I got an email from Lisa Dobson (http://newbiedba.blogspot.com/) about a week ago, but what with the new baby and all I have not had a lot of time for surfing or writing blog entries. Lisa emailed me about a page on Oracle's website called Getting Started: Security to ask my opinion on its content. I had a look and it's not a bad place to start, but it's not complete or well structured. It's also quite clearly based around Oracle's available products rather than getting a newbie started on securing their database. The first two links start off well by pointing the reader at quite a nice paper titled "Database Security (Common-sense Principles)" by Blake Wiedman. Then the page points the reader at the Oracle database security checklist. Then it gets a bit silly. Encryption is good but TDE is not for beginners; it's also an extra cost option with ASO. Then we get a link to Oracle Label Security; this is again an extra cost option on top of the enterprise edition and is also mainly only seen in highly secure environments and governments. Then we get VPD, role based security via application roles and FGA. Whilst these last three are more commonly seen I would not say that they are common. It's not really a place to start for someone new to Oracle or database security. Whilst the material is useful it's probably not that useful to a beginner who actually wants to secure an existing database or data.

A better place to start would be to visit some of the common checklists found on my Oracle security white papers page, and the best starter paper I have seen is Arup Nanda's Project Lockdown, which I am amazed is not included in the Oracle security for beginners page. I guess it's more about what a beginner wants to achieve: to secure their data or to learn the Oracle product stack. Don't dismiss the page, but remember for Oracle security there are also external options to Oracle's page, even if that is links back into Oracle's site such as Project Lockdown.