I wrote a 60 or so page paper called Exploiting and protecting Oracle around 5 years ago when I worked for Pentest Ltd. I have had a link to this paper on my Oracle Security white papers page
for a long time, someone told me via email today that the link was broken. I have fixed the link to point at the original paper. This paper is dated a little but it still contains some good stuff related to Oracle security and some ideas of where to investigate if you want to research the subject. I was chatting to Alex when we got together in the states a couple of months ago and I had a chnace to go and find something in this paper to show the source of an idea. have a read!