The Center for Internet Security produced a benchmark document for Oracle some time back that covered 8i and 9i. This was based closely on the SANS Oracle Security Step-by-step guide. The benchmark also inlcuded a scoring tool for Windows, Linux and Solaris.
The CIS Oracle benchmark has just been updated quite a lot. The 8i stuff has been relegated to the original document and this has now been updated to version 1.2. The benchmark scoring tool has also been updated to the same level. CIS has also produced a new document for 9i and 10g - this is versioned at 2.0. The introduction of the 9i/10g document states that it is based on research conducted as part of the 10g program, OTN and various books - it would have been nice to see a list of references - Quite a lot of items are still clearly still derived from the earlier document for instance. The 8i document can confuse though as some stuff in there is still also in the 9i/10g document, that is do not assume that just because an issue is in the 8i paper to ignore it, it can still be relevant in 9i/10g. The 10g scoring tool is due in June 2005 according to the website. The Oracle security benchmarks can be downloaded from the CIS site.
These are both good documents though. I have not had time to read them yet to see what changes have been made since version 1.1. I will read through them both and make further comments here.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "InternetNews.com has a news item about CPU 2"] [Next entry: "CPU 12 April researchers advisories"]
April 2005
- New presentation on advanced SQL Injection - 04/01/2005 by 04/01/2005
- identity theft and database security - 04/02/2005 by 04/02/2005
- Alex Kornbrusts repscan tested and added to oracle security tools page - 04/03/2005 by 04/03/2005
- Pete's audit scripts updated - 04/04/2005 by 04/04/2005
- Amis Blog talks about writable external tables - 04/05/2005 by 04/05/2005
- SearchOracle has an excellent Oracle security links page - 04/06/2005 by 04/06/2005
- Alex Kornbrust has a new paper on google hacking and Oracle - 04/08/2005 by 04/08/2005
- An interesting post by Mark - 04/09/2005 by 04/09/2005
- O'Reilly CodeZoo - 04/11/2005 by 04/11/2005
- CPU April 12 - 2005 is released - 04/12/2005 by 04/12/2005
- InternetNews.com has a news item about CPU 2 - 04/13/2005 by 04/13/2005
- CPU 12 April researchers advisories - 04/14/2005 by 04/14/2005
- Another interesting Oracle-l thread on Oracle security auditing - 04/15/2005 by 04/15/2005
- Another news item about CPU 12 April - 04/16/2005 by 04/16/2005
- Interesting analysis of CPU 12 April - "To patch or not to patch" - 04/17/2005 by 04/17/2005
- Esteban Martínez Fayó releases his security advisories for CPU 12 April - 04/18/2005 by 04/18/2005
- Frank has a good review of a secure coding book - 04/19/2005 by 04/19/2005
- Tom Kyte has started a blog - 04/20/2005 by 04/20/2005
- Frank has a nice document recommendations - 04/22/2005 by 04/22/2005
- Some updated links on my Oracle security papers page - 04/23/2005 by 04/23/2005
- View privileges - 04/25/2005 by 04/25/2005
- A new paper on Oracle database passwords - 04/26/2005 by 04/26/2005
- Mark Coleman talks about Oracle and SOX compliance - 04/27/2005 by 04/27/2005
- Ed also talked about Tom and direct dictionary editing - 04/28/2005 by 04/28/2005
- Mark has a post about Oracle's talks to buy Siebel - 04/29/2005 by 04/29/2005
- Alex has added an Oracle exploits page to his site - 04/30/2005 by 04/30/2005
Archives
Syndication
Powered by gm-rss 2.0.0
