Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle audit vault is available for trial download"] [Next entry: "Oracle BI Suite and Row Level Security"]

Getting started with Oracle security



I got an email from Lisa Dobson about a week ago but what with the new baby and all I have not had alot of time for surfing or writing blog entries. Lisa emailed me about a page on Oracle's website called Getting Started: Security to ask my opinion on its content. I had a look and its not a bad place to start but its not complete or well structured. Its also quite clearly based around Oracle's available products rather than getting a newbie started on securing their database. The first two links start off well by pointing the reader at quite a nice paper titled "Database Security (Common-sense Principles)" by Blake Wiedman. Then the page points the reader at the Oracle database security checklist. Then it gets a bit silly. Encryption is good but TDE is not for beginners, its also an extra cost option with ASO, then we get a link to Oracle Label Security, this is again an extra cost option on top of the enterprise edition and is also mainly only seen in highly secure environments and governments. Then we get VPD, role based security via application roles and FGA. Whilst these last three are more commonly seen I would not say that they common. Its not really a place to start for someone new to Oracle or database security. Whilst the material is useful its probably not that useful to a beginner who actually wants to secure an existing database or data. A better place to start would be to visit some of the common checklists found on my Oracle security white papers page and the best starter paper I have seen is Arup Nanda's Project Lockdown which I am amazed is not included in the Oracle security for beginners page. I guess its more about what a beginner wants to acheive; to secure their data or to learn the Oracleproduct stack. Don't dismiss the page but remember for Oracle security there are also external options to Oracles page even if that is links back into Oracles site such as project lockdown.