Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle Security And Merry Xmas And A Happy New Year

I want to wish all readers of my site and this blog a very happy Christmas and a very prosperous New Year!!

It has been some time since my last blog post; that's because we have been incredibly busy on various Oracle Security consulting projects and delivering a lot of Oracle Security training classes both with Oracle University and also with private clients. We have also been busy with PFCLScan ( our Security scanner for the Oracle database and PFCLObfuscate ( our tool to protect your PL/SQL both in terms of updates and new features to both software and also supporting existing customers. This year has been our best yet in almost 14 years of trading so thanks to all our existing customers and new ones for making it so.

I tend to be on Social Media a little more than blogging nowadays so please feel free to either follow or link to me on Linked in or Facebook or Twitter. I am always happy to connect.

We will be adding Youtube to the mix in the new year as I have added a new channel and plan to add some small videos about Oracle security. Again please follow and we will add content.

In the last year I have conducted 3 days of Oracle Security Training here in York very successfully for the third time so we plan to hold a new 3 day Oracle Security training event here in York (Most likely at the Holiday Inn, Tadcaster Road or the Park Inn in the city Center) early in the new year. This will be a combination of our two day class "How to perform a security audit of an Oracle database" and the one day class "Secure and Lock down Oracle". The date is likely to be late February or early March but I will let you know when it agreed. If anyone is interested to come to York for the three days Oracle Security training then please email me via our contact page.

I mentioned not having much time to blog recently BUT that does not stop me making a list of blog topics to talk about here (all related to Oracle Security of course). I have a list of over 100 topics to discuss and in the next year I hope to cover some of them. As Oracle 12.2 is now available via the Oracle Cloud then I also plan to cover some new security topics for Oracle 12cR2.

IN the next year I also plan to increase my training offerings with two new classes; the first a one day class on Oracle forensics and incident response and the second a one day class - Oracle Security in the cloud.

I have three one day LVC (on-line) Oracle Security classes arranged with Oracle University for early next year; I will add links for those classes when I have the details from Oracle.

I have also just agreed / signed a reseller contract for a company to be a reseller in North America and Canada; More details after the New Year!

I was also recently at the UKOUG conference in Birmingham and this was a great event. I chaired an Oracle Security round table session that was well attended and had some great discussions and on the last day I gave a presentation about Database Vault and what to do if you do not have it or cannot install it as maybe you use SE/SE1 or SE2. I will upload the slides to my site in the new year.

Speaking of my website; this website; it has been up and running in mostly the same guise since 2001 when I first created as my personal website. It then grew with pages and articles about Oracle Security and then in 2003 became my company website. My site did exist as a home page on for more than one year before 2001 but I don't know now exactly when that was now or exactly what I had on it. I created my site with hand coded HTML and used Greymatter as the blog platform in late 2004 after hand coding my first blog pages in early 2004 and before that publishing articles since 2001 - all on the subject of Oracle security of course. The trademark element of my site (besides the content) is the picture of me sat in front of a stack of my computers. This picture was taken in probably late 2002 (possibly early 2003). This has been on the front page of the site since then. Earlier this year after a lot of advice from people that the site should really look like a company site as that is what it is really instead of a hobby, I decided to get it re-designed. I did a first draft myself but decided to get it done professionally and also to include a responsive style / functionality to take it into the modern era. So I had the home page, blog page and content pages styled in HTML 5 and also CSS. I then took that and split it myself into header, footer, navigation, masthead, log etc. A first draft of the home page now exists but I am not going to link to it here as it will eventually cause a duplicate content issue with Google when the true home page goes live. The new style incorporates my photo on the old home page as a caricature in the new logo. Soon after xmas I will make the home page live and then the main content pages and then the blog. It will be harder to retrofit the new style and indeed I may even ditch Greymatter and use my own hand coded blog - I am not certain about that yet. Anyway a new site is coming in 2017, watch out!!

Another major area of development in the last half of 2016 has been to take an earlier version of my audit trail toolkit that I give away for free in my Audit trail Oracle Security class and indeed this class is based around this toolkit. The toolkits aim is to provide a simple way for people to enable database auditing in the database at a policy and event level with everything enabled automatically simply by choosing policies. This also includes centralised audit and checksums of the audit trails. The idea is to audit use of the database engine; access, privileges,. error, attack and more. Most people not doing this now. It includes alerts and also reports and soon will also include a dashboard and admin screen. I plan to do a detailed blog about this toolkit very soon. At that time I will ask if anyone is interested to test the toolkit but if you want to let me know now that you are interested that's fine. The toolkit is called PFCLATK - see the pattern!

PFCLScan ( has also been updated recently to add a lot more new checks and there will be another new release soon with another new set of checks - watch out - and if you are interested in checking your database for database then talk to us about buying a PFCLScan license. The engagement license is for just £110 + VAT and runs for 30 days and within that time you can scan as many of your databases as necessary - There is literally no risk in trying it for 30 days and learning about your database security.

PFCLObfuscate ( our tool to protect your PL/SQL will also be updated to version 3.0 in 2017. This new release will include tools to make the obfuscation process easier in terms of helping you define the public interfaces to your code; it will add a project manager to help obfuscate multiple source code in different ways; hard ware locking and more. Watch out for version 3.0 in 2017 but if you are interested in protecting your PL/SQL talk to us now for a demo. The license for PFCLObfuscate includes support and all major and minor updates.