introduction and Dave Ensors first chapter on a selective history of Oracle which is excellent. The main focus of the book, it has to be said is performance. There was one more mention about Oracle security (so far) after Dave discussed the 12 rules designed by Codd in the 1980's and related them to Oracle. He then made a comment about what is missing. He said that the 12 rules say nothing about privilege management and enforcement and that this is an area which Oracle has been arguably less successful.

Dave then talks about privileges and security in a one and a bit page section (page 26-27). He talks about the unbreakable campaign and also tells us how version 4 authentication used to work. The passwords were stored in clear text in a table in the SYSTEM tablespace and a weak encryption was used in version 5. Dave gives some good comments and he suggests that VPD doesn't support shared sessions. This is not quite true as secure contexts and proxy accounts and connection pooling can be used effectively with VPD and shared accounts. I suspect Dave meant that it won't work with existing traditional shared account applications. David Knox discussed this is his new Oracle security book published by Oracle press. I will talk about this book soon as well.

Daves made a good point that I have thought about for a long time and never talked about. This is why there is no distinction between users and schemas. Its not intuative. It works as it is but could it be better?

This is an excellent book, so far.

October 2004
SMTWTFS
     12
3456789
10111213141516
17181920212223
24252627282930
31      

About

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Search weblog

Home and Archives

Weblog Home
Weblog Archives

Recommended reading

Oracle Security Step-by-Step (Version 2.0)

Useful links

Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Other useful blogs

Web Development
SQL Server Security

Syndication - Feeds

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0

Other Links




View Pete Finnigan's profile on LinkedIn

Pete Finnigan

Create Your Badge



Valid XHTML 1.0!