On the presentations page you can find the my presentation material from DOAG regional meeting September 2014 in Munich about “Enterprise User Security”.
How do I run procedure x after the user has logged in?This is often required for such tasks as determining user access, such as populating a restricted Application Item relating to a role like F_IS_ADMIN based on the username defined in substitition string APP_USER
Those new to APEX and unfamiliar with certain concepts may consider using an Application Computation, firing "On New Instance (more...)
One of the often given advices on hardening a database is to run scripts without broadcasting your login data at the same time. According to Arup Nanda in his famous articles on “Project Lockdown” you have three options to run your scripts without letting everybody in on your password secrets:
- Start your scripts under /nolog and add your login to the SQL-script your running
- Start SQL*Plus under /nolog and add the login at the beginning (more...)
The Fusion Middleware 12.1.3 platform contains the ESS or Enterprise Scheduler Service. This service can be used as an asynchronous, schedule based job orchestrator. It can execute jobs that are Operating System jobs, Java calls (local Java or EJB), PL/SQL calls, and Web Service calls (synchronous, asynchronous and one-way) including SOA composite, Service Bus and ADF BC web services.
Jobs and schedules can be defined from client applications through a Java API or (more...)
The UTL_FILE database package is used to read from and write to operating system directories and files. By default, PUBLIC is granted execute permission on UTL_FILE. Therefore, any database account may read from and write to files in the directories specified in the UTL_FILE_DIR database initialization parameter [...] Security considerations with UTL_FILE can be mitigated by removing all directories from UTL_FILE_DIR and using the Directory functionality instead.
- Enterprise Manager 12c (EM) installed and agents rolled out to database servers
- Access to EM offered to development teams with the primary purpose of allowing them to investigate application related database performance issues
The EM documentation covers a selection of privileges you might want to grant to users in database targets in order to allow them to be used for accessing EM functionality. The privileges mentioned are:
- SELECT ANY DICTIONARY
- CREATE SESSION
- EXECUTE on (more...)
There are a lot of security admins out there that are going to hate me for this post. There are a lot of system administrators, developers, and users, however, that will LOVE me for this post. The code I'm about to share with you will keep the logged in PeopleSoft user's session active as long as the user has a browser window open that points to a PeopleSoft instance. Why would you do this? I (more...)
I was recently reading a blog entry by Dominic Brooks regarding auditing and I was intrigued by the line referring to the audit_trail parameter being set to DB, EXTENDED
Behaves the same as AUDIT_TRAIL=DB, but also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available.
Nothing wrong with that and straight from the manual but I was surprised that they were CLOBS. However on looking at them they (more...)
I wrote about the Code Based Access Control (CBAC) stuff in Oracle Database 12c a while back.
- Code Based Access Control (CBAC) : Granting Roles to PL/SQL Program Units in Oracle Database 12 Release 1 (12.1)
I’ve recently “completed the set” by looking at the INHERIT PRIVILEGES and BEQUEATH CURRENT_USER stuff for PL/SQL code and views respectively.
We’ve just had a leak of 900,000 national identifier numbers here in Denmark. That’s about 16% of the total population, so it’s pretty big. These numbers are unique identifiers for a person (similar to Social Security Numbers) and are a good starting point for identity theft.
Never ascribe to malice that which can adequately be explained by incompetence.
So how did these numbers leak? Through plain incompetence and lack of procedures. It (more...)
On Monday, a U.S. judge gave Microsoft control of 22 domains owned by domain hosting service No-IP.com. Microsoft intended to filter out some domains used by malware, but promptly screwed up. The result was that millions of legitimate users could not access their servers.
This will happen again and again as infrastructure moves to centralized cloud providers. What do you think will happen if the server just above yours in the server rack (more...)
Credit for finding this bug is given to Daniel Ekberg – https://www.linkedin.com/profile/view?id=10435009. He got the official credit given by Oracle Corp for helping out with security related bugs in the January 2014 CPU. He found the bug and had the tenacity to track down and prove that it was a bug and not just a flaw in the logging mechanism where this first was indicated to occur.
Today is the day when (more...)
Database administrators, by the very essence of their job descriptions, are the protectors of their organization’s core data assets. They are tasked with ensuring that key data stores are safeguarded against any type of unauthorized data access. Ensuring that data is protected on a 24 x 7 basis is a complex task. External intrusions and internal employee data thefts combine to make many IT professionals lie awake at night thinking about how they can secure (more...)
The above phase means “who will guard the guards themselves?” and is relevant in many security contexts.
Here in Denmark, we are currently having our own “News of the World” affair. In our case, a contractor at the payment processor handling almost all Danish credit cards was able to automatically send a tip to a journalist whenever a celebrity used his or her credit card. That makes it hard to take an incognito honeymoon (more...)
As long as your link between the applications share the session ID, the solution is simple - set the cookie name the same across your applications.
Shared components -> Authentication Schemes -> Edit current scheme -> Session cookie attributes -> Cookie Name
|Set same cookie (more...)|
The Heartbleed bug has shown that security vulnerabilities can pop up everywhere. Unfortunately, many IT organizations depend on a single security layer to secure their network – and as the ineffectiveness of the Maginot Line proved, that is a risky strategy. You need multiple security layers – what soldiers call Defence in Depth.This illustration is from my weekly Technology That Fits newsletter – sign up here.
I'm currently at IOUG Collaborate 2014 in Las Vegas, and I recently finished my 2-hour deep dive into WebCenter. I collected a bunch of tips & tricks in 5 different areas: metadata, contribution, consumption, security, and integrations:
As usual, a lot of good presentations this year, but the Collaborate Mobile App makes it a bit tough to find them...
Bezzotech will be at booth (more...)
The fun thing about doing the hard yards to code up the algorithm is that you get a deeper level of understanding about what's going on. Take these lines: