Secure your most important technology asset - Database

TA08-100A: Adobe Flash updates for Multiple Vulnerabilities

Adobe Flash updates for Multiple Vulnerabilities

TA08-099A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA08-094A: Apple Quicktime Updates for Multiple Vulnerabilities

Apple Quicktime Updates for Multiple Vulnerabilities

TA08-066A: Sun Updates for Multiple Vulnerabilities in Java

Sun Updates for Multiple Vulnerabilities in Java

TA08-071A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA08-079B: MIT Kerberos Updates for Multiple Vulnerabilities

MIT Kerberos Updates for Multiple Vulnerabilities

TA08-079A: Apple Updates for Multiple Vulnerabilities

Apple Updates for Multiple Vulnerabilities

TA08-087B: Cisco Updates for Multiple Vulnerabilities

Cisco Updates for Multiple Vulnerabilities

TA08-087A: Mozilla Updates for Multiple Vulnerabilities

Mozilla Updates for Multiple Vulnerabilities

TA08-134A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

“IdM Risk Management” and “Identity Analytics”: Anything Else Apart From “Bottom-Up” Approaches?

I was wondering if anybody in this community could share references to relevant material/links/documents/research projects illustrating the current status of:

(1) Risk Analysis and Management in the space of Identity Management

(2) Identity Analytics

My current search and assessment of this space has identified various technologies, solutions and work coming from a “compliance management” perspective i.e. (a) assessing events and evidence (e.g. logs) against expected processes/policies and (b) providing results that indicate the level of compliance and risk exposure. This is what I call the “bottom-up” approach where the “risk assessment” is done against predefined policies and/or well defined situations.

So far I have not found good examples of “top-down” solutions that help decision makers (e.g. CIOs, CISOs, etc.) to explore trade-offs in the Identity Management space (e.g. making investments in education vs IT solutions vs outsourcing vs etc.) to understand the impact on factor of relevance for an organisation (e.g. costs, reputation, losses, trust, etc.), make compelling decisions and potentially help them to define suitable policies.

A specific example would be decision support solutions that help understanding the trade-offs between adopting (in an organisation) the usage of strong passwords, SSO, multi-factor authentication, etc. against involved costs, the value of the assets to be protected, the kind of involved users and the actual benefits in terms of security. More in general these solutions should provide insights about potential trade-offs between various possible choices in the IdM space (in terms of authentication, authorization, provisioning, federation/SSO, privacy, etc.) against complex organisational realities and their business objectives. Modelling and simulation might be required to cope with the involved complexity …

Is anybody aware of specific research/work/solutions in this space?

CIOs/CISOs are increasingly asked to justify the reasons behind their security investments and/or have to make investment choices that must “maximise” their “expected outcomes” based on ever-shrinking budgets. I see the opportunity for “top-down” decision support, modelling and simulation solutions that can effectively help these decision makers, specifically in the Identity Management space …

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

TA08-043C: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

License plate SQL Injection

Wow, its been a while since I posted, I have been travelling all over the world over the last month or so, teaching my Oracle security class and also speaking at conferences and performing Oracle security audits. It's been a....[Read More]

Posted by Pete On 13/05/08 At 07:38 PM

Slides from OUG Scotland DBA SIG on Oracle Forensics available

I have posted the slides to my talk from yesterday at the OUG Scotland SIG to my Oracle Security white papers page . They are the first entries in the page. The talk was 45 minutes about Oracle Forensics. This....[Read More]

Posted by Pete On 01/05/08 At 02:23 PM

Conditionally firing triggers

I saw a post on the BAR Solutions blog today titled " Triggers… " that was very interesting as I have had the same issue in the past for different reasons. The blog post was around an issue where triggers....[Read More]

Posted by Pete On 01/05/08 At 01:22 PM

Lateral SQL Injection and Conferences and security training

I am writing this whilst sat on a train travelling at around 120mph between York and Darlington, this is probably my first blog entry written at speed! I saw that David had released his paper " Lateral SQL Injection: A....[Read More]

Posted by Pete On 30/04/08 At 08:26 AM

Slides from OUGN Norway and RISK 2008 Norway available

I was over in Norway this week and the Oracle User Group Norway (OUGN) asked me to speak at an evening user group meeting of theirs. This was a eally friendly group and it was a pleasure to speak there....[Read More]

Posted by Pete On 25/04/08 At 05:58 PM

Two remotely exploitable without authentication bugs to be fixed

Oracle's pre-patch advisory note for the next Critical Patch Update (CPU) due this Tuesday (15th) states that there are 17 new security fixes for the database, two for Apex and two of which are remotely exploitable without authentication. The advisory....[Read More]

Posted by Pete On 14/04/08 At 10:17 AM

Fine Grained network Access Control in 11g

I saw a post by Tim Hall on his blog recently that referenced a new article he had written about the new fine grained network access controls added in 11g. As this is an area I have also looked at....[Read More]

Posted by Pete On 08/04/08 At 10:25 AM

C code API to encapsulate OCI

If like me you code in C and use OCI instead of Pro*C then you will be interested in a library written by Vincent Rogier. I have looked at most C++ OCI libraries, and C libraries that encapsulate OCI in....[Read More]

Posted by Pete On 07/04/08 At 11:52 AM

Semi-finalist in the 2008 Ernst & Young New Jersey entrepreneur

Great news today! We have been selected as a semi-finalist Entrepreneur of the Year Program. This would be the third year in a row that we are part of this program. We’ll be attending a reception tonight.

Learn Oracle: Triggers

LewisC's An Expert's Guide To Oracle Technology

Today I will be writing about triggers. One of the questions I get fairly often is "what is the difference between a function, a procedure and a trigger?" I already wrote about functions and procedures in <a href="http://blogs.ittoolbox.com/oracle/guide/archives/learn-plsql-procedures-and-functions-13

PLING panel at WWW 2008

A PLING panel has been held at the WWW 2008 conference (Beijing 23-25 April), discussing policies and Policy-aware Web.

The list of panellists includes: Renato Iannella (Moderator), Piero Bonatti, Llana Kagal, Thomas Roessler.

The slides presented in this panel are now available online.

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

Crisis or Opportunity: leading through a down economy

I will be speaking tomorrow at the Corporate Executive Board Conferences – Customize or Standardize? Making the Right IT Choices with Scarce Resources. I am particularly excited about the speaking engagement as I will be at the same conference — in fact it will be meeting with — Dr. Alan Greenspan. As part of my [...]

A Complete Newbie’s Guide to Choosing a Database

LewisC's An Expert's Guide To Oracle Technology

Welcome to newbie Monday. Today's topic is choosing your database. Choosing a database for your business has some commonalities with choosing a database as a new developer or DBA. There are also differences though. Here are a few guidelines to getting started. This is not a complete guide but it is meant as a starting place.

If you are already an Oracle shop, or DB2 shop, or w

Biometrics: State Of The Art And Future Implications

Biometrics has matured to the point where several technologies have been internationally standardized and incorporated into major international and national identity verification implementations across both the public and private sectors. Because these biometrics technologies are being incorporated into mainstream government to citizen (G2C) and business to consumer (B2C) identification processes, broader adoption of these technologies can be accomplished more quickly and at lower cost than was previously possible. The prospect of biometrics becoming the principle consumer and citizen identification method through incorporation into government and commercial credentials is now close enough for CISOs to begin active consideration for adopting them in their enterprise business processes.

A new version of the Oracle password cracker woraauthbf is available

The Oracle password cracker woraauthbf written by Laszlo Toth has been updated and released as a new version 0.21R2 (The R2) is the new part, so even if you are running version 0.21 then please download the new release. The....[Read More]

Posted by Pete On 31/03/08 At 10:33 AM

Oracle Street Talk

I guess there are people who don’t know about Oracle or Larry Ellison. Shocking! I guess life down under is just that.

In Licensing loopholes in Microsoft Windows XP

So Dell and HP are offering XP instead of Vista. Even with all the tweaks Microsoft has made to desktop operating system — making it more intuitive, more secure and just generally having cool stuff — means that you need more memory and faster graphics. Meanwhile, Windows XP users are getting a surprise. Computer makers — [...]

Cloudy software licensing issues

Cloud computing — also known as grid computing (or you just call it on-demand computing) has been making headway in the press lately. Aside from publications that stem from security to data privacy, there is a whole host of complex licensing and compliance issues that need to be addressed. For example, in the world of [...]