
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

23 Years of Oracle Security

It is just slightly over 23 years since I started PeteFinnigan.com Limited to focus just on helping people secure data in Oracle databases. The company was incorporated on the 12th February 2003, so 23 years ago.

I started the company to offer services around securing Oracle and eventually to create software and training in the areas of securing Oracle databases and data. Things have changed over 23 years; when I started, Oracle 9.1 was just still around, 9.2 was fully supported and 10.1 was released around the same time. Of course, at that time people were still running 8.1.7 as well. In a similar pattern now, a small number of customers still have 11.2 databases and even earlier versions around, as well as the currently supported databases.

Oracle security is not done on the bleeding edge of Oracle versions, as we tend to be asked to look at older supported databases such as 19c and occasionally older versions. A few years ago (probably less than 10, but I cannot remember) I was asked to look at a finance application hosted out of an Oracle 6.0 database. They didn't want to upgrade as the business managed and processed in the database was winding down, so it was not viable to spend a huge amount of money, BUT they wanted to secure what they had. It was still possible, to some extent, to make quite a few changes to users, permissions, some parameters and more.

Oracle security has changed over the years. Most sites never considered securing databases 23 years ago and had no budget for it. The Oracle database, applications and features have become much more complex, BUT the core database security features have not changed massively. Yes, they have increased; there are a lot more objects. We have many more options for security now, such as Database Vault, Firewall, Real Application Security and many more, but the core is roughly similar except there is a huge amount of it.

When I started my company it was named after my website, and this helped grow the business and get customers. The biggest change now is that data theft has become MORE REAL. Everyone knows what it is. 23 years ago the BBC would bring on an expert to talk about some data hack or similar, but now there are no experts; just the normal news reader will report it, and the public now gets it. So why do companies treat data security like a distant cousin? Probably because there is a drive to get function and performance, and security is an afterthought. We can add security to any existing Oracle database, but it would be much better to add it at design time.

A lot has changed at the detailed level in 23 years but a lot stays the same at the high level.

When I started the company I wanted to create software to sell to help customers secure their databases. I started PFCLScan in 2003 and the blog referenced gives some background. The first C-based engine was working in 2008, and in the five years until then I created around 40k lines of PL/SQL to scan databases for customers for security issues.

Over the years PFCLScan was released as a full Windows product and we also added other products as Apps on top of PFCLScan, including PFCLObfuscate to protect PL/SQL in your database and PFCLCode to analyse the PL/SQL in a database for security issues. We also have PFCLForensics to do live response and forensic analysis of a database that may have been breached, and PFCLATK, which is a toolkit of PL/SQL that can provide policy-based auditing in the database, not just limited to the Oracle audit trails. We are working on more products that will be released this year.

Version 2025 of PFCLScan was released in February this year and we are working on version 2026 now.

So, we have three streams in PeteFinnigan.com Limited. The first is the software products to help customers secure Oracle. The second is training: we have 10 days of expert training classes on all areas of Oracle security that I occasionally offer from our office in York and also live via video conferencing. The third is any and all aspects of consulting around Oracle security. We cover anything from audits, hardening, designing secure solutions, Oracle cost options, encryption and more. Basically anything related to Oracle security.

One other area I occasionally get involved in is search and web promotion. We have been doing this for years on this website and I have gained a lot of knowledge in this area. We get just less than 10,000 visits per day on average to this website and have around 50k social follows / connections. I developed a tool to do cookie audits when we have a lot of domains. We sell the cookie tool as it is now an App in PFCLScan. I also developed tools to search for broken links and to check technical aspects of websites, and also tools to compare a site page with any number of other pages for all key SEO aspects and text to assess why it ranks at a certain position for a certain key phrase. It does not connect to or scan data from Google. I developed these tools for our own internal use and added them into PFCLScan.

In the last year I have helped 2 or 3 local customers with their own websites and their contents and ranking. I have invested years in web promotion for my own business and it is real world that works for me. I am not a web developer or SEO consultant, BUT I have gained a lot of knowledge in this space, so I am happy to help a small number of companies locally that I know personally and pass on that knowledge. I cannot say who they are as that would not be right, but for two customers in this space I got them from position 7 and 6 to position 1, and they have remained there after more than 6 months as I use common sense and not tricks.

That said, my main focus is of course Oracle security and our software products focused on Oracle security.

Thanks to everyone for being part of my 23-year journey so far.

#oracleace #oracle #security #lockdown #databreach