Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Interesting question about Sarbanes-Oxley on Oracle 7.3.3"] [Next entry: "Another good paper by Howard Rogers on read-only tables"]

Howard Rogers new paper on secure application roles

Howard Rogers has just released a new paper discussing the implementation and use of secure application roles in an Oracle database. This is written in the now usual question and answer session that Howard has used recently very successfully.

The paper covers some interesting points, the main one being that secure application roles can be used to protect access to data or rather privileges by not enabling the roles if an incorrect application is used. The point Howard makes is that unlike VPD this can be done on standard edition installations.

This method also gets around the issue of password protected roles being possibly bypassed. I talked about this some time ago in a short paper.

Howard covers a couple of good examples, the first gets a secure application role up and running and then he modifies it to be a bit more workable by using application contexts and logon triggers to set a token. The point being made is that the implementation can be changed without changing the client application code.

Excellent paper!