
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Compare Oracle Autonomous Database Security to Other on-Premise Databases

I published a blog post back in 2024 where I used PFCLScan Version 2024 to scan various databases from 11g to 23c/ai. The blog is "Compare the Database Security of Oracle Database 11g, 12c, 18c, 19c, 21c and 23c/ai". It explores the overall security score created by PFCLScan for all versions of the database and also investigates the individual scores for 8 categories, from hardening to patching to user security and data security and more. Please read that blog for a more detailed discussion.

All of the databases scanned in the previous article were non-cloud and installed in Oracle VirtualBox, but they were all Standard Edition or XE / Free versions, so similar. They were also vanilla databases in that they had no applications installed and were not hardened or changed, so although each database is different, they were similar enough in terms of how they were created to make a meaningful comparison.
[Image: PFCLScan 2026 Scanning ATP 19c. This is the high-level single-page report for a scan of the 19c ATP database.]

I wanted to extend this previous study to include cloud, so I created two always free Autonomous Transactional Databases (ATP). I could have chosen ADW or the new Data Lake type or APEX, but I chose two ATP databases, one 19c and one 26.ai (23.26), so that they were comparable. Also, the other databases were closer to ATP than Warehouse, for instance.

There are obvious differences between ATP and a normal on-premise multitenant database. In ATP we cannot log into SYS or the operating system or use built-in roles such as DBA, and we have to use ADMIN as the default DBA account. We also cannot access SYS.USER$ to get password hashes to crack passwords in the ATP databases. So password cracking is not done in these ATP databases, as we simply cannot do it.

[Image: PFCLScan 2026 Scanning ATP 26ai. This image shows the results of scanning a 26ai ATP database.]

In terms of overall score, as you can see, both scored 80%. In the previous study the best overall scores were 12c with 80% and 18c with 83%; then it dropped off. Interestingly, the overall score for 19c in ATP is better than the older 19c I security scanned in 2024.

If we look at the individual category scores for the 19c and 26ai ATP databases, there is little difference between each category except for patches and versions, where 23ai scored 78% but 19c scored 86%; the rest of the 8 categories are within 1% or equal. If you look back at the previous article, there was little consistency across each database and category.

Overall, since 11g the security increased until 12c/18c and then went down through 19c, 21c and 23c/ai. The ATP databases have improved the overall score and, most strikingly, the security of 19c and 26ai in the cloud is consistent and almost identical. Consistency is important.

Ask me for more details of PFCLScan version 2025 and the upcoming version 2026, ask me to demonstrate the product live to you on Webex, or simply ask me if you would like to buy a license or if you would like us to audit your database for you.
