Monday, May 4, 2009

COLLABORATE 09: Convert Forms to ApEx

David Peake
Oracle Application Express 3.2 Forms Conversion

Stupid laptop battery. This would have been done during.

Anyway, it was a tad depressing to see this presentation. All ApEx all the time. The first 20 minutes were an overview of ApEx. Yeah, I know, it's cool. Thanks for reminding me that I can't sell it to anyone. I had Miladin interested in it, but I left before we could really do anything.

I attended because my new place has Oracle Forms and there doesn't seem to be a lot of experience with them. The Forms Converter is part of the latest release, 3.2.

First, you convert your OLB or menu files using the forms2xml utility.
Next, create a workspace and associate it to your Forms application schema.
Create a conversion project.
Analyze the Oracle Forms application.
Generate the Oracle ApEx application.

Voila! You're done. Now all you have to do is customize to suit your needs. Very nice stuff indeed.

You can find a tutorial on Oracle-by-Example (OBE) here.

COLLABORATE 09: Data Security Challenge

I had planned on attending the class on running Oracle in the Amazon EC2 Cloud, but scanning the classrooms on my way, I found another security related class.

Data Security Challenge: Be the Winning DBA
Paul Needham and Tammy Bednar
Oracle Database Security Product Management
Oracle

This presentation is similar to the DBA 2.0 presentation, you know, the old school (SQL scripts) vs. the new school (OEM).

Paul played the part of the old school. Tammy was new school.

The Problem
A data breach at a competitor forced the CEO to bring in Paul and Tammy as security experts. They were directed to encrypt the data by 9 PM.

Naturally, Paul wanted to use DBMS_CRYPTO. He altered the table, changing the column to RAW, and then encrypted the data. They got a "call" about 1 minute later...all the applications were broken. Nice.

Tammy steps in and, using OEM, turns on Data Vault and sets up a realm on the affected table. Though not before flashing back Paul's table so the applications would work again. The table (column really) is not encrypted.

    ALTER TABLE oe.customer_orders MODIFY ( credit_card ENCRYPT USING 'AES128' );

This is part of the Advanced Security option. Very cool stuff. The change is immediate and it won't break your application.
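An added example (mine, not from the session) putting the two routes side by side so the "why did the apps break" part is visible. It assumes the OE.CUSTOMER_ORDERS table from the demo with an ORDER_ID key and a VARCHAR2 CREDIT_CARD column, an 11g database, and a made-up wallet password; the hard-coded key in Paul's half is there to show the problem, not as something to copy.

```sql
-- Added example, not from the presentation. Assumes
-- OE.CUSTOMER_ORDERS(ORDER_ID, CREDIT_CARD VARCHAR2(19)), Oracle 11g,
-- and a hypothetical wallet password.

-------------------------------------------------------------------------
-- Paul's route: encrypt in the application layer with DBMS_CRYPTO.
-- The datatype has to change (a VARCHAR2 holding data cannot be MODIFYed
-- to RAW, so the usual move is add / copy / drop / rename), and that
-- datatype change is what breaks every application touching the column.
-------------------------------------------------------------------------
ALTER TABLE oe.customer_orders ADD (credit_card_enc RAW(64));

DECLARE
  -- The key has to live somewhere the database can read it; that is the
  -- operational weakness of rolling your own. Hard-coded here to make the
  -- point. Do not do this.
  l_key  RAW(16)     := HEXTORAW('00112233445566778899AABBCCDDEEFF');
  l_mode PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                      + DBMS_CRYPTO.CHAIN_CBC
                      + DBMS_CRYPTO.PAD_PKCS5;
BEGIN
  FOR r IN (SELECT order_id, credit_card FROM oe.customer_orders) LOOP
    UPDATE oe.customer_orders
       SET credit_card_enc = DBMS_CRYPTO.ENCRYPT(
             src => UTL_I18N.STRING_TO_RAW(r.credit_card, 'AL32UTF8'),
             typ => l_mode,
             key => l_key)   -- no IV passed: equal card numbers give equal ciphertext
     WHERE order_id = r.order_id;
  END LOOP;
END;
/
ALTER TABLE oe.customer_orders DROP COLUMN credit_card;
ALTER TABLE oe.customer_orders RENAME COLUMN credit_card_enc TO credit_card;
-- From here on SELECT credit_card returns RAW ciphertext, an INSERT of a
-- plain card number is either rejected (ORA-01465) or stored as unencrypted
-- bytes, and every caller needs the key plus a DBMS_CRYPTO.DECRYPT call.
-- Hence the "call" one minute later.

-------------------------------------------------------------------------
-- Tammy's route: Transparent Data Encryption (Advanced Security Option).
-------------------------------------------------------------------------
-- One-time setup: the master key lives in the wallet, not in the schema.
-- 11g syntax; the wallet path comes from ENCRYPTION_WALLET_LOCATION in sqlnet.ora.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-here";

-- Per-column change, in place. Datatype stays VARCHAR2, so nothing breaks.
-- Add NO SALT if the column is indexed (salted encrypted columns cannot be indexed).
ALTER TABLE oe.customer_orders MODIFY (credit_card ENCRYPT USING 'AES128');

-- Check: the column is listed as encrypted, and a plain SELECT still returns plaintext.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 WHERE owner = 'OE' AND table_name = 'CUSTOMER_ORDERS';
```

The caveat that matters: TDE column encryption is encryption at rest. It protects the datafiles and backups, but anyone with SELECT on the table, DBAs included, still sees plaintext. That is why locking the DBA out was the next move in the demo.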

Data Vault was pretty cool. Tammy locked Paul out in just a couple of clicks. Something about realms going on there...I'll have to do some research.
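Since the realm part went by in a couple of clicks, here is roughly what OEM is doing underneath, as an added example (mine, not from the session). The realm name is made up; the procedures are the DBMS_MACADM API from Oracle Database Vault 11g and have to be run as the Database Vault owner account, not SYS.

```sql
-- Added example, not from the presentation. Realm name is hypothetical;
-- run as the DV_OWNER account. Oracle Database Vault 11g API.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer Orders Realm',
    description   => 'Card data in OE.CUSTOMER_ORDERS',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record every blocked access

  -- What the realm protects. object_name => '%' would take the whole schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer Orders Realm',
    object_owner => 'OE',
    object_name  => 'CUSTOMER_ORDERS',
    object_type  => 'TABLE');

  -- Who may still reach it through system privileges: the application
  -- schema, as a participant. Nobody else is listed, so the DBA role's
  -- SELECT ANY TABLE (Paul) no longer gets through.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Customer Orders Realm',
    grantee       => 'OE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check 1: the object is under the realm.
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE owner = 'OE';

-- Check 2: connect as a DBA-role user who is not a realm participant and run
--   SELECT COUNT(*) FROM oe.customer_orders;
-- The realm answers with ORA-01031: insufficient privileges, and the failed
-- attempt lands in the Database Vault audit trail because of G_REALM_AUDIT_FAIL.
```

Realms in this release block access that rides on system privileges (SELECT ANY TABLE and friends); a direct object grant is a separate path, so review those too before calling the table locked down.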

Audit Vault was next up. Its own, separate server, which can collect from any Oracle database, some Microsoft SQL Server versions and a few Sybase versions. Audit Vault also has a separate login for the administrator (who's watching the watcher?).

Next up, Forms Conversion (--> Application Express).

COLLABORATE 09: Anatomy of a Database Attack

This morning I attended Anatomy of a Database Attack Through Forensics, presented by Josh Shaul of Application Security, Inc.

I've always been interested in the security aspects of Oracle going back to their start at the CIA. I've even gotten myself into trouble proving these types of things to others (I'll never do that again without saying something to someone prior). I've read David Litchfield's The Oracle Hacker's Handbook.

Mr. Shaul went through 2 attack vectors, one against 10gR2 and one against 11g. In the 10g attack, the user only had CREATE SESSION and was able to gain access utilizing a SYS package that has a SQL injection vulnerability. One anonymous block and the DBA role was acquired. I could have sworn that packages in SYS had to be given explicitly? Hmmm...

Attack 2: the user had CREATE SESSION and CREATE PROCEDURE, and created a procedure within their schema that used invoker's rights. This one was in fact fixed in the most recent (April) CPU. So patch 'em up.

Some other notes from his presentation:

Database Vulnerabilities
Default accounts and passwords
Easily guessed passwords
Missing patches
Misconfigurations
Excessive privileges

External Threats
Web app attacks (sql injection)
Insider mistakes
Weak or non-existent audit controls
Social engineering
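An added set of checks (mine, not part of the talk) for the vulnerability classes in the list above, plus the audit point from the second list. The views and parameters are standard Oracle 11g data dictionary objects; run it as a DBA. It does not name the vulnerable package from the talk, since he didn't and I won't guess, but the PUBLIC-grant query is the class of thing that made the 10g escalation possible.

```sql
-- Added example, not from the presentation. Oracle 11g, run as a DBA.

-- 1. Default accounts and passwords: 11g ships a list of known default hashes.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY 1;

-- 2. Easily guessed passwords: is anything actually enforced on the profiles?
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_VERIFY_FUNCTION',
                         'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_LIFE_TIME')
 ORDER BY 1, 2;

-- 3. Missing patches: when was the last CPU/PSU applied to this database?
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 4. Misconfigurations: the parameters an attacker counts on, and whether
--    anyone would notice (the "weak or non-existent audit controls" bullet).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility',   -- should be FALSE
                'remote_os_authent',             -- should be FALSE
                'sql92_security',                -- TRUE forces SELECT priv for UPDATE/DELETE predicates
                'audit_trail',                   -- NONE means nobody is watching
                'audit_sys_operations')          -- TRUE records what SYS does
 ORDER BY 1;

-- 5. Excessive privileges, part 1: who holds DBA directly.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY 1;

-- 5. Excessive privileges, part 2: SYS packages every CREATE SESSION user can
--    execute because they are granted to PUBLIC. A SQL injection bug in any
--    one of these runs with SYS's definer rights, which is the 10g story above.
SELECT table_name
  FROM dba_tab_privs
 WHERE owner     = 'SYS'
   AND grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name LIKE 'DBMS_%'
 ORDER BY 1;
```

Revoking EXECUTE from PUBLIC on SYS packages is not free: some of those grants are relied on by Oracle's own components, so test the revokes in a non-production copy and keep the CPU current rather than treating revocation as the fix.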

He also discussed the Heartland data breach, which forced us to take a second look at how we did things and ended up tightening up our controls. VPD, least privilege, and others were used.

I'm off to Running Oracle in the Amazon EC2 Cloud.

Sunday, May 3, 2009

COLLABORATE 09: Registration, Bearings, etc.

When I found out I would be attending, I decided to make it a family affair. So we have peepaw and grandma (my parents), wifey and the kids. Staying at a condo about 10 miles from the Orange County Convention Center (OCCC).

Got into town last night. It was a rough 80 minute drive from Tampa. I feel bad for all those who don't have it so easy.

Finding the OCCC
I had wifey bring me to the OCCC since I wouldn't need a car during the day. As we were leaving the condo, we stopped at the guest services building to get on their wifi. Frustrated with their crappy connection, I jumped back in the car and off we went. Wifey had directions there via her iPhone so we tried to follow those. If I have directions I will typically follow them, if I don't, I wing it. That makes me adventurous (or stupid). About an hour later (remember, 10 miles away) we finally arrived.

Registration
Having scored a media pass, I figured I would get some sort of cool, all-access pass reserved only for the "special" people. Nope. Though not a shocker...I still have a hard time thinking of myself as media (I do know that I am "special" though). I found my booth to register (seriously, I had to do my ABCs in my head to make sure I wasn't going to the wrong one...I did that in November while voting). One minute later off to get my backpack, aka schwag.

Etc.
I'm sitting outside the Speaker Ready Room on a bean bag, charging my battery, watching people and using the wifi. At 3:15 I'm going to check out the OAUG New Speaker Orientation. I can ask questions and meet a few past speakers.

I'm scheduled to do an interview with Jan Wagoner on Tuesday. All I know now is that he is the past president of OAUG. I have no angles yet. What the heck am I going to write about? I'll have to find some others around here that know him or just wing it (as I do way too often...I'm thinking being prepared is far easier and less stressful).