
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Getting started with Oracle security



I got an email from Lisa Dobson (http://newbiedba.blogspot.com/) about a week ago, but what with the new baby and all I have not had a lot of time for surfing or writing blog entries. Lisa emailed me about a page on Oracle's website called Getting Started: Security (http://www.oracle.com/technology/getting-started/security.html) to ask my opinion on its content. I had a look and it's not a bad place to start, but it's not complete or well structured. It's also quite clearly based around Oracle's available products rather than getting a newbie started on securing their database.

The first two links start off well by pointing the reader at quite a nice paper titled "Database Security (Common-sense Principles)" by Blake Wiedman. Then the page points the reader at the Oracle database security checklist. Then it gets a bit silly. Encryption is good but TDE is not for beginners; it's also an extra cost option with ASO. Then we get a link to Oracle Label Security; this is again an extra cost option on top of the Enterprise Edition and is also mainly only seen in highly secure environments and governments. Then we get VPD, role based security via application roles and FGA. Whilst these last three are more commonly seen, I would not say that they are common. It's not really a place to start for someone new to Oracle or database security. Whilst the material is useful, it's probably not that useful to a beginner who actually wants to secure an existing database or data.

A better place to start would be to visit some of the common checklists found on my Oracle security white papers page, and the best starter paper I have seen is Arup Nanda's Project Lockdown, which I am amazed is not included in the Oracle security for beginners page. I guess it's more about what a beginner wants to achieve: to secure their data or to learn the Oracle product stack.

Don't dismiss the page, but remember for Oracle security there are also external options to Oracle's page, even if that is links back into Oracle's site such as Project Lockdown.