Newsgroup: c.d.o.misc

Re: New Secure Application Role features in 9i

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Thu, 29 May 2003 19:03:14 -0700
Message-ID: <3ED6BBE1.573491CF@exxesolutions.com>


Brian Peasland wrote:

> About the only thing you are missing is that verifying by IP is only
> *one* way of testing for an authenticated user. And as you've shown,
> it's not a very good way. IP numbers can be spoofed, so this doesn't
> make a very secure way of authenticating the application role.
>
> <snipped>

I'll disagree on one minor point. IP addresses can only be spoofed if someone knows what to spoof and if you have no mechanism in place to catch repeated attempts and lock the door.

It is the same basic reason why checking v_$session for application name is effective unless you give crackers a chance to play around and try to figure out why they were locked out.

90+% of security is not letting anyone know how your security has been implemented. They can't defeat what they don't know exists.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Thu May 29 2003 - 21:03:14 CDT
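As an added illustration of the mechanism the thread is discussing (this is example code, not from Daniel Morgan's post, the thread, or Oracle's documentation), the block below sketches a 9i-style secure application role whose enabling package checks the client IP address and the application name seen in v$session, records every mismatch, and stops answering once a caller has failed too often. The schema name SEC, the role name APP_REPORTS_ROLE, the two tables, the error text and the threshold of 3 failures in 30 minutes are all assumptions chosen for the example; SEC is assumed to hold a direct SELECT grant on SYS.V_$SESSION.

```sql
-- Example only (not code from the thread). Assumes a schema SEC that owns these
-- objects and holds SELECT ON sys.v_$session granted directly, not through a role.

CREATE TABLE sec.allowed_clients (
    client_ip VARCHAR2(45) NOT NULL,   -- value of SYS_CONTEXT('USERENV','IP_ADDRESS')
    program   VARCHAR2(64) NOT NULL    -- expected v$session.program of the application
);

CREATE TABLE sec.role_check_failures (
    db_user      VARCHAR2(30) NOT NULL,
    client_ip    VARCHAR2(45),
    program      VARCHAR2(64),
    attempted_at DATE DEFAULT SYSDATE NOT NULL
);

-- Definer's rights: runs as SEC, so callers need no access to v$session or the tables.
CREATE OR REPLACE PACKAGE sec.app_role_check_impl AS
    FUNCTION session_allowed RETURN BOOLEAN;
END app_role_check_impl;
/

CREATE OR REPLACE PACKAGE BODY sec.app_role_check_impl AS

    c_max_failures   CONSTANT PLS_INTEGER := 3;   -- lockout threshold (assumed policy)
    c_window_minutes CONSTANT PLS_INTEGER := 30;  -- window over which failures are counted

    -- Autonomous so the failure record survives even if the caller rolls back.
    PROCEDURE log_failure(p_ip IN VARCHAR2, p_program IN VARCHAR2) IS
        PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
        INSERT INTO sec.role_check_failures (db_user, client_ip, program)
        VALUES (USER, p_ip, p_program);
        COMMIT;
    END log_failure;

    FUNCTION session_allowed RETURN BOOLEAN IS
        v_ip       VARCHAR2(45);
        v_program  VARCHAR2(64);
        v_failures PLS_INTEGER;
        v_matches  PLS_INTEGER;
    BEGIN
        v_ip := SYS_CONTEXT('USERENV', 'IP_ADDRESS');

        -- Application name as the server sees it; USERENV('SESSIONID') = v$session.audsid.
        SELECT program INTO v_program
          FROM v$session
         WHERE audsid = USERENV('SESSIONID');

        -- "Lock the door": once this user has failed too often recently, stop checking
        -- altogether, so repeated probing yields no further information.
        SELECT COUNT(*) INTO v_failures
          FROM sec.role_check_failures
         WHERE db_user = USER
           AND attempted_at > SYSDATE - c_window_minutes / 1440;
        IF v_failures >= c_max_failures THEN
            RETURN FALSE;
        END IF;

        -- Client IP and program must match a registered pair.
        SELECT COUNT(*) INTO v_matches
          FROM sec.allowed_clients
         WHERE client_ip = v_ip
           AND program   = v_program;
        IF v_matches = 0 THEN
            log_failure(v_ip, v_program);
            RETURN FALSE;
        END IF;

        RETURN TRUE;
    END session_allowed;

END app_role_check_impl;
/

-- Invoker's rights, as Oracle requires for the package named in IDENTIFIED USING,
-- so that SET ROLE applies to the calling session.
CREATE OR REPLACE PACKAGE sec.app_role_check AUTHID CURRENT_USER AS
    PROCEDURE enable_reports_role;
END app_role_check;
/

CREATE OR REPLACE PACKAGE BODY sec.app_role_check AS
    PROCEDURE enable_reports_role IS
    BEGIN
        IF NOT sec.app_role_check_impl.session_allowed THEN
            -- One message for every failure mode: the caller learns nothing about why.
            RAISE_APPLICATION_ERROR(-20001, 'Role not available');
        END IF;
        DBMS_SESSION.SET_ROLE('app_reports_role');
    END enable_reports_role;
END app_role_check;
/

-- The role can be enabled only from inside SEC.APP_ROLE_CHECK.
CREATE ROLE app_reports_role IDENTIFIED USING sec.app_role_check;
```

To use it, the application account needs EXECUTE on both packages and the role itself, with the role excluded from its default roles (ALTER USER ... DEFAULT ROLE ALL EXCEPT app_reports_role) so it is never enabled at logon; the application then calls sec.app_role_check.enable_reports_role after connecting. Both the IP address and v$session.program are observations about the client rather than proof of identity, which is why the example leans on the failure counter, not the match itself, as the control that limits how much an unregistered caller can probe.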
