Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "IOUG Critical Patch Update Survey Results Are Out"] [Next entry: "SQL Injection Exploitation techniques"]

Presentation on using VPD in the real world available

I was down at the UKOUG DBMS SIG in Slough on Tuesday to speak at the event on the subject of using VPD in the real world. The presentation slides are available, as usual as a pdf of one slide per page and also as a pdf of 6 slides per page to help anyone with slow download speeds. The files are identified with sizes. You can find these on my Oracle Security White Papers page.

The day was eventful as I caught two trains booked well in advance to get cheaper tickects and just my luck the morning train was cancelled as was the evening one. In both cases it turned out OK, in the morning I actually was allowed on the much faster (read expensive tickets) train before and in the evening i had to catch a train ten minutes later so not too bad. It was a nice day for meeting people, Paul spoke to me on the phone as I drove to the station for the train to ask a question about my presentation, which lead him, Jonathan Lewis and myself to discuss privileges around VPD on the walk back to Slough train station. I have made some notes around this and its a good enough subject for a detailed post here so watch out for that in the next day or so.

The talk went well, i had some good discussions with some of the people attending afterwards. The focus of the talk is not on the nitty gritty of using or coding with VPD (Virtual Private Database) but the focus is around the issues of using an additional security feature such as VPD with an application and Oracle. There is a tendancy for people to look at products like VPD and implement and go without any thought around the fact that you must also secure VPD, you must design your VPD implementation to ensure that it cannot be compromised or bypassed. The focus of the talk was around these issues. I also had a simple demo that is contained in one script called vpd2.sql which is also available from my scripts page.