
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


How I Write an Oracle Security Training Course
Writing an Oracle Security Class
I mentioned a couple of weeks ago on social media, and also briefly in a blog post here, that I am writing a new two-day class, "Oracle Database Vault Deep Dive". That is the working name at the moment but I may change it slightly before it is ready to teach in a few weeks' time. I also have not put any details or an outline of the class on the website yet, as I would like to make sure that the flow doesn't change at all before that is published.

We have 8 days of expert training covering areas of Oracle security: how to do an Oracle security audit, secure coding in PL/SQL, GDPR, an appreciation of Oracle security, Oracle forensics and hardening an Oracle database. With this new Database Vault class we will have ten days of training. These classes can be combined as one-day, two-day and three-day sessions; we have even done five-day sessions, both here in our offices in York and on site at customers.

I am currently writing the new two-day Database Vault class, and I thought it would be nice to talk about how I write a new class, as I have never done that before here in the blog, and I have written a lot of training material and indeed presentations over the 19 years of my company.

Writing a new class is a massive undertaking and takes a lot of effort: planning and writing the class materials, and also the demos and the demo system. At each class the students get expert tuition, a copy of the slides as a set of PDFs, a copy of the scripts to build the test data used, a copy of all the tools I use (written in PL/SQL and SQL) and also a copy of all of the demo scripts.

Each class uses a demo system (an Oracle database) and a couple of sample web-based applications. I use three virtual machines to teach, as well as SQL*Plus access from the host computer. I have built a new 21c database to use as the host of this class, as well as two VMs that run Apache, PHP and OCI. I use a back-office application with sample data that represents, at a high level, a typical business system with customers, shipping, suppliers, card details etc. This system was described in my post BOF: A Sample Application For Testing Oracle Security; the PHP is generated with a PL/SQL script that reads the data definitions from the database, and this PHP can then be deployed to the web server. The other application represents a company website and is used to demonstrate the abuse and hacking of back-office data from the public-facing website.

Each class is built around me teaching using the slides as a pointer, but with me discussing in detail what's going on. So if you attend the class you get much more than just the slides, as I don't read them out; I talk around them in much more detail. I also build the classes around a lot of demos; in the case of this new DV class there will be 80 - 90 demos, and each is a self-contained, re-runnable script. The students get the scripts to create the sample data and also the demo scripts, so that they can easily re-run them and see how things work in detail and at their own pace.

Writing a class like this new two-day Database Vault class is a massive undertaking and needs a lot of planning and writing to make sure it flows and tells a story. To create this class I take the following steps:

  • First create an outline of the class at a high level; chapters and very high level bullet points that cover the flow

  • Create a timing Excel spreadsheet to map out each lesson: the number of slides, the boiler plate, the hidden slides and the number of demos. I use this spreadsheet to make sure everything will fit properly in the end. I work on 1.5 minutes a slide and estimate (test) the demos to see how many slides' worth of time they take up. I allow time for breaks and lunch and also questions. The class runs from 9 to 5, or the equivalent in whatever time zone I am teaching in, and I plan for 6 hours of slides and demos a day. This works.

  • Create a test database, applications, virtual web servers, and the SQL and PL/SQL scripts to populate the sample data needed for the demos

  • Then create outline slide decks for each lesson. I usually do 8 or 9 lessons whether the class is one day or two days, and they are not of equal size. I add the boiler plate, sections, the open and close of each class, and blank slides for the first cut of the layout; this always changes as it is fleshed out.

  • Plan the flow of the high-level demos that underpin the class on a separate plan and decide where they then fit in the whole layout; don't write them yet

  • Take a first stab at the slides: flesh out the slides that can be written immediately in MS PowerPoint and add text notes to some slides to start to create the flow. Start to identify the demos that are needed

  • Once I have about 40% of the slides started in this way, I print out all the slide decks and revert to pen and ink. I now go through the whole class and mark up every slide that stays, with detailed pointers on what is going to be in each slide, and also identify every demo and list these in a separate plan with notes on what each demo will do. Each demo also has an estimate of how much time to allow for it. This fleshes out the whole class

  • Now go through and count all the slides, the boiler plate and the total time per lesson including each demo, update the Excel timing sheet, and make sure all the slides and demos fit

  • Review the flow of the slides and demos and make sure it works

  • At this point the slides can be filled in quite quickly from the notes and mark up

  • Finally complete all the demo scripts

  • Test and go through everything


Thanks for listening. I hope my workflow and method of writing a complex and detailed training class helps someone else.

If you would like to book your place on my new Oracle Database Vault class, or indeed any of my classes, then please email me on pete at petefinnigan dot com or send me a DM on any of our social media channels. We will have a public class in early March and we can do private classes for anyone. Just ask.