Home -> Community -> Usenet -> c.d.o.misc -> Re: New Secure Application Role features in 9i

Re: New Secure Application Role features in 9i

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Fri, 30 May 2003 07:09:11 -0700
Message-ID: <3ED76607.7C7BFCF9@exxesolutions.com>


Jeff Rimland wrote:

> > It is the same basic reason why checking v_$session for application name
> > is effective unless you give crackers a chance to play around and try to
> > figure out why they were locked out.
>
> Do you know if there is any way to capture the application's unique Program
> ID instead of the application name? That way a malicious programmer
> wouldn't be able to just create another app with the same name...
>
> > 90+% of security is not letting anyone know how your security has been
> > implemented. They can't defeat what they don't know exists.
>
> very true!
>
> > --
> > Daniel Morgan
> > http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> > damorgan_at_x.washington.edu
> > (replace 'x' with a 'u' to reply)
No. But I think it is important to realize that for a malicious programmer to create another app, that programmer must have reason to believe it will work and opportunity to test it.

The solution is to trap invalid attempts to connect and then shut down the account, not to just sit there and let them try again and again until they get it right.

If someone can't connect correctly after two or three tries, it is time for them to present themselves, in person, to the appropriate security person to explain what is happening and why.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Fri May 30 2003 - 09:09:11 CDT
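The two halves of the reply put into Oracle terms, as an added example that is not from the thread: a profile locks the account after three bad passwords, and the secure application role package (the thread's subject) records every enable attempt together with the session's program name from v$session before deciding. The schema `sec`, the user `app_user`, the role `app_role` and the program name `hrapp.exe` are assumed placeholders.

```sql
-- Connection failures: the profile locks the account after three
-- consecutive bad passwords; it stays locked until a DBA unlocks it.
CREATE PROFILE app_user_prof LIMIT
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    UNLIMITED;
ALTER USER app_user PROFILE app_user_prof;

-- Every attempt to enable the role is recorded here, successful or not.
CREATE TABLE sec.role_attempts (
  attempt_time DATE DEFAULT SYSDATE,
  username     VARCHAR2(30),
  program      VARCHAR2(64),
  outcome      VARCHAR2(8));

-- Definer's-rights logger with its own transaction, so the record is
-- committed even though the caller goes on to raise an error.
CREATE OR REPLACE PROCEDURE sec.log_attempt(p_program VARCHAR2, p_outcome VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.role_attempts (username, program, outcome)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), p_program, p_outcome);
  COMMIT;
END;
/
GRANT EXECUTE ON sec.log_attempt TO app_user;
GRANT SELECT ON sys.v_$session TO sec, app_user;  -- owner and caller both read it
-- Secure application role: it can only be enabled through this package.
CREATE ROLE app_role IDENTIFIED USING sec.app_role_pkg;
CREATE OR REPLACE PACKAGE sec.app_role_pkg AUTHID CURRENT_USER IS
  PROCEDURE enable_role;
END;
/
CREATE OR REPLACE PACKAGE BODY sec.app_role_pkg IS
  PROCEDURE enable_role IS
    v_program v$session.program%TYPE;
  BEGIN
    -- Program name reported by the calling session. It is client-supplied,
    -- so it is logged rather than trusted as proof of identity.
    SELECT program INTO v_program FROM v$session
     WHERE audsid = USERENV('SESSIONID');
    IF v_program = 'hrapp.exe' THEN   -- assumed application name
      sec.log_attempt(v_program, 'OK');
      DBMS_SESSION.SET_ROLE('app_role');
    ELSE
      sec.log_attempt(v_program, 'REFUSED');
      RAISE_APPLICATION_ERROR(-20001, 'Role not available from this program');
    END IF;
  END;
END;
/
```

A DBA reviewing `sec.role_attempts` for repeated REFUSED rows from one user has the "two or three tries" signal the reply calls for, and `ALTER USER ... ACCOUNT LOCK` closes the account.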
