Theriault and Heney's book Oracle Security, published by O'Reilly Media in 1998, lays the foundation for the
subject from a DBA's perspective and includes the first published Oracle security policy.
In a related vein, David Litchfield's Oracle Hacker's Handbook credits Georgi Guninski with publishing the first
public Oracle security vulnerabilities in 1999.
Oracle's release of 9i in 2000 attempted to address some of these new security concerns with the introduction of
Dictionary Protection (the O7_DICTIONARY_ACCESSIBILITY parameter), and in 2001 Oracle declared 9i “unbreakable.” This was
synchronized with the publication of Oracle's own Security Handbook, written by Theriault and Newman.
In August 2001, Pete Finnigan published his classic Oracle Security paper, which can be found at:
http://www.pentest.co.uk/documents/oracle-security.pdf
Then in February 2002, David Litchfield shared a large number of Oracle security vulnerabilities at the Blackhat
conference. The subject of Oracle security changed from being an interesting technical specialty to being mainstream
news after David's releases at Blackhat and the subsequent interactions with Oracle's CSO in the media, which are
already well documented.
Less well documented has been the process of informal scientific research that has taken place outside of
formal organizations, such as companies or universities, and has been led by individual technologists often loosely
collaborating and able to move more quickly than large organizations.
A number of additional researchers, including Alex Kornbrust, Cesar Cerrudo, Esteban Fayo, Joxean Koret, Laszlo
Toth and Slavik Markovich, among others, realized that there was a market for adding security onto Oracle products,
as evidenced by the security alerts, seen here:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
These are released quarterly, with credit given to each researcher, provided they do not publish outside of Oracle
until the issue is fixed:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
The patches are recorded back to 2000 for posterity on Oracle's website:
http://www.oracle.com/technetwork/topics/security/alertsarchive-101846.html
So it seems that the “red rag to the bull”, which was the Unbreakable campaign, has resulted in a more secure
database. As Tom Kyte once mentioned, the best way to find the bugs in your software is to announce it is perfect and
publish it to your competitors. It is an efficient way to gain free peer review, but many unforeseen architectural design
issues have also been identified, which have been difficult, if not impossible, to fix. These issues have been present
since before the Unbreakable campaign and remain to this day.
When that campaign started I was working on Oracle security with a number of technology companies in the
United Kingdom. Following Pete Finnigan as the resident Oracle security expert at Pentest Ltd in Manchester, I then
filled David Litchfield's London-based role at NGS, taught Oracle security for SANS.org, and led Oracle security
projects for the world's premier financial services institutions in London and globally, which resulted in my being
invited to lead Security for the 12c Beta.
Before we move on to 12c, we will detail the current body of technical security knowledge built from those early
days and leading to the point where Oracle's market share is 48 percent (according to Gartner, 2013).