Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "OS Authentication"] [Next entry: "A new Russian Oracle Security Tool"]

New Oracle Security Book, UKOUG and Finland



I have not posted for a few days as I have been in Helsinki, Finland teaching my class "How to perform a security audit of an Oracle database" and I had not carried my email client and web access in general was not good from either the hotel or the training site. This was a pity as I have a growing list of things to blog about and I could have spent some evening time writing about them.

Finland was great (as usual!), this was my third commercial trip to Finland this year so its been a successful country for me. Next week is the UKOUG conference in Birmingham, UK. I always enjoy the UKOUG yearly conference as its always very well run, lots of great speakers and I always meet a lot of old friends, new people and have some really good chats. I am speaking on Monday 30th at this years UKOUG conference and I am also hosting an Oracle security round table session on December 1st. There are links to both my sessions on my main Oracle Security sites main page.

I received my copy of David Knox's (plus co-authors) new book "Applied Oracle Security" last Saturday, the day before I set off for Finland so i didnt get time to blog about it before I went or time to read it of course. I have had time to flick through it and it looks like an excellent book. Davids earlier 2004 book "Effective Oracle database 10g security by design" was already an excellent book. This new book has been created as a follow on to the first one. Whilst the book has a slightly different focus to what i would write it (the focus is on using product features well) it is well structured and has excellent content. The book is product focused which is fine but my only critisism (some of this is againt the 2004 book and is not against the writing quality in either book) is that not everyone runs EE so not everyone gets features like VPD, not everyone can afford Advanced Security,m Database Vault, Audit Vault or the identity products; for instance.

I have had the discussion about Oracle security features and products a number of times. I often talk to clients and others at conferences for instance and i find that a very small percentage of users of Oracle database software actually use or implement the extra features such as VPD, OLS, TDE, AS, ID, DV or AV to name a few. This is a great shame and the reason is always the same; money and time. Davids books give an excellent overview of how to secure data in the Oracle database using features available from Oracle; this is the way to secure data in an Oracle database; to use the tools available from Oracle. I just wish the tools were part of all versions of the database; well not just "i wish", lots of others say the same to me. Maybe one day some of the cool security features will be part of standard edition as well?