Oracle Security papers
The following list of links aims to bring together a collection of some of the white papers, articles and presentations
out there on the internet about database security and Oracle security in particular. The lists below include papers written
by Pete Finnigan for other websites and for this website and also many papers and presentations written by many other people.
If anyone has any good links or papers about Oracle security in particular that I have not found myself yet, please let me know the
URL and I will add them to the list below. Please email pete@petefinnigan.com.
Oracle Security papers written by Pete Finnigan
The following are papers written by Pete Finnigan for various web sites.
| Paper Title | Description |
|---|---|
| Many ways to become DBA | NEW This is a pdf of the presentation that I made at the recent OUG Scotland conference in Glasgow on October 4th 2005. The paper talks about the problems encountered with the security of an Oracle database. I cover where to find information, what the main problems are, some example exploits and problems. I talk about how to audit the database for issues and also then some ideas on how to secure them. Bear in mind that this is a 45 minute presentation and I have tried to give a feeling for the whole area of Oracle security in the database. |
| Oracle Row Level Security: Part 2 | NEW This is the second part of a two-part paper written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This second part follows on closely from the first and explores how to review which row level security settings have been implemented, how to find out whether row level security has been used, and whether the real SQL with the new predicate can be found. This is done using trace files and dictionary views. Various issues with implementing row level security are discussed, along with suggestions on how to protect the implementation. |
| Oracle Row Level Security: Part 1 | NEW This is the first part of a two-part paper written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper gives a thorough overview of implementing row level security in an Oracle database. An example implementation is shown along with test cases to show how the functionality works. The paper then goes on to discuss some of the issues with row level security and also shows what information relating to a row level security implementation can be extracted from the database by various methods. Various examples are given. |
| Detecting SQL Injection in Oracle | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper shows some of the places within Oracle where information in the form of trace files, audit logs or by looking into the data dictionary can be used to detect SQL injection. It keeps its feet on the ground and explores a good set of ideas to simply show what is logged and stored by the system when an abuse occurs. It gives advice on which are viable methods and which are not. Read this paper to get a good idea of the wealth of information Oracle keeps about what users do. |
| An introduction to simple Oracle auditing | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. It gives a basic overview of Oracle's built-in audit features and then goes straight into some simple examples based around auditing user account access to the database. Pete shows how to use some simple SQL queries to find a number of types of abuse such as attempts to guess usernames and passwords, sharing of database accounts and access at strange times of the day. This paper should be invaluable to any organisation that wants to see real benefits from using Oracle's audit, by showing how basic abuse types can be easily translated into an audit trail and how to check that trail for those abuses. |
| SQL Injection and Oracle - 1 | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. The paper describes the issues of SQL injection against Oracle databases and uses a simple PL/SQL procedure to demonstrate which parts of the technique are possible. The first part of this paper explores the subject and presents examples. |
| SQL Injection and Oracle - 2 | This is the second part of the SQL injection and Oracle paper written by Pete for SecurityFocus and follows on from the first part by showing some techniques to find out what privileges the user being injected from has. The paper goes on to discuss detecting SQL injection and some simple ideas to protect against this type of attack. |
| A simple Oracle security scanner | This paper describes some of the common security issues associated with an Oracle database installation and was written for SecurityFocus. The paper is based around a simple SQL script that checks for a small number of common security issues with Oracle databases. |
| Exploiting and protecting Oracle | This was the major paper I wrote for a previous employer about Oracle security, written with an attacker's viewpoint in mind. I wanted, with this paper, to explore some of the main areas of Oracle and question where there could be security issues. The paper proved very popular. |
| Revealing clear text passwords from the SGA | This is a posting I made to the SecurityFocus pen-test mailing list to describe a situation whereby it is possible, with some default privileges, to dump the library cache, read it using the standard package UTL_FILE and, if any Oracle database users' passwords have changed, read those passwords in clear text. |
| Exploiting and protecting Oracle - The Internet Security Conference Insight Newsletter | This is a newsletter article I wrote for TISC to introduce the paper I wrote for a previous employer. This insight paper details some of the issues in securing an Oracle database. To access the paper go to the link above, search for Pete Finnigan and click on the link. |
| Default password list for Oracle | This is the password list I created for a previous employer. I don't maintain that list anymore. Any list of Oracle default users and passwords is relatively easy to create by searching through the installation directories of Oracle software, the HTML documentation and also various web sites on the Internet. I have additional usernames and passwords that I will make available soon from here. NOTE: This link is unfortunately now dead; a new link to a good list of Oracle default passwords has been added at the end of this page. Search with CTRL-F for "Oracle default password list" in this page. |
| Investigation of default Oracle Accounts | This is the first paper I did for a previous employer listing Oracle default accounts and their known passwords. I included this list in the large Oracle security paper "Exploiting and protecting Oracle" that I wrote. A free login is required for this site. |
Oracle Security checklists
New Section: This section brings together some major Oracle security checklists recently published on the Internet. Both lists are based on the SANS book "Oracle security step-by-step - A survival guide for Oracle security", written by Pete Finnigan and published in January 2003 by the SANS Institute.
The following are major Oracle security checklists
| Paper Title | Description |
|---|---|
| Oracle database security benchmark | NEW This document is produced by the Center for Internet Security and is one document in a series of benchmark documents. Each document aims to provide a minimum standard with which to secure a particular piece of software; in this case it is the Oracle database. The document is based in part on the SANS step-by-step guide on the same subject by Pete Finnigan. A scoring tool is also in development to accompany the benchmark. This document has been updated to version 1.1. If you download just the benchmark you do not get the change history for the document, but if you download the scoring tool the benchmark and change history are included. Quite a few changes have been made to the paper. Also, as indicated, the scoring tool is now available from the same URL. |
| Oracle database checklist | UPDATED 23-Sep-2004 This document has just been updated to version 2.0 to reflect the changes made in the new version 2.0 printing of the SANS Oracle security step-by-step guide. Check out the changes. NEW This document was produced for the S.C.O.R.E initiative on the SANS website. It was written by Pete Finnigan and is based on the SANS book "Oracle security step-by-step". This document is meant as a checklist to be used when auditing an Oracle database installation. It is not a how-to document and doesn't include detailed SQL or operating system commands, but it provides a comprehensive security checklist for Oracle. The paper is available as a MS Word document or PDF file: Word version and PDF version. |
| Oracle Database Management System Security Standard | ADDED 3-Sep-2005 I found this checklist by chance whilst searching for something else. This is a checklist dated 12 March 2003, so it is a couple of years out of date. The contents are not the best I have seen for an Oracle security checklist but are not a bad starting point for someone needing a checklist. The SCORE and CIS lists are much better and much more complete, but don't dismiss a smaller list such as this. It has some mistakes in it and is clearly out of date, but the structure is quite good. |
| Oracle database hardening | ADDED 19-Nov-2005 I found this Oracle security checklist recently whilst searching Google. This is an Oracle-written paper and is quite good as a starting point to secure Oracle. The list is quite good in its scope and coverage. The security items covered are included in other lists and some have been known for some years, but this is a good list and a very good starting point for anyone wanting to secure an Oracle installation. |
Oracle Security papers written by other authors
The following papers and articles on Oracle database security were written by other authors for various web sites. I am including URLs to the papers here to try and bring together the best Oracle security papers available on the Internet into one place.
| Paper Title | Written for | Written by | Description |
|---|---|---|---|
| Protecting Oracle databases | www.appsecinc.com | Aaron Newman | This is a good paper giving an overview of some of the issues and vulnerabilities surrounding Oracle database security. It covers many of the key areas and discusses some ideas for protecting Oracle. |
| Protecting Oracle databases presentation | www.appsecinc.com | Aaron Newman | This is a presentation Aaron has given a few times discussing Oracle security and protecting against vulnerabilities. The presentation is based around the above paper. |
| Hackproofing Oracle Application Server | www.ngssoftware.com | David Litchfield | This is David's excellent paper covering some of the important database server security issues and also including great coverage of Oracle Application Server issues. The paper also includes a very comprehensive default user password list. |
| Hackproofing Oracle | www.oracle.com | Howard Smith | Howard's paper is an excellent start to securing the RDBMS against attacks. The paper describes Oracle's own internal efforts with ethical hacking. |
| Securing Oracle Network Traffic | www.dbspecialists.com | Roger Schrag | Excellent paper covering many aspects of securing Oracle Net8. The paper covers securing the listener to refuse or accept requests from specific IP addresses. Also covered is using ssh (Secure Shell Protocol) to make Net8 more secure, and Roger also talks about optionally tunnelling through firewalls. |
| Oracle's Latest Security Patches May Attract Hackers | www3.gartner.com | John Pescatore | News report about the latest slew of Oracle security alerts. |
| Hackproofing Oracle 9iAS | www.appsecinc.com | Aaron Newman | This paper is a presentation given by Aaron. The paper covers a good overview of 9iAS security issues. |
| Best Practices for Securing Oracle | www.idefense.com | | This is a good overview paper on how to secure Oracle databases. This paper can be downloaded by filling in the form on the above URL; the paper will then be emailed to you. |
| Developing a database security plan | www.oreilly.com | Marlene Theriault, William Heney | This is the sample chapter from the excellent book "Oracle security". This was the first major book on the subject and has only fairly recently been joined by another work by Marlene and Aaron and, more recently, the SANS step-by-step guide. |
| Database Security 101 | | Richard D Newallis, SPRINT | Good Oracle security strategy introduction document describing various threats and levels of protection. Detailed Oracle security is not covered to any depth, as the bulk of the paper could be applied to any database implementation. But this is a very good paper overall. |
| Oracle database Security: Tips and Tricks | DBCORP Information Systems Inc | Simon Pane | These are the presentation notes for an Oracle security talk made for DBCORP. The paper covers a good overview of the basic Oracle security issues and gives a top 10 best practice tips for Oracle security. The paper also covers a multitude of other good Oracle security settings and tips. This presentation can be used as an excellent Oracle security checklist. |
| Hacker Proofing Your database | www.osborne.com | Marlene Theriault, Aaron C Newman | Sample chapter from the book Oracle Security Handbook. |
| An overview of Oracle database security features | www.sans.org | Lorraina Hazel, CNE | Good overview paper of the Oracle security features in the Oracle RDBMS. |
| Oracle Idiosyncrasies | | Yong Huang | Good small articles page including a security issue with the listener. The rest are worth reading as well. |
| Oracle Executables | | Yong Huang | Not really security, but it is useful to have a list in one place of what some of those files are in the bin directory. This list can be useful in deciding what can be secured and / or deleted. |
| Speculation of X$ Table Names | | Yong Huang | Again not really security, but it is useful to have a list in one place of what some of the x$ tables are and what they are used for. |
| Conducting a Security Audit of an Oracle Database | www.sans.org | Egil Andresen | Quite a good overview paper written to describe how to audit an Oracle database. Quite wordy in the beginning describing the technicalities of auditing before getting into some Oracle specifics. Overall covers quite a bit of ground and very well worth the time to read it. |
| Implementing Data Encryption | www.interealm.com | Roby Sherman | Excellent paper covering data encryption within the Oracle database. Covers some of the popular myths surrounding encryption. Also includes some performance tests using encrypted examples. |
| Introduction Oracle database Security | http://cellworks.washington.edu | Scottie Swenson | Reasonable presentation paper on Oracle security. |
| Internet Security With Oracle Row-Level Security | www.interealm.com | Roby Sherman | Excellent paper covering Oracle's Row Level Security, including simple examples. |
| A security checklist for Oracle 9i | www.oracle.com | Rajiv Sinha | Good starter paper on how to secure Oracle 9i from the Oracle security team themselves. You will need a free logon to read this paper; simply go and register on the site. |
| Oracle Security FAQ | www.orafaq.com | Frank Naude | Good range of "how to" facts and snippets. |
| A security checklist for Oracle 9iR2 | www.oracle.com | Unknown | Good starter paper on how to secure Oracle 9iR2 from the Oracle security team themselves. This is an updated version of the paper above. You will need a free logon to read this paper; simply go and register on the site. |
| Implementing Data-Level Monitoring With Oracle Fine-Grained Auditing | www.interealm.com | Roby Sherman | Paper showing good simple examples of fine grained auditing. This paper shows in simple terms how to use this new audit feature. |
| Disassembling the Oracle redo log | www.orafaq.com | Graham Thornton | Excellent paper detailing how to read Oracle redo logs from the trace files. This is a useful paper when contemplating forensics after an intrusion. If audit was not used then this could be one method to find out what has happened. Later versions of Oracle bring LogMiner to help in this area. |
| General Security Controls within Oracle | | Diane Wynne | Very basic review document used as a general checklist for Oracle security issues. More comprehensive lists are available, but this could be used as a basic starting point. |
| Oracle Database Audit Program | www.auditnet.org | Plusnina, Svetlana | Oracle security review checklist. Quite basic in terms of background information but quite useful otherwise. |
| Pal's Linux RDBMS Library | www.palslib.com | | This website contains a list of Oracle security papers and links amongst other things. I think most of the Oracle security links are covered here also, but this good site is worth keeping an eye on for new links. |
| Oracle Security Alert Page | otn.oracle.com | | This is the main page where new security alerts are released by Oracle. It is possible to subscribe to receive news of new alerts as they happen. A free login is required to access this page. |
| Implementing the Database Resource Manager | www.interealm.com | Roby Sherman | This is a detailed paper giving an overview of the resource manager functionality. Whilst not specifically security related this article could be useful in a security context as controlling resources could be used to prevent denial of service attacks. |
| Encryption of data at rest | www.appsecinc.com | Aaron Newman | This is an excellent paper detailing issues with encrypting data held within a database. It also covers quite well issues with hiding the encryption keys. |
| Ensuring 100% security in e-commerce applications | www.dba-village.com | Geert De Paep | This is a presentation given by Geert at the EOUG conference in Copenhagen in 1999. This paper describes how to implement row level security, aka fine grained access control in Oracle 8i. A free login is required for this site. |
| The integration of internets LDAP with Oracle 8i | www.dba-village.com | Danny Gielen | This fine paper discusses the integration of LDAP into Oracle 8iR2. The paper discusses the advantages of using LDAP with Oracle. A free login is required for this site. |
| Changing the apps database password in Applications Release 10.7 | www.dba-village.com | Henk Van't Net | This short paper discusses how to change the apps database password in 10.7. A free login is required for this site. |
| A Major Oracle 9.0.x Security Hole (unbreakable my foot...) | www.interealm.com | Roby Sherman | Short paper describing how the ANSI join syntax bug works in Oracle 9i. |
| Calling Java from PL/SQL | www.unix.org.ua | | Extract from the O'Reilly book "Guide to Oracle 8i Features". This extract shows how to call Java from PL/SQL. This is important to know if you wish to protect your Java-enabled database from misuse! |
| Utilities for Oracle9iAS | otn.oracle.com | | Link to a set of seven utilities provided free of charge from Oracle. The main two of interest from a security perspective are: "Interactive Log File Viewer for Oracle9iAS" and "Infrastructure DB Randomized Password Retriever". The former is a menu-driven tool to look at all of the log files generated by 9iAS, which can be useful from a security perspective; the latter is a tool to retrieve the underlying infrastructure database randomized passwords. I will leave it to you to figure out what that can be used for! |
| Fine-Grained Auditing | otn.oracle.com | | Very short introduction paper on Oracle fine grained audit in the Oracle 9i database daily feature section. A free login is required to access this site. |
| Symbolic Link Inconsistency and Behavioral Change in 9i | www.interealm.com | Roby Sherman | Short paper describing how the symbolic link behaviour has changed in Oracle9i. |
| Securing Oracle 9iAS 1.0.2.x | otn.oracle.com | Stephen Comstock | Superb paper on securing the application server from Oracle themselves. Quite a long and thorough paper. A free login is required to access this paper. |
| Fine Grained Access Control | asktom.oracle.com | Tom Kyte | Excellent paper discussing fine grained access control and giving examples of the row level security PL/SQL package. This paper was part of a series of articles by Tom on the new 8i features. |
| Controlling Database Access | technet.oracle.com | | Online documentation from Oracle explaining how to control access to an Oracle database. |
| Oracle Advanced Security | technet.oracle.com | | Online documentation from Oracle explaining the feature set of Oracle Advanced Security. |
| Database Security in Oracle 8i | technet.oracle.com | | Overview paper describing the major security features in Oracle 8i and how they work. Good paper to read to get an idea of what does what in Oracle, security-wise. |
| Autonomous Transactions | asktom.oracle.com | Tom Kyte | Another paper in the new 8i feature series explaining autonomous transactions. This feature can be particularly useful in auditing based on database triggers. |
| How to become another user in SQL*Plus | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows the very well undocumented feature of the values clause in the alter user syntax to become another database user without knowing that user's password. |
| Creating Virtual Private Databases with Oracle8i - Part 1 | www.oracle.com | Mary Ann Davidson | Good paper from Mary Ann Davidson, who works in Oracle's security division. This is a good overview paper on the new (in 8i) Row Level Security features. Very well written. |
| Creating Virtual Private Databases with Oracle8i: Part 2 | www.oracle.com | Mary Ann Davidson | Second part of the above paper. |
| How to generate random numbers in PL/SQL | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows how to generate random numbers from PL/SQL. It should be noted that there are security concerns with using DBMS_RANDOM as part of any cryptography - See the SANS guide for details. |
| Database - The Final Firewall | www.sans.org | S. Brian Suddeth | Good paper describing the many layers that can be used in "defense in depth" when applied to an Oracle database. The paper goes on to describe many areas of Oracle security and recommend many configurations and settings. |
| Protecting Your Database | www.oracle.com | Kevin Loney | Short paper written for Oracle publishing and detailing 6 tips for securing an Oracle database. Good basic starting point for Oracle security. |
| Virtual Private Databases | chinaunix.net | | Example code showing how to implement VPD within Oracle. Ignore the fact that it tries to load in Chinese; the text of the example is in fact in English. |
| How to store a password | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows how to encrypt a password in the database, or rather hash the username and password. This is for version 8.1.5, and solutions are also suggested for 8.1.6 and after with DBMS_OBFUSCATION_TOOLKIT. |
| DAIS: A Real time data attack isolation system for commercial applications | Department of Information Systems, UMBC, Baltimore | Peng Liu | Excellent paper describing how to detect changes and reads in an Oracle database with a view to detecting hacker access. This is a very technical paper. |
| Securing Databases | www.sans.org | Paul Carmichael | Good overview paper discussing database security. Quite well structured, although trying to be general it is mostly about Oracle. The paper covers a good range of issues. |
| Database Security in High Risk Environments | www.sans.org | Joaquin A. Trinanes | High level paper not restricted to just Oracle discussing how and why to secure databases. |
| Database Driven Oracle Security | www.oracledbaexpert.com | | Basic paper to show how to build security between users and Oracle. |
| Write a simple security audit script for Oracle | www.praetoriate.com | Donald K Burleson | NEW Basic page that gives some small pieces of SQL to check the data dictionary for excessive privileges and privileges granted with the admin option. There are just 4 tips but useful all the same. |
| Oracle database listener security guide: March 2003 | www.integrigy.com | Integrigy | NEW This is a superb paper going through the issues with listener security, with good tips and steps on how to protect and tighten up a listener installation. Excellent paper, one of the better Oracle security papers around. Read it! |
| Expert offers tips on securing Oracle databases | www.searchoracle.com | Robert Westervelt, SearchOracle.com News Writer | NEW This is a news item on SearchOracle that covers an interview with Donald Burleson in which he discusses Oracle security issues and solutions. It is not a bad news item and discusses some of the basic issues. Published 15 July 2003. |
| Oracle Label Security, Part 1: Overview | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the first part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. Jim's set of papers covers the basics, gives an excellent example and flows through a sample implementation successfully. Well worth reading. |
| Oracle Label Security, Part 2: Implementation, page 1 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the second part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 2 page 1. |
| Oracle Label Security, Part 2: Implementation, page 2 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the second part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 2 page 2. |
| Oracle Label Security, Part 3: Administration, page 1 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the third part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 3 page 1. |
| Oracle Label Security, Part 3: Administration, page 2 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the third part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 3 page 2. |
| How to write an Oracle security plan | www.dbasupport.com | Marlene Theriault and William Heney | NEW This paper is based on chapter seven of the O'Reilly Oracle security book. This paper is a very good discussion of how to write an Oracle security plan. |
| Automated Data Encryption Management | www.dbazine.com | Mike Hordila | NEW Excellent recent paper that discusses encryption within the Oracle database and provides a PL/SQL library for encrypting data using an automated solution. Well worth the read! |
| Even pros struggle with Oracle security | www.searchoracle.com | Ellen O'Brien, SearchOracle.com News Editor | NEW Recent news item published on 11 September 2003. This news article talks about the issues of public privileges in Oracle. Mary Ann Davidson, Oracle's security chief, is interviewed in discussion with Aaron Newman. |
| How to connect 2 ... n SSH Tunnels | www.akadia.com | | NEW An excellent short paper showing how to use ssh tunnels to connect SQL*Plus to an Oracle database. Thanks to Jared Still for bringing this one to my attention. |
| Unraveling the sweater - Oracle security part 1 | www.evdbt.com | Tim Gorman | NEW First part of an excellent two part paper examining Oracle and hackers. This was printed in the winter 2003 RMOUG newsletter. This part talks about loopholes and user authentication. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page. |
| Unraveling the sweater - Oracle security part 2 | www.evdbt.com | Tim Gorman | NEW Second part of an excellent two part paper examining Oracle and hackers. This was printed in the spring 2003 RMOUG newsletter. This part talks about the network and the TNS listener. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page. |
| Oracle8i Virtual Private Databases | www.evdbt.com | Tim Gorman | NEW This is a presentation given at the DBA SIG of the UTOUG on 14 February 2001 by Tim. This presentation gives an overview of row level security and comes with a brief example using the scott user. |
| Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | NEW This is Tim's paper providing a road map of the development and use of the Log Miner tool. Whilst this is not a true security paper, it is still useful to the security practitioner, as Log Miner can find a use in the forensics area, particularly when auditing is not enabled. |
| Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | NEW This is Tim's PowerPoint presentation on the same subject as the paper above. |
| Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | NEW This is the presentation and word doc together as a zip file. |
| Oracle 9i Rel 2 - XDB Port Nightmares | www.interealm.com | Roby Sherman | NEW Nice paper showing various methods of changing and removing xdb ports. |
| Oracle password decrypt - Toplink Mapping workbench | www.planet-source-code.com | super_jecht | NEW Short paper posted 26 Jan 2004 to Planet Source Code showing how to encrypt the password that is normally encrypted by the Oracle TopLink Mapping Workbench tool. Even though decryption is not shown, this is easy to implement from this algorithm. See http://otn.oracle.com/products/ias/toplink/datasheet.html for details of the use of this tool. |
| Leveraging Oracle database security with J2EE container managed persistence | http://otn.oracle.com | Matt Piermarini and David C Knox | NEW This recent paper by Oracle, written by David Knox and Matt Piermarini, explores the issues of security when using J2EE application development and Container Managed Persistence (CMP). This model is great for storing and managing data effectively and for creating rapid application development opportunities, but it can also render the database's security features ineffective. This paper explores this issue and in particular shows how to use the CMP model for J2EE whilst still ensuring effective database security. |
| Oracle default password list | www.cirt.net | | NEW This is a very good list of default Oracle users and known passwords. Use this list to audit your database. There is also a list available with the code from the SANS step-by-step book, see here. |
| Oracle Label Security, Part 4: Conclusion | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | NEW This is the fourth and final part of this excellent article series covering the subject of Oracle Label Security (OLS). This set of papers complements and extends the Oracle documentation on the subject of Oracle label security. This final paper talks about using OLS and also about extending the audit trail to cover changes made to the OLS security policies. Jim also covers modifying and removing OLS from your database. |
