Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle's Ellison to take stage at next RSA confab"] [Next entry: "Nice post on an undocumented function - Reverse"]

How not to create user authentication

I saw a post on the LogicaCMG blog - Blogging about Oracle a few days ago and made a note to talk about it here. This post is titled - (broken link) How to create a nice big security leakā€¦ and is interesting to me for two reasons. The first is that the guys decided to try and break their own applications to test their own security. This is great, everyone should start to think about doing these sorts of tests (with permission of course). This shows that people are realising that application and database security is as inmportant as the old bastions of security such as firewalls, virus protection...

The second reason I was interested was because of the problem which these guys found. The code was written to be functional, i..e to perform a function without thinking about how it could be abused. Anyone who writes applications nowadays especially applications connected to the Intranet or Internet and even more especially if they use databases needs to think security first. Why if they use databases? - well because there is now a trend to steal data from databases, whereas the old security issues seemed to center around the fact that some spotty kid in their bedroom would dial up and hack your servers, the world has moved on, data is big business now.