Re: Will CIS Oracle 11g security remediations break shrinkwrapped apps? Gotchas, lessons learned, and remediation methodologies

  • From: dnrg <dananrg@xxxxxxxxx>
  • To: oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 19 Apr 2012 07:54:04 -0700 (PDT)

Thanks Paul, Don, and Pete. Great stuff. Definitely helps. Lots to absorb. More 
than I can intelligently respond to. We're not supposed to post pure Thank You 
messages so I'll add a few comments. And also ask if anyone else would like to 
contribute to the great content that's already been posted. Would love to hear 
about others' experiences who've been tasked with remediation.

@Paul:
> [...] Imagine if besides end of year code that is only used say once of year, 
> that report writers are used that allow app users to generate reports on the 
> fly.
> Imagine if statements are assembled and parsed using execute immediate where 
> no dependency checking is possible.

Good points.

@Don:
> [...] most third-party vendors (understandably) don't really want to actually 
> review and remediate all the potential security-related issues for their 
> software. There are tradeoffs between usability and security, so many simply 
> insist on over-privilege rather than suffer the increased support calls from 
> people who are having usability issues.

Never thought of it this way. That explains a lot. I will forgive but not 
forget. :-)

@Pete:
> the biggest area is security design that should have been done day one.

That says a lot.

Thanks again for the thoughtful replies.

Dana
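The kind of check Paul's point about execute immediate implies, added here as an example and not code from the thread. It assumes a placeholder schema APP_OWNER and uses Oracle's DBA_DEPENDENCIES, DBA_OBJECTS and DBA_SOURCE views; the third query is a text search, so it only approximates where dynamic SQL lives.

```sql
-- Constructed example (not from the thread). Placeholder schema: APP_OWNER.
-- Before revoking privileges, list what the application's stored code
-- references in OTHER schemas. Only static SQL shows up here.
SELECT d.name, d.type, d.referenced_owner, d.referenced_name, d.referenced_type
FROM   dba_dependencies d
WHERE  d.owner = 'APP_OWNER'
AND    d.referenced_owner NOT IN ('APP_OWNER', 'PUBLIC')
ORDER  BY d.referenced_owner, d.referenced_name, d.name;

-- After a remediation step, objects whose static dependencies lost a
-- privilege are marked INVALID, so this is the first thing to re-check.
SELECT o.owner, o.object_name, o.object_type
FROM   dba_objects o
WHERE  o.owner = 'APP_OWNER'
AND    o.status = 'INVALID'
ORDER  BY o.object_type, o.object_name;

-- Code that assembles SQL at run time records NO dependency rows and stays
-- VALID, so a revoked grant only surfaces as a run-time error (for example
-- ORA-00942 or ORA-01031). Flag such code for manual review and testing.
SELECT s.name, s.type, s.line, s.text
FROM   dba_source s
WHERE  s.owner = 'APP_OWNER'
AND    REGEXP_LIKE(s.text, 'EXECUTE\s+IMMEDIATE|DBMS_SQL\.(PARSE|EXECUTE)', 'i')
ORDER  BY s.name, s.type, s.line;
```

The third result set is the list Paul is describing: nothing in the data dictionary will tell you which grants those statements need, so they have to be exercised in a test run (end-of-year jobs and ad hoc report writers included) before the revoke goes to production.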
--
//www.freelists.org/webpage/oracle-l