Re: Securing the Database Structure

2003-07-23 Thread Pete Finnigan
Hi

It isn't possible to hide the structure of the database successfully, as
your customer's DBA will access the database and can query its structure
- tables, indexes, constraints etc. - from the dictionary and work out how
quite a lot of your tables interact. That said, if you want to make it
difficult then obfuscate all the table names, index names etc., i.e.
don't use a table called EMPLOYEE_SALARIES, use a table called say HH1.
Do not name columns where there is a join with the same name in two
different tables. Ensure you wrap any PL/SQL and make sure your
application's source cannot be read. To make it harder to infer joins
between tables, don't implement constraints in the database, do it in the
application (bad).

Anyone with some little effort should be able to construct an entity
diagram either manually or using a tool. You cannot wrap views so joins
can be extrapolated from those, also setting trace in the database or
SQL*Net trace for a period of time and use of your application would
extract enough SQL to give someone a good idea of how your entity
relationships work.

I think you are wasting your time to try and hide the database
structure!

hth

kind regards

Pete
-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Pete Finnigan
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
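
The dictionary lookups described in the message above, as an added example that is not part of the original post. APPOWNER is a hypothetical name for the vendor's application schema; a vendor can run these against their own schema to see what remains visible after renaming objects.

```sql
-- Added example; APPOWNER is a hypothetical schema name.

-- 1. Declared foreign keys: each 'R' constraint names the parent key it
--    references, so child/parent column pairs come straight from the dictionary,
--    however the tables themselves are named.
SELECT c.table_name   AS child_table,
       cc.column_name AS child_column,
       p.table_name   AS parent_table,
       pc.column_name AS parent_column
FROM   all_constraints  c
JOIN   all_cons_columns cc ON cc.owner = c.owner
                          AND cc.constraint_name = c.constraint_name
JOIN   all_constraints  p  ON p.owner = c.r_owner
                          AND p.constraint_name = c.r_constraint_name
JOIN   all_cons_columns pc ON pc.owner = p.owner
                          AND pc.constraint_name = p.constraint_name
                          AND pc.position = cc.position
WHERE  c.constraint_type = 'R'
AND    c.owner = 'APPOWNER'
ORDER  BY c.table_name, c.constraint_name, cc.position;

-- 2. No constraints declared: columns that share a name and datatype
--    across two tables are still candidate join keys.
SELECT a.column_name,
       a.data_type,
       a.table_name AS table_a,
       b.table_name AS table_b
FROM   all_tab_columns a
JOIN   all_tab_columns b ON b.owner = a.owner
                        AND b.column_name = a.column_name
                        AND b.data_type = a.data_type
                        AND b.table_name > a.table_name  -- each pair once
WHERE  a.owner = 'APPOWNER'
ORDER  BY a.column_name, a.table_name;

-- 3. View definitions are stored as readable text, join conditions included.
SELECT view_name, text
FROM   all_views
WHERE  owner = 'APPOWNER';
```

If query 1 returns no rows and query 2 returns only coincidental matches, the remaining exposure is the view text and whatever SQL the application sends at run time.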


RE: Securing the Database Structure

2003-07-23 Thread Jesse, Rich
Coming from the perspective of one who has needed to get to a DB structure
of a purchased app, you might have some luck using obfuscation.  Ever try to
reverse engineer an 800-table schema with no RI?  It can be done (we've done
it), but with the help of the app source.

One other 3rd-party app has implemented some of Oracle's object types and
such in 8i, and the schemas don't seem to be able to be successfully
exp/imp'd.  Then again, I didn't try that hard...

Rich


Rich Jesse   System/Database Administrator
[EMAIL PROTECTED]  Quad/Tech Inc, Sussex, WI USA


> -----Original Message-----
> From: Hussain Ahmed Qadri [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 23, 2003 9:54 AM
> To: Multiple recipients of list ORACLE-L
> Subject: Securing the Database Structure
> 
> 
> Hi all,
> When you develop a software and you intend to sell it, are 
> there any ways of saving your database structure. Because 
> obviously we don't give the fmb's, we only give the 
> executable. But to run the software we need to have the 
> database and there are ways by which the database structure 
> can be seen, imp/exp is an example for one. I know by getting 
> the database structure it would be very difficult to 
> interpret the system, but structure is the core of the whole 
> thing. So I wanted to ask what are the steps that are 
> followed when you are packaging your software to sell and 
> what are the security measures to protect your application, 
> forms, database structures, etc.
> Plus any good method/utility to encrypt the contents of a 
> batch file but at the same time allowing it to be executed.
> 
> Thanks and regards,
> 
> Hussain


RE: Securing the Database Structure

2003-07-23 Thread DENNIS WILLIAMS
Hussain
   I think Joe and Dick both make excellent points. The key to understanding
your product probably doesn't lie with your database structure. Most vendors
do this well enough just by having obscurely named tables and columns. Most
sites buy Oracle because they expect to use it on an enterprise scale. If
your application will be used in a very closed manner (no reason for the
customer DBA to maintain it), then perhaps you should consider providing an
embedded database with your application. This would also save you and your
customer a lot of money.

Dennis Williams
DBA, 80%OCP, 100% DBA
Lifetouch, Inc.
[EMAIL PROTECTED] 


-----Original Message-----
Sent: Wednesday, July 23, 2003 10:20 AM
To: Multiple recipients of list ORACLE-L


I wouldn't be concerned with hiding the db structure, look at 
peopleslop (aka peoplesoft), the structure is there for all to see but 
how it's implemented is all on program code, yes you can eventually 
figure out how it's all related (took me 6 months on one of the versions 
but I figured out all of those PS tables and how they were inter-related).

joe


Hussain Ahmed Qadri wrote:

>Hi all,
>When you develop a software and you intend to sell it, are there any ways
>of saving your database structure. Because obviously we don't give the
>fmb's, we only give the executable. But to run the software we need to have
>the database and there are ways by which the database structure can be seen,
>imp/exp is an example for one. I know by getting the database structure it
>would be very difficult to interpret the system, but structure is the core
>of the whole thing. So I wanted to ask what are the steps that are followed
>when you are packaging your software to sell and what are the security
>measures to protect your application, forms, database structures, etc.
>Plus any good method/utility to encrypt the contents of a batch file but at
>the same time allowing it to be executed.
>
>Thanks and regards,
>
>Hussain

-- 
Joseph S Testa
Chief Technology Officer 
Data Management Consulting
p: 614-791-9000
f: 614-791-9001




RE: Securing the Database Structure

2003-07-23 Thread Goulet, Dick
Hussain,

As someone who has to support third party, purchased applications it is my 
firm belief that you want to make this as transparent as possible.  Why? Because no 
data system purchased today will operate in a vacuum.  They have to be integrated into 
the remainder of the applications that the purchaser has. May I take a case in point?  

We've recently acquired a copy of SmartTime, a labor tracking application.  
Well this application needs data from both our HR system and ERP system as well as 
feeding data back into ERP.  Now the vendor is not going to create those interfaces, 
but they did provide help in identifying the tables in their application that we 
need to interface to.  Without being able to see the database definitions we would not 
have been able to do that & consequently would have gone elsewhere.

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
Sent: Wednesday, July 23, 2003 10:54 AM
To: Multiple recipients of list ORACLE-L


Hi all,
When you develop a software and you intend to sell it, are there any ways of saving 
your database structure. Because obviously we don't give the fmb's, we only give the 
executable. But to run the software we need to have the database and there are ways by 
which the database structure can be seen, imp/exp is an example for one. I know by 
getting the database structure it would be very difficult to interpret the system, but 
structure is the core of the whole thing. So I wanted to ask what are the steps that 
are followed when you are packaging your software to sell and what are the security 
measures to protect your application, forms, database structures, etc.
Plus any good method/utility to encrypt the contents of a batch file but at the same 
time allowing it to be executed.

Thanks and regards,

Hussain




Re: Securing the Database Structure

2003-07-23 Thread Joe Testa
I wouldn't be concerned with hiding the db structure, look at 
peopleslop (aka peoplesoft), the structure is there for all to see but 
how it's implemented is all on program code, yes you can eventually 
figure out how it's all related (took me 6 months on one of the versions 
but I figured out all of those PS tables and how they were inter-related).

joe

Hussain Ahmed Qadri wrote:

Hi all,
When you develop a software and you intend to sell it, are there any ways of saving 
your database structure. Because obviously we don't give the fmb's, we only give the 
executable. But to run the software we need to have the database and there are ways by 
which the database structure can be seen, imp/exp is an example for one. I know by 
getting the database structure it would be very difficult to interpret the system, but 
structure is the core of the whole thing. So I wanted to ask what are the steps that 
are followed when you are packaging your software to sell and what are the security 
measures to protect your application, forms, database structures, etc.
Plus any good method/utility to encrypt the contents of a batch file but at the same 
time allowing it to be executed.
Thanks and regards,

Hussain

 

--
Joseph S Testa
Chief Technology Officer 
Data Management Consulting
p: 614-791-9000
f: 614-791-9001



Securing the Database Structure

2003-07-23 Thread Hussain Ahmed Qadri
Hi all,
When you develop software and you intend to sell it, are there any ways of saving 
your database structure? Because obviously we don't give the fmb's, we only give the 
executable. But to run the software we need to have the database and there are ways by 
which the database structure can be seen, imp/exp is an example for one. I know by 
getting the database structure it would be very difficult to interpret the system, but 
structure is the core of the whole thing. So I wanted to ask what are the steps that 
are followed when you are packaging your software to sell and what are the security 
measures to protect your application, forms, database structures, etc.
Plus any good method/utility to encrypt the contents of a batch file but at the same 
time allowing it to be executed.

Thanks and regards,

Hussain

