
Re: Back and a Question

From: John Kanagaraj <john.kanagaraj_at_gmail.com>
Date: Tue, 15 Aug 2006 11:21:55 -0700
Message-ID: <2ead3a60608151121q52340853ob050633d3bb4f136@mail.gmail.com>


Anjo,

Welcome back!! (For those of you who don't know, Anjo is "The Man" who introduced the Wait Interface to the world via the YAPP paper! I think that was way back in 95?)

I believe this flurry is because of two issues: One - SOX (for the US based publicly held companies) and the related scrambling to become and stay "security compliant"; Two - the steady increase in attacks against Database enabled/front-ended systems and the widely publicized loss/theft of information. The former requires meeting rather stringent controls and periodically testing and reporting that they have been met, which needs some "auditor-acceptable" tools. In the latter case as well, you need to have tools that can test end-to-end security and not just at the database layer. As for the talk, both consulting and end user organizations need to talk about DB security, normally as a precursor to finding something workable.

BUT... the issue is this: Implementing security was (and still is!) generally an after-thought. (Aka "First to Market - security and good design be d***ed".) Once an application is rolled out, there is a bunch of hackers out there whose job it is to break in. Up until a few years ago, hacking was mostly for bragging rights practised among computer nerds. However, when hackers realized that there is $$ involved, it quickly escalated and now attracts all the criminal elements. Hence, organizations are caught between needing to secure both new apps being rolled out as well as existing ones that have already been implemented, versus being "first to market" and "easy to use/develop"... This is why you are seeing a lot of talk (to keep auditors/shareholders happy) and less action (being unable to change existing apps/procedures without breaking them, or to build in security right from inception).

As well, there are lots of specific areas within the broader "DB Security" - there is auditing / reporting, penetration testing, log mining, etc., and specific tools out there for each of these areas. You might want to look at the SANS Institute website for starters.

Hope this helps!
John Kanagaraj

On 8/15/06, Anjo Kolk <anjo.kolk_at_oraperf.com> wrote:
>
> So I made it back on the list, I have a question for you all about DB
> security. There seems to be a lot of talk about DB security, but not a lot
> of action. Is that true, and if it is true why don't customers act? There
> are products out there to check for DB security, how are they doing? Does
> any body on this list use them?
>
> Please share your thoughts and comments,
>
> --
> Anjo Kolk
> Owner and Founder OraPerf Projects
> tel: +31-577-712000
> mob: +31-6-55340888
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Aug 15 2006 - 13:21:55 CDT