Never mind, I see that it is. Thanks.

--- Paul Baumgartel <[EMAIL PROTECTED]> wrote:
> Jared,
>
> Is that the book from sans.org?
>
> Thanks,
>
> Paul
>
>
> --- Jared Still <[EMAIL PROTECTED]> wrote:
> > Yes, I will ditto the recommendation for Pete Finnigan's book.
> >
> > Jared
> >
> > On Fri, 2003-10-24 at 10:29, DENNIS WILLIAMS wrote:
> > > Paul - We have some of the similar issues here
> > > (network/firewall/VPN/Oracle Net). Based on your description of your
> > > business, you probably have some competent network engineers on staff.
> > > My experience is that they routinely handle issues like this, and you
> > > probably won't need to get involved in the actual configuration.
> > > However, you should educate yourself in the security issues involved
> > > so you can participate intelligently in any discussions from the
> > > database point of view. As a starter, I am including two recent
> > > excellent postings to this list from Tim Gorman and Ian MacGregor.
> > > Just scroll down.
> > >
> > > Dennis Williams
> > > DBA
> > > Lifetouch, Inc.
> > > [EMAIL PROTECTED]
> > >
> > > Sent: Thursday, August 07, 2003 10:25 AM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > Sandro,
> > >
> > > There is an excellent book on "Oracle Security" available online from
> > > "http://www.sans.org". Concise, organized, and prioritized. Also,
> > > Newman and Theriault's "Oracle Security Handbook" from Oracle Press is
> > > chock full of common sense...
> > >
> > > Not sure what the question about "automating the migration of stored
> > > procedures" refers to. Could you provide more information? I don't
> > > think I understand the problem...
> > >
> > > Storing password files on the database server is mainly an exercise in
> > > ensuring that OS security and file permissions are properly
> > > implemented. If you cannot ensure that OS files are properly secured,
> > > then the entire Oracle database is at risk, not to mention files
> > > containing clear-text passwords. After all, one can view data within
> > > datafiles using programs other than the Oracle RDBMS...
> > >
> > > The idea of creating production schemas/logins to separate object
> > > ownership from application/end-user access is excellent. To avoid
> > > using synonyms, consider the functionality of the "ALTER SESSION SET
> > > CURRENT_SCHEMA = <ownership-schema>" command being executed in an
> > > AFTER LOGON trigger in all accounts used for end-user access. It is a
> > > little-known but wonderfully manageable bit of functionality...
> > >
> > > Hope this helps...
> > >
> > > -Tim
> > >
> > > -----Original Message-----
> > > Sent: Wednesday, October 01, 2003 5:19 PM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > Our security folks just sent me this.
> > >
> > > Ian MacGregor
> > > Stanford Linear Accelerator Center
> > > [EMAIL PROTECTED]
> > >
> > > -----Original Message-----
> > > Sent: Tuesday, September 30, 2003 1:35 PM
> > > To: [EMAIL PROTECTED]
> > >
> > >
> > > I've posted the presentation I gave at OracleWorld last month. This
> > > presentation covers writing secure code in Oracle databases and Oracle
> > > Application Server. The topics covered include:
> > >
> > > Managing state
> > > Query parameters
> > > Hidden fields
> > > Cookies
> > > Cross-site scripting
> > > SQL Injection
> > > PL/SQL Injection
> > > Buffer overflows in EXTPROC
> > > Resources
> > >
> > > You can download the presentation at
> > > http://www.appsecinc.com/techdocs/presentations.html under the heading
> > > "Writing Secure Code in Oracle Presentation".
> > >
> > > I welcome comments and criticisms.
> > >
> > > Regards,
> > > Aaron
> > > _______________________________
> > > Aaron C. Newman
> > > CTO/Founder
> > > Application Security, Inc.
> > > www.appsecinc.com
> > > Phone: 212-420-9270
> > > Fax: 212-420-9680
> > > - Securing Business by Securing Enterprise Applications -
> > >
> > >
> > > Sent: Friday, October 24, 2003 10:14 AM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > We are an Application Service Provider--we maintain a set of servers
> > > in a colocation facility and our customers use our application via the
> > > Web. Security is a paramount concern, of course, and only our Web
> > > server has a public IP address, with the application and database
> > > servers completely private.
> > >
> > > We supply a number of standard reports, but most of our customers want
> > > some custom reports as well. We would like to give them access to our
> > > database, possibly over a VPN, but only if security can be maintained.
> > > I'd like to know if anyone has faced such a situation, and what kind
> > > of configuration (network/firewall/VPN/Oracle Net) might make such
> > > access possible.
> > >
> > > TIA,
> > >
> > >
> > >
> > > =====
> > > Paul Baumgartel
> > > Transcentive, Inc.
> > > www.transcentive.com
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > The New Yahoo! Shopping - with improved product search
> > > http://shopping.yahoo.com
> > > --
> > > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > > --
> > > Author: Paul Baumgartel
> > > INET: [EMAIL PROTECTED]
> > >
> > > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > > San Diego, California -- Mailing list and web hosting services
> > > ---------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like

=== message truncated ===
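The AFTER LOGON / CURRENT_SCHEMA arrangement Tim Gorman describes in the quoted posting, written out as an added example that is not part of the original thread. The names APP_OWNER, REPORT_USER and ORDERS are hypothetical, and the statements are assumed to be run by a DBA account able to create a trigger in another schema.

```sql
-- Hypothetical names: APP_OWNER owns the application objects,
-- REPORT_USER is a login used for end-user (reporting) access.

-- 1. The end-user login receives only what it needs: the right to connect
--    and explicit object grants. It owns no objects of its own.
GRANT CREATE SESSION TO report_user;
GRANT SELECT ON app_owner.orders TO report_user;

-- 2. Schema-level AFTER LOGON trigger for REPORT_USER. It fires each time
--    that account connects and points unqualified names at APP_OWNER,
--    so no public or private synonyms have to be maintained.
CREATE OR REPLACE TRIGGER report_user.set_current_schema
AFTER LOGON ON report_user.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER';
END;
/

-- 3. Check from a new REPORT_USER session: the login identity is unchanged,
--    only the schema used for name resolution differs.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS login_name,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS resolves_in
FROM   dual;

-- 4. An unqualified reference now resolves to APP_OWNER.ORDERS.
--    CURRENT_SCHEMA affects name resolution only; access is still decided
--    by the grants in step 1, so an ungranted APP_OWNER table stays
--    unreadable for REPORT_USER.
SELECT COUNT(*) FROM orders;
```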