Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements

From: Michael Wehrle <michaelw436_at_gmail.com>
Date: Wed, 4 May 2011 21:28:00 -0400
Message-ID: <BANLkTinW3168XiydhYiMiZDbu7WEhYm97g_at_mail.gmail.com>



Jared, sorry about the link. It looks like they have since moved the Oracle By Example series into an Apex site that uses Single Sign On. Go to www.oracle.com/technetwork/tutorials/index.html, then click on the link at the bottom to access the "learning library". Once you have logged in, you can search for "Using Transparent Data Encryption for Database 10g Release 2".

As far as the patch, it was a one-off for my previous employer. And it took lots of support calls, involving VP level and above, finally involving some backline engineers to fix the problem. I am not sure what they would do if you asked for the same patch, since it's not publicly searchable. It never hurts to ask about it though, since it's truly a security issue for everyone, that is not easily worked around.

On Wed, May 4, 2011 at 2:48 PM, Jared Still <jkstill_at_gmail.com> wrote:

> On Tue, May 3, 2011 at 11:42 AM, Michael Wehrle <michaelw436_at_gmail.com> wrote:
>
>> Jared, I had this issue (possibly similar) a few years back on a 10.2.0
>> database, and Oracle actually provided a patch for it. See my writeup about
>> it here
>> iamsys.wordpress.com/2010/03/16/how-to-protect-sensitive-bind-data-in-redo-logs/,
>> and if you have any more questions, I will be glad to TRY to remember them,
>> as it was a few years ago.
>>
>>
> Thanks Michael.
>
> The test case referenced in your blog is no longer a valid URL.
> Do you know where to find it now?
>
> Also, the patch number referenced is not even found in MOS, leading
> me to believe it was a one-off patch for you or your customer.
>
> Do you have any more info on where to find this in MOS?
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed May 04 2011 - 20:28:00 CDT
