Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements

  • From: Michael Wehrle <michaelw436@xxxxxxxxx>
  • To: Jared Still <jkstill@xxxxxxxxx>
  • Date: Wed, 4 May 2011 21:28:00 -0400

Jared, sorry about the link. It looks like they have since moved the Oracle
By Example series into an Apex site that uses Single Sign On. Go to
www.oracle.com/technetwork/tutorials/index.html, then click on the link at
the bottom to access the "learning library". Once you have logged in, you
can search for "Using Transparent Data Encryption for Database 10g Release 2".

As far as the patch, it was a one-off for my previous employer. And it took
lots of support calls, involving VP level and above, finally involving some
backline engineers to fix the problem. I am not sure what they would do if
you asked for the same patch, since it's not publicly searchable. It never
hurts to ask about it though, since it's truly a security issue for everyone,
that is not easily worked around.


On Wed, May 4, 2011 at 2:48 PM, Jared Still <jkstill@xxxxxxxxx> wrote:

> On Tue, May 3, 2011 at 11:42 AM, Michael Wehrle <michaelw436@xxxxxxxxx> wrote:
>
>> Jared, I had this issue (possibly similar) a few years back on a 10.2.0
>> database, and Oracle actually provided a patch for it. See my writeup about
>> it here
>> iamsys.wordpress.com/2010/03/16/how-to-protect-sensitive-bind-data-in-redo-logs/,
>> and if you have any more questions, I will be glad to TRY to remember them,
>> as it was a few years ago.
>>
>>
> Thanks Michael.
>
> The test case referenced in your blog is no longer a valid URL.
> Do you know where to find it now?
>
> Also, the patch number referenced is not even found in MOS, leading
> me to believe it was a one-off patch for you or your customer.
>
> Do you have any more info on where to find this in MOS?
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>
>
>
