Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "ACCESSIBLE BY Clause in PL/SQL"] [Next entry: "Investigate an Oracle Database Breach"]

Happy New Year for 2024

It has been a while since my last blog on the 29th December on the ACCESSIBLEBY Clause in PL/SQL .

We had a well earned break after the New Year and myself, my wife and my youngest son visited New York City for 5 nights for my wifes 50th birthday and managed to walk over 40 miles whilst we were there. We saw all of the main sites including the Statue of Liberty, the Chrysler Building, Went up The Empire State, walked the Brooklyn Bridge, Central Park, the modern art gallery, the National gallery, Staten Island, Times Square, The Dakota Building, The flat Iron Building, the 911 memorial and site of the twin Towers, the new World Trade center, The Intrepid Museum and many more. It was a great break from Oracle Security and nice to take a proper holiday even though it was hard on my feet to walk such a distance!!

For quite some time I have managed to blog about Oracle Security once or sometimes twice a week. The good news is that the posting schedule up to the New Year will continue into 2024. So expect more technical blog posts every week and some more higher level posts throughout the next year.

We are working in many areas all related to Oracle security and these influence what I want to write about here. We have a custom application that we have created to manage future blog posts for the future. This just allows me to write and start many posts and add to them as time allows. We have over 170 posts currently part written, complete or just titles and some research n this small custom application. It's not supporting direct posts to the blog but it could and has some of that functionality built in already so we could post from it in the future.

We have a lot of things Oracle Security wise going on in the last months and also coming up in the New Year. I cannot talk about specific client details but these pieces of work can certainly inspire some blog posts that discuss the generics of things I have done and seen that could be useful to others. Here are some examples that I will discuss very soon:

  • Oracle Database Breach: I was asked to investigate a breach of an Oracle database via a web site that turned into a very large loss of data for the client. They wanted to know how the attacker got in and what they stole and what needed to be done to prevent another attack. I cannot discuss any specifics but I will discuss in a new blog post the overall process of investigating a data breach of an Oracle database. Watch out for that soon

  • Protect the PL/SQL in an Apex Application : I helped a customer protect their PL/SQL code in an Apex application. I will not of course go into any details of the customer system and code but I will highlight here in a new blog post the process we went through and what to do and what to look out for

  • Review an organisations Oracle databases and security policy: Before Christmas we reviewed the data security currently in place on a customers site for their Oracle databases and their policies. Again I cannot discuss specifics but I will create a blog post soon that will discuss the overall process to review the Oracle data security across an organisations Oracle database estate

  • Adding customisation to PL/SQL: I spoke here some time ago about writing assemblers, compliers, interpreters and more in PL/SQL in a post titled "Adding Scripting Languages to PL/SQL Applications - Part 1" and I do plan to return to that blog series very soon as I have done quite a bit of work on it. Someone contacted me because of that post about the idea of adding customisation to PL/SQL but not in PL/SQL. This is exactly what I intended to do with this series of blogs on compilers etc. The reason to not customise in PL/SQL such as you would in essence in an Apex application is to provide a much simpler interface for an end user where their are perhaps some library functions and a vert simple language where the customiser is not necessarily a programmer. Think of games where an end user can extend the game in a language such as Lua. Why not extend in PL/SQL? - its obvious, if you allow the end user to add PL/SQL to your code its an open SQL or PL/SQL Injection interface

Well that's a flavour of what's coming soon plus a lot more.

Happy New Year for 2024!!!!

#oracleace #sym_42 #oracle #database #security #securecode #plsql #forensics