
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle Security Blog is 20 Years Old

I was just made aware by a friend that my Oracle security blog was 20 years old just recently.

As it's a big anniversary I think it's worth a blog post to celebrate.

The blog started on the 20th of September 2004, so just slightly over 20 years ago. It was at the time, as you can see from the first comment, the only blog specifically dedicated to Oracle security, and whilst a very small number of other blogs on Oracle Security have come and gone over the years, mine is still going, still regularly updated with new posts added, and almost ... 100% on the subject of Oracle security.

I have created 1580 posts including this one. I used some old blog software, Greymatter, written by Noah Grey in Perl, and for a time I was involved in the updates and added a few enhancements that I fed back to the community and some that remained private as the community left. The blog software is now not used 100% and I create posts by hand, and none of the dynamic elements like comments and votes etc. work, as I have not just turned them off but removed the code to prevent any type of attack. So the site is not dynamic.

I do plan to move the blog to a new engine that I will create myself BUT it will be on the PC. I created a piece of software I called PFCLSocial some time ago to manage new blog posts as a sort of writing area and storage for half written posts. I will probably build the blog generation into PFCLSocial at some point where it will generate and update pages and all that's needed is to sftp the pages to the site.

When I started the blog I was talking about the Oracle 9i database, and we saw 10g start to be more of a security target and subsequently 11g and the new password algorithm for the time, which was based on SHA1. Then more than 10 years ago 12c and multitenant came out, and 12.1.0.2 came with the new SHA2 password algorithm and a whole host of changes for CDB/PDB databases. In more recent times we have welcomed 23 in the blog and probably the biggest number of security changes in the database for many years.

At the time of the creation of my blog there were no quarterly security patches for Oracle databases and we still had alerts culminating in Alert 68 which was the massive one. The password algorithm (the DES one) was not known, the wrap mechanism was not known, Database Vault, Unified Audit and database firewalls were not known and much more. My Oracle security blog has been there through most of the story of Oracle database security.

I had posts about oradebug and BBED, I was talking about forensics in the database 18 years ago, and I was around for the start of SQL Injection when I wrote a 3 part paper on SQL Injection for a site called Security Focus. There were the Oracle worms, there were fuzzers. There was the rise and fall of many products from third parties in the space, particularly around activity monitoring, intrusion detection, intrusion prevention and even virtual patching.

The security of the Oracle database and the data held in it has changed over the years but the core remains pretty stable.

I just looked back at some of the other birthdays I recorded in this blog. For the first birthday in 2005 I noted that I was getting around 10,000 visits a month, 64,000 visits a month on the 10th birthday of the blog in 2025, and now we get between 200,000 and 220,000 visits a month, so it's improving. More on the website stuff soon!!

Have a look at the blog archives linked on the right of every page and also some choice posts are promoted in our social channels from time to time.

#oracleace #sym_42 #oracle #security #20 #birthday #blog