
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Two New Oracle Security Presentations Available

I attended the UKOUG conference last week, Monday to Wednesday, in Birmingham. This is the first year for three years that it has been back at the ICC in the centre of Birmingham; the conference was held in Manchester in the preceding years and in Liverpool last year. The journey from the railway station has changed slightly, as New Street Station has been completely modernised from its dark and dingy past, and the route through the Galleria is blocked off.

I had three slots this year. On the Monday I spoke about application design in the database. I covered the idea that we must build for least privilege: ideally separate the data from the functionality (PL/SQL), and separate the connecting users from the schemas that own the objects, so creating a privilege model that enforces least privilege. We also looked at invoker rights vs definer rights, WITH ADMIN and WITH GRANT, and INHERIT PRIVILEGES in 12c, and at context-based security with some examples. We explored privilege analysis of existing users, how to design users' rights with least privilege in mind, and privileges in different modes such as build time, run time, maintenance time and more. This was a good talk, as I had some good discussion during and after it.
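The data/code/user separation and the definer-rights versus invoker-rights point above, as an added SQL example that is not from the talk or from the original post. The schema names DATA_OWNER, APP_CODE and APP_USER, the ACCOUNTS table and the passwords are all hypothetical; the script assumes it is run by a DBA on an Oracle 12c or later database.

```sql
-- Three-schema layout: a schema that owns the data, a schema that owns the
-- PL/SQL, and a connecting user that owns nothing. Passwords are placeholders.
CREATE USER data_owner IDENTIFIED BY "Example#Data1" QUOTA UNLIMITED ON users;
CREATE USER app_code   IDENTIFIED BY "Example#Code1";
CREATE USER app_user   IDENTIFIED BY "Example#User1";
GRANT CREATE SESSION, CREATE TABLE     TO data_owner;
GRANT CREATE SESSION, CREATE PROCEDURE TO app_code;
GRANT CREATE SESSION                   TO app_user;

-- The data schema holds the table; only the code schema gets DML on it,
-- and only the DML it needs (no DELETE, no INSERT, no ALL PRIVILEGES).
CREATE TABLE data_owner.accounts (
  id      NUMBER PRIMARY KEY,
  owner   VARCHAR2(30),
  balance NUMBER(12,2)
);
GRANT SELECT, UPDATE ON data_owner.accounts TO app_code;

-- Definer-rights API (AUTHID DEFINER is the default, spelled out here):
-- it executes with APP_CODE's privileges, so the caller needs no grant on
-- the table and can only do what the package exposes.
CREATE OR REPLACE PACKAGE app_code.account_api AUTHID DEFINER AS
  FUNCTION get_balance(p_id IN NUMBER) RETURN NUMBER;
END account_api;
/
CREATE OR REPLACE PACKAGE BODY app_code.account_api AS
  FUNCTION get_balance(p_id IN NUMBER) RETURN NUMBER IS
    l_bal NUMBER;
  BEGIN
    SELECT balance INTO l_bal FROM data_owner.accounts WHERE id = p_id;
    RETURN l_bal;
  END get_balance;
END account_api;
/
GRANT EXECUTE ON app_code.account_api TO app_user;

-- Connected as APP_USER:
--   SELECT app_code.account_api.get_balance(1) FROM dual;  -- allowed
--   SELECT * FROM data_owner.accounts;                      -- ORA-00942

-- 12c INHERIT PRIVILEGES: an invoker-rights unit (AUTHID CURRENT_USER) runs
-- with the caller's privileges only if the unit's owner holds INHERIT
-- PRIVILEGES on that caller. PUBLIC holds it on every user by default, so a
-- powerful account should revoke it and grant it only to trusted code owners.
REVOKE INHERIT PRIVILEGES ON USER app_user FROM PUBLIC;
GRANT  INHERIT PRIVILEGES ON USER app_user TO app_code;
```

The point of the split is that a SQL injection or a stolen APP_USER password yields EXECUTE on one package, not SELECT on every table; the INHERIT PRIVILEGES revoke stops a less trusted schema from planting an invoker-rights unit that borrows APP_USER's rights when APP_USER calls it.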

On the Tuesday I chaired an Oracle security round table, and Piet De Visser made a valiant contribution as the session proctor. We had some great discussion and questions, particularly around least privilege and break-glass access for the Oracle database.

On the Wednesday I gave my last talk, which was also well attended, on Oracle Database Password Design. We looked at the core issues of weak passwords, what makes them weak, and the core password algorithms available in the database. We also looked at password cracking and the different types of cracking that are possible (default, dictionary, brute force and password=username), and at the types of cracker (PL/SQL based, C based, GPU and FPGA crackers). We then looked at password design, profiles to enforce password strength, and the security of password hashes, and finished with password choice and password safes.
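The "profiles to enforce password strength" point above, as an added SQL example that is not from the talk or from the original post. It shows a password verify function that rejects the classes of password the cracking types named above go after first (default and dictionary words, password=username, and short strings that fall to brute force), plus a profile that applies it. The function name APP_VERIFY_FUNCTION, the profile name, the limits chosen and the small word list are all hypothetical; the script assumes it is run connected AS SYSDBA, because a verify function must be owned by SYS.

```sql
-- Verify function: Oracle calls it with (username, new password, old password)
-- on every password change for users whose profile names it.
CREATE OR REPLACE FUNCTION sys.app_verify_function (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN IS
  -- Constructed mini-dictionary of well-known Oracle defaults and common
  -- words; a real deployment would load a much larger list.
  TYPE word_list IS TABLE OF VARCHAR2(30);
  l_common word_list := word_list('oracle', 'password', 'welcome',
                                  'manager', 'change_on_install', 'tiger');
BEGIN
  -- Short passwords fall to brute force whatever the hash algorithm.
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;

  -- password=username is one of the first guesses any cracker tries.
  -- Compared case-insensitively: the old 10g hash was itself case-insensitive.
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must not match the username');
  END IF;

  -- Dictionary/default check, including the word embedded in a longer string.
  FOR i IN 1 .. l_common.COUNT LOOP
    IF INSTR(LOWER(password), l_common(i)) > 0 THEN
      raise_application_error(-20003, 'Password contains a dictionary word');
    END IF;
  END LOOP;

  -- Character classes: at least one letter, one digit and one other symbol.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20004, 'Password needs letters, digits and a symbol');
  END IF;

  -- Reject a trivial edit of the previous password (e.g. Spring2023! -> Spring2024!).
  IF old_password IS NOT NULL AND LENGTH(password) = LENGTH(old_password) THEN
    DECLARE
      l_diff PLS_INTEGER := 0;
    BEGIN
      FOR i IN 1 .. LENGTH(password) LOOP
        IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
          l_diff := l_diff + 1;
        END IF;
      END LOOP;
      IF l_diff < 3 THEN
        raise_application_error(-20005, 'Password differs from the old one in fewer than 3 positions');
      END IF;
    END;
  END IF;

  RETURN TRUE;
END app_verify_function;
/

-- Profile: lock after repeated failures (slows online guessing), force
-- rotation, block reuse, and route every change through the verify function.
CREATE PROFILE app_pwd_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- one hour, in days
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION app_verify_function;

ALTER USER app_user PROFILE app_pwd_profile;   -- APP_USER is a hypothetical account

-- Audit check: open accounts whose profile has no verify function at all.
SELECT u.username, u.profile
FROM   dba_users    u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_name   = 'PASSWORD_VERIFY_FUNCTION'
AND    p.limit IN ('NULL', 'DEFAULT')
AND    u.account_status  = 'OPEN';
```

Note that a verify function only governs passwords set after the profile is applied; existing weak passwords stay weak until they are changed or expired, which is why the cracking exercise and the profile belong together.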

Links to the PDFs of my new papers are on our Oracle Security White Papers page.