Cyber security is goed, cyber-weerbaarheid (Cyber Resilience) is beter

Accepteer dat je wordt gehackt

Robbrecht van Amerongen

Robbrecht van Amerongen
Business Innovation Manager

Cyber security is een serieuze zaak. De bedreigingen die op ons afkomen beperken zich niet tot het missen van een aantal bestanden, het uitlekken van een adressenlijst of het uit de lucht halen van een website.

Inmiddels vormen IT-systemen een essentiële en serieuze rol in ons dagelijks leven. Het uitvallen of zelfs haperen van deze systemen kan drastische gevolgen hebben in de digitale en (more...)

Using Apex Authorization schemes in PL/SQL

The problem with using APEX authorization schemes in PL/SQL has been addressed several times in blogs and forums, but we occasionally still get questions  on how to solve this:

I have a page where users with admin roles can modify data and other users can only view it. Hiding the button to save the record is easily done with an authorization scheme:


However, now I want my items to be displayed as “Read Only” too. There is (more...)

UKOUG Tech14 slides – Exadata Security Best Practices

I think 2 years is long enough to wait between posts!

Today I delivered a session about Oracle Exadata Database Machine Best Practices and promised to post the slides for it (though no one asked about them :). I’ve also posted them to the Tech14 agenda as well.

Direct download: UKOUG Tech14 Exadata Security slides

Bulk authorizing Oracle Unified Directory (OUD) users by adding them to OUD groups from the Linux/Unix Command Line

When using Oracle Unified Directory (OUD) as an identity store, it is in some occasions needed to add OUD users to OUD groups by hand. When you have to grant privileges to one user, this is easily done through the Oracle Directory Services Manager (ODSM) interface. However doing so for more then one user and more then one group, this might easily turn into a dreadful job. Luckily there are some command line utilities which (more...)

Privilege Analysis mit 12c

Eine kleine persönliche Beichte, die regelmäßige Leser vielleicht nicht allzu sehr überrascht: Performance-Fragen interessieren mich deutlich mehr als solche der Security. Und noch ein Geständnis: ich habe gelegentlich Applikationen ausgeliefert, deren Berechtigungen größer waren als erforderlich - weil es mir zu mühsam und zu öde war, mich bis ins Detail mit der Privilegienvergabe zu beschäftigen. Für Entwickler, die unter ähnlichen Charakterschwächen leiden, gibt es in 12c jetzt ein großartiges neues Feature: die Privilege Analysis, bei (more...)

Progress update on my AWR repository

I received an email from a team member yesterday

Have you seen this?

Interesting idea – ever thought of implementing it?

Well of course I have implemented a AWR data repository and I thought I would catch-up on where I am with it and how it is being used.

The database started out on HPUX on about 2 years ago and is now on Linux on 11. (more...)

Securing Oracle GoldenGate Database Login in a Credential Store

Security is always a big deal.  In setting up Oracle GoldenGate the capture (extract) and apply (replicat) parameter files need to be configured to log in to the database which they will perform operations.  In order to do this the Oracle GoldenGate User name and password need to be provided in the parameter files.  Example 1 shows how the database login is traditionally done in a extract or replicat parameter file.

Example 1:

--Oracle Login

Code can be scary when you simplify it

Disclaimer: I’m not posting to make me look better, we’ve all written code that we’re later ashamed of, and I’m no different!

This is some code from a system I was maintaining some time ago. I’ve kept it since then because it illustrates a number of things NOT to do:

FUNCTION password_is_valid
  (in_password IN VARCHAR2)
-- do NOT copy this code!!! ...
  l_valid VARCHAR2(1);
  l_sql VARCHAR2(32000);
  CURSOR cur_rules IS
    SELECT REPLACE(sql_expression
                  ,''''  (more...)

Patching Time

Just a quick note to point out that the October PSU was just released. The database has a few more vulnerabilities than usual (31), but they are mostly related to Java and the high CVSS score of 9 only applies to people running Oracle on windows. (On other operating systems, the highest score is 6.5.)

I did happen to glance at the announcement on the security blog, and I thought this short (more...)

PeopleSoft and Shellshock

As many will have no doubt heard, there’s a new vulnerability that has been spotted, and there are already exploits for it in the wild.

The vulnerable systems are those running Bash – so Windows machines are safe, it’s just Unix/Linux and MacOSX.

Security Researcher Kasper Lindegaard from Secunia rates this as a bigger issue than the Heartbleed exploit discovered in April this year. “Heartbleed only enabled hackers to extract information, Bash enables hackers to execute (more...)

Enterprise User Security – Presentation Material available

On the presentations page you can find the my presentation material from DOAG regional meeting September 2014 in Munich about “Enterprise User Security”.

Using Post-Authentication to run process after APEX login

A frequent requirement, and hence frequent question on the forums is
How do I run procedure x after the user has logged in?
This is often required for such tasks as determining user access, such as populating a restricted Application Item relating to a role like F_IS_ADMIN based on the username defined in substitition string APP_USER

Those new to APEX and unfamiliar with certain concepts may consider using an Application Computation, firing "On New Instance (more...)

Avoid UTL_FILE_DIR Security Weakness – Use Oracle Directories Instead


The UTL_FILE database package is used to read from and write to operating system directories and files. By default, PUBLIC is granted execute permission on UTL_FILE. Therefore, any database account may read from and write to files in the directories specified in the UTL_FILE_DIR database initialization parameter [...] Security considerations with UTL_FILE can be mitigated by removing all directories from UTL_FILE_DIR and using the Directory functionality instead.

© Eddie Awad's Blog, (more...)

Define Your Own Role for Database Target Access in EM12c


  1. Enterprise Manager 12c (EM) installed and agents rolled out to database servers
  2. Access to EM offered to development teams with the primary purpose of allowing them to investigate application related database performance issues


The EM documentation covers a selection of privileges you might want to grant to users in database targets in order to allow them to be used for accessing EM functionality. The privileges mentioned are:

  3. EXECUTE on (more...)

Unlimited Session Timeout

There are a lot of security admins out there that are going to hate me for this post. There are a lot of system administrators, developers, and users, however, that will LOVE me for this post. The code I'm about to share with you will keep the logged in PeopleSoft user's session active as long as the user has a browser window open that points to a PeopleSoft instance. Why would you do this? I (more...)

The value of audit_trail=DB,EXTENDED

I was recently reading a blog entry by Dominic Brooks regarding auditing and I was intrigued by the line referring to the audit_trail parameter being set to DB, EXTENDED

Behaves the same as AUDIT_TRAIL=DB, but also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available.

Nothing wrong with that and straight from the manual but I was surprised that they were CLOBS. However on looking at them they (more...)

Incompetence or Malice?

We’ve just had a leak of 900,000 national identifier numbers here in Denmark. That’s about 16% of the total population, so it’s pretty big. These numbers are unique identifiers for a person (similar to Social Security Numbers) and are a good starting point for identity theft.

Never ascribe to malice that which can adequately be explained by incompetence.

Napoleon Bonaparte


So how did these numbers leak? Through plain incompetence and lack of procedures. It (more...)

They Took Away My Cloud

On Monday, a U.S. judge gave Microsoft control of 22 domains owned by domain hosting service Microsoft intended to filter out some domains used by malware, but promptly screwed up. The result was that millions of legitimate users could not access their servers.

This will happen again and again as infrastructure moves to centralized cloud providers. What do you think will happen if the server just above yours in the server rack (more...)

Is your database secure? Are you sure? Are you *really* sure?

Credit for finding this bug is given to Daniel Ekberg – He got the official credit given by Oracle Corp for helping out with security related bugs in the January 2014 CPU. He found the bug and had the tenacity to track down and prove that it was a bug and not just a flaw in the logging mechanism where this first was indicated to occur.

Today is the day when (more...)

Oracle 12c – New SYS-level Administration Privileges

For a while now, Oracle has been moving its security model toward a more differentiated set of privileges than just SYSDBA and SYSOPER.  We saw this in 11g with the SYSASM privilege.  This is in response to the growing number of DBA shops that delineate permissions at a more granular level, even among DBAs.  Rather than saying, “Here’s my DBA team, everyone has SYSDBA,” more and more IT shops are defining DBA (more...)