Re: Will CIS Oracle 11g security remediations break shrinkwrapped apps? Gotchas, lessons learned, and remediation methodologies

From: dnrg <>
Date: Thu, 19 Apr 2012 07:54:04 -0700 (PDT)
Message-ID: <>

Thanks Paul, Don, and Pete. Great stuff. Definitely helps. Lots to absorb. More than I can intelligently respond to. We're not supposed to post pure Thank You messages so I'll add a few comments. And also ask if anyone else would like to contribute to the great content that's already been posted. Would love to hear about others' experiences who've been tasked with remediation. _at_Paul:
> [...] Imagine if besides end of year code that is only used say once of year,
> that report writers are used that allow app users to generate reports on the fly.
> Imagine if statements are assembled and parsed using execute immediate where no dependency checking is possible.

Good points.

> [...]most third-party vendors (understandably) don't really want to actually review and remediate
>  all the potential security-related issues for their software.  There are tradeoffs between usablility and security,
> so many simply insist on over-privilege rather than suffer the increased support calls from people who are having usability issues.

Never thought of it this way. That explains a lot. I will forgive but not forget. :-)

> the biggest area is securtity design that should have been done day one.

That says a lot.

Thanks again for the thoughtful replies.


Received on Thu Apr 19 2012 - 09:54:04 CDT

Original text of this message