Jared,
Is that the book from sans.org?
Thanks,
Paul
- Jared Still <jkstill_at_cybcon.com> wrote:
> Yes, I will ditto the recommendation for Pete Finnigan's book.
>
> Jared
>
> On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> > Paul - We have some of the similar issues here (network/firewall/VPN/Oracle
> > Net). Based on your description of your business, you probably have some
> > competent network engineers on staff. My experience is that they routinely
> > handle issues like this, and you probably won't need to get involved in the
> > actual configuration. However, you should educate yourself in the security
> > issues involved so you can participate intelligently in any discussions from
> > the database point of view. As a starter, I am including two recent
> > excellent postings to this list from Tim Gorman and Ian MacGregor. Just
> > scroll down.
> >
> > Dennis Williams
> > DBA
> > Lifetouch, Inc.
> > dwilliams_at_lifetouch.com
> >
> > Sent: Thursday, August 07, 2003 10:25 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Sandro,
> >
> > There is an excellent book on "Oracle Security" available online from
> > "http://www.sans.org". Concise, organized, and prioritized. Also, Newman
> > and Theriault's "Oracle Security Handbook" from Oracle Press is chock full
> > of common sense...
> >
> > Not sure what the question about "automating the migration of stored
> > procedures" refers to. Could you provide more information? I don't think I
> > understand the problem...
> >
> > Storing password files on the database server is mainly an exercise in
> > ensuring that OS security and file permissions are properly implemented. If
> > you cannot ensure that OS files are properly secured, then the entire Oracle
> > database is at risk, not to mention files containing clear-text passwords.
> > After all, one can view data within datafiles using programs other than the
> > Oracle RDBMS...
> >
> > The idea of creating production schemas/logins to separate object ownership
> > from application/end-user access is excellent. To avoid using synonyms,
> > consider the functionality of the "ALTER SESSION SET CURRENT_SCHEMA =
> > <ownership-schema>" command being executed in an AFTER LOGON trigger in all
> > accounts used for end-user access. It is a little-known but wonderfully
> > manageable bit of functionality...
> >
> > Hope this helps...
> >
> > -Tim
> > -----Original Message-----
> > Sent: Wednesday, October 01, 2003 5:19 PM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > Our security folks just sent me this.
> >
> > Ian MacGregor
> > Stanford Linear Accelerator Center
> > ian_at_slac.stanford.edu
> >
> > -----Original Message-----
> > Sent: Tuesday, September 30, 2003 1:35 PM
> > To: NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM
> >
> >
> > I've posted the presentation I gave at OracleWorld last month. This
> > presentation covers writing secure code in Oracle databases and Oracle
> > Application Server. The topics covered include:
> >
> > Managing state
> > Query parameters
> > Hidden fields
> > Cookies
> > Cross-site scripting
> > SQL Injection
> > PL/SQL Injection
> > Buffer overflows in EXTPROC
> > Resources
> >
> > You can download the presentation at
> > http://www.appsecinc.com/techdocs/presentations.html under the heading
> > "Writing Secure Code in Oracle Presentation".
> >
> > I welcome comments and criticisms.
> >
> > Regards,
> > Aaron
> > _______________________________
> > Aaron C. Newman
> > CTO/Founder
> > Application Security, Inc.
> > www.appsecinc.com
> > Phone: 212-420-9270
> > Fax: 212-420-9680
> > - Securing Business by Securing Enterprise Applications -
> >
> >
> > Sent: Friday, October 24, 2003 10:14 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > We are an Application Service Provider--we maintain a set of servers in
> > a colocation facility and our customers use our application via the
> > Web. Security is a paramount concern, of course, and only our Web
> > server has a public IP address, with the application and database
> > servers completely private.
> >
> > We supply a number of standard reports, but most of our customers want
> > some custom reports as well. We would like to give them access to our
> > database, possibly over a VPN, but only if security can be maintained.
> > I'd like to know if anyone has faced such a situation, and what kind of
> > configuration (network/firewall/VPN/Oracle Net) might make such access
> > possible.
> >
> > TIA,
> >
> >
> >
> > =====
> > Paul Baumgartel
> > Transcentive, Inc.
> > www.transcentive.com
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: Paul Baumgartel
> > INET: treegarden_at_yahoo.com
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> > Author: DENNIS WILLIAMS
> > INET: DWILLIAMS_at_LIFETOUCH.COM
>
>
> Author: Jared Still
> INET: jkstill_at_cybcon.com
>
=== message truncated ===
Author: Paul Baumgartel
INET: treegarden_at_yahoo.com
Received on Mon Oct 27 2003 - 11:49:27 CST
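Tim Gorman's CURRENT_SCHEMA suggestion, worked through as an added example (it is not code from any of the posters): an owning schema that holds the tables, a login account that owns nothing, and a logon trigger that repoints unqualified names so no synonyms are needed. The names APP_OWNER, APP_USER, APP_USER_ROLE, the ORDERS table and the placeholder passwords are assumptions, and the script is assumed to be run from a DBA account.

```sql
-- Owning schema: holds the application objects. Assumed names and a
-- placeholder password; nothing here is from the original posts.
CREATE USER app_owner IDENTIFIED BY ChangeMe_Owner1
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE TO app_owner;

-- A constructed sample table so the example is self-contained
CREATE TABLE app_owner.orders (
  order_id NUMBER       PRIMARY KEY,
  customer VARCHAR2(100) NOT NULL,
  amount   NUMBER(12,2)  NOT NULL
);

-- Role carrying only the DML the application actually needs: no DDL,
-- no DELETE, and nothing on objects outside this table.
CREATE ROLE app_user_role;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_user_role;

-- End-user/application login: owns no objects, cannot create any
CREATE USER app_user IDENTIFIED BY ChangeMe_User1;
GRANT CREATE SESSION, app_user_role TO app_user;

-- Logon trigger (needs ADMINISTER DATABASE TRIGGER to create). For the
-- listed end-user accounts it sets CURRENT_SCHEMA so that a plain
-- "SELECT ... FROM orders" resolves to APP_OWNER.ORDERS. Name resolution
-- changes; privileges do not, so APP_USER still cannot do more than the
-- role allows.
CREATE OR REPLACE TRIGGER set_current_schema_on_logon
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('APP_USER') THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = app_owner';
  END IF;
END;
/

-- Connected as APP_USER, this now works without a synonym:
--   INSERT INTO orders (order_id, customer, amount) VALUES (1, 'Acme', 42.50);
-- while DROP TABLE orders fails, because APP_USER has no privilege on it.
```

Because the separation is enforced by privileges rather than by name resolution, a compromised application login is limited to the DML granted through the role and cannot alter or drop the owner's objects.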