Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle Forensics presentation and a new paper"] [Next entry: "Oracle Forensics Paper part 6"]

Pete Finnigan is now an independant and available for Oracle security work



This is an overtly commercial post, which I don't normally do here, so please forgive the intrusion at this exciting time for me and my family. Last Friday was my last day in salaried employment and from tomorrow I will again be an independent working for my own Limited company PeteFinnigan.com Limited. I will be offering a variety of Oracle and database security related services and will of course be available for hire. I will be updating my site to include details of the services I offer but i also want to maintain the usefulness of the site to the many thousands of readers I get every day and I will continue to maintain the site and add content, hopefully more that I have been doing now that i will be in more control of my own workload. I am also keen to maintain the vendor neutral stance that I try and take in my writings. I don't see that this should change as I will be working independently and not tied to any vendor.

I am in the first stages of writing some service leaflets of my offerings and also in the first stages of updating my website to include a brief description of what I offer and also adding a menu to access the services. There has been a lot of interest in my work over the last few weeks and I have already a number of customers signed up so I am not going to get a rest after leaving my salaried job as I need to start chargeable work from Monday. This is great though.

My services are described briefly as follows:


  • Consulting


    • Oracle Security Audits: This is a very detailed audit of a single Oracle database (The number of databases can be increased but the service is designed around a single database for simplicity) and the server and networking involved in the implementation of the database. I have a detailed methodology and use my own tools to perform the audit. The output is a detailed report of all issues located and why they are issues and include a management summary of the most critical elements. A detailed service leaflet will be added very soon to my site to describe this. I am in a unique position in terms of experience of performing a lot of database audits and also in terms of having extensive knowledge in this area.
    • Oracle Database Hardening: I am available to assist any customer to harden a database that has been audited by myself or by anyone else or not hardened at all. This service is risk based and is designed to allow the client to decide structure the task of hardening a database. This service can also be performed completely by PeteFinnigan.com Ltd or we can advise the clients own staff what to do or we can be available on a call off to assist at critical parts of the project. Again a detailed service leaflet will be added soon to this site to describe this service in more details.
    • Audit Trail Design and implementation: I also offer a service to help companies create suitable audit trails in their databases. The one thing I almost always find when I conduct a security audit of an Oracle database is that no auditing exists or has been enabled in the database. This means that not only are a lot of companies insecure they also will not know if they are hacked. This is a major worry. I have extensive experience of designing and building audit trails using standard database features such as core audit, FGA, triggers, RLA (E-Business Suite) and more. I also am aware of most commercial products in the same arena. I can help any client design and implement a suitable audit trail, including management and reporting from a simple core design that uses the database features through to complex designs using database features or commercial tools and products. I have extensive experience with the performance issues often cast as a major reason not to implement audit and can solve and show that effective audit can be added to any database that does not kill performance. As with the hardening service my involvement is flexible from a complete design and implementation through to simple ad-hoc consultancy to help a client with an existing implementation.
    • RLS, OLS and FGA: These specialist technologies can provide help with enhanced RBAC and protection of data and auditing of that data. They are often complex and tricky to get right in terms of functionality required and also again with respect to performance. I have extensive experience with these technologies and can help any client who needs to implement them. Again our involvement can be at any level and also a more detailed service description will be added.
    • Encryption: In the recent times encryption of key data has become more important then ever. A lot of credit card details and personally identifiable data has become the subject of theft and news articles in the last year or so. Understanding the key technologies, tools and products available is something that should not be done lightly. If the data you need to protect is to stay protected help is needed to understand the risks and options. This is where we can help.
    • Code Audit: PeteFinnigan.com Limited are available to perform security related code audits of C code and PL/SQL code related to database applications. One of the main ways applications can be exploited has been demonstrated hundreds of times over the last few years by many researchers through bugs and papers. This is SQL Injection. There are many other issues also evident, such as use of dangerous functions or packages, buffer overflows, format string vulns and much much more. PeteFinnigan.com Ltd is able to offer detailed code audits of any Oracle database based application. A detailed service leaflet will be added soon.
    • More to be added...

  • Training


    • Oracle database security audit [2 / 3 days]: This training looks into the issues that cause an Oracle database to become insecurely deployed, then goes into details on the different aspects of how to carry out and perform an Oracle database security audit including lots of details and demonstrations. Again a detailed course description will be available shortly.
    • Oracle hardening [2 days]: This training course looks at the reasons an Oracle database can be insecure and then dives into how to harden an Oracle database in a methodical and structured manner taking into account the use patterns of the database, the data flows and also the application structure and design. Again a detailed course description will be available shortly.
    • Oracle Audit Trail Design [2 days]: This training looks in detail at how to design and implement an audit trail for the Oracle database. This draws on Pete Finnigan's real world experience in designing and building audit trails. Considerations such as functions, features, products and tools to use are covered. Also a detailed discussion is included on how to design the audit trail, how to manage the audit trail and how to implement and use the audit trail. The course is centred around core database features and shows how existing functionality can be used to create a rich trail of actions. Again a detailed course description will be available shortly.
    • More...




As I say I will get more detailed descriptions of each service on my site over the coming week and these will include details of what’s involved, durations and costs. I will also most likely extend the list of services that i am able to offer at the same time. I will announce here when it’s done. I will also detail the training that will be available. All training will be available on client sites and prices will be available very soon. It is also intended that some public training may be organised and I am also interested to discuss partnering/reseller arrangements also.

The blog will continue and also watch out for some additional content on my site over the coming weeks. I have quite a back log of things I would like to add. I am also signed up to speak at a number of events over the next few months. I am speaking at the UKOUG Windows SIG on September 25th about Oracle security on Windows at Blythe Valley Park, then I will speak three times at the UKOUG conference in Birmingham, December 3rd to 6th on Oracle Forensics, Oracle security tools and I will also do a completely new two hours Oracle security master class. I will also host the Oracle security round table at the same event.

For any further details on the services and training that we offer please see the contact details page.

There has been 7 Comments posted on this article


August 19th, 2007 at 05:34 pm

Eddie Awad says:

Congratulations and good luck in your new endeavor.



August 19th, 2007 at 09:37 pm

Mark Rittman says:

Hi Pete,

Good luck with going independent (again). I'm sure it'll work out for you, I'll certainly keep an eye out for any security work and pass it your way.

all the best, Mark



August 20th, 2007 at 10:52 am

bunker says:

Great!
Good luck with your projects!

wink



August 20th, 2007 at 11:56 am

Slavik Markovich says:

Congratulations, Pete. Good luck. Keep up the great posts.

Slavik



August 20th, 2007 at 11:57 am

Kevin Else says:

Hi Pete.

Welcome back to the right side of the fence!
hehe

All the best

Kev.



August 22nd, 2007 at 12:36 am

LewisC says:

Sounds like a good move, Pete. Best wishes.

LewisC



August 22nd, 2007 at 10:52 am

Pete says:

Thanks guys for all the comments here about my latest career move. Its all very exciting at the moment!

cheers

pete