Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
The day was eventful as I caught two trains booked well in advance to get cheaper tickects and just my luck the morning train was cancelled as was the evening one. In both cases it turned out OK, in the morning I actually was allowed on the much faster (read expensive tickets) train before and in the evening i had to catch a train ten minutes later so not too bad. It was a nice day for meeting people, Paul spoke to me on the phone as I drove to the station for the train to ask a question about my presentation, which lead him, Jonathan Lewis and myself to discuss privileges around VPD on the walk back to Slough train station. I have made some notes around this and its a good enough subject for a detailed post here so watch out for that in the next day or so.
The talk went well, i had some good discussions with some of the people attending afterwards. The focus of the talk is not on the nitty gritty of using or coding with VPD (Virtual Private Database) but the focus is around the issues of using an additional security feature such as VPD with an application and Oracle. There is a tendancy for people to look at products like VPD and implement and go without any thought around the fact that you must also secure VPD, you must design your VPD implementation to ensure that it cannot be compromised or bypassed. The focus of the talk was around these issues. I also had a simple demo that is contained in one script called vpd2.sql which is also available from my scripts page.
I am not going to go into detail on the results as they are contained in a 10 page pdf that you can download yourselves. Simply go to this link on the IOUG site and download the pdf from the link there.
It is interesting that the survey matches the discussions I have quite often with clients, people at conferences, SIG's and almost where-ever I go. People are always wanting views on CPU applications - or not! - the application that is. I always say two things. 1) CPU's are only part of the problem of securing an Oracle database - that is to be secure you cannot just apply a CPU, you must do all of the other work to secure the database, configuration, privileges, access, audit.... much, much more and 2) at the end of the day; taking out all of the issues, you can either apply a CPU or not, its simple. Well its simple to say but in practice, psycologically, reallity, its often hard to do for lots of reasons, mostly availability, performance, downtime, stability... This is one of the key conclusions found by the survey BUT I already new this. I also like the first conclusion and agree with it. If there was a way to make it more formal to apply patches then it would be better for security, but as discussed above it wouldnt secure the database (because security is not just patches) and also it would not fix the perception/reality of stability, availability etc. This is a very complex problem to fix; in part due to the complexity of the Oracle software, the large number of platforms, applications, configuration options....
The survey also showed that 30% of respondents patch within the quarter BUT 70% don't! We have seen a lot of improvement since the first security alerts 8 years ago but we still clearly have a long way to go to get people to patch in the quarter.
Good survey, good comments and conclusion and I think it reflects the reallity that I get to see and also that I am talked to about regularly.
Lets have another annually and lets see if we can get improvements.