Skip navigation.

Security Blogs

Oracle Security Training In York

Pete Finnigan - Wed, 2015-11-25 09:20

We ran a five day Oracle Security training event in York, England from September 21st to September 25th at the Holiday Inn hotel. This proved to be very successful and good fun. The event included back to back teaching by....[Read More]

Posted by Pete On 22/10/15 At 08:49 PM

Categories: Security Blogs

New Presentation - Building Practical Oracle Audit Trails

Pete Finnigan - Wed, 2015-11-25 09:20

I wrote a presentation on designing and building practical audit trails back in 2012 and presented it once and then never again. By chance I did not post the pdf's of these slides at that time. I did though some....[Read More]

Posted by Pete On 01/10/15 At 05:16 PM

Categories: Security Blogs

Protect Your APEX Application PL/SQL Source Code

Pete Finnigan - Wed, 2015-11-25 09:20

Oracle Application Express is a great rapid application development tool where you can write your applications functionality in PL/SQL and create the interface easily in the APEX UI using all of the tools available to create forms and reports and....[Read More]

Posted by Pete On 21/07/15 At 04:27 PM

Categories: Security Blogs

Oracle Security and Electronics

Pete Finnigan - Wed, 2015-11-25 09:20

How does Oracle Security and Electronic mix together? - Well I started my working life in 1979 as an apprentice electrician in a factory here in York, England where I live. The factory designed and built trains for the national....[Read More]

Posted by Pete On 09/07/15 At 11:24 AM

Categories: Security Blogs

New Conference Speaking Dates Added

Pete Finnigan - Wed, 2015-11-25 09:20

In the last few years I have not done as many conference speaking dates as I used to. This is simply because when offered they usually clashed with pre-booked work. I spoke for the UKOUG in Dublin last year and....[Read More]

Posted by Pete On 06/07/15 At 09:40 AM

Categories: Security Blogs

Happy 10th Belated Birthday to My Oracle Security Blog

Pete Finnigan - Wed, 2015-11-25 09:20

Make a Sad Face..:-( I seemed to have missed my blogs tenth which happened on the 20th September 2014. My last post last year and until very recently was on July 23rd 2014; so actually its been a big gap....[Read More]

Posted by Pete On 03/07/15 At 11:28 AM

Categories: Security Blogs

Oracle Database Vault 12c Paper by Pete Finnigan

Pete Finnigan - Wed, 2015-11-25 09:20

I wrote a paper about Oracle Database Vault in 12c for SANS last year and this was published in January 2015 by SANS on their website. I also prepared and did a webinar about this paper with SANS. The Paper....[Read More]

Posted by Pete On 30/06/15 At 05:38 PM

Categories: Security Blogs

Unique Oracle Security Trainings In York, England, September 2015

Pete Finnigan - Wed, 2015-11-25 09:20

I have just updated all of our Oracle Security training offerings on our company website. I have revamped all class pages and added two page pdf flyers for each of our four training classes. In have also updated the list....[Read More]

Posted by Pete On 25/06/15 At 04:36 PM

Categories: Security Blogs

Basic OBIEE Enumeration Checklist

Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:

  1. If possible ask for the following:
    1. System diagram
    2. All URLs – WebLogic, Enterprise Manager and OBIEE
    3. Ask about load balancer and reverse proxy
    4. WebLogic accounts and passwords for both /EM and /Console
    5. TNSNAMES info and DB accounts and passwords for WebLogic repository database
    6. Ideally O/S accounts and passwords for server supporting WebLogic – will need for WLST scripts
    7. Request copy of config.xml file for each environment. If o/s accounts are surrendered these can be easily obtained.
  2. Network probe
    1. NMAP scan for WebLogic and OBIEE ports 7001, 9701 and 9703. Suggest scanning 9700 – 9710. Also NMAP scan for Oracle networking 1521 (default).  Suggest scanning 1520-1530
    2. Check WebLogic and OBIEE specific URLs. For public facing, use Google. For internal construct URLs using information gathered from NMAP:



Administration Server Console


Enterprise Manager Console


Enterprise Manager Agent


Oracle Portal


Oracle Forms


Oracle Reports


Oracle Discoverer Viewer



If external Google: intitle:"WebLogic Server" intitle:"Console Login" inurl:console –


Look for: analytics/saw.dll

e.g. if external Google: Inurl: analytics/saw.dll –


  1. Inventory the databases associated with WebLogic. Issue the following from the repository databases:
  2. Read and analyze the primary WebLogic configurations. The primary config file is the /domains/DOMAIN_NAME/config/config.xml 
  3. Get server information, suggest running WLST scripts for – Google several good examples: ‘wlst script list servers and information’
  4. Get WebLogic user information, suggest running WLST scripts for – Google several good examples: ‘wlst script list users’
  5. For OBIEE authentication will first be done by WebLogic. WebLogic will determine who can access OBIEE. WebLogic groups may or may not then drive authorization. Older OBIEE solutions also might internally authenticate within the repository (RDP).  Overall security authorization within OBIEE can be at control at various levels; Catalog/Presentation, RPD and within the data sources or a combination of everything. There can also be no security/authorization e.g. authentication by WebLogic to use OBIEE and then handoff to a PUBLIC / generic OBIEE report.
Tags: Oracle Fusion MiddlewareOracle Business Intelligence (OBIEE)
Categories: APPS Blogs, Security Blogs

Coding in PL/SQL in C style, UKOUG, OUG Ireland and more

Pete Finnigan - Wed, 2015-10-21 08:05

My favourite language is hard to pin point; is it C or is it PL/SQL? My first language was C and I love the elegance and expression of C. Our product PFCLScan has its main functionallity written in C. The....[Read More]

Posted by Pete On 23/07/14 At 08:44 PM

Categories: Security Blogs

DAM tools, IBM Guardium, Oracle E-Business Suite, PeopleSoft and SAP

A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.

There are many advantages to deploying a DAM solution to protect your ERP platform, the first being additional defense-in-depth for one of your most critical assets. You can read more here ( Integrigy Guide to Auditing and Logging in Oracle E-Business Suite)  about Integrigy’s recommendations for database security programs. DAM solutions allow for complex reporting as well as 24x7 monitoring and easy relaying of alerts to your SIEM (e.g. Splunk or ArcSight).

Deploying DAM solutions to protect your SAP, PeopleSoft or E-Business Suite is a not-plug-and-play exercise. IBM Guardium’s out-of-the-box policies for the E-Business Suite require configuration to be of any value – see figure three below. The out-of-the-box DAM policies are a good starting point and Integrigy rarely sees them implemented as is. Integrigy also highly recommends, if at all possible, to complete a sensitive data discovery project prior to designing your initial DAM policies. Such projects greatly help to define requirements as well as offer opportunities for data clean up.

Overall, to design and implement an initial set of Guardium policies for the E-Business Suite (or any other ERP package) is usually a few weeks of effort depending on your size and complexity.

If you have any questions, please contact us at

Figure 1- Seeded Guardium Policies for EBS and SAP

Figure 2- Guardium E-Business Suite PCI Policy

Figure 3- Example of Blank Configuration




Tags: AuditingOracle E-Business SuiteIBM Guardium
Categories: APPS Blogs, Security Blogs

Integrating PFCLScan and Creating SQL Reports

Pete Finnigan - Wed, 2015-09-30 05:50

We were asked by a customer whether PFCLScan can generate SQL reports instead of the normal HTML, PDF, MS Word reports so that they could potentially scan all of the databases in their estate and then insert either high level....[Read More]

Posted by Pete On 25/06/14 At 09:41 AM

Categories: Security Blogs