The Security State of the Nation

Even though my social media profile is pretty available for Twitter and LinkedIn, I’m significantly conservative with other personal and financial data online.  The reversal of the Internet Privacy Rule (I’ve linked to a Fox News link, as there was so much negative news on this one…) had everyone pretty frustrated, but then we need to look at security of personal information, especially financial data and (more...)

The Limits of Data Redaction

Data Security is becoming more and more important nowadays.
In fact it was always important; it is just that as the expected problems increase (by count or value), management seems to be more aware now. Due to many discussions I started to have a look at DBMS_REDACT - which is an implementation that shows users only the data they are allowed to use.
One of my first places to go was Tim Hall's Data Redaction (DBMS_REDACT) in (more...)

JDBC, Linux and Entropy

Some troubles — especially those happening only sporadically — are not so easy to troubleshoot and call for a deeper understanding of the matter. In the following real-world example this means: SQL*Net tracing and some knowledge about the inner workings of the server’s operating system, particularly random number generation. This case was well suited to demonstrating an approach to trouble-shoot […]

Password Last Change Time

I read that the PTIME column in the SYS.USER$ table shows when a user’s password was last changed so I decided to try it out in an Oracle 10 database:

SQL> SELECT VERSION FROM PRODUCT_COMPONENT_VERSION
  2  WHERE PRODUCT LIKE 'Oracle Database%'
  3  /

VERSION
--------------------
10.2.0.3.0

SQL>


I noted the time and created a user:

SQL> SELECT TO_CHAR(SYSDATE,'DD-MON-YYYY HH24:MI:SS')
  2  DATE_AND_TIME1 FROM DUAL
  3  /

DATE_AND_TIME1
(more...)

Update WordPress Installations to >4.7.2

This post is applicable for hosted WordPress installations where auto-updates are disabled. Yesterday, I noticed there was a blog post "Hacked by Unknown" on the Askdba blog. The post was written by a white hat hacker who exploited the content injection vulnerability in 4.7.0 and 4.7.1. This vulnerability allows any visitor (unauthorized user) to assume a role to edit/create blog…
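As an added example (not part of the original post), here is a small check for the situation the post describes: a hosted install with auto-updates off, where someone has to confirm by hand whether the core files are still at a pre-4.7.2 level. WordPress records its version in wp-includes/version.php as a `$wp_version = '...';` assignment; the parser below reads that line and compares it numerically against 4.7.2. The file contents in `SAMPLE_VULNERABLE` and `SAMPLE_FIXED` are constructed for the demo, and `check_install` is the only function that touches disk.

```python
"""Flag WordPress installs whose core files are older than 4.7.2.

Added example, not code from the original post. Reads the
`$wp_version = 'X.Y.Z';` assignment from wp-includes/version.php and
compares it numerically, so that e.g. 4.10 sorts after 4.7.2 and
pre-release suffixes ("4.8-alpha") do not break the comparison.
"""
import re
from pathlib import Path
from typing import Tuple

# First release that closed the 4.7.0/4.7.1 content injection issue.
FIXED_VERSION = (4, 7, 2)

# WordPress writes the assignment on its own line, single- or double-quoted.
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_wp_version(version_php: str) -> str:
    """Return the raw version string from the contents of version.php."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'4.7.1' -> (4, 7, 1); drops '-alpha'/'+build' suffixes before parsing."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def needs_update(version_php: str) -> bool:
    """True when the install is below the fixed version.

    Tuple comparison makes (4, 7) < (4, 7, 2) true, which is right: WordPress
    writes the 4.7.0 release as plain '4.7'.
    """
    return version_tuple(parse_wp_version(version_php)) < FIXED_VERSION


def check_install(docroot: str) -> bool:
    """Read <docroot>/wp-includes/version.php from disk and evaluate it."""
    path = Path(docroot) / "wp-includes" / "version.php"
    return needs_update(path.read_text(encoding="utf-8"))


# Constructed sample contents, shaped like the real file (assumption).
SAMPLE_VULNERABLE = "<?php\n$wp_version = '4.7.1';\n"
SAMPLE_FIXED = "<?php\n$wp_version = '4.7.2';\n"


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, parse_wp_version(sample), "needs update:", needs_update(sample))
```

Run `check_install("/var/www/html")` against each hosted site; anything reporting `True` is still on core files that the post's hacker could have abused. The version file only tells you what core is installed, not whether a site was already modified, so treat it as the first check rather than the last.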

ADF BC Groovy Expression Security Policy Configuration

Today I'm going to explain how to configure the Groovy expression security policy. This could be helpful if you don't want to change the trustMode property to trusted everywhere across the app, but are looking for a single configuration point.

My sample app - GroovyPermissionApp.zip, contains a bind variable with an expression reference pointing towards a custom method located in the AM implementation class:


JDEV 12.2.1.2 returns a compilation error for the Groovy expression; it can't resolve the applicationModule property:


Such kind (more...)

Enable HyperFIDO U2F Key on Linux

Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”). This works fine on Windows, but with Linux things get a little complicated: The key isn’t accessible to all users by default. This has to be activated using udev rules, which is widely […]

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 3

In my previous post, I covered the installation of SQL Server 2016 SP1 for our Hyper-V environment. After that is completed, we are ready to install SharePoint Server 2016. That’s what I’ll be covering here. Firstly, you need to download a copy of the software. At the time of writing this post, SharePoint Server 2016 is available from Microsoft. That’s the version I’ve downloaded for installation on the VM.

Installing the Prerequisites

To start the (more...)

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 2

In the previous post in this series, I created the Hyper-V VM environment (running Windows Server 2012 R2) I’ll be using to build SharePoint Server 2016 on. The next step is to install either SQL Server 2014 or SQL Server 2016 for the database server requirements. Because I’m a geeky sort of guy and have to be on the bleeding edge, I’m going to use SQL Server 2016 with SP1, which is available from Microsoft (more...)

Building a Hyper-V Environment for SharePoint / Cyberinc Entitlements Server Prototype – Part 1

One of the areas I’ve been investigating as a technical architect at www.archtis.com is using the Cyberinc Entitlements Server (CES) to provide attribute based access control (ABAC) access to documents stored in SharePoint. It’s an area we haven’t tested at all before, so it was important to build a prototype environment to satisfy ourselves that it really does work the way we want it to. At the time of writing this post, CES (more...)

Escape Special Characters APEX Demo

A few weeks ago I wrote more detail than expected regarding escaping of special characters.

I thought I'd add a simple demonstration, for reference.

Consider the following query, with variations of escaped column output.
with data as 
(select q'[G'day,]'||chr(10)
||'Scott<strong>loves</strong>'
||'<br>APEX<script></script>' as string
from dual)
select
-- UI default
string dflt
-- where no tags expected
,apex_escape.html(string) protected
-- good for most things
,apex_escape.html_whitelist(string) whitelisted
-- replace line feeds with HTML line break. (more...)

Re-evaluating APEX Authorization Schemes

Authorization schemes in Oracle APEX are used to control access to pages, buttons, and all sorts of other components.

In my experience, these are best defined at a privilege level, where the same privilege could be allocated to multiple business roles, but that's for another post.

In this post, I want to mention a cool API function called apex_authorization.reset_cache, which helps control the behaviour of these authorization schemes.

Preface

While googling something else (more...)

Trusted Information Sharing – ABAC Architecture

In my previous post, I introduced you to the two concepts of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). ABAC resolves a number of the limitations associated with RBAC, as I discussed in that post. In this post, I wanted to drill into the architecture underlying ABAC a little bit more.

In simple terms, there are four main parts of the ABAC architecture. These are:

  • The Policy Decision Point (PDP) – this (more...)
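The excerpt stops at the first of the four parts, so as an added example (not code from the original post) here is a minimal ABAC engine that shows how those parts fit together: a PDP that evaluates policies purely on subject, resource and environment attributes, a PEP that asks it before releasing a document, and an attribute lookup standing in for a PIP. The deny-overrides combining rule, the clearance levels, the users and the documents are all assumptions constructed for the demo; the XACML-style names (PEP, PDP, PIP) are the standard ones but are not named in the excerpt.

```python
"""Minimal attribute-based access control: PDP, PEP and an attribute source.

Added example, not code from the original post. Every decision is a
function of attributes, never of a role name, which is what lets one
policy set cover users and documents that did not exist when it was written.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Rule = Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, environment)

# Ordinal clearance levels (assumption for the demo).
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    rule: Rule   # returns True when the policy applies to the request


@dataclass
class PDP:
    """Policy Decision Point: deny-overrides, default deny."""
    policies: List[Policy] = field(default_factory=list)

    def decide(self, subject: Attrs, resource: Attrs, env: Attrs) -> str:
        applicable = [p for p in self.policies if p.rule(subject, resource, env)]
        if any(p.effect == "deny" for p in applicable):
            return "deny"
        if any(p.effect == "permit" for p in applicable):
            return "permit"
        return "deny"  # no applicable policy: fail closed


# Attribute source, standing in for a PIP. Constructed sample data.
SUBJECTS: Dict[str, Attrs] = {
    "alice": {"clearance": "secret", "nationality": "AU"},
    "bob": {"clearance": "confidential", "nationality": "NZ"},
}
DOCUMENTS: Dict[str, Attrs] = {
    "plan.docx": {"classification": "secret", "releasable_to": {"AU"}},
    "memo.docx": {"classification": "confidential", "releasable_to": {"AU", "NZ"}},
}

POLICIES = [
    Policy("clearance-dominates", "permit",
           lambda s, r, e: CLEARANCE[s["clearance"]] >= CLEARANCE[r["classification"]]),
    Policy("releasability", "deny",
           lambda s, r, e: s["nationality"] not in r["releasable_to"]),
    Policy("secret-only-on-internal-network", "deny",
           lambda s, r, e: r["classification"] == "secret" and e.get("network") != "internal"),
]


def pep_can_read(pdp: PDP, user_id: str, doc_id: str, env: Attrs) -> bool:
    """Policy Enforcement Point: resolve attributes, ask the PDP, enforce."""
    subject = SUBJECTS[user_id]
    resource = DOCUMENTS[doc_id]
    return pdp.decide(subject, resource, env) == "permit"


def default_pdp() -> PDP:
    return PDP(list(POLICIES))


if __name__ == "__main__":
    pdp = default_pdp()
    for user, doc, net in (("alice", "plan.docx", "internal"),
                           ("alice", "plan.docx", "remote"),
                           ("bob", "plan.docx", "internal"),
                           ("bob", "memo.docx", "remote")):
        print(user, doc, net, "->", pep_can_read(pdp, user, doc, {"network": net}))
```

The environment attribute is the part RBAC has no slot for: the same user and document get a different answer from the office than from a remote network, without anyone being assigned or removed from a role.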

APEX attributes for Escaping Special Characters

A relatively common question on the forums is regarding the escaping of special characters in reports, but it seems the developer isn’t always sure what is actually happening and how to search for it.

It seems I’ve had this on my “to blog” list since April 2015, but now that 5.1 has been released, it seems more people are coming out to leave 4.x and can’t work out where the Standard Report (more…)

Trusted Information Sharing – Some Underlying Concepts

In a recent post, I explained a little bit about what my new role at archTIS is. archTIS is a company that focuses on the area of Trusted Information Sharing. Trusted Information Sharing is a concept that not too many people would understand the complexities of. In fact, when I first started in my new role I wasn’t aware of just how complex it was myself! To explain all that complexity in a single (more...)

Password validation takes a while, how cool is that!!

You log in to your favorite web app and it takes a little while to get your login validated, or your password consumed, depending on your take on things,
or
You log in to your favorite APEX application, and after every 3rd shot, it takes a bit longer to retry

You are sure what you are doing and you are surely not drunk, but just mistyped the ****-password.

It is annoying, but is it?

I (more...)
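The behaviour the post opens with (the retry getting slower after every third miss) is a progressive delay on failed logins. As an added example (not code from the original post), here is one way to implement it: failures are counted per account, the delay doubles every three consecutive failures up to a cap, and a successful login resets the counter. The delay is returned rather than slept so the policy can be tested; the schedule, the PBKDF2 credential store and the sample users are assumptions for the demo.

```python
"""Progressive login throttling: the delay grows after every third failure.

Added example, not code from the original post. Password verification uses
PBKDF2-HMAC-SHA256 and a constant-time comparison; the throttle policy
(step of 3, 2 s base, 60 s cap) is an assumption chosen for the demo.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Tuple

PBKDF2_ROUNDS = 200_000


def make_credential(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(got, expected)


class LoginThrottle:
    """Counts consecutive failures per account and computes the wait."""

    def __init__(self, step: int = 3, base_delay: float = 2.0, max_delay: float = 60.0):
        self.step, self.base_delay, self.max_delay = step, base_delay, max_delay
        self.failures: Dict[str, int] = defaultdict(int)

    def delay_for(self, user: str) -> float:
        n = self.failures[user]
        if n < self.step:
            return 0.0
        # failures 3-5 -> base, 6-8 -> 2*base, 9-11 -> 4*base, ... capped
        return min(self.base_delay * 2 ** (n // self.step - 1), self.max_delay)

    def record(self, user: str, success: bool) -> float:
        if success:
            self.failures[user] = 0
            return 0.0
        self.failures[user] += 1
        return self.delay_for(user)


class LoginService:
    def __init__(self, credentials: Dict[str, Tuple[bytes, bytes]]):
        self.credentials = credentials
        self.throttle = LoginThrottle()

    def attempt(self, user: str, password: str) -> Tuple[bool, float]:
        """Return (authenticated, seconds the caller must wait before retrying)."""
        salt, digest = self.credentials.get(user, (b"", b""))
        # Unknown users run the same hash work so timing does not reveal them.
        ok = bool(salt) and check_password(password, salt, digest)
        return ok, self.throttle.record(user, ok)


if __name__ == "__main__":
    svc = LoginService({"scott": make_credential("tiger")})  # constructed user
    for pw in ["Tiger", "tigre", "t1ger", "tiger!", "tiger"]:
        print(pw, "->", svc.attempt("scott", pw))
```

Keying the counter on the username alone means anyone who knows an account name can make its owner wait; production code normally keys on (account, source address) as well and still caps the total delay, which is why the post's author is right that a slow retry is a feature rather than a bug.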

WS Security – enabling passwordDigest authentication in an Oracle FMW environment

Objective:
To have a basic level of authentication on web services (especially where there's no transport layer security) without having to pass clear text passwords in the WS Security headers.

Background:
The concepts are fairly generic but this post is highly Oracle Fusion Middleware specific. There can be a complex decision tree (see [1]) involved when selecting the 'appropriate' level of security for any system. As security involves trade-offs between cost, performance, usability (more...)
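What passwordDigest actually puts on the wire is defined by the WS-Security UsernameToken Profile: `PasswordDigest = Base64(SHA-1(nonce + created + password))`, where the nonce is the raw bytes (Base64-decoded) and Created is the token's timestamp. As an added example (not code from the original post, and not tied to the Fusion Middleware configuration it goes on to describe) here is the client-side computation, the element it produces, and a verifier that enforces the two things the digest alone does not: a freshness window on Created and a nonce cache against replay. The credential store, the five-minute window and the timestamp format without fractional seconds are assumptions for the demo.

```python
"""WS-Security UsernameToken with PasswordDigest: build and verify.

Added example, not code from the original post. Digest per the WSS
UsernameToken Profile 1.0: Base64(SHA-1(nonce_bytes + created + password)).
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC; fractional seconds omitted (assumption)
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_token(username: str, password: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Client side: fresh random nonce, current UTC time, derived digest."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def username_token_xml(token: Dict[str, str]) -> str:
    """Render the wsse:UsernameToken element that goes in the Security header."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}">'
        f'<wsse:Username>{token["Username"]}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce>'
        f'<wsu:Created>{token["Created"]}</wsu:Created>'
        f'</wsse:UsernameToken>'
    )


class DigestVerifier:
    """Server side. Needs the cleartext password to recompute the digest."""

    def __init__(self, passwords: Dict[str, str], window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.window = window
        self.seen_nonces = set()  # replay cache; bound it by expiring entries in real use

    def verify(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username", ""))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self.window:
            return False  # stale or from a badly skewed clock
        if token["Nonce"] in self.seen_nonces:
            return False  # replay of a captured token
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen_nonces.add(token["Nonce"])
        return True


if __name__ == "__main__":
    store = {"svc_user": "s3cret"}  # constructed credential store
    tok = build_token("svc_user", "s3cret")
    print(username_token_xml(tok))
    print("verify:", DigestVerifier(store).verify(tok))
```

Two caveats follow directly from the formula. The server must hold the password in a form it can recompute the digest from, so the digest protects the password in transit at the cost of how it is stored; and nothing in the token covers the SOAP body, so without transport security an interceptor can still alter the message while the header verifies, which is why the post treats this as a basic level of authentication rather than message integrity.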

Hit by the ‘Tech Support’ Scammers

I got a call earlier today from the Tech Support Scammers. You’ve probably heard of this horribly unethical practice already, but the premise is that they cold-call seemingly randomly and try to convince you that there is a problem with your PC/router, and then attempt to get you to allow them remote access to your PC to ‘fix it’. Some then claim problems are due to expired warranties on the computer and demand payment, others (more...)

Collaborate 16: My sessions

I’ll be at Collaborate 16 next month and looking forward to seeing lots of good friends, learning some new things, and sharing a little experience too. For the last of those, I’ll present 3 sessions, er, more like 2.2 sessions:

  • Wed, 13-Apr, 12:45-12:55pm: Oak Table World 10-minute Lightning talk “Tools used for security and compliance on Linux”
  • Wed, 13-Apr, 3-4pm: Oak Table World session “IPv6: What You Need to Know (with Linux & Exadata references)”
  • (more...)

Migrating application roles in OBIEE 11g

My last article talked about a maintenance- and hassle-free mechanism to implement security. The article moved the security architecture to roles created in EM. The next logical step is to move the roles from one environment to another because, let's face it, manually creating roles is a lot of effort.


Oracle has a process to migrate the policy store from one environment to another and is described @ http://docs.oracle.com/cd/E14571_01/core.1111/e10043/addlsecfea.htm#JISEC3593

This (more...)