Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle 12cR2 Security - Listener Port"] [Next entry: "O7_DICTIONARY_ACCESSIBILITY and UTL_FILE_DIR in Oracle 12c release 2"]

Oracle Security 12cR2 and Oracle Security Training Dates



I am going to be teaching my two day class "How to perform a security audit of an Oracle database" in Athens, Greece on the 30th and 31st May 2017. This is advertised on Oracle University website and you can register there or contact me and I will put you in touch with the Oracle team on the ground.

I have also just agreed two new dates with Oracle University to teach my one day classes. The first is on the 28th June and is my one day class "Secure and lock down Oracle". This is a great class and we spend a whole day starting with an open default database with two applications, we attack that database and then lock down most aspects of it and finally hack it again at the end of the day to show that we in fact secured the data in it. The second class to be taught on Oracles LVC on the 5th July 2017 is my new one day class "An Appreciation of Oracle Security". This class takes some elements from my other 5 days of Oracle security training plus some new material on subjects such as incident response to an attack in an Oracle database and also forensic analysis of an Oracle database.

I am also teaching my two day class "How to perform a security audit of an Oracle database" in person in Paris on the 13th and 14th of June 2017.

Finally I will be teaching my "How to perform a security audit of an Oracle database" online via the webbed platform on EST timezone (i.e. New York) on the 26th to 27th June and again on PST timezone (i.e. Los Angeles) and finally on London timezone on the 10th to 11th July 2017.

The details for each of these classes are on my public training dates page along with links to my class outlines. To register follow the register links or if in doubt email me and if the class is with us I will take your booking or if with EasyTeam or Oracle University i will be able to direct you to the right people to book your places.

I have spent some of my spare time (not a lot available unfortunately) researching Oracle 12c Release 2 security changes. This research has looked at the big changes announced by Oracle. There is nothing really major like with previous releases but still quite a lot of security related changes. I have also looked at the little details that I have spotted so far that have changed; interestingly as I was not in the Beta some information gleaned from those that were seems to have either been incorrect or has changed. For instance I was told that O7_DICTIONARY_ACCESSIBILITY was removed in 12.2.0.1 but its still there and is in fact only deprecated. Some research has followed removed and deprecated items and some followed the major change of application root containers and other changes in Multitenant in 12cR2 such as the ability now to formally add metadata links and object links. Some things are the same of course; OPS$ is still OPS$; some things are expected such as more new default users and roles. Interestingly when we first tried PFCLScan our database security scanner against a 12cR2 database it worked with no errors and no changes needed (to support 12cR2) but many years of Oracle made me suspect that would be the case; Oracle rarely changes historic interfaces and rarely removes anything critical that would affect applications and tools. We are of course adding new checks to PFCLScan for 12cR2.

In the latest version of PFCLScan we have also just added our first E-Business Suite policy to check some of the Security basics of E-Business Suite. We will also add an Oracle APEX security scan policy soon as well; its in development.

Our company has also just become an Oracle Gold Partner - we have yet to update the logo on our site to Gold but that will be done soon.

I blogged about old course manuals for our training courses a few weeks ago and these were snapped up straight away and despatched across the world. I have now one extra 2015 printed manual for my one day class "Designing Practical Audit Trails" that we returned to me a week or so ago. A printer who prints our manuals for classes it seems sent it to someone else in 2015 just before our class in York and the organisation that it was sent to posted it to me - So this manual is now also available; its pristine condition and I will take £30 GBP + Postage + VAT (if applicable). If anyone is interested then please email me and we will arrange it - obviously first come; first served.

We are also considering to sell the current class materials to people who would like to buy them. They will be higher price than the old ones we sold recently and the 2015 manual mention here. You would get the scripts and tools from the class and paper manuals BUT you would not benefit from actually attending the training and listening to the delivery but we realise that some people may want just the manuals. If you are interested contact me as we will decide whether its worth the effort to set this up based on the interest levels.

We have also now just purchased our first real server as we continue to grow as we have relied on various office level machines and a RAID storage for many years but we have just bit the bullit and bought a real server with multi-CPU, multi hot swappable SFF disks, hot swappable PSU's massive RAM and storage etc. This will fortify our development and testing regimes for PFCLScan and PFCLObfuscate as soon as we get it live. It took two people to lift it into place..:-)

OK, that wraps it up for this post