I had three slots this year; on the Monday I spoke about application design in the database. I covered the ideas that we must create least privilege and ideally separate the data from the functionality (PL/SQL) and also ideally connected users from the schemas so creating a privilege model and least privilege. We also looked at invoker rights vs definer rights, With Admin and With Grant as well as INHERIT privileges in 12c. We also looked at context based security with some examples. We explored privilege analysis of existing users and also how to design users rights with least privilege in mind and also covered privileges in different modes such as build time, run time, maintenance time and more. This was a good talk as I had some good discussion during and after the talk.
On the Tuesday I chaired an Oracle security round table and Piet De Visser made a valiant contribution as the session proctor. We had some great discussion and questions particularly around least privilege and breakglass for the Oracle database.
On the Wednesday I made my last talk which was also well attended and was about Oracle Database Password Design. We looked at the core issues of weak passwords, what makes them weak and also the cor4e password algorithms available in the database. We also looked at password cracking and the different types of cracking that are possible (default, dictionary, brute force and password=username). We also looked at the types of Cracker (PL/SQL based, C based, GPU and FPGA crackers). We also looked at password design, profiles to enforce password strength and security of password hashes. We looked at password choice and also password safes.
Links to the pdfs of my new papers are on our Oracle Security White Papers Page.