Yes, I will ditto the recommendation for Pete Finnigan's book.

Jared
On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> Paul - We have some of the similar issues here (network/firewall/VPN/Oracle
> Net). Based on your description of your business, you probably have some
> competent network engineers on staff. My experience is that they routinely
> handle issues like this, and you probably won't need to get involved in the
> actual configuration. However, you should educate yourself in the security
> issues involved so you can participate intelligently in any discussions from
> the database point of view. As a starter, I am including two recent
> excellent postings to this list from Tim Gorman and Ian MacGregor. Just
> scroll down.
>
> Dennis Williams
> DBA
> Lifetouch, Inc.
> [EMAIL PROTECTED]
>
> Sent: Thursday, August 07, 2003 10:25 AM
> To: Multiple recipients of list ORACLE-L
>
> Sandro,
>
> There is an excellent book on "Oracle Security" available online from
> "http://www.sans.org". Concise, organized, and prioritized. Also, Newman
> and Theriault's "Oracle Security Handbook" from Oracle Press is chock full
> of common sense...
>
> Not sure what the question about "automating the migration of stored
> procedures" refers to. Could you provide more information? I don't think I
> understand the problem...
>
> Storing password files on the database server is mainly an exercise in
> ensuring that OS security and file permissions are properly implemented. If
> you cannot ensure that OS files are properly secured, then the entire Oracle
> database is at risk, not to mention files containing clear-text passwords.
> After all, one can view data within datafiles using programs other than the
> Oracle RDBMS...
>
> The idea of creating production schemas/logins to separate object ownership
> from application/end-user access is excellent. To avoid using synonyms,
> consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA =
> <ownership-schema>" command being executed in an AFTER LOGON trigger in all
> accounts used for end-user access. It is a little-known but wonderfully
> manageable bit of functionality...
>
> Hope this helps...
>
> -Tim
>
> -----Original Message-----
> Sent: Wednesday, October 01, 2003 5:19 PM
> To: Multiple recipients of list ORACLE-L
>
> Our security folks just sent me this.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> [EMAIL PROTECTED]
>
> -----Original Message-----
> Sent: Tuesday, September 30, 2003 1:35 PM
> To: [EMAIL PROTECTED]
>
> I've posted the presentation I gave at OracleWorld last month. This
> presentation covers writing secure code in Oracle databases and Oracle
> Application Server. The topics covered include:
>
> Managing state
> Query parameters
> Hidden fields
> Cookies
> Cross-site scripting
> SQL Injection
> PL/SQL Injection
> Buffer overflows in EXTPROC
> Resources
>
> You can download the presentation at
> http://www.appsecinc.com/techdocs/presentations.html under the heading
> "Writing Secure Code in Oracle Presentation".
>
> I welcome comments and criticisms.
>
> Regards,
> Aaron
> _______________________________
> Aaron C. Newman
> CTO/Founder
> Application Security, Inc.
> www.appsecinc.com
> Phone: 212-420-9270
> Fax: 212-420-9680
> - Securing Business by Securing Enterprise Applications -
>
> Sent: Friday, October 24, 2003 10:14 AM
> To: Multiple recipients of list ORACLE-L
>
> We are an Application Service Provider--we maintain a set of servers in
> a colocation facility and our customers use our application via the
> Web. Security is a paramount concern, of course, and only our Web
> server has a public IP address, with the application and database
> servers completely private.
>
> We supply a number of standard reports, but most of our customers want
> some custom reports as well. We would like to give them access to our
> database, possibly over a VPN, but only if security can be maintained.
> I'd like to know if anyone has faced such a situation, and what kind of
> configuration (network/firewall/VPN/Oracle Net) might make such access
> possible.
>
> TIA,
>
> =====
> Paul Baumgartel
> Transcentive, Inc.
> www.transcentive.com
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Paul Baumgartel
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: DENNIS WILLIAMS
> INET: [EMAIL PROTECTED]
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Jared Still
INET: [EMAIL PROTECTED]
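The CURRENT_SCHEMA pattern Tim Gorman describes in the quoted thread, worked through as an added example. This is not code from the thread or from any of its authors; the schema names APPOWNER and APPUSER, the role APP_USER_ROLE, the ORDERS table and the placeholder passwords are assumptions for illustration. The script is meant to be run as a DBA account; creating an ON DATABASE trigger requires the ADMINISTER DATABASE TRIGGER system privilege.

```sql
-- Added example, not from the original thread. APPOWNER, APPUSER,
-- APP_USER_ROLE, ORDERS and the "change_me_*" passwords are assumptions.

-- 1. Ownership schema: holds the objects, is never used for end-user logins.
CREATE USER appowner IDENTIFIED BY "change_me_owner"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO appowner;

CREATE TABLE appowner.orders (
  order_id  NUMBER        PRIMARY KEY,
  customer  VARCHAR2(100) NOT NULL,
  amount    NUMBER(12,2)  NOT NULL
);

-- 2. Least-privilege role: only the object privileges the application needs,
--    granted on the owner's objects (a DBA may grant them on the owner's behalf).
CREATE ROLE app_user_role;
GRANT SELECT, INSERT, UPDATE ON appowner.orders TO app_user_role;

-- 3. End-user account: owns nothing, has no quota, gets the role only.
CREATE USER appuser IDENTIFIED BY "change_me_user"
  DEFAULT TABLESPACE users QUOTA 0 ON users;
GRANT CREATE SESSION, app_user_role TO appuser;

-- 4. AFTER LOGON trigger: for the end-user accounts, point unqualified name
--    resolution at the owner schema, so "SELECT * FROM orders" works without
--    a synonym. The exception handler is deliberate: an unhandled error in a
--    logon trigger blocks logins for every user lacking ADMINISTER DATABASE
--    TRIGGER, which is a self-inflicted lockout. In production, replace the
--    hard-coded IN list with a lookup table of redirected accounts.
CREATE OR REPLACE TRIGGER app_logon_set_schema
  AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('APPUSER') THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = appowner';
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- never fail the login because of the redirect; log it instead
END;
/

-- 5. Checks, run while connected as APPUSER. SESSION_USER is still APPUSER
--    (privileges and auditing are unchanged); only name resolution moved.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   dual;                          -- expect APPUSER / APPOWNER

SELECT COUNT(*) FROM orders;          -- resolves to APPOWNER.ORDERS via the role

-- Should fail with ORA-01031 (insufficient privileges): CURRENT_SCHEMA
-- grants nothing, and APPUSER has no CREATE TABLE and no quota.
CREATE TABLE scratch AS SELECT * FROM orders;
```

Two caveats worth remembering: CURRENT_SCHEMA changes only how unqualified names are resolved in SQL for that session, so every object still needs an explicit grant (here via the role), and it does not affect how stored PL/SQL resolves names, which is fixed at compile time. The trigger also fires for every login, so keep its body short and keep the exception handler.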
