PL/SQL Secure Coding

© copyright Oraclewizard.com, Inc 2016

Post on 06-May-2020


Page 2

Important Terms

Exploit: Take advantage of a flaw or feature.

SQL Injection: Change a SQL statement so it executes code that was not intended. Think: change the code execution path.

Hack: Anything can be hacked. Do something it was not intended to do or something you did not think it could do.

Spillage: Sensitive data has “spilled” outside its protected environment. It may not be compromised.

Leak: Sensitive data has spilled outside its protected environment. It has been compromised.

Page 3

Brain Hacking Demo

Anything can be hacked. Hacking is getting something to do what it was not intended to do or something you did not think it could do.

“Young man, success comes in can, failure comes in can’t.” Adm. Grace Hopper to a young Robert Lockard, 1978.

Page 4

PL/SQL Secure Coding

Page 5

PL/SQL Secure Coding

Page 6

Four things a Developer can do now

4 things developers can do now to improve security… in process…

Rights (Invoker / Definer)

Identify all dynamic SQL and PL/SQL

Code Reviews

ACCESSIBLE BY

Assign a role to a package / procedure / function

Put everything in packages

Split up your packages: sensitive, non-sensitive, helper

Oooopsy, I lied, there are more than 4 things. :-)

Bind variables rock

Error messages

DBMS_ASSERT
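As an added example (not from the slides) for the “identify all dynamic SQL”, “bind variables” and DBMS_ASSERT items: a function that concatenates its input into a statement, next to a hardened form that binds the value and validates the one identifier that genuinely must be concatenated. The orders_demo table, its columns and the function names are constructed for illustration.

```sql
-- Added example, not from the slides. orders_demo and the function names
-- are assumptions; run in any schema that may create tables and functions.
CREATE TABLE orders_demo (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(20) NOT NULL
);

-- Vulnerable form: the caller's text becomes part of the statement, so a
-- quote character in p_status changes the SQL that runs, not just the value.
CREATE OR REPLACE FUNCTION count_by_status_unsafe(p_status IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders_demo WHERE status = ''' || p_status || ''''
    INTO l_count;
  RETURN l_count;
END count_by_status_unsafe;
/

-- Hardened form: the value travels as a bind variable, so it can only ever be
-- compared. ORDER BY cannot be bound (ORDER BY :1 sorts by a constant), so the
-- sort column is the one piece that must be concatenated; DBMS_ASSERT raises
-- ORA-44003 unless it is a plain or double-quoted identifier.
CREATE OR REPLACE FUNCTION orders_by_status(p_status   IN VARCHAR2,
                                            p_sort_col IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  l_cur SYS_REFCURSOR;
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT order_id, status FROM orders_demo WHERE status = :1'
        || ' ORDER BY ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_sort_col);
  OPEN l_cur FOR l_sql USING p_status;
  RETURN l_cur;
END orders_by_status;
/
```

A quoted name that passes SIMPLE_SQL_NAME is still only an identifier to the SQL parser, so an unknown column fails with ORA-00904 rather than altering the statement.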

Page 7

Error Messages

Page 8

Error Messages

Page 9

SQL Injection

Page 10

SQL Injection

Diagram labels: SQL Injection / Bad Input; Strongly Typed API; IDS (Snort); Database Firewall

Page 11

Separate your data from your code

Diagram labels: APP; App sensitive package; Sensitive Tables; non sensitive package; non sensitive tables; SQL INJECTION BUG

Page 12

Limit the number of ways to get to your sensitive data. Trusted Path

Diagram labels: APP Schema; Sensitive Tables; Your Functions, Procedures and Packages; Non-Sensitive Tables

Page 13

Limit the number of ways to get to your sensitive data. Trusted Path

Diagram labels: Sensitive Table; Your Functions, Procedures and Packages; API (Select, Update, Insert, Delete)

Use Strongly Typed API

Page 14

Limit the number of ways to get to your sensitive data. Trusted Path

Diagram labels: Database Objects Schema; API Schema; Application Schema; Sensitive Tables; Your Packages; API (Select, Update, Insert, Delete); Non-Sensitive Tables

Page 15

Limit the number of ways to get to your sensitive data. Trusted Path

Diagram labels: Database Objects Schema; API Schema; Application Schema; Sensitive Tables; Sensitive API; Sensitive Package; Non-Sensitive Tables; Non-Sensitive API; Non-Sensitive Package

Page 16

Separate your data from your code

Diagram labels: App objects (APP); App sensitive package; Sensitive Tables; sensitive select role; API; sensitive select API; grant select to role; grant execute to APP; non sensitive package; SQL INJECTION BUG

Page 17

Separate your data from your code

Diagram labels: App objects (APP); App sensitive package; Sensitive Tables; sensitive select role; API; sensitive select API; accessible by; grant select to role; grant role to package; non sensitive package; X

Does not have connect privs
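The trusted path drawn on pages 16 and 17, written out as an added example that is not from the slides: SELECT on the sensitive table goes to a role, the role goes to a definer-rights package in an API schema that has no connect privilege, ACCESSIBLE BY limits who may call it, and APP only receives EXECUTE. All schema, table, package and role names are assumptions; it needs Oracle 12c or later and a DBA session.

```sql
-- Added example, not from the slides. All names are assumptions; run as a DBA
-- on Oracle 12c or later (GRANT ... TO PACKAGE and ACCESSIBLE BY are 12c).

-- 1. Schemas. api_owner never receives CREATE SESSION: nobody can log in as it.
CREATE USER data_owner IDENTIFIED BY "Ch4nge_Me_1" QUOTA 10M ON users;
CREATE USER api_owner  IDENTIFIED BY "Ch4nge_Me_2";
CREATE USER app        IDENTIFIED BY "Ch4nge_Me_3";
GRANT CREATE SESSION TO app;

-- 2. The sensitive table lives with the data owner, not with the application.
CREATE TABLE data_owner.customers (
  customer_id NUMBER PRIMARY KEY,
  email       VARCHAR2(320) NOT NULL,
  ssn         VARCHAR2(11)
);

-- 3. A role that may read the table. No user is ever granted this role.
CREATE ROLE sensitive_select_role;
GRANT SELECT ON data_owner.customers TO sensitive_select_role;

-- 4. Definer-rights API; only the (assumed) package app.customer_pkg may call it.
CREATE OR REPLACE PACKAGE api_owner.customer_api
  AUTHID DEFINER
  ACCESSIBLE BY (PACKAGE app.customer_pkg)
AS
  FUNCTION get_email(p_customer_id IN NUMBER) RETURN VARCHAR2;
END customer_api;
/

-- 5. Grant the role to the package (code based access control) before the
--    body compiles, so its static SQL against data_owner.customers resolves.
GRANT sensitive_select_role TO PACKAGE api_owner.customer_api;

CREATE OR REPLACE PACKAGE BODY api_owner.customer_api AS
  FUNCTION get_email(p_customer_id IN NUMBER) RETURN VARCHAR2 IS
    l_email data_owner.customers.email%TYPE;
  BEGIN
    -- Static SQL with a strongly typed parameter: nothing to inject into.
    SELECT email INTO l_email
      FROM data_owner.customers
     WHERE customer_id = p_customer_id;
    RETURN l_email;
  END get_email;
END customer_api;
/

-- 6. APP gets EXECUTE only; it holds no privilege on the table itself.
GRANT EXECUTE ON api_owner.customer_api TO app;
```

A SQL injection bug in APP's non-sensitive code runs with APP's privileges, which include no path to data_owner.customers except through get_email and its fixed statement.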

Page 18

Resources

http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

https://docs.google.com/spreadsheets/d/1Dvl_CbX2b0NGFzE2gVLQb1-Nc6litfpGtoTB9iytWfM/edit?usp=sharing

YouTube search for “May 2016 CodeTalk: Securing PL/SQL Code From Attacks”

Google search for “sql injection proof pl/sql”

Page 19

Contact Information

email: [email protected]

@YourNavionPilot

blog: www.oraclewizard.com

youtube: www.youtube.com/user/n4281k

Robert P. Lockard, Oraclewizard, Inc., Hubzone Certified Small Veteran Owned Business, Glen Burnie, MD, USA