Re: Security Question - how do you deal with sensitive information hardcoded in SQL statements

  • From: Michael Wehrle <michaelw436@xxxxxxxxx>
  • To: Jared Still <jkstill@xxxxxxxxx>
  • Date: Thu, 5 May 2011 15:00:19 -0400

Jared, I have not tested this issue in 11g. I agree, that it should have
been identified as a bug, once Oracle decided to give us a one-off patch.
Its possible that it was quietly fixed in the latest versions.

On Thu, May 5, 2011 at 11:06 AM, Jared Still <jkstill@xxxxxxxxx> wrote:

> On Wed, May 4, 2011 at 6:28 PM, Michael Wehrle <michaelw436@xxxxxxxxx>wrote:
>
>> Jared, sorry about the link. It looks like they have since moved the
>> Oracle By Example series into an Apex site that uses Single Sign On. Go to
>> www.oracle.com/technetwork/tutorials/index.html, then click on the link
>> at the bottom to access the "learning library". Once you have logged in, you
>> can search for "Using Transparent Data Encryption for Database 10g
>> Release 2".
>>
>>
> Thanks, I will look for that.
>
>
>> As far as the patch, it was a one-off for my previous employer. And it
>> took lots of support calls, involving VP level and above, finally involving
>> some backline engineers to fix the problem. I am not sure what they would do
>> if you asked for the same patch, since its not publicly searchable. It never
>> hurts to ask about it though, since its truly a security issue for everyone,
>> that is not easily worked around.
>>
>>
> Have you tried this in 11g?
>
> It seems to me that failure to encrypt the data in AWR is a bug.
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>

Other related posts: