Re: Question re security

  • From: Hans Forbrich <fuzzy.graybeard@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 15 Jan 2014 07:37:16 -0700

On 15/01/2014 3:58 AM, Nuno Souto wrote:
> Strange audit requirements... Are you sure the auditors had a vague notion what a network connection between an app server and a db server does and how it works? Our auditors haven't got a clue, so we just ignore ANY of their recommendations on the subject. They are the kind that "tut-tut" at select access on ALL_TABLES given to PUBLIC. Mostly because they trust blindly the output of "security check" scripts they have been sold by "experts" who hadn't a clue in the first place...

What I am sure of wrt auditor knowledge is that the auditors can fail the organization if their recommendations are not followed, and that can get the org tossed from the NYSE/TSE and other exchanges. In such a situation, DBAs with attitude are expendable.

But in this case, the organization has a legit reason for keeping and analyzing the network traffic logs. I don't agree with the way they did it, nor do I agree in general with the architecture the vendor has chosen, but that is - according to the principal consultant - irrelevant.
