
Pete Finnigan's Oracle security weblog

Integrating PFCLScan and Creating SQL Reports

June 25th, 2014 by Pete

We were asked by a customer whether PFCLScan can generate SQL reports instead of the normal HTML, PDF and MS Word reports, so that they could scan all of the databases in their estate and then insert either the high-level results of the scans (pass / fail, number of issues) into a database, and potentially also insert all of the detailed results of each policy/test failure.

We can do this, and the ability was designed into the product from day 1, because a report can be built from any text-based template file. The reporting language of PFCLScan is simple and template based. You create a text file that is a template of how you want the report to look - a nice HTML report, an XML report, an MS Word document or a SQL*Plus script - and then you use the PFCLScan reporting language template variables to insert report data where you need it. That "data" can come from the product, the policies, the project or the scan results. So it is just as easy to create a SQL file to run as it is to create a fancy report.

I have written a new blog post on the product website running through an example of how to create SQL reports from PFCLScan.

This makes PFCLScan powerful, as it is easy to use the output and also to automate. PFCLScan uses projects to manage each piece of work (a scan of all your databases, a scan of a single system, a scan of prod or of dev....) and in each project you manage targets, policy sets, the checks defined in the policy sets and also report templates. All of the policies are easily added to a new project, so defining a project with the targets you need and the checks you want is quick and simple.

The really cool thing, though, is that you can also run PFCLScan itself as a check in a policy. You can also run the reporting tool as a check in a policy. This is how we make automation very easy in PFCLScan, to achieve powerful results and also to simplify the tasks that you need to do. So, for example, one project can be created that reads an Excel sheet with a list of databases that need to be scanned. It tests first whether each can be reached, and for those that can be reached it generates a PFCLScan project for each to run. Then it runs each project to perform a detailed scan of each database and then runs a report for each. This means that once set up (and each part is just projects, policies and checks configured in the normal way) you can run one project, supply one Excel sheet and scan any number of databases on demand each day from the GUI or from the command line, and also insert the data into a vulnerability database if needed.

We will post a new blog next week on the PFCLScan Website showing a simple example of this automation in PFCLScan to complement the SQL report demo in this new blog post.

Remember also that our pricing model is simple and very competitive; we charge per installation of our software, not per database that you scan, so it is very cost effective to use PFCLScan.

[No Comments]

Automatically Add License Protection and Obfuscation to PL/SQL

April 17th, 2014 by Pete

Yesterday we released the new version 2.0 of our product PFCLObfuscate. This is a tool that allows you to automatically protect the intellectual property in your PL/SQL code (your design secrets) using obfuscation, and in version 2.0 we have added "dynamic obfuscation". This is a new engine added to our parser that allows dynamic obfuscation to be run at various "hook" points in your PL/SQL source code files. These hooks are reached at the start of a declaration block, the end of a declaration block, the start of a PL/SQL block or the end of a PL/SQL block. Hooks also occur when a defined PL/SQL package or procedure is located. The dynamic obfuscation is completely configurable by the customer and adds very powerful features to PFCLObfuscate.

Dynamic obfuscation allows us to add deeper obfuscations and also to automatically add license protections to your PL/SQL code or even tamperproof protections. This means that you can deploy your PL/SQL code with license type features controlling how and when your customers can use your code.

Please contact me for more details if you are interested in this new version of our product. We have kept the license fees at version 1.0 levels for the initial release. I have just written a detailed blog post on our product website that includes an example of automatically adding license features to a set of PL/SQL code. The blog post is PFCLObfuscate - Protect your PL/SQL.


Twitter Oracle Security Open Chat Thursday 6th March

March 5th, 2014 by Pete

I will be co-chairing/hosting a Twitter chat on Thursday 6th March at 7pm UK time with Confio. The details are here. The chat is done over Twitter, so it is a little like the Oracle security round table sessions I do live each year at the UKOUG Oracle conference here in the UK. It sounds like fun. You can ask questions or join in the chat. Simply use the tag #DataChat in your responses or posts from 7pm (UK time) on Thursday. You can also use a tool like TweetDeck and set up a new column for the tag #DataChat so you can see all of the threads.

If you fancy joining in, please do so. If you have a subject or question to raise beforehand then please email me (pete at petefinnigan dot com) or send me a tweet at @petefinnigan.

[No Comments]

PFCLScan Reseller Program

October 29th, 2013 by Pete

We are going to start a reseller program for PFCLScan and we have started the planning and recruitment process for this program. I have just posted a short blog on the PFCLScan website titled "PFCLScan Reseller Program". If you are running a consultancy specialising in Oracle or security and you feel you would like to be involved in reselling PFCLScan then please speak to us.

[No Comments]

PFCLScan Version 1.3 Released

October 18th, 2013 by Pete

We released version 1.3 of PFCLScan, our enterprise database security scanner for Oracle, a week ago. I have just posted a blog entry on the PFCLScan product site blog that describes some of the highlights of the over 220 new changes/features/fixes/content added in 1.3. Please have a look, and if you would like any details please contact me.

[No Comments]

PFCLScan Updated and Powerful features

September 4th, 2013 by Pete

We have just updated PFCLScan, our company's database security scanner for Oracle databases, to version 1.2 and added some new features, some new content and more. We are also working to release another service update in the next couple of weeks that will add some updates to the reporting tool and language, and also a new feature to allow the customer, through point and click, to set data values that are not known until they come to use them, BUT for which we already have tests and checks in our standard audit policies. This will allow customers to enable additional checks based on their own values and data. An example is that a customer may have a custom DBA role that they have designed for their own use. We don't know what that is in advance, so we cannot add a check to test that it exists and is used only by the DBA team. The new PFCL.config screens and functionality allow a user to add the values in a configuration screen and have custom checks work for them, and so allow us to answer questions that we could not answer before.

I have also just written a blog post titled "Powerful features of PFCLScan" and published it on our PFCLScan product website. Please have a look.

[No Comments]

Oracle Security Training, 12c, PFCLScan, Magazines, UKOUG, Oracle Security Books and Much More

August 28th, 2013 by Pete

It has been a few weeks since my last blog post, but don't worry, I am still interested in blogging about Oracle 12c database security and indeed have nearly 700 pages of notes in MS Word related to the 12c security research I have gathered already.

I have not blogged because I have been very busy and also on vacation for two weeks in Calabria, Italy, which was very nice, hot and relaxing on the beach. I have quite a lot of news items to cover here; some have been mentioned on Twitter previously but it is worth re-iterating them here:

1) I am teaching my class "How to perform a security audit of an Oracle database" in Rome, Italy with Oracle University on November 19th and 20th. If you would like to attend a public class in Rome then please have a look at Oracle's registration,p_preview:N - Sorry it is not a live link; there is something about Oracle's links that makes them break IE, so please cut and paste it into your browser.

2) I am teaching my class "How to perform a security audit of an Oracle database" in Kiev, Ukraine with ISSA on October the 16th and 17th, with ISSP, based in Kiev. If you would like to attend this class then please visit their registration link.

3) I am teaching my class "How to perform a security audit of an Oracle database" online on October the 7th to 10th inclusive. The class is normally two days, but online we are going to do it over 4 days. The timing each day will be 2pm to 6pm UK time to allow students to join from the USA and also CET. We advertised this class once on Twitter a few weeks ago and had a lot of interest and a few registrations, but there are still places available. The class costs £750 + VAT (if applicable) per student, and if you book and pay for more than one place we will give you a discount on all places you book. Each student gets a free download of PDFs from the course (approx 570 pages) and also over 70 free tools/scripts.

If you are interested and want to book a place then please email me at pete at petefinnigan dot com.

4) We have just updated our Oracle database security scanner PFCLScan to version 1.2 and released it to clients. This is a reasonably sized update with Oracle security specific changes and additions, and also some core product changes to make it easier for customers to customise and automate. We have added the first tranche of changes to support Oracle 12c, we have updated the password cracker to make its logic faster, we have re-implemented the encryption used to protect credentials, and we have added the ability to create "plug-ins" for PFCLScan using PFCLScan projects and policies themselves. There are around 40 individual changes, new features, bug fixes and additions to the standard policies. Please talk to us if you are interested in licensing PFCLScan.

5) The other major change we have made with PFCLScan is to introduce a new license. We have a great license model for PFCLScan: the license is annual and based on the number of installations of the software, not the number of databases or targets that you scan. We believe that this is a fairer model and our customers seem happy with it. We had two PFCLScan licenses, "Pro" and "Enterprise", which allow a single installation or, for the "Enterprise" license, as many installations as you wish on your site. We also offer great renewal deals: if you renew your license after one year then the renewal is 54% of the original fee.

We have a very simple license model, but we have had a number of discussions with people who say there is a licence missing or a gap in our model. We have decided to rectify this. We have specifically added an engagement license so that customers can license PFCLScan for a 30 day period to enable a single audit engagement to take place, either internally or for a consultant's customer. This is again competitively priced at £85 + VAT for a single installation, with a renewal for 30 more days at £70 + VAT if renewed concurrently.

6) Our second product PFCLObfuscate is also selling licenses well and is aimed at protecting intellectual property in PL/SQL or SQL. We have been promising to release version 2.0 for some time now. We created an alpha test version earlier this year and have tested and experimented with it. Finally we have started work to implement the production version of 2.0. Version 2.0 is a major release and will add some great new functionality. The core of the product is a built-in scripting language and "hook" points that allow each piece of PL/SQL code that is parsed to be interpreted at various points (Start, Begin, End, and also when any defined package call is found or when a string is found). PFCLObfuscate still obfuscates code, but when a hook point is found it can declaratively execute a script to generate PL/SQL code to insert, which is added and recursively obfuscated. What does all this mean?

Well, it means that you can obfuscate standard package calls within your PL/SQL by dynamically adding covering APIs and obfuscating them too, without adding external procedures to do this; it means that you can use any dynamic method to obfuscate strings; it means that you can insert code to execute when a string is found, a package is found, or a block starts or ends. All of this allows us to protect PL/SQL much more strongly and to add license type features to it. When combined with Wrap and WrapProtect it means that your PL/SQL code is much safer.

If anyone wants more details or would like to purchase a license then please email me.

7) I have also had two slots accepted for the UKOUG conference coming up at the start of December, held this year for the first time in Manchester. I will be chairing an open session on the 3rd of December about Oracle security, so please come along and join in. My second session, also on the 3rd of December, is going to be an hour long demo session with no slides!! That should be really fun and exciting (spelt terror!). This talk is going to revolve around Oracle database audit trails and protections. I am going to focus on the core database and not the new 12c Unified audit, and look at what works and what doesn't in terms of designing simple audit trails that are practical and can be taken away and used in your own databases. This means I am not going to focus on data auditing but on privilege audit and escalation of privilege. I am going to discuss adaptive controls, breakglass and the aftermath of issuing a privileged password; I am also going to talk about allowing third parties into your database and capturing what they do whilst in there; and I will talk about security of audit, audit of security and audit of audit. I am also going to demonstrate some simple packages that you can deploy to detect issues in the database.

I aim to cover quite a bit of ground, but the goal is really to show how you can create a comprehensive audit of privilege, security and audit, and cover breakglass and adaptive controls, IDS and IPS, but show how it is all achievable as a good starting point in your own database. Clearly there are two issues with audit: performance and storage of audit data. On performance, I am focusing on privilege because auditing it should not cause a performance problem: anyone abusing privilege should not be using that privilege in the first place, so if there is a performance issue the action should be stopped, not the performance tuned to allow the abuse to continue. The second issue is around storage of audit trails; my solution (which can be combined with stored audit) is to act upon the trail and report on summaries and issues rather than store enormous amounts of data.

The demo is made up of a package in PL/SQL I am calling PFCLFirewall that will implement the audit and the protections and also reports and a dashboard. This is at a simple level to start with. I am going to walk through the code and explain it, then install it, abuse my database and demonstrate what it all does and how the whole thing fits together. If you come to the talk I will let you have a copy of the PL/SQL PFCLFirewall, or if you ask me for it I will give it to you, but after the talk in December of course. The core of the PL/SQL package PFCLFirewall was written around a year ago, but it has been worked on again in between times.
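As an added illustration of the privilege-focused, summarise-rather-than-store approach described above (this is example SQL written for this page, not the PFCLFirewall package or anything from the talk), here are three queries over Oracle's standard audit trail view DBA_AUDIT_TRAIL. They assume standard (pre-12c Unified) auditing is writing to the database (AUDIT_TRAIL=DB) and that the AUDIT statements listed in the comments have been enabled; the DBA allow-list in the third query is a placeholder to replace with your own account names, and the role-name-in-OBJ_NAME behaviour noted in the first query is an assumption to verify against your own trail.

```sql
-- Added example: privilege audit summaries over DBA_AUDIT_TRAIL (standard audit,
-- AUDIT_TRAIL=DB). Not the PFCLFirewall package. Assumes these audit options are
-- already on, otherwise the matching rows never appear in the trail:
--   AUDIT SYSTEM GRANT;          -- GRANT/REVOKE of system privileges and roles
--   AUDIT ROLE;                  -- CREATE/ALTER/DROP ROLE
--   AUDIT ALTER USER;            -- password and account changes
--   AUDIT GRANT ANY PRIVILEGE;   -- use of the GRANT ANY PRIVILEGE privilege
--   AUDIT SELECT ANY TABLE;      -- (and any other "ANY" privilege you care about)

-- 1. Escalation of privilege: every system privilege or role granted or revoked
--    in the last 24 hours, with who did it and from where. For a role grant
--    SYS_PRIVILEGE is NULL and the role name is taken from OBJ_NAME (assumption).
SELECT a.timestamp,
       a.username          AS grantor,
       a.os_username,
       a.userhost,
       a.action_name,                                  -- SYSTEM GRANT / SYSTEM REVOKE
       a.grantee,
       NVL(a.sys_privilege, a.obj_name) AS privilege_or_role,
       a.admin_option,
       a.returncode                                    -- 0 = succeeded, else ORA error
FROM   dba_audit_trail a
WHERE  a.action_name IN ('SYSTEM GRANT', 'SYSTEM REVOKE')
AND    a.timestamp   > SYSDATE - 1
ORDER  BY a.timestamp;

-- 2. Storage problem answered by summarising: one row per day, user and system
--    privilege used, with failed attempts (RETURNCODE <> 0) counted separately.
--    This is what you would keep or report on instead of every raw trail row.
SELECT TRUNC(a.timestamp) AS audit_day,
       a.username,
       a.priv_used,                                    -- system privilege that made the action possible
       COUNT(*)                                              AS actions,
       SUM(CASE WHEN a.returncode <> 0 THEN 1 ELSE 0 END)    AS failures
FROM   dba_audit_trail a
WHERE  a.priv_used IS NOT NULL
AND    a.timestamp > SYSDATE - 7
GROUP  BY TRUNC(a.timestamp), a.username, a.priv_used
ORDER  BY audit_day, actions DESC;

-- 3. Issue detection: "ANY" privileges exercised by accounts that are not on the
--    DBA team allow-list, i.e. privilege that a non-DBA should never be using.
--    Replace the placeholder entry with your real DBA account names.
SELECT a.username,
       a.priv_used,
       a.action_name,
       a.owner,
       a.obj_name,
       COUNT(*)         AS uses,
       MIN(a.timestamp) AS first_seen,
       MAX(a.timestamp) AS last_seen
FROM   dba_audit_trail a
WHERE  a.priv_used LIKE '%ANY%'
AND    a.username NOT IN ('SYS', 'SYSTEM', 'DBA_ALLOWLIST_PLACEHOLDER')
AND    a.timestamp > SYSDATE - 7
GROUP  BY a.username, a.priv_used, a.action_name, a.owner, a.obj_name
ORDER  BY uses DESC;
```

The second and third queries are the kind of thing you schedule (DBMS_SCHEDULER or a daily SQL*Plus run) and act on: the summary rows are small enough to keep long term, and a non-empty result from the third query is an alert rather than something to archive. Whatever is audited here is only as trustworthy as the trail itself, so AUD$ and these queries belong under the same "audit of audit" controls the post talks about.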

8) I have also been asked to speak about Oracle security and PFCLObfuscate on Paul Dot Com on September 13th this year, so if you are interested then please head over to their site and watch and listen to me speak.

9) I have also just written a new 1500 word article on Oracle 12c new security features for the Oracle Scene magazine, which will be published in time for the UKOUG conference in December in Manchester. So watch out for that.

10) I have just agreed to write some reviews of some Oracle security products for some famous companies, and I will write a nice review based on the flow and practical use of each product. There will be a paper and a webcast for that later in the year. As I get more details I will let you know, so watch out for that to get a free paper and also hear me speak on a webcast.

11) Finally.... as I now have quite a lot of research on Oracle security around audit trails, database IDS (built in PL/SQL) as discussed above, identity in the database, adaptive controls, protection of audit, security of security, breakglass and of course 12c security, I have been thinking of writing it all up into a nice e-book and publishing it on Kindle. This would be a nice book, around 150 - 190 pages and not expensive, so that people can afford to buy it. It is just an idea now, but if I get some encouragement I will write it and publish it. A book like this may also be a good basis for a single day training class. Let's see.

OK, that's some news on Oracle security; more on 12c security next time.

[No Comments]


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
