I also agree with David that this is definitely a move in the right direction for Oracle. At last they seem to be tackling problems at the root. This is good. I don't know the extent of the use of this package yet but I would hope that eventually every PL/SQL package function and procedure parameters are protected or sanitized by DBMS_ASSERT if that input ends up in an SQL statement either directly or not. In fact I would use it for all parameters at source. I would hope Oracle is working towards this. My next step would also to be to use bind variables in every case possible to again eliminate SQL Injection and get rid of all concatenated SQL statements. i.e. SQL that is built by concatenation should be removed - binds should be used instead in all cases as any concatenation potentially can be injected.
This is a good paper but contains one small error that does not detract from reading it. The example for QUALIFIED_SQL_NAME should use that function and not SIMPLE_SQL_NAME. no matter though the intent is obvious.