
Pete Finnigan's Oracle security weblog


Mary Ann speaks - on security testing rules

July 10th, 2006 by Pete

I just found a new post by Mary Ann Davidson. The post is titled "Let Us Now Praise (Not So) Famous Men and Women" - this is mostly a post rambling on about military stuff that you can mostly skip over. I was interested and singled it out for one reason. There is a passage in the middle of it about a request from a colleague of Mary Ann's to use the ethical hacking team to test a certain product but to conduct the test purely within the boundaries of the described functionality and policies of the product. I like Mary Ann's quote from her sister "Rules? There are no rules! This is war!" - This is true for any hacker. It is simply crazy to conduct a security test bounded by rules of what the application is supposed to do; hackers will try anything to break the application to try and get it to do something it's not supposed to. This is how bugs are found that can be exploited. Hackers will not simply press buttons; they use software to try every aspect of an application to break it, and then more.

Good post. I have come across similar cases where some developers tend to think that hackers will only use software in the ways that they have designed it. It's a very blinkered approach and is why security is easy to break. Developers need to think like hackers when they are designing and creating new applications. This will help to make more secure applications. You need a devious mind; if you have one then it's possible to think of all of the possible attack scenarios and to code against them.

Nice snippet, Mary Ann.


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
