Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "more info on DBMS_SYSTEM.KSDWRT"] [Next entry: "interesting thread on how to secure a third party application"]

Tales of the Oak Table - Dave Ensors comments on Oracle security

I mentioned that I got the new book "Oracle insights - Tales of the Oak Table" published by Apress / Oak Table press (many Oak Table members are authors) recently in this web log. I had read the chapter by Kyle Hailey first as I was interested in the information about direct SGA access that Kyle described. I have since started to read the book from the beginning and have read the introduction and Dave Ensors first chapter on a selective history of Oracle which is excellent. The main focus of the book, it has to be said is performance. There was one more mention about Oracle security (so far) after Dave discussed the 12 rules designed by Codd in the 1980's and related them to Oracle. He then made a comment about what is missing. He said that the 12 rules say nothing about privilege management and enforcement and that this is an area which Oracle has been arguably less successful.

Dave then talks about privileges and security in a one and a bit page section (page 26-27). He talks about the unbreakable campaign and also tells us how version 4 authentication used to work. The passwords were stored in clear text in a table in the SYSTEM tablespace and a weak encryption was used in version 5. Dave gives some good comments and he suggests that VPD doesn't support shared sessions. This is not quite true as secure contexts and proxy accounts and connection pooling can be used effectively with VPD and shared accounts. I suspect Dave meant that it won't work with existing traditional shared account applications. David Knox discussed this is his new Oracle security book published by Oracle press. I will talk about this book soon as well.

Daves made a good point that I have thought about for a long time and never talked about. This is why there is no distinction between users and schemas. Its not intuative. It works as it is but could it be better?

This is an excellent book, so far.