1. Oracle Database Security - A Monty Python approach

2. Database secure, system flawed…
- Web App – Database – OS – Network/LAN
- Firewalls don't help; don't rely on…
- http://www.myserver.com/main.jsp?table=usertable ?user=app_owner

3. Security is a chain! A single weak link can break the entire system!
- http://www.schneier.com/essay-037.html

4. DBA = The Weakest Link? NO!
- So security is a non-issue for DBAs

5. So, it's a dead parrot discussion!
- "I know a dead parrot when I see one, and I'm lookin' at one right now."

6. Why is a DBA <> The Weakest Link?
- Wants to know how it works
- Is as accurate as possible
- Takes responsibility
- Has to clean up the mess
- Is security aware!

7. Being security minded is a nasty habit!
- You can't be creative anymore
- Security is just no fun
- You are doing a lot of extra work, which should have been done by someone else in the first place
- Security makes life complex
- No one likes you (if you start talking about security measures)

8. A DBA being aware of the WLF (the Weakest Link Factor) realizes:
- A DBA job can be healthy!
- No stress anymore!
- Everyone loves you!
- The CREATE USER example…
9. CREATE USER (Old DBA style)
  SQL> CREATE USER app_owner IDENTIFIED BY "#D1ff1cultP@ssw0rd"
         DEFAULT TABLESPACE app_data_01
         TEMPORARY TABLESPACE app_temp
         QUOTA 10M ON app_data_01
         PROFILE app_owner
         PASSWORD EXPIRE;
  SQL> GRANT create session TO app_owner;
- Plus X extra measures to ensure that it is difficult to use this account

10. CREATE USER (New DBA style)
  SQL> CREATE USER app_owner IDENTIFIED BY app_owner;
  SQL> GRANT dba TO app_owner;
- This can now be implemented because of the Weakest Link Factor!

11. CREATE normal USER (This is the weakest link)
  SQL> CREATE USER app_user IDENTIFIED BY app_user;
  SQL> GRANT dba TO app_user;
  SQL> GRANT select any dictionary TO app_user;
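The "old DBA style" slide is the least-privilege version of account creation; the two slides after it are its deliberately broken counterparts (password equal to the username, DBA and SELECT ANY DICTIONARY handed to an application account). As an added example that is not part of Marco Gralike's deck, the script below spells the old style out with an explicit password profile and a separate runtime user, and then runs a data-dictionary check that a DBA can use to find accounts that were set up the "new style" way. Assumptions: the tablespaces app_data_01 and app_temp exist, the profile name app_owner_prof and the role name app_user_role are made up for this example, the stock ora12c_verify_function is assumed to have been installed by running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, and the ORACLE_MAINTAINED column of DBA_USERS requires Oracle 12c or later.

```sql
-- Added example, not from the original deck. Assumed names: app_owner_prof,
-- app_user_role, the two tablespaces, and the installed verify function.

-- 1. A password profile: limits guessing, forces rotation, blocks reuse.
CREATE PROFILE app_owner_prof LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1      -- days locked after too many failures
  PASSWORD_LIFE_TIME       90     -- days before the password must change
  PASSWORD_GRACE_TIME      7      -- days of warning before expiry
  PASSWORD_REUSE_MAX       10     -- old passwords remembered
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;  -- assumed installed

-- 2. The schema owner: one system privilege, a quota, and an expired
--    password so the first login is forced to change it.
CREATE USER app_owner IDENTIFIED BY "#D1ff1cultP@ssw0rd"
  DEFAULT TABLESPACE   app_data_01
  TEMPORARY TABLESPACE app_temp
  QUOTA 10M ON app_data_01
  PROFILE app_owner_prof
  PASSWORD EXPIRE;
GRANT CREATE SESSION TO app_owner;

-- 3. The application's runtime user never owns objects and never gets DBA.
--    It receives object grants on app_owner's tables through a role once
--    those tables exist; here the role only allows logging in.
CREATE ROLE app_user_role;
GRANT CREATE SESSION TO app_user_role;

CREATE USER app_user IDENTIFIED BY "An0ther-L0ng_Passw0rd!"
  DEFAULT TABLESPACE   app_data_01
  TEMPORARY TABLESPACE app_temp
  QUOTA 0 ON app_data_01             -- may not create its own segments
  PROFILE app_owner_prof
  PASSWORD EXPIRE;
GRANT app_user_role TO app_user;

-- 4. Detection: non-Oracle accounts holding DBA (directly) or
--    SELECT ANY DICTIONARY, i.e. the "new DBA style" slides.
SELECT u.username,
       u.account_status,
       u.profile,
       LISTAGG(p.priv, ', ') WITHIN GROUP (ORDER BY p.priv) AS risky_privs
FROM   dba_users u
JOIN  (SELECT grantee, granted_role AS priv
       FROM   dba_role_privs
       WHERE  granted_role = 'DBA'
       UNION ALL
       SELECT grantee, privilege
       FROM   dba_sys_privs
       WHERE  privilege = 'SELECT ANY DICTIONARY') p
  ON   p.grantee = u.username
WHERE  u.oracle_maintained = 'N'     -- 12c+; drop this predicate on 11g
GROUP  BY u.username, u.account_status, u.profile
ORDER  BY u.username;

-- 5. Detection: profiles that never expire passwords or never lock accounts,
--    which is what the DEFAULT profile looks like on many installations.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
AND    limit = 'UNLIMITED'
ORDER  BY profile, resource_name;
```

Run the two checks as a user with SELECT on the DBA views. The DBA check only sees direct grants of the DBA role; an account that holds DBA through an intermediate role has to be found by walking ROLE_ROLE_PRIVS, and a grant of the 'SELECT ANY DICTIONARY' privilege to a role rather than to a user shows up in ROLE_SYS_PRIVS instead of DBA_SYS_PRIVS.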
12. Oracle Critical Patch Update
- Doesn't make any sense anymore
- So more free weekends, less work
- No testing requirements
- Stable database systems
- No changes ;-)
- GREAT, and all this just because we are now Weakest Link Factor aware!

13. Try to imagine what WLF can do for you!
- Passwords on Post-its or in text files named "passwords.txt"
- Unlocked keyboards, unprotected access to PCs
- Super user privileges for everyone
- Etcetera
- "Life becomes so easy…"

14. Is this what we want? OF COURSE NOT!
- … or at least, I hope you will agree, this isn't what we want; and be aware that YOUR system is also compromised…

15. First steps to improvement
- Create a holistic, security-minded approach
- Do your best possible (ask colleagues | Google!)
- Invest in knowledge
- Be realistic, but also be prepared (paranoia systems, backup and recovery)
- Threat Models (not only "general" architecture design)

16. Threat Models (http://www.schneier.com/essay-037.html)
- A good design starts with a threat model: what the system is designed to protect, from whom, and for how long
- The threat model must take the entire system into account: not just the data to be protected, but the people who will use the system and how they will use it

17. Questions to be asked… (http://www.schneier.com/essay-037.html)
- What motivates the attackers?
- Must attacks be prevented, or can they just be detected?
- What kind of disaster recovery is possible?
- Analyze the real risks!

18. Threat model measures (http://www.schneier.com/essay-037.html)
- Threat models allow both product designers and consumers to determine what security measures they need.

19. Threat model awareness (http://www.schneier.com/essay-037.html)
- Does it make sense to encrypt your hard drive if you don't put your files in a safe?
- Are the audit logs good enough to convince a court of law?
- Does all this effort make sense as long as people do not lock their keyboards and/or do not care?

20. General consequence of all our efforts?
- We are security aware, we have control
- We have become smarter
- Less damage, if security fails…
- Protected investment

21. Extra Result?
- A happy, stress-free DBA!
- A happy Development Team!
- A happy Customer!
- Great Team Work!

22. Brothers at Arms! So protect our Stuff!

23. Who buys a dead parrot anyway…?

24. I Hope You Have Enjoyed It
- Marco Gralike
- http://blog.gralike.com

Security - The WLF Principle