
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Looking Forwards To 2022!!

NOTE: I wrote this post back in January and then just after posting it the web server crashed. So, I guess a small number of people may have seen it before. It is essentially the same post now except for slight edits and this note.

So a bit about the web server crash. I noticed that opening pages was OK but opening a connection via ssh took minutes, and then when connected "ls" and other Unix commands also took minutes. I then could not run anything so decided to reboot it. The server went down and never came back. I had to then wait for the ISP to physically enter the server room and take a look; he could get it to start but one of the physical discs was gone, not recoverable. This meant we had to start again and reinstall apache, perl, php and more. These are later versions - the original site was patched up to date but it was an opportunity to update everything to later versions. Because we went to later versions things had changed!! I had to reconfigure apache in a lot of ways and also port the perl and php in the blog and forum and site generally. This took some effort but I quickly had the site displaying all the main pages again; getting the blog interface to work again took thousands of code changes to the Perl.

It was not a needed task at this time as I am very busy, but the website now has a great footing again.

Here is the post that was posted in January and was there for a few minutes!!

Let's all have a successful 2022 and hopefully get over the current crisis in health and pandemics and move back towards a normal life for everyone. It has been a trying time for the last almost 2 years for the whole world and for me personally. Just over a year ago my dad died from covid; then I caught covid almost a year ago and was very ill for weeks and then took months to fully recover; I managed then to get issues with my kidneys and had surgery in the autumn last year and recovered, and then got a very bad chest infection and cough in December that took weeks to get rid of; I was tested many times and it wasn't covid; we have to realise that not every illness is covid!! I am very well now and worked through most of the above anyway, but it seems like we all need a much better 2022.

I managed to visit and speak at the UKOUG (UK Oracle User Group) end of year conference at the Oval in London at the end of last year; it was great to get to a real live in-person event again after such a long time. Whilst the numbers at the event were not as big as they have been in the past there was a good turnout, and it was great to meet and chat with people in real life again. I did a talk on how to respond to a data breach of an Oracle database, and on live response and forensics.

Good turnout to my talk also!!

Despite all the health issues I had, nothing really slowed down or stopped for me or my company in our pursuit of helping people secure their data and with Oracle security based projects. I even still managed to work when I had covid, except for the short time I was laid up in bed. We have made a lot of progress on our tools and software and other bits in 2021 and it's worth a brief update here now; I will create more detailed blog posts on each of these soon to show more:

  • PFCLScan: We are working on a major update of our database security scanner for Oracle databases, to be released early this year in 2022; it will include many new checks, features and reports.

  • PFCLObfuscate: We released a number of major changes to PFCLObfuscate that allow a customer to do much better locking of their PL/SQL code to a database, much better string encryption, and a new method to allow obfuscation to be laser targeted.

  • PFCLUserRights: We have been developing a new product that will be released later this year called PFCLUserRights. This allows a detailed analysis of all users in the database for their rights and access. This is at the user level, individual settings level, privileges granted level and globally across all users. The main interface allows a simple colour coded view of all users and their access and rights and shows green for good - keep, red for remove and yellow for attention. This will allow a rapid view of rights used and granted in the database.

  • PFCLATK: PFCLATK has been around a while as a service based toolkit. We have an extensive PL/SQL based toolkit that we can use to easily map detailed audit trail designs to actual policy and settings in the database. At the moment this is sold as a service where we help a customer design pragmatic and useful audit trails - we guide the customer via meetings and build an events table of actual events that need to be captured in the database - i.e. "did an attack occur", "did someone share an account", "did some critical action occur that was not authorised"... We help the customer design this events table with input from us, their security and business. We then map this to our toolkit PFCLATK and this can then be deployed and up and running quickly and simply. This is 10s of thousands of lines of PL/SQL. We will be adding a GUI interface to this later this year so that we can sell it just as a product and not a service. There is an admin interface to configure and deploy all of the events and also a dashboard to monitor every database target. We are currently working on changes to the toolkit for a customer assignment so it's actively developed.

  • PFCLCode: We made some changes to the rules and analyser in PFCLCode late in 2021 and these were released to existing and new customers. We will be adding more changes to PFCLCode soon, as new checks and rules have been planned and will be developed, added and released soon.

Also at the end of 2021, and being finished off now, we (I mostly) are developing a new 2 day class "Deep Dive into Oracle Database Vault". I will be teaching this at the end of February online, live via webex; we have customers with places paid for already and we can welcome a few more if anyone is interested in the first event. I like Database Vault and we work on it for customers from time to time. I do get people asking for design and detailed consultancy in this area so we decided to create a new class. Contact me via social media or email if you would like to book your place. There are no details on our website yet but they are coming soon; if you contact me I can send the class outline to you. I will announce the dates for the first teaching here as well.

I have also been in detailed discussions to resell a product developed by another UK based company that allows PCs, servers etc. to be searched for any type of data. This is a great product and will complement our software offerings nicely. We focus on the database and now we can help with the servers. I will go into much more detail about this product very soon as we announce it and release the pages on our site. At a simple level you can just choose a target to search and tell the software to look for personal details on the server/PC. You can of course go much deeper, and the searches are highly parameterised, configurable, saveable and more. There is also an option to program actions based on what the search finds. As I said, more soon, but this will fit nicely with the database side.

We have also decided that there will be a much bigger presence with blogging and social media. This is a static blog in that it is not WordPress or similar; the pages are generated at the time of the edits and the contents are not in a database, which is what drew me to it at the time. The blogging software in the website does not support draft posts, BUT we have created a sophisticated Windows desktop application to allow project based management of blog posts, tags, and snippets of text to use with social media posts. It also has a queue system and calendar to allow you to easily split and process each blog post to then be posted across all of our social channels. I will discuss this more in a future blog post here, but as we have put quite a bit of development time into this the intention is to also sell licenses for this blog management tool, which will allow offline management no matter the blog or social channels.

I am also looking at packaging pre-recorded trainings from our 8 days of classes so that customers can download and watch on demand. These will be at a lower cost than the live trainings. We have been asked for this for years but I have held off because of the time needed to create and manage this, but we have not created a structured plan for this. This will also allow easier updating and management, and also allow us to create short versions of some classes to be packaged with our software as a complete solution. Again, more soon!!

OK, that's a long post. I will stop now, but expect more on each subject soon separately.

Also worth stating that everything we do works in the cloud as well. A database on premise or in the cloud can be secured using all of the same techniques at the database level.