
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Coding, Languages and Oracle

Borland C and C++ Application Framework

I run a company that specialises in securing data for customers in their Oracle databases but I still love to code in many languages. This can either be for customers' projects or to create tools to use myself in helping customers secure their databases and data or to give away free tools on this site or in assignments or trainings. I still find myself coding almost every day and love to code still.

All of my coding in different languages seems to get more varied over the years but the core focus now is always Oracle and interfacing with Oracle. I program in the following languages now or have done recently or in the distant past:

  • Basic: I started with Basic in the 1980s on various small computers; I didn't particularly like BASIC but it was simple and easy to get on with

  • C: C was my first proper language and I wrote PC based software and also on Unix boxes I used Pro*C and also wrote User Exits in C for Forms 2 or 3. I also wrote code to connect to Oracle using OCI. I have written an enormous amount of C over the years. I have written parsers, data processing, compilers and many many things

  • ASM: I have written in a few assembler languages over the years, starting with some simple things on 6502 and of course Intel x86. I did quite a bit in the early 90s with Intel assembler linking to C where I needed to do things like switch tasks, interrupts, direct graphics access...

  • PL/SQL: My favourite language after C. I have written huge amounts of PL/SQL and indeed normally write PL/SQL every day. It's a great language to play with in Oracle

  • SQL: As with PL/SQL I tend to use SQL on a daily basis to interact with Oracle and do useful things. Of course I also use SQL*Plus formatting a lot

  • Lua: I use Lua quite a lot as a data processing language and as an integrated script language. This is a fantastic language to use to play with data from Oracle; in my case security data

  • VB.NET: I write in it regularly and it's a fantastic language to create GUI apps and also console programs. It's fast to learn and really easy to get sophisticated programs written. We use third party libraries to access Oracle and also I have used Oracle's VB/Oracle interface in the past

  • JavaScript / HTML / CSS: I write a lot of web content and use JavaScript, HTML of course and CSS for styling. I also use these in an Oracle context to create great HTML based reports and of course in 23c Oracle has integrated JavaScript into the database via MLE

  • Others: I have also used Perl, Java, shell, MFC, Emacs Lisp, DOS/Win batch scripts and other languages over the years

In this post I wanted to briefly highlight some of the languages I use now and have used in the past and also highlight how many can be used with Oracle databases either directly or indirectly to process data. We are lucky with Oracle as we can use lots of different tools, toolkits, languages to connect to and process data in Oracle.

What has all of this got to do with Oracle security? Well, for me it's all valid and relevant as I am working in the field of securing data in Oracle databases and I use these languages in my day job all of the time.

I am also interested in the security of programs that are used to connect to and process data in an Oracle database such as PL/SQL programs. We need to secure these in the database to prevent loss of IPR or someone running them when they are not supposed to or to make sure that deployed PL/SQL does not become the security problem that would allow someone to exploit the database. We do these things by obfuscating and protecting the PL/SQL and also by code review and secure coding techniques to help prevent the PL/SQL from being a vulnerability.

Of course I have also been interested in parsing PL/SQL and have written PL/SQL lexers and parsers in C and also in PL/SQL. I have also written unwrappers in C and PL/SQL for unwrapping PL/SQL.

There is more to code than just solving a business problem; we must protect our IPR, secure our code against theft and also secure our database and code so that it cannot be exploited so that the code doesn't become the attack vector.

The picture at the top of this post is the first proper C compiler I bought for DOS and Windows back in around 1992 just after it came out. It included a TUI framework for DOS and OWL for Windows but I had already written my own at that point.

#oracleace #23c #oracle #security #securecode #securecoding #plsql #lua #c #databreach #obfuscate