
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Meet the experts (Oracle Security) at Oracle Open World - an open standard for securing Oracle

I saw Justin's post titled "Database, Security & Linux : Meet the Experts" and read it with interest, or rather the third paragraph, where Justin talks about Mary Ann's panel discussion. In it someone had raised a point to Mary Ann that various auditors of Oracle have defined different standards for securing Oracle and that this caused this person trouble with external auditors. He (the question raiser) said it would be good for a standard to exist for securing Oracle. Mary Ann said she was working with NIST (National Institute of Standards and Technology) to see if they can come up with something. I could not find anything on the NIST site to suggest that they had got anywhere near to publishing anything, or any evidence of progress.

Why is there a need to do this when the Center for Internet Security has previously done this with the Oracle Security Benchmark? This benchmark, or the first version at least, was closely based on my book "Oracle Security Step-by-Step (Version 2.0)". I was not involved with the CIS Oracle benchmark, but I understood from people who were that Oracle people were on the team.

I think I would agree with Mary Ann that there needs to be a standard for securing Oracle that everyone can work to. I also feel Oracle should be involved, but should not control its contents. As with anything like this, it would be fluid and moving due to the nature of security risks and issues being found day to day. But for core issues I agree it could be fixed. I have some great ideas of what should be included.

If NIST want to involve me then please feel free to contact me. If others think we should have an open standard or community effort not organised by NIST, then I would be happy to be involved in such a team / effort, or even to organise the effort here. I have started a thread on my Oracle security forum to discuss creating an open standard for securing Oracle. I have also installed MediaWiki in anticipation that others might like to join in and create a community standard for securing Oracle. If anyone has any thoughts / interest in this then please voice them initially on the thread above.