What Problem Are You Trying to Solve?


I've been spending a fair amount of time in forums like Stack Overflow, DBA Stack Exchange, and the Oracle Community forums, and I've seen a number of similar questions pop up in the last several months. They all go along the lines of, "Our security auditor said we need to do this thing, but we … Continue reading What Problem Are You Trying to Solve?

Five Thoughts on Oracle Security


Five different security related posts to which I have contributed on dba.stackexchange.com. I did not necessarily provide the accepted answer for these, but felt that the questions posed were interesting enough to warrant a mention.

Every Which Way But Loose


Rather than a one-size fits all solution - trying to handle everything through a Virtual Private Database policy - a proper security plan involves the use of a variety of techniques, each with their own place in the model. #oracle #vpd #security #roles #plsql #privileges #constraints

Top STIG – Part 6 (OS Accounts)


The final installment in my series on CAT I STIG controls is all about the use (or not) of the server operating system accounts that support the Oracle database. Two controls address the use of and access to the Oracle software installation account, and one addresses the privileges associated with individual user accounts for DBAs. … Continue reading Top STIG – Part 6 (OS Accounts)

Oracle 12c Database STIG Breakdown


This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security...

How To Complete a STIG Review


The simplest way to complete a DISA Secure Technical Implementation Guide (STIG) review is to start at the beginning of the checklist and work through it, one control item at a time. As you read each control, the information will be broken down into several distinct areas: metadata, content, and findings. Each control has metadata … Continue reading How To Complete a STIG Review

FIPS is a Four Letter Word


FIPS is a four letter word. It is also a source of some confusion when it comes to the Oracle database and DISA STIG compliance, which I will attempt to sort out to the best of my ability in this post.

code-obfuscation-toolkit


The code-obfuscation-toolkit allows you to obfuscate the source code of a variety of stored programs, including procedures, functions, package bodies, and type bodies. When wrapping an object, to further obfuscate the original code in the event that it is ever unwrapped, all comments and line breaks can also be removed.

How to Limit a User Connection to a Specific IP Address


Seriously, I find all the best questions about Oracle security on forums like Oracle Communities and AskTom. Sometimes I need to be careful, though. I have a tendency to jump right to implementation details in my head without always considering all of the ramifications of the original question. Sometimes the answers seem immediately obvious, but it doesn't usually take long before someone offers an observation that makes me sit back and think that maybe my first instinct needs some qualification. Case in point...

AntiVirus for my Database Server?


I've seen a couple of Oracle Community and AskTom posts over the last year or two about installing anti-virus software on Oracle database servers. Usually it is because someone in security told the sysadmin or the DBA that they had to install some kind of AV software because it was required. Been there; done that. I found out the hard way that doing so was a bad idea...

Automatically Protecting PII Data Columns with Transparent Data Encryption


What if you have a lot of potential PII data and you need to enforce some additional safeguards on it? How do I make this information actionable, and better yet how do I automate that action as much as possible?