PL/SQL Secure Coding
© copyright Oraclewizard.com, Inc 2016
Important Terms
Exploit: Take advantage of a flaw or feature.
SQL Injection: Change a SQL statement so it executes code that was not intended. Think of it as changing the code execution path.
Hack: Anything can be hacked. Do something it was not intended to do, or something you did not think it could do.
Spillage: Sensitive data has “spilled” outside its protected environment. It may not be compromised.
Leak: Sensitive data has spilled outside its protected environment. It has been compromised.
Brain Hacking Demo
Anything can be hacked. Hacking is getting something to do what it was not intended to do or something you did not think it could do.
“Young man, success comes in can, failure comes in can’t.” Adm Grace Hopper to a young Robert Lockard 1978.
Four things a Developer can do now
- Rights
- Identify all dynamic SQL and PL/SQL
- Code reviews
(4 things developers can do now to improve security… in process …..)
- ACCESSIBLE BY
- Assign a role to a package / procedure / function
- Invoker / definer rights
- Put everything in packages
- Split up your packages:
  - Sensitive
  - Non-sensitive
  - Helper
Oooopsy, I lied, there are more than 4 things. :-)
- Bind variables rock
- Error messages
- DBMS_ASSERT
Error Messages
SQL Injection
SQL Injection: Bad Input
- Strongly typed API
- IDS (Snort)
- Database firewall
Separate your data from your code
[Diagram: a single APP schema holding the app sensitive package, the sensitive tables, the non-sensitive package and the non-sensitive tables. A SQL injection bug sits in the same schema as the sensitive tables.]
Limit the number of ways to get to your sensitive data. Trusted Path
[Diagram: Sensitive Tables / Your Functions, Procedures and Packages / Non-Sensitive Tables]
Limit the number of ways to get to your sensitive data. Trusted Path
[Diagram: three schemas. Database Objects Schema: the sensitive table. API Schema: a strongly typed API (Select, Update, Insert, Delete). Application Schema: your functions, procedures and packages. Caption: Use Strongly Typed API]
Limit the number of ways to get to your sensitive data. Trusted Path
[Diagram: Database Objects Schema: sensitive tables and non-sensitive tables. API Schema: API (Select, Update, Insert, Delete). Application Schema: your packages.]
Limit the number of ways to get to your sensitive data. Trusted Path
[Diagram: the Sensitive Package reaches the Sensitive Tables only through the Sensitive API; the Non-Sensitive Package reaches the Non-Sensitive Tables through the Non-Sensitive API.]
Separate your data from your code
[Diagram: APP schema with the app objects, the app sensitive package and a non-sensitive package that contains the SQL injection bug. API schema with a sensitive select API. SELECT on the sensitive tables is granted to a sensitive select role; EXECUTE on the API is granted to APP.]
Separate your data from your code
[Diagram: as on the previous slide, but the sensitive select API is ACCESSIBLE BY the app sensitive package, SELECT is granted to the role and the role is granted to the package. The path from the SQL injection bug is marked X. Note: does not have connect privs.]
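The trusted path on the last two diagrams, written out as an added example (not the presenter's code): the table privilege lives on a role granted to the API package, the package is ACCESSIBLE BY the application's own package, and APP holds EXECUTE on the API but nothing on the table. The schema names DATA_OWNER, API_OWNER and APP, the caller APP.ORDER_PKG and the USERS tablespace are assumptions; the package body also shows the bind variable and DBMS_ASSERT points from the "things a developer can do now" list.

```sql
-- Added example, not from the slides. Assumed names: DATA_OWNER holds the
-- sensitive table, API_OWNER the only package allowed to read it, APP the
-- account the application connects as (its caller is APP.ORDER_PKG). Run as a DBA.
CREATE USER data_owner IDENTIFIED BY "placeholder_pw_1";  -- no CREATE SESSION:
CREATE USER api_owner  IDENTIFIED BY "placeholder_pw_2";  -- nobody logs in here
CREATE USER app        IDENTIFIED BY "placeholder_pw_3";
GRANT CREATE SESSION TO app;
ALTER USER data_owner QUOTA 10M ON users;                 -- tablespace name assumed
CREATE TABLE data_owner.customer (
  cust_id NUMBER       PRIMARY KEY,
  ssn     VARCHAR2(11) NOT NULL
);

-- The table privilege lives on a role granted to the PACKAGE (12c code-based
-- access control), never to a user, so no session can SELECT the table directly.
CREATE ROLE sensitive_select_role;
GRANT SELECT ON data_owner.customer TO sensitive_select_role;

-- Spec first, so the role is attached before the body that needs it compiles.
-- ACCESSIBLE BY: even with EXECUTE, only APP's own package may call this API.
CREATE OR REPLACE PACKAGE api_owner.cust_api
  AUTHID DEFINER ACCESSIBLE BY (PACKAGE app.order_pkg) AS
  FUNCTION ssn_for  (p_cust_id IN NUMBER)   RETURN VARCHAR2;
  FUNCTION count_by (p_column  IN VARCHAR2) RETURN NUMBER;
END cust_api;
/
GRANT sensitive_select_role TO PACKAGE api_owner.cust_api;

CREATE OR REPLACE PACKAGE BODY api_owner.cust_api AS
  FUNCTION ssn_for (p_cust_id IN NUMBER) RETURN VARCHAR2 IS
    l_ssn data_owner.customer.ssn%TYPE;
  BEGIN
    -- Static SQL: p_cust_id is a bind variable, so it can only ever be a value.
    SELECT ssn INTO l_ssn FROM data_owner.customer WHERE cust_id = p_cust_id;
    RETURN l_ssn;
  END ssn_for;
  -- Identifiers cannot be bound. When dynamic SQL is unavoidable, the caller's
  -- string goes through DBMS_ASSERT, which raises ORA-44003 unless the whole
  -- string is one simple SQL name (a second token, ';' or '--' is rejected).
  FUNCTION count_by (p_column IN VARCHAR2) RETURN NUMBER IS
    l_n NUMBER;
  BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(DISTINCT '
      || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column) || ') FROM data_owner.customer'
      INTO l_n;
    RETURN l_n;
  END count_by;
END cust_api;
/
GRANT EXECUTE ON api_owner.cust_api TO app;   -- APP gets the API, never the table
```

APP.ORDER_PKG does not have to exist when the spec compiles; until it does, any other caller of CUST_API, including an anonymous block in APP's own session, is rejected when the caller is compiled.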
Resources
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
https://docs.google.com/spreadsheets/d/1Dvl_CbX2b0NGFzE2gVLQb1-Nc6litfpGtoTB9iytWfM/edit?usp=sharing
YouTube search for “May 2016 CodeTalk: Securing PL/SQL Code From Attacks”
Google search for “sql injection proof pl/sql”
Contact Information
email: [email protected]
@YourNavionPilot
blog: www.oraclewizard.com
youtube: www.youtube.com/user/n4281k
Robert P. Lockard, Oraclewizard, Inc.
Hubzone Certified Small Veteran Owned Business
Glen Burnie, MD, USA