Re: Database Security

From: David Cherin <blagoon_at_netcom.com>
Date: Thu, 9 Feb 1995 17:30:16 GMT
Message-ID: <blagoonD3qtyG.B2L_at_netcom.com>


Hi,

Yisheng (dongwei_at_creek.eel.ufl.edu) wrote:
: I would like to discuss with anyone who has experience in Oracle database
: security. Any suggestion is also appreciated. Right now we are facing a very
: important issue in database development. We use Oracle as our database
: server. In our application code we would like to have different roles enabled
: at different times. To do this we create different roles and grant them to all
: the users. By using Alter User Default Role None, we disable all the roles for
: all the users and use the Set Role command in the application code to enable
: different roles at different times. It looks fine at first look. However, if
: it happens that any of the users gets a chance to have a look at the source
: code, he would be able to grant a role to himself by writing his own
: application code. It is really a big hole in the security of the Oracle database.
: We don't want the users to get any information from the application code. But
: it looks like Oracle can't do anything about it. I would like to hear
: from you about this security stuff in Oracle.

: Brant

: My E-Mail: dongwei_at_creek.eel.ufl.edu

One other security hole is opened when users use our new SQL Inspector (Oracle version) tool. This tool shows ALL OCI calls made by any Windows application, including SQL queries and database logins (usernames, servers, passwords). Lastly, without having the source code, the user can see all of the queries sent by any Windows application and log them to an output file for later re-execution.

The SQL Inspector is really designed to be a performance tuning and analysis tool; however, it is also used as a trace monitor.

-- 

David L. Cherin  (blagoon_at_netcom.com)
Blue Lagoon Software, Inc.
(818) 345-2200, ext. 112
(818) 345-8905/Fax

"The company that provides JET Inspector, ODBC Inspector,
 and SQL Inspector for Windows"
Received on Thu Feb 09 1995 - 18:30:16 CET
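Added illustration, not part of either poster's message: the role setup Yisheng describes (plain roles granted to every user, disabled by default, switched on from the application with SET ROLE), followed by the password-protected role form that Oracle also offers, where SET ROLE only succeeds if the caller supplies the role password. All object, role and user names, and the password placeholder, are assumed; run the DBA statements as a privileged account.

```sql
-- Added example (Oracle SQL), not code from the original post.
-- Names such as orders, app_reader, app_writer and appuser are placeholders.

-- 1. The setup from the post: roles granted outright, no roles enabled
--    at login, application code enables one with SET ROLE.
CREATE ROLE app_reader;
CREATE ROLE app_writer;
GRANT SELECT ON orders TO app_reader;
GRANT INSERT, UPDATE ON orders TO app_writer;

GRANT app_reader, app_writer TO appuser;
ALTER USER appuser DEFAULT ROLE NONE;   -- nothing enabled when appuser logs in

-- Application code, connected as appuser:
SET ROLE app_writer;
-- Weakness: the role was granted to appuser without any further condition,
-- so the same SET ROLE works from SQL*Plus or any program appuser writes.

-- 2. Password-protected role: the grant alone is not enough, the password
--    must be presented at SET ROLE time. The application holds it; the
--    end user does not.
CREATE ROLE app_writer_protected IDENTIFIED BY ROLE_PASSWORD_PLACEHOLDER;
GRANT INSERT, UPDATE ON orders TO app_writer_protected;
GRANT app_writer_protected TO appuser;

-- Application code:
SET ROLE app_writer_protected IDENTIFIED BY ROLE_PASSWORD_PLACEHOLDER;

-- Attempt without the password: Oracle rejects the SET ROLE and the
-- session keeps its previous role set.
SET ROLE app_writer_protected;

-- 3. Checks a DBA can run.
-- Which roles are enabled in the current session:
SELECT role FROM session_roles;
-- Which roles a user holds and whether any are enabled by default:
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APPUSER';
```

The caveat that follows from David's reply: the role password travels inside the SET ROLE statement, so a client-side trace tool that records every OCI call (as the SQL Inspector described above does) will capture it along with the login. The role password therefore only helps when the application binary and its connection are outside the user's control; it does not make a client the user runs themselves into a trust boundary.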