Presentation database security enhancements with oracle
1. Database Security Enhancements With Oracle Database 11g
Daniel Wong
Director of Engineering, Database Security
Oracle Corporation
2. Agenda
• About Oracle Software Security Assurance
• Overview of Security Enhancements in 11g
• Secure Configuration Enhancements
• Other Key Security Enhancements
• Q&A
3. Oracle Software Security Assurance
All the processes, procedures, and technologies that have been implemented to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience.
[Diagram: Product Definition, Product Development, Ongoing Assurance, Secure Coding Standards]
4. Oracle Software Security Assurance: Secure Configuration
• Enhance “out of the box installation” settings to be more secure
  • Remove default passwords
  • Disable unneeded services
  • Reduce proliferation of powerful privileges
• Identify and minimize potential effects of enhanced secure configuration settings:
  • Impacts resulting from version upgrade
  • Impacts on Oracle and third-party applications
• Document and share current security best practices
  • http://www.oracle.com/security/resource-library.html
5. Oracle Software Security Assurance: Secure Configuration
• Goals:
  • Improve security of default configuration
  • Secure by Default while maintaining upgradability and usability
• Inputs:
  • Internal: Various Oracle Software Security Assurance programs
  • External: CIS, SANS, DISA
• Recent Enhancements:
  • Locked default accounts, expired passwords
  • Optional install of demo schemas
  • Best Practices document
  • Default password/account scanner
6. Secure Configuration Enhancements with 11g - Overview
1. Default Audit Settings
  • Preconfigured
  • Enhanced performance
2. Default Password Management
  • Enhanced protection against brute force attacks
  • Complexity enforcement procedure
  • Built-in default password scanner
3. Enhanced Authentication
  • Case sensitive password authentication
  • Control authentication version
4. Enhanced Access Control
  • Improved security for several utl* packages
7. Audit Settings
• Key requirement for compliance
• 10gR2: OFF by default
• 11g:
  • AUDIT_TRAIL=DB by default in DBCA
  • Security-relevant actions audited
• Performance:
  • Set AUDIT_TRAIL=XML or OS for best performance
  • In our informal lab environment, we found 1-2% performance degradation for the TPCC benchmark with AUDIT_TRAIL=DB and our default auditing statements
8. Updated Default Audit Settings
• Statement Audit option
  • ROLE
• Privilege Audit Options
  • CREATE USER
  • ALTER USER
  • DROP USER
  • CREATE SESSION
  • CREATE ANY TABLE
  • ALTER ANY TABLE
  • DROP ANY TABLE
  • CREATE ANY PROCEDURE
  • ALTER ANY PROCEDURE
  • DROP ANY PROCEDURE
  • ALTER PROFILE
  • DROP PROFILE
  • GRANT ANY PRIVILEGE
  • GRANT ANY OBJECT PRIV.
  • GRANT ANY ROLE
  • CREATE ANY JOB
  • CREATE EXTERNAL JOB
  • CREATE ANY LIBRARY
  • CREATE PUBLIC DB LINK
  • EXEMPT ACCESS POLICY
  • ALTER DATABASE
  • ALTER SYSTEM
  • AUDIT SYSTEM
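An added check, not part of the slides, for confirming which of these audit defaults are actually in effect on a given database and for applying them where they are missing; it assumes a DBA connection with SELECT on the DBA_* views and the AUDIT SYSTEM privilege.

```sql
-- Added example, not from the slides. Run as a DBA.

-- 1. Where does the audit trail go? DB is the DBCA default (slide 7);
--    XML or OS is the cheaper choice for a write-heavy workload.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 2. System-wide statement and privilege audit options currently set.
--    USER_NAME IS NULL selects the options that apply to every user,
--    which is how the slide-8 defaults are installed.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL
 ORDER BY audit_option;

SELECT privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name IS NULL
 ORDER BY privilege;

-- 3. Slide 19 promises the defaults only for new installations. If an
--    upgraded database does not show the slide-8 list above, apply it by
--    hand. BY ACCESS writes one record per statement, which is what these
--    security-relevant actions warrant.
AUDIT ROLE BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER, CREATE SESSION,
      CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE,
      CREATE ANY PROCEDURE, ALTER ANY PROCEDURE, DROP ANY PROCEDURE,
      ALTER PROFILE, DROP PROFILE,
      GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY ROLE,
      CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE ANY LIBRARY,
      CREATE PUBLIC DATABASE LINK, EXEMPT ACCESS POLICY,
      ALTER DATABASE, ALTER SYSTEM, AUDIT SYSTEM
   BY ACCESS;

-- 4. Moving the trail out of the database: AUDIT_TRAIL is a static
--    parameter, so the change takes effect at the next restart.
ALTER SYSTEM SET audit_trail = 'XML', 'EXTENDED' SCOPE = SPFILE;
```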
9. Default Profile Password Settings
• 10gR2
  • FAILED_LOGIN_ATTEMPTS = 10
  • all others: unlimited
• 11g - more restrictive
  • FAILED_LOGIN_ATTEMPTS = 10 (no change)
  • PASSWORD_LOCK_TIME = 1 (day)
  • PASSWORD_GRACE_TIME = 7 (days)
  • PASSWORD_LIFE_TIME = 180 (days)
• Balanced protection against Denial of Service (DoS) and password attacks while keeping usability
10. Password Complexity
• Supports case sensitive passwords
• Supports special and multi-byte characters to increase security and usability
• Takes effect immediately after password change
• Enhanced default password complexity verification
  • Password complexity verification is not enabled in the default profile; it can be enabled via Enterprise Manager or SQL
  • The verification function is defined in utlpwdmg.sql in the $ORACLE_HOME/admin directory
  • SQL to set the password complexity verification:
    ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function_11G;
  • This routine verifies that the password:
    • Has a minimum length of 8 characters
    • Has at least one letter and one digit
    • Is not the username, the reverse of the username, or the username followed by a number from 1 to 100
    • Is not one of a few common passwords (e.g. welcome1)
    • Differs from the previous password by at least 3 characters
11. Password Complexity Recommendations
• Default password profile parameters may not suit everyone
  • Adjust the password settings to your security needs
  • Change the default password verification routine as per your needs
  • Define at least two password profiles - one for users and one for mid-tiers and administrators
• Password recommendations vary with use cases:
  • See, for example, the recommendations for E-Business Suite - MetaLink 189367.1
  • See also OTN: otn.oracle.com -> products -> database -> security and compliance for detailed recommendations
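Slides 9 to 11 together describe a policy: the 11g profile limits, the five checks verify_function_11G makes, and a split between user and service-account profiles. The following is an added example, not Oracle's utlpwdmg.sql, that implements those five checks in a custom verification function and builds the two profiles; the names verify_pw_policy, app_users, app_service and the user names in the final ALTER USER statements are my own placeholders, and the script assumes it is run as SYS, which must own password verify functions.

```sql
-- Added example, not from the slides. Run as SYS.
CREATE OR REPLACE FUNCTION verify_pw_policy (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  TYPE t_words IS TABLE OF VARCHAR2(30);
  -- Constructed deny-list; extend it with whatever your own audits turn up.
  common_pw  CONSTANT t_words := t_words('welcome1', 'oracle123', 'password1');
  user_rev   VARCHAR2(30) := '';
  differing  PLS_INTEGER := 0;
BEGIN
  -- 1. Minimum length of 8 characters
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;

  -- 2. At least one letter and one digit (multi-byte letters count as letters)
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20002, 'Password needs at least one letter and one digit');
  END IF;

  -- 3. Not the username, its reverse, or the username followed by 1..100.
  --    Compared case-insensitively so that SCOTT1 and scott1 are both rejected.
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    user_rev := user_rev || SUBSTR(username, i, 1);
  END LOOP;
  IF UPPER(password) = UPPER(username) OR UPPER(password) = UPPER(user_rev) THEN
    raise_application_error(-20003, 'Password must not be based on the username');
  END IF;
  FOR n IN 1 .. 100 LOOP
    IF UPPER(password) = UPPER(username) || n THEN
      raise_application_error(-20003, 'Password must not be based on the username');
    END IF;
  END LOOP;

  -- 4. Not a well-known default
  FOR i IN 1 .. common_pw.COUNT LOOP
    IF LOWER(password) = common_pw(i) THEN
      raise_application_error(-20004, 'Password is too common');
    END IF;
  END LOOP;

  -- 5. Differ from the previous password in at least 3 positions (length
  --    difference counts). old_password is NULL on an administrative reset.
  IF old_password IS NOT NULL THEN
    differing := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differing := differing + 1;
      END IF;
    END LOOP;
    IF differing < 3 THEN
      raise_application_error(-20005, 'Password must differ from the previous one by at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END verify_pw_policy;
/

-- Profile for interactive users: the 11g defaults from slide 9 plus the checker.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_GRACE_TIME      7
  PASSWORD_LIFE_TIME       180
  PASSWORD_VERIFY_FUNCTION verify_pw_policy;

-- Profile for mid-tier service accounts. A lock-out threshold on a shared
-- account turns a burst of failed logins into an application outage (the DoS
-- trade-off slide 9 mentions), so lock-out is left off and failed CREATE
-- SESSION audit records (slide 8) are alerted on instead; password rotation
-- is driven by change management rather than by a grace period that can run
-- out in the middle of production hours.
CREATE PROFILE app_service LIMIT
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_pw_policy;

-- Placeholder user names; assign each account to the profile that fits its use.
ALTER USER some_end_user   PROFILE app_users;
ALTER USER some_app_schema PROFILE app_service;
```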
12. Default Password View
• View DBA_USERS_WITH_DEFPWD will show all accounts still using default passwords
• Over 140 default username/passwords collected from the field, including application accounts for PeopleSoft and E-Business Suite
• Example:
SQL> desc DBA_USERS_WITH_DEFPWD
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USERNAME                                  NOT NULL VARCHAR2(30)

SQL> select * from DBA_USERS_WITH_DEFPWD;

USERNAME
------------------------------
JONES
13. Enhanced Authentication
• Supports multi-byte and special characters
• Case sensitive passwords always enforced
  • Use SEC_CASE_SENSITIVE_LOGON to turn it OFF if necessary
• Set SQLNET.ALLOWED_LOGON_VERSION to the highest OCI client version in use:
  • Use 8 if there are Oracle 8.x clients connecting to the DB
  • Use 9 if there are Oracle 9.x clients connecting to the DB
  • Use 11 if there are Oracle 10.x and/or 11.x clients connecting to the DB
  • Use 8 if there are pre-Oracle 11g JDBC pure Java clients connecting to the DB
• Use of SHA-1 hashing algorithm to protect passwords
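The checks a DBA would run before acting on slides 12 and 13, as an added example that is not part of the slides: it lists the default-password accounts with their status, finds accounts that have never been re-hashed with the 11g SHA-1 verifier, and confirms the case-sensitivity parameter. It assumes SELECT on the DBA_* views and V$PARAMETER; the user names in the ALTER USER statements are placeholders.

```sql
-- Added example, not from the slides. Run as a DBA.

-- 1. Accounts still on a default password (slide 12), with their status, so
--    that OPEN accounts are dealt with first and locked/expired ones second.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY DECODE(u.account_status, 'OPEN', 0, 1), d.username;

-- Typical remediation: change and expire the password on an account that is
-- still needed; lock an account that nobody should log in to.
ALTER USER some_app_user  IDENTIFIED BY "<new-strong-password>" PASSWORD EXPIRE;
ALTER USER some_demo_user ACCOUNT LOCK PASSWORD EXPIRE;

-- 2. Accounts that have only the pre-11g verifier. DBA_USERS.PASSWORD_VERSIONS
--    is new in 11g; the case-sensitive SHA-1 verifier from slide 13 is only
--    generated when the password is changed, so an upgraded account whose
--    row shows '10G' alone is still protected by the old scheme until reset.
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE password_versions NOT LIKE '%11G%'
 ORDER BY username;

-- 3. Confirm case sensitivity is on before relying on it (TRUE is the 11g default).
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';

-- 4. Only after the inventory above: set the value slide 13 gives for the
--    clients you still have, in the server's sqlnet.ora, for example
--    SQLNET.ALLOWED_LOGON_VERSION = 11
```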
14. Enhanced Access Control
• Improved security for several utl* packages
  • UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, etc.
  • These packages will no longer allow connections to external network services by non-privileged users by default
  • SYS and XDB schemas will specifically remain excluded from this kind of restriction
• DBAs will be able to specify what network services database users will be allowed to access when using these packages.

Enhanced Access Control
Recommendations
• Open access to external network services only minimally
  • Specify down to hosts and ports; avoid unnecessary "*" wildcards
• Keep a small number of ACLs for manageability and performance
  • Share ACLs among network services open to the same users
• Consider giving access indirectly through application schemas
  • Applications can further restrict user interaction with network services

Access Control Administration
• Administration via DBMS_NETWORK_ACL_ADMIN
  • Grant access to a network service:
    • create_acl – create an ACL with its first user
    • assign_acl – assign the ACL to a network service
  • Grant access to more users in an ACL: add_privilege
  • Revoke access from users in an ACL: delete_privilege
  • Stop access to a network service:
    • unassign_acl – take the ACL away from the network service
• All ACL changes are transactional
  • Remember to COMMIT the transaction!
• View ACL settings via dictionary views
  • DBA_NETWORK_ACLS – which network services have ACLs?
  • DBA_NETWORK_ACL_PRIVILEGES – who is in the ACLs?

Access Control Administration
Example

  begin
    dbms_network_acl_admin.create_acl(
      acl         => 'smtp-access.xml',
      description => 'ACL for SMTP service',
      principal   => 'MAILAGENT',
      is_grant    => TRUE,
      privilege   => 'connect');
    dbms_network_acl_admin.assign_acl(
      acl         => 'smtp-access.xml',
      host        => 'smtp-host.oracle.com',
      lower_port  => 25);
  end;
  /
  commit;

Access Control Administration
Example

  SQL> select * from dba_network_acls;

  HOST                 LOWER_PORT UPPER_PORT ACL
  -------------------- ---------- ---------- -------------------------
  smtp-host.oracle.com         25         25 /sys/acls/smtp-access.xml

  SQL> select * from dba_network_acl_privileges;

  ACL                       PRINCIPAL            PRIVILEGE
  ------------------------- -------------------- ---------
  /sys/acls/smtp-access.xml MAILAGENT            connect
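The remaining steps from the administration slide (add_privilege, delete_privilege, unassign_acl and the COMMIT), continued from the smtp-access.xml ACL above, as an added example that is not from the deck; REPORTAPP and smtp-relay2.example.com are assumed names, and CHECK_PRIVILEGE is a function of DBMS_NETWORK_ACL_ADMIN that the slides do not mention.

```sql
-- Added example, not from the deck: the remaining DBMS_NETWORK_ACL_ADMIN
-- calls from the administration slide, applied to the smtp-access.xml ACL
-- the slide example created. REPORTAPP and smtp-relay2.example.com are
-- assumed names.

-- Grant a second database user the same privilege in the existing ACL.
-- Principals are schema names, so they must be given in upper case.
BEGIN
  dbms_network_acl_admin.add_privilege(
    acl       => 'smtp-access.xml',
    principal => 'REPORTAPP',
    is_grant  => TRUE,
    privilege => 'connect');
  -- Reuse the same ACL for a second relay instead of creating another one.
  dbms_network_acl_admin.assign_acl(
    acl        => 'smtp-access.xml',
    host       => 'smtp-relay2.example.com',
    lower_port => 25,
    upper_port => 25);
END;
/
-- ACL changes are transactional: nothing above is in effect until committed.
COMMIT;

-- Verify from the dictionary views. CHECK_PRIVILEGE returns 1 when the ACL
-- grants the privilege, 0 when it denies it, NULL when it says nothing.
SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges
 WHERE acl = '/sys/acls/smtp-access.xml';

SELECT host, lower_port, upper_port,
       DECODE(dbms_network_acl_admin.check_privilege(acl, 'REPORTAPP', 'connect'),
              1, 'GRANTED', 0, 'DENIED', 'NOT DECIDED') AS connect_priv
  FROM dba_network_acls
 WHERE acl = '/sys/acls/smtp-access.xml';

-- Revoke the grant again and detach the ACL from the second relay only;
-- smtp-host.oracle.com keeps its assignment.
BEGIN
  dbms_network_acl_admin.delete_privilege(
    acl       => 'smtp-access.xml',
    principal => 'REPORTAPP');
  dbms_network_acl_admin.unassign_acl(
    acl        => 'smtp-access.xml',
    host       => 'smtp-relay2.example.com',
    lower_port => 25,
    upper_port => 25);
END;
/
COMMIT;
```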

How Do These Changes Impact Installation?
• New installations will by default include the audit and password profiles
• Option during install to retain 10gR2 settings
  • DBCA screens to:
    • Revert to 10gR2 settings for audit and/or password
    • Apply the new default settings
• Upgrades will not change the audit and password profile settings

Recommendations for Upgrades I
• Audit settings
  • Turn on auditing for the security-sensitive DDL operations listed
  • Set the audit trail to DB or DB_EXTENDED for queryability
  • Set it to OS or XML for performance
• Password management
  • Institute password policies by classifying users into different usage groups and assigning a dedicated profile to each group
  • Check DBA_USERS_WITH_DEFPWD for default passwords

Recommendations for Upgrades II
• Authentication
  • Identify the sources of connections and set the security level to the highest the clients support
  • Ask users to change their passwords as soon as possible so that case-sensitive passwords take effect
  • Look into EUS (Enterprise User Security) for centralized user management
  • Reminder: we support connect username/password AS SYSDBA
• Access Control
  • Identify applications using UTL_* packages, identify and grant the appropriate new ACL privileges, and confirm the applications run fine
  • Evaluate the privileges currently granted and follow the least-privilege model

Other Key Security Enhancements
• Tablespace Encryption option in Transparent Data Encryption
  • Allows bulk encryption at the tablespace level
  • No restriction on data types and indexes
  • Works with all High Availability offerings
• Hardware Security Module and External Key Server support in Transparent Data Encryption
  • Provides an additional option for security and key management services by third-party products
• Management of SYSDBA and SYSOPER in Enterprise User Security
  • Identity management of super users in databases
• Enhanced Kerberos support
  • Cross-realm and type 4 certificate support
  • Support for Microsoft KDC default encryption modes

Oracle Software Security Assurance
Conclusion
• MAXIMUM SECURITY
  • Best-of-breed security features
  • Secure design from the ground up
  • Effective vulnerability remediation process
• LOWER COST OF OWNERSHIP
  • Unwavering commitment to maintaining our customers' security posture
  • Predictable security patch process
  • Priority given to quality

For More Information
• Oracle Software Security Assurance web site at http://www.oracle.com/security/software-security-assurance.html
  • Technical white papers and security guides
  • Online security seminars and webcasts
  • Blogs and more
• Critical Patch Update & Security Alerts at http://www.oracle.com/technology/deploy/security/alerts.htm
  • Critical Patch Updates and current security alerts
  • Patch download
  • CPU documentation & risk matrices
• http://search.oracle.com