Jared,

Is that the book from sans.org?

Thanks,

Paul


--- Jared Still <[EMAIL PROTECTED]> wrote:
> Yes, I will ditto the recommendation for Pete Finnigan's book.
> 
> Jared
> 
> On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> > Paul - We have some of the similar issues here (network/firewall/VPN/Oracle
> > Net). Based on your description of your business, you probably have some
> > competent network engineers on staff. My experience is that they routinely
> > handle issues like this, and you probably won't need to get involved in the
> > actual configuration. However, you should educate yourself in the security
> > issues involved so you can participate intelligently in any discussions from
> > the database point of view. As a starter, I am including two recent
> > excellent postings to this list from Tim Gorman and Ian MacGregor. Just
> > scroll down.
> > 
> > Dennis Williams
> > DBA
> > Lifetouch, Inc.
> > [EMAIL PROTECTED] 
> > 
> > Sent: Thursday, August 07, 2003 10:25 AM
> > To: Multiple recipients of list ORACLE-L
> > 
> > 
> > Sandro,
> > 
> > There is an excellent book on "Oracle Security" available online from
> > "http://www.sans.org".  Concise, organized, and prioritized.  Also, Newman
> > and Theriault's "Oracle Security Handbook" from Oracle Press is chock full
> > of common sense...
> > 
> > Not sure what the question about "automating the migration of stored
> > procedures" refers to.  Could you provide more information?  I don't think I
> > understand the problem...
> > 
> > Storing password files on the database server is mainly an exercise in
> > ensuring that OS security and file permissions are properly implemented.  If you
> > cannot ensure that OS files are properly secured, then the entire Oracle
> > database is at risk, not to mention files containing clear-text passwords.
> > After all, one can view data within datafiles using programs other than the
> > Oracle RDBMS...
> > 
> > The idea of creating production schemas/logins to separate object ownership
> > from application/end-user access is excellent.  To avoid using synonyms,
> > consider the functionality of the
> > "ALTER SESSION SET CURRENT_SCHEMA = <ownership-schema>" command being
> > executed in an AFTER LOGON trigger in all accounts used for end-user
> > access.  It is a little-known but wonderfully manageable bit of
> > functionality...
> > 
> > Hope this helps...
> > 
> > -Tim
> > -----Original Message-----
> > Sent: Wednesday, October 01, 2003 5:19 PM
> > To: Multiple recipients of list ORACLE-L
> > 
> > 
> > Our security folks just sent me this.
> > 
> > Ian MacGregor
> > Stanford Linear Accelerator Center
> > [EMAIL PROTECTED] 
> > 
> > -----Original Message-----
> > Sent: Tuesday, September 30, 2003 1:35 PM
> > To: [EMAIL PROTECTED]
> > 
> > 
> > I've posted the presentation I gave at OracleWorld last month. This
> > presentation covers writing secure code in Oracle databases and Oracle
> > Application Server. The topics covered include:
> > 
> > Managing state
> > Query parameters
> > Hidden fields
> > Cookies
> > Cross-site scripting
> > SQL Injection
> > PL/SQL Injection
> > Buffer overflows in EXTPROC
> > Resources
> > 
> > You can download the presentation at
> > http://www.appsecinc.com/techdocs/presentations.html under the heading
> > "Writing Secure Code in Oracle Presentation".
> > 
> > I welcome comments and criticisms.
> > 
> > Regards,
> > Aaron
> > _______________________________
> > Aaron C. Newman
> > CTO/Founder
> > Application Security, Inc.
> > www.appsecinc.com
> > Phone: 212-420-9270
> > Fax: 212-420-9680
> > - Securing Business by Securing Enterprise Applications -
> > 
> > 
> > Sent: Friday, October 24, 2003 10:14 AM
> > To: Multiple recipients of list ORACLE-L
> > 
> > 
> > We are an Application Service Provider--we maintain a set of servers in
> > a colocation facility and our customers use our application via the
> > Web.  Security is a paramount concern, of course, and only our Web
> > server has a public IP address, with the application and database
> > servers completely private.
> > 
> > We supply a number of standard reports, but most of our customers want
> > some custom reports as well.  We would like to give them access to our
> > database, possibly over a VPN, but only if security can be maintained.
> > I'd like to know if anyone has faced such a situation, and what kind of
> > configuration (network/firewall/VPN/Oracle Net) might make such access
> > possible.
> > 
> > TIA,
> > 
> > 
> > 
> > =====
> > Paul Baumgartel
> > Transcentive, Inc.
> > www.transcentive.com
> > 
> > -- 
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > -- 
> > Author: Paul Baumgartel
> >   INET: [EMAIL PROTECTED]
> > 
> > Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
> > San Diego, California        -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from).  You may
> > also send the HELP command for other information (like subscribing).
> 
> 
=== message truncated ===
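
The owner/login split and AFTER LOGON trigger described in Tim Gorman's quoted posting, written out as an added example that is not part of the original thread. The account, role, table and tablespace names (app_owner, report_user, app_read, orders, users) and the password placeholders are hypothetical.

```sql
-- Added example; all account, role, table and tablespace names are hypothetical.
-- Run as a DBA account holding CREATE ANY TRIGGER; assumes a USERS tablespace.

-- 1. Ownership schema: holds the objects and is never used to log in.
CREATE USER app_owner IDENTIFIED BY "<placeholder-owner-password>"
  DEFAULT TABLESPACE users QUOTA 10M ON users
  ACCOUNT LOCK;

CREATE TABLE app_owner.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER NOT NULL,
  amount      NUMBER(12,2)
);

-- 2. Role carrying only the object privileges end users need.
CREATE ROLE app_read;
GRANT SELECT ON app_owner.orders TO app_read;

-- 3. End-user login: can connect and read, owns nothing.
CREATE USER report_user IDENTIFIED BY "<placeholder-user-password>";
GRANT CREATE SESSION TO report_user;
GRANT app_read TO report_user;

-- 4. AFTER LOGON trigger on the end-user account. It is owned by the DBA
--    account that creates it, so report_user cannot alter or drop it.
--    CURRENT_SCHEMA changes only how unqualified names resolve; it grants
--    no privileges, so access is still limited to what app_read allows.
CREATE OR REPLACE TRIGGER report_user_set_schema
AFTER LOGON ON report_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- 5. Check, connected as report_user: the session's default schema is the
--    owner, and the unqualified name resolves to app_owner.orders with no synonym.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema FROM dual;
SELECT COUNT(*) FROM orders;
```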

