Archive for the ‘General’ Category
TA08-087B: Cisco Updates for Multiple Vulnerabilities
TA08-079A: Apple Updates for Multiple Vulnerabilities
TA08-079B: MIT Kerberos Updates for Multiple Vulnerabilities
TA08-071A: Microsoft Updates for Multiple Vulnerabilities
TA08-066A: Sun Updates for Multiple Vulnerabilities in Java
TA08-094A: Apple Quicktime Updates for Multiple Vulnerabilities
TA08-099A: Microsoft Updates for Multiple Vulnerabilities
TA08-134A: Microsoft Updates for Multiple Vulnerabilities
TA08-100A: Adobe Flash Updates for Multiple Vulnerabilities
“IdM Risk Management” and “Identity Analytics”: Anything Else Apart From “Bottom-Up” Approaches?
I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:
(1) Risk Analysis and Management in the space of Identity Management
(2) Identity Analytics
My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) providing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach where the “risk assessment” is done against predefined policies and/or well defined situations.
So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) to explore trade-offs in the Identity Management space (e.g. making investments in education vs IT solutions vs outsourcing vs etc.) to understand the impact on factors of relevance for an organisation (e.g. costs, reputation, losses, trust, etc.), make compelling decisions and potentially help them to define suitable policies.
A specific example would be decision support solutions that help in understanding the trade-offs between adopting (in an organisation) the usage of strong passwords, SSO, multi-factor authentication, etc. against the involved costs, the value of the assets to be protected, the kind of users involved and the actual benefits in terms of security. More generally, these solutions should provide insights about potential trade-offs between various possible choices in the IdM space (in terms of authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the involved complexity …
Is anybody aware of specific research/work/solutions in this space?
CIOs/CISOs are increasingly asked to justify the reasons behind their security investments and/or have to make investment choices that must “maximise” their “expected outcomes” based on ever-shrinking budgets. I see the opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …
TA08-043C: Microsoft Updates for Multiple Vulnerabilities
License plate SQL Injection
Wow, it's been a while since I posted. I have been travelling all over the world over the last month or so, teaching my Oracle security class and also speaking at conferences and performing Oracle security audits. It's been a....[Read More]
Posted by Pete On 13/05/08 At 07:38 PM
Conditionally firing triggers
I saw a post on the BAR Solutions blog today titled " Triggers… " that was very interesting as I have had the same issue in the past for different reasons. The blog post was around an issue where triggers....[Read More]
Posted by Pete On 01/05/08 At 01:22 PM
Slides from OUG Scotland DBA SIG on Oracle Forensics available
I have posted the slides to my talk from yesterday at the OUG Scotland SIG to my Oracle Security white papers page . They are the first entries in the page. The talk was 45 minutes about Oracle Forensics. This....[Read More]
Posted by Pete On 01/05/08 At 02:23 PM
Lateral SQL Injection and Conferences and security training
I am writing this whilst sat on a train travelling at around 120mph between York and Darlington, this is probably my first blog entry written at speed! I saw that David had released his paper " Lateral SQL Injection: A....[Read More]
Posted by Pete On 30/04/08 At 08:26 AM
Slides from OUGN Norway and RISK 2008 Norway available
I was over in Norway this week and the Oracle User Group Norway (OUGN) asked me to speak at an evening user group meeting of theirs. This was a really friendly group and it was a pleasure to speak there....[Read More]
Posted by Pete On 25/04/08 At 05:58 PM
C code API to encapsulate OCI
If like me you code in C and use OCI instead of Pro*C then you will be interested in a library written by Vincent Rogier. I have looked at most C++ OCI libraries, and C libraries that encapsulate OCI in....[Read More]
Posted by Pete On 07/04/08 At 11:52 AM
Fine Grained network Access Control in 11g
I saw a post by Tim Hall on his blog recently that referenced a new article he had written about the new fine grained network access controls added in 11g. As this is an area I have also looked at....[Read More]
Posted by Pete On 08/04/08 At 10:25 AM
Two remotely exploitable without authentication bugs to be fixed
Oracle's pre-patch advisory note for the next Critical Patch Update (CPU) due this Tuesday (15th) states that there are 17 new security fixes for the database, two for Apex and two of which are remotely exploitable without authentication. The advisory....[Read More]
Posted by Pete On 14/04/08 At 10:17 AM
Semi-finalist in the 2008 Ernst & Young New Jersey entrepreneur
Great news today! We have been selected as a semi-finalist in the Entrepreneur of the Year Program. This would be the third year in a row that we are part of this program. We’ll be attending a reception tonight.
Learn Oracle: Triggers
LewisC's An Expert's Guide To Oracle Technology
Today I will be writing about triggers. One of the questions I get fairly often is "what is the difference between a function, a procedure and a trigger?" I already wrote about functions and procedures in http://blogs.ittoolbox.com/oracle/guide/archives/learn-plsql-procedures-and-functions-13
PLING panel at WWW 2008
A PLING panel was held at the WWW 2008 conference (Beijing, 23-25 April), discussing policies and the Policy-aware Web.
The panellists were: Renato Iannella (Moderator), Piero Bonatti, Lalana Kagal, Thomas Roessler.
The slides presented in this panel are now available online.
Crisis or Opportunity: leading through a down economy
I will be speaking tomorrow at the Corporate Executive Board Conferences – Customize or Standardize? Making the Right IT Choices with Scarce Resources. I am particularly excited about the speaking engagement as I will be at the same conference as — in fact I will be meeting with — Dr. Alan Greenspan. As part of my presentation tomorrow, I’ll be showing the following video about the project from hell. I think this summarizes what I feel about customizing IT projects.
A Complete Newbie’s Guide to Choosing a Database
LewisC's An Expert's Guide To Oracle Technology
Welcome to newbie Monday. Today's topic is choosing your database. Choosing a database for your business has some commonalities with choosing a database as a new developer or DBA. There are also differences though. Here are a few guidelines to getting started. This is not a complete guide but it is meant as a starting place.
If you are already an Oracle shop, or DB2 shop, or w
Biometrics: State Of The Art And Future Implications
A new version of the Oracle password cracker woraauthbf is available
The Oracle password cracker woraauthbf written by Laszlo Toth has been updated and released as new version 0.21R2 (the R2 is the new part), so even if you are running version 0.21 then please download the new release. The....[Read More]
Posted by Pete On 31/03/08 At 10:33 AM
Oracle Street Talk
I guess there are people who don’t know about Oracle or Larry Ellison. Shocking! I guess life down under is just that.
In Licensing loopholes in Microsoft Windows XP
So Dell and HP are offering XP instead of Vista. All the tweaks Microsoft has made to the desktop operating system — making it more intuitive, more secure and just generally having cool stuff — mean that you need more memory and faster graphics.
Meanwhile, Windows XP users are getting a surprise. Computer makers — including Dell, HP and Lenovo (IBM) — have found a loophole in the HP licensing scheme. Under the Windows Vista licensing terms, XP can be provided for free under the terms of a downgrade license for select versions of the operating system. That means any of the computer makers can install XP Professional for free on some machines, and in many cases this downgrade licensing option can be kept on as an operating system until 2009, or maybe even extended to 2010 in the case of Windows XP Home Edition.
Cloudy software licensing issues
Cloud computing — also known as grid computing (or you can just call it on-demand computing) — has been making headway in the press lately. Aside from publications that stem from security to data privacy, there is a whole host of complex licensing and compliance issues that need to be addressed. For example, in the world of cloud computing, there is one application that might be running on numerous servers. Or, what happens when your software vendor decides to do an audit? Do the cloud vendors have service-level agreements with the software vendor for all the applications up and running, OR would you be held accountable in some way? While I believe grid computing is certainly a model that many companies will move towards in the distant future, there are too many complex issues that currently need to be resolved for cloud computing to be acceptable for any enterprise.
If you’re looking for good, factual Cloud Computing 101 information, I would encourage you to read Paul Reubens’ Cloud Computing: Hot Air or Killer App?