Security Question - how do you deal with sensitive information hardcoded in SQL statements

From: Jared Still <jkstill@xxxxxxxxx>
To: Oracle-L Freelists <oracle-l@xxxxxxxxxxxxx>
Date: Mon, 2 May 2011 10:49:17 -0700

First, the assumption is that you are working with a 3rd party application,
and there
is nothing you can do to modify the SQL statements used by the app.

Nor are you able at this time to apply an extra cost option, such as ASO.

How do you deal with sensitive information that may be hardcoded into SQL
statements?

This kind of SQL presents all kinds of problems.

* statspack/AWR reports showing Top SQL
* queries for cached SQL
* execution plans.
* trace files
* probably many more I am not thinking of at the moment.

The problem arises when any sensitive information (SSN, CC#, etc) appears as
a
hardcoded value in a SQL statement, and the SQL in question is a subject of
current performance discussions, or troubleshooting of database and SQL
issues.

The SQL statements get sent to Oracle support as part of AWR or Statspack
reports,
execution plan analysis, trace files etc.

They can also inadvertently appear in emails, meetings and even
presentations.

How do you deal with this?
This issue has the potential for a fairly serious security breach.

TIA,

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Oracle Blog: http://jkstill.blogspot.com
Home Page: http://jaredstill.com

Follow-Ups:
- RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements
  - From: D'Hooge Freek
- RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements
  - From: Lange, Kevin G
- Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements
  - From: Jared Still

Other related posts:

» Security Question - how do you deal with sensitive information hardcoded in SQL statements - Jared Still
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- D'Hooge Freek
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- David Fitzjarrell
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Michael Moore
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- D'Hooge Freek
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Lange, Kevin G
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Stephane Faroult
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Kenneth Naim
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Jorgensen, Finn
» RE: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Kenneth Naim
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Wolfgang Breitling
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Jared Still
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Niall Litchfield
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Michael Wehrle
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Pavel
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Jared Still
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Michael Wehrle
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Jared Still
» Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements- Michael Wehrle