Oracle Database Listener Security Guide
A guide to properly securing the Oracle Database Listener. Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. An overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it are provided.
08/30/2004
|
|
Database Administration with Protected Enterprise Data
This document tries to address the issue of “enabling DBAs to carry out their tasks without being exposed to enterprise data, especially in remote-administration environments”. Many organizations may not want to disclose their enterprise data to the technicians though they expect their database to be managed seamlessly. This issue is of particular importance in today’s growing trend of out-sourced administration of databases. This is also a matter of concern for an organization that is compelled to keep the database open to “greenhorn” DBAs till they prove their commitment to the organization’s ethical standards and security. The purpose of this document is to have an essential discussion over devising a proper security policy for each of the possible tasks that can be carried out while being in full accordance and conformance with enterprise’s security concerns.
By Sethuraj Nair, 08/02/2004
|
|
Oracle Collaboration Suite Security
Oracle Collaboration Suite version 9.0.3 is a many-faceted product delivering a collaborative communication platform including email, IMAP, POP3, Webmail, Portal, calendar, Oracle Files, wireless, voicemail and fax services. Oracle Collaboration Suite is built upon the Oracle 9iAS version 2 application server and Oracle 9i version 2 Database. "Oracle is the undisputed market leader in formal security evaluations, with fourteen independent security evaluations against every major worldwide criteria over the past ten years" (Davidson, p.5). "Oracle's Unbreakable commitment means making products progressively more secure by default, so that products are acceptably secure out-of-the-box, with minimal additional action by administrators" (Davidson, p.11). The security design process for the implementation of Oracle Collaboration Suite requires evaluation and execution of a number of systems and configuration choices.
By Christopher A. Bennett, 03/31/2004
|
|
Deploying a website built using Oracle9iAS Portal
This paper is a case study of the deployment of a website built using the Portal component of Oracle9i Application Server (Oracle9iAS) in 2001. It has been submitted as the practical assignment for GSEC certification (Version 1.4b, Option 2). The paper describes the scenario and the product, Oracle9i AS (Standard Edition) Release 1 for Windows NT 4.0, before performing a high-level risk analysis of the website. The architecture implemented is discussed in terms of risk. The paper also identifies the security vulnerabilities discovered with Oracle9i AS during the six-month development period and the steps taken to harden an "out-of-the-box" version.
By Steve Coates, 03/28/2004
|
|
An Overview of Oracle Database Security Features
The intent of this paper is to give a new user of Oracle database software, or anyone considering the use of Oracle or an Oracle application, a basic understanding of the security capabilities of Oracle database software. It is beyond the scope of this paper to cover all of the countless security features and options available in Oracle. This paper covers Oracle 8i release 3, unless otherwise noted. Although the newest version, Oracle 9i, is expected to be available during the Spring of 2001, Oracle 8i is currently the most widely used. Oracle database software has many sophisticated security features which make it an excellent database system for practically any application. Data confidentiality, integrity, and availability can all be well protected with a properly designed Oracle database.
By Lorraina Hazel, 03/24/2004
|
|
Conducting a Security Audit of an Oracle Database
This paper has been written from the perspective of an external, independent auditor with the task of conducting a security audit on a system based around an Oracle database. The methodology presented in the Federal Information System Controls Audit Manual is described as a foundation for conducting the audit. Specific security issues related to Oracle databases are discussed based on the methodology. The focus of the paper is on auditing access controls to Oracle databases. What should the auditor evaluate and test to enable him to give an informed opinion about the security of an information system based on an Oracle database? A number of issues that the auditor should evaluate are discussed in the paper, with indications of how these issues should be dealt with by the entity being audited.
By Egil Andresen, 03/24/2004
|
|
Oracle Row Level Security: Part 2
In part one of this short article series we looked at some of the advantages of Oracle's row level security, what it can be used for, and looked at a simple example of how it works. We'll conclude this series by testing the policies that have been set up, demonstrate a few of the data dictionary views that allow for management and monitoring, cover some other issues and features, and then see if the data can be viewed by hackers or malicious users through the use of trace files.
By Pete Finnigan, 03/22/2004
|
|
Oracle Row Level Security: Part 1
In this short paper I want to explore the rather interesting row level security feature added to Oracle 8i and above, starting with version 8.1.5. This functionality has been described as fine grained access control or row level security or virtual private databases but they all essentially mean the same thing. We will come back to this shortly but before we do that let's get to what this paper is about. This paper is meant as an overview; a taster in fact of what row level security can be used for and how it can be used, with some simple examples to illustrate. I want to also discuss some of the issues with row level security. Finally, I also want to show how to view what row level security components have been implemented in the database and also touch on how to view how the actual database queries are altered by the row level security functionality in the Oracle optimizer.
By Pete Finnigan, 03/22/2004
|
|
Introduction to Simple Oracle Auditing
This article will introduce the reader to the basics of auditing an Oracle database. Oracle's RDBMS is a functionally rich product and there are a number of auditing alternatives available to the reader. Because auditing Oracle is such a huge subject, doing all of it justice would take an entire book, so this paper will cover the basics of why, when and how to conduct an audit. It will also use a couple of good example cases to illustrate how useful Oracle audit can be to an organization.
By Pete Finnigan, 03/22/2004
|
|
A Simple Oracle Host-Based Scanner
As with any large software package, the default installation of Oracle does not provide for the most secure system out of the box. Indeed, some aspects of the default installation are remarkably insecure. There is a high dependency on the database administrator (dba) to ensure that the system is correctly configured, thereby avoiding some of these issues.
By Pete Finnigan, 03/20/2004
|