Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "SQL*Plus Error Logging - SPERRORLOG Table"] [Next entry: "UKOUG 2023 - Using Database Vault in Real Life"]

UKOUG Conference 2023 - Reading - Two Oracle Security Talks

Today the 15th November 2023 is the first day of the UKOUG annual conference this year held in Reading at Oracles office. The event is two days continuing into tomorrow. The event agenda is here.

I am going to be speaking twice tomorrow; My first talk is Oracle Database Vault in the real world and my second is Protect your database with SQL Firewall in 23c

The Database Vault talk is pitched at how and when DV should be used with some ideas on some elements of this. I first talk about securing Oracle and the main steps needed; then look at what we can do for free and then look at the main features of DV. I then hack my database without DV, with DV "Out of the Box" OOTB, then with a realm around the main components of the application. We look at the effects of DV on these hack attempts and then also look at adding a mandatory realm around my applications main components. We also look at example command rules and compare to a trigger based version. The thrust of the story is that DV is a great product BUT it should be used on a database that already has security enabled and it should not be duct tape on an existing non-secured database. Also DV should itself be secured and its implementation be designed not OOTB or random.

The SQL Firewall in 23c is the subject of my second talk. I cover the set up of sample data, a connect users and a SQL Firewall admin user. Then I walk through the set up and teaching of the SQL Firewall so that it knows what to block. We also then set up the allow list and then go on and demonstrate its use with normal business use and also use of no authorised SQL and PL/SQL. We also hack the application with SQL Injection. We go on to then test further features of the SQL Firewall and finalise. This is a talk with a lot of demos being run. I do the setup, learning and hacking live.

I will post both sets of slides next week.

Hope to see you in Reading in person at my talk

#oracleace #oracle #database #security #sql #firewall #databasevault #dv #23c