Update in web security for Oracle

The media is full of reports of large corporations loosing millions of personal customer details, such as the loss in Canada of millions of dollars worth of personal customer information from TJX, the parent company for TJ Maxx, announced that that 40 million of their customers' credit and debit card details were stolen over the Internet.

Some people aid and abet Oracle criminals by publishing details of how to hack into an Oracle database, further exposing the database community.

From XKCD

Even the FBI admits that they cannot control the rush of overseas crime and criminals hackers constantly scour the Internet seeking exposed Oracle databases.

These constant threats from criminals begs the question about whether it is prudent to allow access to any of your corporate information on the Internet.

While hardware-level issues (WEP vs. WPA), are easily addressed, Oracle web security management is constantly evolving and we see these main areas of Oracle web security management:

Oracle Server Access Security

Server access security refers to preventing unwanted access to the server environment and ensuring controlled access to the IT staff. There are several technologies that are employed to assist with external server access:
 

• Kerberos security - This popular "ticket"-based authentication system provides password-based server access authentication.
   

• Authentication servers (Radius servers) - Secure authentication servers provide positive identification for external users.
   

• Password security consolidation - Many vendors offer tools to consolidate passwords among dozens of servers.
   

Oracle SQL Injection Threats

SQL injection remains a serious security exposure for improperly configured Oracle databases.  All external gateways must be carefully controlled, including bot detection mechanisms to block criminal testing and probing.  See these related notes on SQL injection threats:

Oracle encryption

The network web encryption is vitally important to Oracle security.  If the Oracle Advanced Security option is used, encryption can increase security and verify packet integrity on network transmission of Oracle data.  See here for an excellent description of Oracle encryption.
 

The prudent IT manager will always carefully test any Oracle application that is deployed on the web, using trusted advisors and white hat hackers who can certify that the Oracle web application does not have any security exposures.