3200 Clever hackers are in my PC; wow!!

Hackers are clever people; they must be to hack other people and take over their private data and steal identities and money. I have to draw the limit at the number of hackers who claim to be in my PC....[Read More]

Posted by Pete On 19/05/19 At 10:08 PM

Integrigy at COLLABORATE 19 – Oracle E-Business Suite Security, Database Security, PeopleSoft Security

Heading to COLLABORATE 19? For the 12th consecutive year, Integrigy will be presenting on Oracle E-Business security, Oracle Database security, and PeopleSoft security. If you will be attending, be sure to schedule in one or more of our presentations.

Oracle E-Business Suite Security

Top 10 Oracle E-Business Suite Security Risks Tuesday April 9 - 10:30 AM-11:30 AM - GH 4th FL Republic C

How to Close the Window between Oracle CPU Security Release and Deployment (more...)

DBID Is Not Definitive When Used As An Identifier

Our Audit Trail toolkit PFCLATK has some brief documentation on the page that's linked here but in summary it is a comprehensive toolkit that allows quick and easy deployment of an audit trail into a customer's database. We are currently....[Read More]

Posted by Pete On 12/03/19 At 09:20 PM

Hardening and Securing The Oracle Database Training in London

I posted last week that I will teach my two day class "How to Perform a Security Audit of an Oracle Database" with Oracle University in London on the 29th and 30th April 2019. We have now added....[Read More]

Posted by Pete On 11/03/19 At 11:52 AM

Stop The DBA Reading Data in Subtle Ways

The Problem: Dan asked me a question about whether the DBA can be stopped from accessing views such as V$SQL or V$SQL_BIND_CAPTURE with Database Vault because these views can be used to read data from the SGA. I have covered....[Read More]

Posted by Pete On 08/03/19 At 03:41 PM

Oracle Security Training in London with Oracle University

I have just agreed some training dates with Oracle University in London and I will be teaching my very popular two day class How to Perform a security audit of an Oracle database on the 29th and 30th April 2019....[Read More]

Posted by Pete On 07/03/19 At 12:15 PM

Oracle Security Blog Posts

I teach many training classes on Oracle security to lots of students worldwide both on-site and on-line and one area I often cover quite briefly is where can you find more information or keep up to date on Oracle security....[Read More]

Posted by Pete On 23/12/18 At 05:53 PM

Virtual Patching or Good Security Design instead?

I got an email from someone recently who asked me about virtual patching for Oracle as they were running an out of date version of Oracle and were thinking that virtual patching may be a good solution to make their database....[Read More]

Posted by Pete On 19/12/18 At 01:32 PM

DOAG conference: Best of Oracle Security – older presentations (2013-2017)

Here is a list of older „Best-of“-presentations:

Best of Oracle Security 2017

Best of Oracle Security 2016

Best of Oracle Security 2015

Best of Oracle Security 2014

Best of Oracle Security 2013

DOAG 2018: Best of Oracle Security 2018

Last week I gave my yearly presentation “Best of Oracle Security 2018” at the DOAG 2018 conference in Nürnberg. In this presentation I talked about different Oracle exploits, a vulnerability in livesql.oracle.com, DNS data exfiltration in Oracle and how to audit SYSDBA connections in Oracle.

Additionally I talked about the German DSGVO (GDPR): “How is the DSGVO being implemented, and what gaps/lies are there?”

Oracle Privilege Analysis Now Free in EE from 18c and back ported to all 12c

Wow!! I just got an email from someone in Oracle to let me know that the Privilege Analysis feature of Database Vault has had its licensing changed from this week to now be free as part of an Enterprise Edition....[Read More]

Posted by Pete On 20/11/18 At 10:06 PM

Oracle Critical Patch Update July 2018 Oracle PeopleSoft Analysis and Impact

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk for PeopleSoft applications.  Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.

For this quarter, there are 15 security vulnerability patches in PeopleSoft applications and PeopleTools:

10 - PeopleTools

2 - PeopleSoft Financials

2 - (more...)

Oracle Critical Patch Update July 2018 Oracle E-Business Suite Analysis and Impact

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk. 51 of the past 55 quarterly patches are significant and high-risk as they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the web application of Oracle E-Business Suite. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk (more...)

CVE-2017-10151 Oracle Identity Manager Vulnerability

Oracle has released an out-of-cycle security advisory (CVE-2017-10151) for a vulnerability affecting Oracle Identity Manager.  This vulnerability has a CVSS 3.0 base score of 10 out of 10.  Oracle Identity Manager is the identity governance component within the Oracle Identity Management solution.  All supported versions of Identity Manager are impacted from 11.1.1.7 to 12.2.1.3.0.  Most likely 11.1.1.1 through (more...)

Oracle Critical Patch Update October 2017 Oracle E-Business Suite Analysis and Impact

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the October 2017 quarterly patch is significant and high-risk. 47 of the past 52 quarterly patches are significant and high-risk as they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the web application of Oracle E-Business Suite. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk (more...)

Integrigy at Oracle Open World 2017

Integrigy will be presenting again this year on database security at Oracle Open World 2017 (San Francisco, October 1-5).  If you will be attending Open World, please join us for this informative session on database security.

The Thrifty DBA Does Database Security

Sunday, Oct 01, 10:45 a.m. - 11:30 a.m. | Moscone South - Room 159

Stephen Kost, Founder and CTO, Integrigy Corporation

Properly securing an Oracle Database requires significant effort and (more...)

SCAP OVAL SQL57_TEST Example For Oracle E-Business Suite

Last week I posted a blog introducing SCAP and OVAL. Here is a quick follow-up with a link to a sql57_test example using the Oracle E-Business Suite - it will suffice for any Oracle database.

A great book to read first on SCAP titled ‘Security Automation Essentials’ for $15 on Amazon is a must read:  https://www.amazon.com/Security-Automation-Essentials-Streamlined-Communication/dp/0071772510. I would highly recommend this book to anyone interested in SCAP and much thanks to Witte, Cook, Kerr and Shaffer (more...)

STIGS, SCAP, OVAL, Oracle Databases and ERP Security

Last week’s unprecedented ransomware cyber attacks (http://preview.tinyurl.com/lhjfjgk) caught me working through some research on security automation. The cyber attacks evidently were attributed to an unpatched Windows XP vulnerability. When challenged with securing 1,000s of assets such as all the Windows desktops and Linux servers in an organization, automation quickly becomes a requirement.

Automation is increasingly coming up in our client conversations about how to secure the technology ‘stack’ supporting large ERP (more...)

Oracle E-Business Suite APPS_NE Security Risks

The most recent version of the Oracle E-Business Suite, Release 12.2, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or (more...)

Recommended Approach for Oracle E-Business Suite 12.2 Mobile and Web Services Security

This is the eleventh and final posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Deploying Internet-based Oracle E-Business Suite web services requires proper configuration of the URL Firewall, both the url_fw.conf and url_fw_ws.conf and the use of a WAF – ideally the Oracle API Gateway. This recommendation applies equally to all whose only use of web services is (more...)