A classic example from my own experience is the method we used to pentest Oracle applications at a leading
security consultancy. Given a public URL, the first step was to scan the web application for SQL injection.
If an injection point was found, our pentesting team would attempt to execute PL/SQL in the database that interacted
with the operating system. If that privilege was gained, a reverse shell would be sent from the victim's production OS
all the way back to the pentester's workstation. This scenario depended on a key architectural weakness, namely
unrestricted egress through the corporate firewall. Some organizations still allow egress from the Oracle database
estate to the outside world; in fact, some still allow ingress, though not in financial services. Oracle encourages
customers to enable egress from the internal database estate to the Internet to maintain a direct support channel.
From a security standpoint this is a bad idea, which we will discuss later. The point is that a security risk is
commonly composed of multiple issues at different layers of the architecture, which when combined enable a path of
attack.
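The layered path described above, modelled as an added example (this is not code from the book, from the consultancy, or from Oracle): a first-match firewall policy evaluated with Python's ipaddress module, with the permissive "support channel" egress rule placed beside a restricted one, and the three findings combined into a single go/no-go for the reverse shell. The DB subnet, the attacker address, the proxy address and the port list are constructed for illustration; the proxy is an assumed single approved egress target, not a real Oracle support endpoint.

```python
"""Model the layered reverse-shell path: web SQLi -> PL/SQL OS access -> firewall egress.

Added example, not code from the book. All addresses and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny, as most firewalls behave."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def open_egress_ports(rules: List[Rule], db_ip: str, attacker_ip: str,
                      ports=(80, 443, 4444)) -> List[int]:
    """Ports on which the DB host could reach a listener on the attacker's address."""
    return [p for p in ports if evaluate(rules, db_ip, attacker_ip, p) == "allow"]


def attack_path(sqli_reachable: bool, plsql_os_access: bool, rules: List[Rule],
                db_ip: str, attacker_ip: str) -> Dict[str, bool]:
    """Each layer is a separate finding; the reverse shell lands only when all three hold."""
    return {
        "web: SQL injection reachable from the public URL": sqli_reachable,
        "db: injected PL/SQL can interact with the OS": plsql_os_access,
        "network: DB host has egress to the attacker": bool(
            open_egress_ports(rules, db_ip, attacker_ip)),
    }


def path_is_open(layers: Dict[str, bool]) -> bool:
    """Blocking any single layer is enough to break the path."""
    return all(layers.values())


# Constructed topology: DB estate in 10.20.0.0/24, attacker on a public address.
DB_HOST = "10.20.0.15"
ATTACKER = "198.51.100.7"
SUPPORT_PROXY = "203.0.113.10"   # assumed single approved egress target (hypothetical)

# Weak policy: the "support channel" rule lets the whole DB subnet reach anything on any port.
WEAK_RULES = [
    Rule("allow", "10.20.0.0/24", "0.0.0.0/0", None),
]

# Corrected policy: only the approved proxy on 443, then an explicit deny for everything else.
CORRECTED_RULES = [
    Rule("allow", "10.20.0.0/24", f"{SUPPORT_PROXY}/32", 443),
    Rule("deny", "10.20.0.0/24", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        layers = attack_path(True, True, rules, DB_HOST, ATTACKER)
        print(f"[{name}] ports open to attacker: {open_egress_ports(rules, DB_HOST, ATTACKER)}")
        for layer, state in layers.items():
            print(f"  {'OPEN   ' if state else 'BLOCKED'} {layer}")
        print(f"  reverse shell possible: {path_is_open(layers)}")
```

With the weak policy the web and database findings alone are enough to land a shell; with the corrected policy the same two findings remain real bugs to fix, but the network layer no longer completes the path, which is exactly the architectural joining of layers the next section is about.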
It is the responsibility of a security architect to join the layers together securely into a cohesive structure to block
these attacks. At this stage it will be useful to lay some foundations in security architecture before moving on to the
implementation details in EM12c.
Security Architecture Theory
Information security architecture can sound a bit abstract, so I am going to explain the basics in plain English. A shared
understanding of “architecture” is important in order to make inter-team communication effective.
So what do we mean by architecture? It is how technology components fit together physically and logically in terms
of structure and process into an overarching, organization-wide system.
There are a number of well-known aids to designing enterprise architectures. The first are process models that
provide guidance:
TOGAF (process methodology) - How to design enterprise architecture, derived from the US DoD TAFIM model
( http://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework )
MODAF - UK Ministry of Defence version, instigated after TOGAF
( http://en.wikipedia.org/wiki/MODAF )
TOGAF Architecture Development Process
The process shown in Figure 16-2 can be iterative; it forms a roadmap to producing an architectural design.