Update in web security for Oracle
The media is full of reports of large corporations losing millions of personal customer details, such as the loss in Canada of millions of dollars' worth of personal customer information from TJX, the parent company of TJ Maxx, which announced that 40 million of their customers' credit and debit card details were stolen over the Internet.
Some people aid and abet Oracle criminals by publishing details of how to hack into an Oracle database, further exposing the database community.
Even the FBI admits that it cannot control the rush of overseas crime, and criminal hackers constantly scour the Internet seeking exposed Oracle databases.
These constant threats from criminals raise the question of whether it is prudent to allow access to any of your corporate information on the Internet.

While hardware-level issues (WEP vs. WPA) are easily addressed, Oracle web security management is constantly evolving, and we see these main areas of Oracle web security management:
Oracle Server Access Security

Server access security refers to preventing unwanted access to the server environment while ensuring controlled access for the IT staff. Several technologies are employed to assist with external server access:

- Kerberos security - This popular "ticket"-based authentication system provides password-based server access.
- Authentication servers (RADIUS servers) - Secure authentication servers provide positive identification for external users.
- Password security consolidation - Many vendors offer tools to consolidate passwords across dozens of servers.
Oracle SQL Injection Threats

SQL injection remains a serious security exposure for improperly configured Oracle databases. All external gateways must be carefully controlled, including bot detection mechanisms to block criminal testing and probing. See these related notes on SQL injection.
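As an added example (not code from the original article), the Python below contrasts splicing a user-supplied value into the SQL text with passing it as a bind variable, which is the fix that removes the exposure regardless of what the gateway lets through. sqlite3 stands in for Oracle so the code runs offline; the `:username` placeholder is the same named-bind style that Oracle client drivers accept. The table, its rows and the probe string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an Oracle application schema.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def _connect():
    """Open an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query_concat(username):
    """Vulnerable form: the caller's value becomes part of the SQL grammar."""
    return ("SELECT username, email FROM app_users WHERE username = '"
            + username + "'")


def build_query_bound(username):
    """Hardened form: fixed SQL text, value shipped separately as a bind variable.

    The :username placeholder is the named-bind syntax Oracle drivers use;
    sqlite3 accepts the same syntax, which is why it can stand in here.
    """
    sql = "SELECT username, email FROM app_users WHERE username = :username"
    return sql, {"username": username}


def lookup_concat(username):
    """Run the concatenated query and return the matching rows."""
    conn = _connect()
    try:
        return conn.execute(build_query_concat(username)).fetchall()
    finally:
        conn.close()


def lookup_bound(username):
    """Run the bound query and return the matching rows."""
    conn = _connect()
    sql, binds = build_query_bound(username)
    try:
        return conn.execute(sql, binds).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed probe: the classic tautology a tester sends to see whether
    # quoting is enforced. With binding it is just an unmatched username.
    probe = "' OR '1'='1"
    print("concat:", lookup_concat(probe))   # every row comes back
    print("bound: ", lookup_bound(probe))    # no row matches that literal
```

For a legitimate username both functions return the same single row; the difference only shows once the input contains SQL metacharacters, which is exactly the case a gateway filter may miss.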
Network encryption is vitally important to Oracle security. If the Oracle Advanced Security option is used, encryption can increase security and verify packet integrity on network transmission of Oracle data. See here for an excellent description of Oracle encryption.
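As an added illustration (not an Oracle tool and not from the original article), the following Python parses a sqlnet.ora fragment and reports whether network encryption and packet integrity checking are actually enforced rather than merely available. The SQLNET.* parameter names are Oracle Net ones; the assumption that an absent SQLNET.ENCRYPTION_SERVER or SQLNET.CRYPTO_CHECKSUM_SERVER behaves as ACCEPTED, the choice of which algorithms count as strong, and the two sample fragments are the example's own.

```python
# Constructed sqlnet.ora fragments used as sample input: one that only offers
# encryption when the client asks, and one that enforces it.
WEAK_SQLNET = """
# encryption only if the client requests it; no integrity checking at all
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REJECTED
"""

HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

# Algorithms this example treats as acceptable (an assumption of the example).
STRONG_CIPHERS = {"AES128", "AES192", "AES256"}
STRONG_CHECKSUMS = {"SHA256", "SHA384", "SHA512"}


def parse_sqlnet(text):
    """Parse flat 'KEY = VALUE' or 'KEY = (V1, V2)' lines into {KEY: [values]}.

    '#' starts a comment. Nested (DESCRIPTION=...) syntax is out of scope.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("()")
        params[key.upper()] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return params


def audit_sqlnet(text):
    """Return a list of findings; an empty list means the fragment passes."""
    params = parse_sqlnet(text)
    findings = []

    # Assumption: an absent parameter behaves as ACCEPTED (negotiable, not enforced).
    if params.get("SQLNET.ENCRYPTION_SERVER", ["ACCEPTED"]) != ["REQUIRED"]:
        findings.append("SQLNET.ENCRYPTION_SERVER is not REQUIRED: "
                        "a client can negotiate a clear-text session")
    if params.get("SQLNET.CRYPTO_CHECKSUM_SERVER", ["ACCEPTED"]) != ["REQUIRED"]:
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not REQUIRED: "
                        "packet integrity is not enforced")

    ciphers = params.get("SQLNET.ENCRYPTION_TYPES_SERVER")
    if ciphers is None:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER not set: "
                        "every installed algorithm is negotiable")
    else:
        findings.extend(f"weak encryption algorithm offered: {c}"
                        for c in ciphers if c not in STRONG_CIPHERS)

    checksums = params.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER")
    if checksums is None:
        findings.append("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER not set: "
                        "every installed checksum algorithm is negotiable")
    else:
        findings.extend(f"weak checksum algorithm offered: {c}"
                        for c in checksums if c not in STRONG_CHECKSUMS)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(name, audit_sqlnet(text) or "OK")
```

The point of the check is the difference between ACCEPTED and REQUIRED: with ACCEPTED the server still talks to a client that never asks for encryption, so the protection the paragraph describes only exists if it is enforced on the server side.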
The prudent IT manager will always carefully test any Oracle application that is deployed on the web, using trusted advisors and white hat hackers who can certify that the Oracle web application does not have any security exposures.
For a complete treatment of the topic of Oracle security on the web, see these books and resources:

- Oracle Forensics, by Paul M. Wright, Rampant TechPress
- Oracle Privacy Security Auditing, by Arup Nanda and Donald K. Burleson,