Applied Oracle Security: Developing Secure Database and Middleware Environments
David C. Knox
Scott G. Gaetjen
Hamza Jahangir
Tyler Muth
Patrick Sack
Richard Wark
Bryan Wise
New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Information has been obtained by Publisher from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Publisher, or others, Publisher does not guarantee the accuracy, adequacy, or completeness of any information included in this work and is not responsible for any errors or omissions or the results obtained from the use of such information. Oracle Corporation does not make any representations or warranties as to the accuracy, adequacy, or completeness of any information contained in this Work, and is not responsible for any errors or omissions.
I dedicate this book to all those who not only aspire for greater achievements, but also follow through on obtaining them.
Dream big and do big!
—David Knox
I dedicate this book to my wife, Mary, and my two sons, Anthony and Jeffrey, for being patient and understanding while I worked on the book.
I love you guys and we now have the summer free so we can play.
–Scott Gaetjen
To my parents, Panahul Alam Jahangir and Nargis Jahangir, my two greatest
sources of warmth, support, and affection.
–Hamza Jahangir
I would like to dedicate this book to my loving wife, Sally, for her tireless support. She invested as many hours as I did in this project, caring for our new son, Colin, on weekends and evenings so that I could pursue this endeavor, and for that I am truly grateful.
–Tyler Muth
I dedicate this book to my wife, Wendi, and my sons, Collin, Ashtin, Giovanni, and Vinson. Thank you for your support and understanding during the production of this book. We have been through a lot this past year and have learned that family and friends are what really matters. Love to all of you, especially to my wife, Wendi. XOXO.
—Pat Sack
I dedicate this book to my dad, Robert Wark, for his wisdom and love.
—Richard Wark
I dedicate this book to my father, Ronald, whose love of brain-teasers, HP calculators, and spreadsheet macros started me down this wonderful road I find myself traveling.
—Bryan Wise
Since joining Oracle in 1995, Mr. Knox has worked with customer organizations including the Department of Defense, intelligence agencies, financial services, and a variety of other industries, giving him a broad understanding of key business drivers and processes. His expertise in computer security derives from both working knowledge and experience with Oracle’s security products and database security, but also from his academic studies in the areas of multilevel security, cryptography, Lightweight Directory Access Protocol (LDAP), and Public Key Infrastructure (PKI).
Mr. Knox is the author of Effective Oracle Database 10g Security By Design (McGraw-Hill Professional, 2004). His other published work includes security contributions to Expert One-on-One Oracle by Thomas Kyte (Wrox Press, 2001) and Mastering Oracle PL/SQL: Practical Solutions (Apress, 2003). He has also authored several Oracle whitepapers. Mr. Knox earned a bachelor’s degree in computer science from the University of Maryland and a master’s degree in computer science from Johns Hopkins University.
Scott G. Gaetjen, Technical Director, Oracle National Security Group, conducts research and design on new security solutions, leveraging his 15 years of experience with Oracle technologies to provide advanced security capabilities to Oracle’s customers. He has served as a technical lead and mentor for several customers in the U.S. Department of Defense, U.S. intelligence agencies, U.S. civilian government, and the financial industries. In the process of helping these customers meet their mission objectives, Mr. Gaetjen has developed a keen technical understanding of operating system security, Oracle database security, J2EE application security, and identity management.

Mr. Gaetjen has been involved in the research and development of the Oracle Data Vault technology since its inception as a solution in 2004 under Oracle’s Consulting organization and participated in the efforts to make the solution into a true Oracle product.

He earned a bachelor’s degree in mathematics from James Madison University and a master’s degree in computer systems management from the University of Maryland University College.
Hamza Jahangir is currently a Principal Architect in the Enterprise Architecture group at Oracle. He has been with Oracle since 2004 and has been working with Oracle Database and middleware products for more than ten years. As an architect, he spends much of his time in a technical advisory capacity to help his clients better understand and apply security products and technologies to solve security challenges, mainly those that span database and middleware environments (such as Identity Management, Access Management, Directories, and J2EE security).

Mr. Jahangir also teaches security classes and spends time evangelizing best practices around bridging database and middleware security to Oracle user groups and professional communities around identity management, service-oriented architectures, and IT security. He spends the remainder of his working time on experimenting with new architectures and prototyping solutions around new application and enterprise security models.

When he is not working, he enjoys spending time with his family, friends, and a nylon-string classical guitar. He has a bachelor’s degree in computer science from Northeastern and is currently working toward an MBA at Georgetown.
Tyler Muth is a Principal Technologist with the Oracle Public Sector division, specializing in database and application security. He leads Application Express workshops throughout the United States, advises customers on architecture decisions, and collaborates with customers to develop tactical applications. He is a passionate contributor to the security community through presentations at Oracle Technology Days and Oracle User Groups; his blog, www.tylermuth.wordpress.com; and participation on the Oracle Technology Network forums.

Prior to his current role, Mr. Muth was one of the early developers on the Application Express development team, where he worked for more than five years. He was a technical reviewer for several of Tom Kyte’s books, a contributing author for asktom.oracle.com, and a manager for a production system in zero-gravity.
Patrick Sack, Technical Vice President, NSG Product Engineering, Oracle Corporation, runs the Product Engineering division for Oracle’s National Security Group. Prior to his current role overseeing Product Engineering and R&D Innovation for all Oracle technologies, he held positions as Vice President of Oracle’s Protected Enterprise & Security Business. A majority of his career was spent within the Oracle Consulting group, driving innovative solutions and enhancing Oracle products. Since joining Oracle in 1988, Mr. Sack has worked with customer organizations, including the Department of Defense, intelligence agencies, financial services, and a variety of other industries, giving him a broad understanding of key business drivers and processes. His expertise in information security derives from his working knowledge of Oracle products and application of these technologies on customers’ projects, including multilevel security.

He specializes in Oracle’s Information Assurance technologies, architectures, and solutions. He has been instrumental in driving new security technologies, features, and solutions for customers, such as Database Vault for Compliance. He is the primary architect and founder of many of the advanced security capabilities available in the Oracle Database product offerings, including Oracle Database Vault, Oracle Audit Vault, Oracle Label Security, and fine-grained auditing. He has filed many U.S. patents with Oracle Corporation in the information security category, such as Multiple Database Security Policies, Row-Level Auditing, Database Vault, Mandatory Access Control Base, Dynamic Access Controls, and Auditing and Cross Domain Security.

Mr. Sack understands how critical information and security are to most organizations, asserting that the data must be available, accountable, and accessible. He earned a bachelor’s degree in computer science from the State University of New York.
Richard Wark, CISSP, works as a Principal Technologist in Oracle’s Enterprise Solutions Group, helping to develop security and identity management solutions, demonstrations, and training since 2004. He is a “retread” at Oracle, having worked briefly for the City of San Antonio from 2002 to 2003 to help manage a large enterprise resource planning (ERP) project implementation. He initially joined Oracle to work as a sales consultant working with Air Force customers across the country in 1996. Since then, he has worked on solutions for banks, airlines, financial institutions, and a host of other customers to protect their data and practice good security.

With more than 15 years of experience with Oracle products, Mr. Wark has worked with customers to build secure database systems in the government, Department of Defense, healthcare industry, and other commercial sectors. As a result of dealing with brilliant colleagues and customers with challenging problems, he has developed a working knowledge and some level of expertise in network security design, security policy creation, business continuity planning, data classification, secure database configuration, and large-scale implementation reality.

Prior to joining Oracle, Mr. Wark worked for Computer Sciences Corporation (CSC) and Science Applications International Corporation (SAIC) on DoD Oracle database projects, starting his professional career in 1991 as a UNIX admin and Informix DBA. He holds a bachelor’s degree in information systems from the University of Texas at San Antonio.
Bryan Wise is a Business Intelligence Solution Specialist for Oracle’s Public Sector division, where he helps customers find secure, innovative ways to use their existing data and run their organizations more efficiently. His career with Oracle technology started in the late 1990s while
seminars, teaching mathematics at the Navy’s Nuclear Power school and various community colleges, as well as teaching database concepts at the University of Maryland University College.

He holds bachelor’s and master’s degrees in mathematics from Brigham Young University and a master’s certificate in e-commerce engineering from Regis University.
About the Technical Editors
Ben Ault is a Business Intelligence Specialist Manager at Oracle, where he has worked since 1995. He has focused on implementing and selling decision support and business intelligence solutions throughout his career. He has spent the last several years concentrating on business intelligence and data warehousing solutions for Oracle’s Public Sector customers. Prior to his time at Oracle, he worked as a Decision Support Consultant for IRI Software, where he designed and implemented custom database applications to provide executive-level analysis of sales, marketing, and financial data.
Tammy Bednar has worked in the computer industry for more than 25 years. She started out coding applications in Ada and decided a change was needed. Oracle hired her in the Database Support Organization 14 years ago and she has been involved with database releases since version 6.0.36. She started her Product Management career on the database High Availability team with Recovery Manager (RMAN) and database backup and recovery. High availability and security go hand-in-hand, and Ms. Bednar is currently a member of the Database Security development team, focusing on auditing and Oracle Audit Vault.
Derrick Cameron leads the Business Intelligence team in Solutions Engineering at Oracle. He has worked with Oracle technology for more than 15 years and for Oracle (Canada, and then U.S.) for the past 12 years, initially working in applications consulting and later in sales, supporting data warehousing and business intelligence. He is one of the primary architects of Oracle’s internal integrated BI demonstration and training platform (used at Oracle Open World), and is also the build lead for Oracle’s external partner BI platform. He works closely with development to build cross-product integration solutions, and he also works with customers in the sales cycle when technical expertise is required. Previously, he worked in financial accounting systems roles in the public sector and a financial institution.
Sergio Leunissen joined Oracle in 1995. Since then, he has worked as a sales engineer, developer, and product manager on technologies including Oracle Application Express, Oracle Database, Linux, and Oracle VM. He was one of the original members of the Oracle Application Express team, helping to develop and bring the product to market. In 2006, he helped launch the Unbreakable Linux support program. He is currently Senior Director, Linux Business Solutions.
Robert Lindsley is a Principal Sales Consultant in Oracle’s North American Public Sector organization. He specializes in Oracle’s business intelligence, analysis, and data warehousing solutions and has worked in the software industry for more than ten years. Prior to that, Mr. Lindsley was a research scientist, specializing in the analysis of large neuroscience datasets. He has written several publications in the areas of multisensory integration and neuropharmacology. Mr. Lindsley has a bachelor’s degree from Cornell University in Ithaca, New York. He lives in Washington, DC.
Bill Maroulis is a Technical Director in Oracle’s National Security group. He has more than 15 years’ experience in software development, with a primary focus on Oracle database security. He is the lead database engineer for software components and mandatory access control (MAC) security policies that protect the Oracle Database in a cross-domain environment. Mr. Maroulis also teaches Oracle as an adjunct professor at Strayer University. He has a bachelor’s degree in computer science from North Carolina State University and a master’s in software engineering from the University of Maryland University College. He lives in Virginia and enjoys spending time with his wife and daughter.
Raj Mattamal, a co-president at Niantic Systems (www.nianticsystems.com), started developing web applications at Oracle in 1995 with the very same people who came to create Oracle Application Express. During his more than ten years with the company, he helped customers in a wide range of industries to deliver web-based solutions in Oracle Database. In addition to helping customers with their applications, he developed numerous web applications for use internally at Oracle as well. Outside of application development, Mr. Mattamal spent much of his time with Oracle evangelizing the Oracle Application Express development environment. This entailed teaching classes globally, writing articles for Oracle Magazine, writing Technotes for the Oracle Technology Network, and assisting with the development of training materials and workshops.

Having earned bachelor’s degrees in decision and information studies and in marketing from the University of Maryland, Mr. Mattamal continues to apply his knowledge of and passion for technology and business to real-world issues. Since leaving Oracle in 2006, he went on to co-found Niantic Systems, LLC, which offers services and training to customers in a wide range of business lines to help them get the most out of their Oracle environments.
Scott Spadafore is a member of the Application Express development team at Oracle Corporation, now in his eighth year with that group. Prior to this, he worked seven years as an Oracle consultant doing various C/Pro*C custom development projects, DBA work, and security technical architecture/implementation for telco and local government customers throughout the United States. Before joining Oracle, he spent 21 years helping Amdahl Corporation develop mainframe computers in various roles as an engineering aide, MVS/VM systems programmer, C programmer, and software development manager.
Peter Wahl is the Product Manager for Oracle’s Advanced Security option. He has a master’s degree from the University of Applied Sciences in Ravensburg, Germany, and nearly 20 years of industry experience in product development, marketing, and business development. As a member of the Oracle Database Security development team since the initial release of Transparent Data Encryption (TDE), he has helped numerous enterprise customers deploy TDE to address PCI and other compliance requirements. In addition, he serves as the worldwide contact for partner development and has led the certification of Oracle’s E-Business Suite, PeopleSoft, Siebel CRM, and JD Edwards EnterpriseOne Applications with TDE as well as the certification of multiple hardware security modules by partner vendors.