Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

SQL Injection Exploitation techniques

March 23rd, 2009 by Pete

Sumit Siddharth has posted a link to the slides for his recent presentation at OWASP AU 2009. The presentation is called "Recent advancements in SQL Injection exploitation techniques". His blog NotSoSecure is also interesting and worth a read as he often talks about database security and SQL Injection. Sumit is also the author of the tool Blind Sql Injection Brute Forcer version 2 - bsqlbf-v2 which has recently been updated, there is a link to the download in the blog or you can get it from code.google.com

Presentation on using VPD in the real world available

March 20th, 2009 by Pete

I was down at the UKOUG DBMS SIG in Slough on Tuesday to speak at the event on the subject of using VPD in the real world. The presentation slides are available, as usual as a pdf of one slide per page and also as a pdf of 6 slides per page to help anyone with slow download speeds. The files are identified with sizes. You can find these on my Oracle Security White Papers page.

The day was eventful as I caught two trains booked well in advance to get cheaper tickects and just my luck the morning train was cancelled as was the evening one. In both cases it turned out OK, in the morning I actually was allowed on the much faster (read expensive tickets) train before and in the evening i had to catch a train ten minutes later so not too bad. It was a nice day for meeting people, Paul spoke to me on the phone as I drove to the station for the train to ask a question about my presentation, which lead him, Jonathan Lewis and myself to discuss privileges around VPD on the walk back to Slough train station. I have made some notes around this and its a good enough subject for a detailed post here so watch out for that in the next day or so.

The talk went well, i had some good discussions with some of the people attending afterwards. The focus of the talk is not on the nitty gritty of using or coding with VPD (Virtual Private Database) but the focus is around the issues of using an additional security feature such as VPD with an application and Oracle. There is a tendancy for people to look at products like VPD and implement and go without any thought around the fact that you must also secure VPD, you must design your VPD implementation to ensure that it cannot be compromised or bypassed. The focus of the talk was around these issues. I also had a simple demo that is contained in one script called vpd2.sql which is also available from my scripts page.

IOUG Critical Patch Update Survey Results Are Out

March 2nd, 2009 by Pete

I got an email last week from the IOUG to indicate that the long awaited results from the survey last year on CPU's are out. I promoted the survey a couple of times last year when it still had some time to run.

I am not going to go into detail on the results as they are contained in a 10 page pdf that you can download yourselves. Simply go to this link on the IOUG site and download the pdf from the link there.

It is interesting that the survey matches the discussions I have quite often with clients, people at conferences, SIG's and almost where-ever I go. People are always wanting views on CPU applications - or not! - the application that is. I always say two things. 1) CPU's are only part of the problem of securing an Oracle database - that is to be secure you cannot just apply a CPU, you must do all of the other work to secure the database, configuration, privileges, access, audit.... much, much more and 2) at the end of the day; taking out all of the issues, you can either apply a CPU or not, its simple. Well its simple to say but in practice, psycologically, reallity, its often hard to do for lots of reasons, mostly availability, performance, downtime, stability... This is one of the key conclusions found by the survey BUT I already new this. I also like the first conclusion and agree with it. If there was a way to make it more formal to apply patches then it would be better for security, but as discussed above it wouldnt secure the database (because security is not just patches) and also it would not fix the perception/reality of stability, availability etc. This is a very complex problem to fix; in part due to the complexity of the Oracle software, the large number of platforms, applications, configuration options....

The survey also showed that 30% of respondents patch within the quarter BUT 70% don't! We have seen a lot of improvement since the first security alerts 8 years ago but we still clearly have a long way to go to get people to patch in the quarter.

Good survey, good comments and conclusion and I think it reflects the reallity that I get to see and also that I am talked to about regularly.

Lets have another annually and lets see if we can get improvements.