Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Nov 23rd, 2024, 12:13pm
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Open Oracle security standard
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Open Oracle security standard  (Read 5795 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Open Oracle security standard
« on: Sep 24th, 2005, 11:11pm »
Quote | Modify

Hi everyone,
 
I have just been talking about Mary Ann's comment from Oracle open world that she is working with NIST to see if an acceptable Oracle security standard can be designed / defined.  
 
1 - Is this a good idea? - I think so.  
2 - Has it already been done? - yes the CIS benchmark attempted to do this.  
3 - Should it be done again and defined by the community? - yes i believe so.  
 
I throw it to the floor for comments. Is it a good idea, should it be defined by NIST? - what about the CIS? - I am willing to be involved where ever it is defined. I am also willing to host some effort here if anyone else is interested in joining in.  
 
This site would be a good place to discuss and build an Open Standard for securing Oracle.  
 
I have installed mediawiki here (the link is not open yet) as it would be a good tool to use to develop a standard such as this.
 
what does everyone think?
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Open Oracle security standard
« Reply #1 on: Sep 26th, 2005, 1:42pm »
Quote | Modify

Pete,
 
I think it's a good idea to have an Oracle security standard defined. I would find it extremely useful if you have the option to choose a security standard when installing Oracle. Something like this:
 
Would you like to install Oracle with:
1)very secure definitions  
2)secure definitions
3)normal secure definitions
4)limited secure definitions
 
1 being for (e.g.) Bank's and for everyone who thinks he needs the highest secure definitions. 4 being for play databases.
Now you try to implement security after installing Oracle. An ad-hoc process prone to errors and lacking a 'formal' basis.  
With a standard that you could refer to some document (the Oracle Security standard) to show customers, auditor, boss which threats  you are addressing with your choice.  It would make life so much easier for dba's.
I don't know NIST so I can't comment on their capacity to define such a standard. I've played with the CIS benchmark but found it lacking of argumentation: why do they choose/recommend some actions? no argumentation. If you tell people to do a thing without explaining them why then in my opinion it can't work. It's advices are here and there security-by-obscurity and  the general opinion in security land is that s-b-o doesn't work. Nonetheless there are very good things in the CIS benchmark.
Involvement of the Oracle community is very important. Acceptance of and standard is greater if everyone has the opportunity to be involved in the making of it. Or at least be able  to follow the process , discussions, arguments leading to the standard. If the standard is left to Oracle and the NIST only then I suppose that in short time we will have an American standard, a British standard, a French one, etc.
 
I've no experience with designing standards but would like to collaborate  as much as possible.
 
regards,
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Open Oracle security standard
« Reply #2 on: Sep 26th, 2005, 6:30pm »
Quote | Modify

Hi Ivan,
 
Thanks for your great comments. I had a long discussion also last night with Alex about this. I hope he has time to enumerate some of his ideas here as well.
 
I beleive that an open (open source/creative commons) Oracle security standard is needed by everyone and that for it to be useful and valuable to the community then the community needs to help develop it.
 
The CIS benchmark was mostly created by a small committee so does not have the benefit of community review. Also I am not certain but i think you need to be a member to use it on other peoples databases,
 
I think there are number of levels to an Oracle security standard as you have described. Some users need eminantly more secure databases than others. Also there are a couple of classes of issues, bugs (and patch fixes) and configuration issues (e.g. installation of features and configuration, access controls and privileges etc.
 
What would be useful is a standard based on securing known configuration issues and access control and privikege issues. What I think would not be useful is the constant chasing of new bugs and vulnerabilities (not in the case of a standard) as these inevitably get fixed by a patch.
 
The danger for the rest of us with a NIST/Oracle created standard is that it is closed (in creation) and is designed to suit the wishes of Oracle and NIST not the wishes of the community or maybe NIST would ensure that would be the case.
 
I think an open standard is a great idea though!
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues