Workshop: SECURE CODING IN PL/SQL & HARDENING AND SECURING ORACLE
(PETE FINNIGAN)


Tuesday, 26-11-2019 and Wednesday, 27-11-2019, Ljubljana

 

When and where?
Workshop is organized as a part of INFOSEK Conference and takes place from Tuesday, 26th November 2019, to Wednesday, 27th November 2019, 9.00-17.00, at Bankart (Celovška cesta 150, Ljubljana). 

Trainer:
Pete Finnigan, Pete Finnigan Ltd., Oracle security expert

DAY 1 (26-11-2019): SECURE CODING IN PL/SQL

Course Description
This course teaches delegates about the common security issues found in PL/SQL code, which is typically written by developers without experience of database security. The course first places PL/SQL in the context of the wider problem of securing data and then looks at all of the common types of issue that make PL/SQL code vulnerable. Each type of coding issue is demonstrated so that delegates can see what vulnerable code looks like; sample exploitations then show how an attacker actually abuses the code, and for each example the code is rewritten to show how it can be made secure. Common issues include SQL and PL/SQL injection and the design issues that allow it to happen. The course also looks at encryption, leakage of critical data, dangerous functions and the use of incorrect privileges, and considers how to protect your PL/SQL code to make it harder for an attacker to steal it or run it out of context.

Course Goals
The aim of the course is for the students to get an appreciation of how insecure PL/SQL coding can allow an attacker to steal data or abuse privilege.

The course is instructor-led with demonstrations.

Course Pre-Requisites
Delegates must have a good working knowledge of PL/SQL, ideally as a developer or DBA, to get the most from the content.
The class is intended for DBAs and developers who can write PL/SQL. The explanation of the vulnerabilities is at an intermediate level, but any developer who can write PL/SQL can follow the secure coding practices.

Course Material
The student will receive a URL to download a zip file that includes:

  • The course notes as PDF files
  • Free PL/SQL tools and scripts
  • All of the examples used as SQL and PL/SQL scripts

Course Outline

  • Data Theft

o This lesson covers why data can be stolen, or privileges escalated, in a database, focusing on privileges assigned to PL/SQL, bad programming practices and leakage of data.
o This section is an overview that lets the student see how PL/SQL fits into the security model intended to protect data.

  • Permissions

o We cover permissions of packages and procedures
o Design decisions that affect security
o PL/SQL used as part of a security solution such as VPD or encryption

  • Coding Errors

o This section introduces the common PL/SQL security programming issues. For each one it shows the vulnerable code and its exploitation, then the secure coding practice and the fixed code. These include:
- Input validation
- Object validation
- Open interfaces
- SQL and PL/SQL and Other Injection issues
- File and external access
- Operating system commands
- Vulnerable and dangerous package use
- More

  • Dynamic SQL best practices
  • Encryption

o Discusses encryption in the database and shows examples of weaknesses in code design, encryption key handling and more
o Also highlights the methods an attacker can use to steal encrypted data or decrypt it in situ

  • Protecting PL/SQL

o This section discusses techniques to lock down PL/SQL in terms of:
- Preventing loss of intellectual property (IPR)
- Preventing unauthorised execution, both in the host database and if the code is removed from it
- Licence-type features
- Wrapping and unwrapping

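The injection and privilege issues the outline lists, shown end to end as an added example (this is not code from the course materials or from Pete Finnigan Ltd.): a definer-rights procedure that concatenates its input into dynamic SQL, the input an attacker would pass to it, and the hardened rewrite using invoker rights, static SQL and DBMS_ASSERT. The APP schema, its two tables, the procedure names and the UNION payload are all constructed for the illustration.

```sql
-- Added example; not part of the course materials. Schema APP, the tables and
-- the procedures are hypothetical and exist only to show the pattern.
CREATE TABLE app.customers (id NUMBER, name VARCHAR2(100), email VARCHAR2(100));
CREATE TABLE app.secrets   (id NUMBER, card_no VARCHAR2(30), note VARCHAR2(100));

-- VULNERABLE. Definer rights (the default), so it runs as APP whoever calls it,
-- and the caller's input is concatenated straight into the statement text.
CREATE OR REPLACE PROCEDURE app.find_customer(p_name IN VARCHAR2) AS
  l_cur  SYS_REFCURSOR;
  l_id   NUMBER;
  l_name VARCHAR2(4000);
  l_mail VARCHAR2(4000);
BEGIN
  OPEN l_cur FOR 'SELECT id, name, email FROM app.customers WHERE name = '''
                 || p_name || '''';
  LOOP
    FETCH l_cur INTO l_id, l_name, l_mail;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_id || ' ' || l_name || ' ' || l_mail);
  END LOOP;
  CLOSE l_cur;
END;
/

-- Attack. A caller that only has EXECUTE on the procedure closes the string
-- literal, appends a UNION that pulls card numbers into the same three-column
-- shape, and comments out the trailing quote. The statement that actually runs is
--   SELECT id, name, email FROM app.customers WHERE name = 'x'
--   UNION SELECT id, card_no, note FROM app.secrets --'
-- and it reads APP.SECRETS with APP's privileges, not the caller's.
BEGIN
  app.find_customer('x'' UNION SELECT id, card_no, note FROM app.secrets --');
END;
/

-- HARDENED. Invoker rights so the code runs with the caller's own privileges,
-- and static SQL because the statement does not need to vary: p_name is passed
-- as a bind value and can never change the shape of the statement.
CREATE OR REPLACE PROCEDURE app.find_customer(p_name IN VARCHAR2)
  AUTHID CURRENT_USER AS
BEGIN
  FOR r IN (SELECT id, name, email FROM app.customers WHERE name = p_name) LOOP
    DBMS_OUTPUT.PUT_LINE(r.id || ' ' || r.name || ' ' || r.email);
  END LOOP;
END;
/

-- When an identifier really has to be dynamic (hypothetical helper), pass it
-- through DBMS_ASSERT so only a syntactically legal, quoted object name can reach
-- the statement, and still bind every data value.
CREATE OR REPLACE FUNCTION app.count_by_name(p_table IN VARCHAR2, p_name IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
      || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table))
      || ' WHERE name = :1'
    INTO l_cnt USING p_name;
  RETURN l_cnt;
END;
/
```

Re-running the attack input against the hardened procedure returns no rows, because the whole string is now compared as a customer name; passing it as p_table to count_by_name is rejected by DBMS_ASSERT with ORA-44003 (invalid SQL name) before any statement is built. The AUTHID change also means a caller who has EXECUTE on the procedure but no SELECT on APP.CUSTOMERS gets an error rather than APP's data, which is the least-privilege behaviour the Permissions lesson is about.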
 

DAY 2 (27-11-2019): HARDENING AND SECURING ORACLE


Course Description
This course is a one-day seminar that teaches delegates how to apply simple yet cost-effective security measures where appropriate in their databases, with a single goal: to reduce the risk of attack, misuse and abuse of the data held in their Oracle databases. The class starts with a detailed penetration test of our sample database and its applications, showing how the database platform itself can be attacked and how data in the database can be stolen or accessed. The day goes on to harden the database in detail with plenty of practical examples, and finishes with a re-test of the attacks to show how much more secure the database has become.

Course Goals
Most databases are unfortunately designed with a greater focus on performance, functionality and availability, with security the poorer cousin. If you are charged with designing, building or managing an Oracle database then you must consider what the risks are to the security and validity of “your data”. This class focuses on the structured hardening and lock-down of key data and key activities in your databases, with free tools and examples to help you improve your skills in securing data in an Oracle database.

The course is instructor-led with demonstrations.

Course Pre-Requisites
The class is intended for DBAs and security professionals, who will appreciate the techniques used to lock down and secure the database. Developers will also appreciate some of the code-based techniques used in context-based security.

Course Material
The student will receive a URL to download a zip file that includes:

  • The course notes as PDF files
  • Free PL/SQL tools and scripts
  • All of the examples used as SQL and PL/SQL scripts

Course Outline

  • Introduction

o Where does lock down fit in the data security process

  • Attack and Defence

o Penetration testing of the database and applications

o Review design choices and consequences

o Review data leakage and consequences

o Analyse the results and Audit trails

  • Hardening The Operating System and Network

o What is hardening

o Operating system hardening

- Defaults, clean up, lock down, permissions

o Network hardening

- Defaults, listener

  • Patching and Hardening the Database

o Database Security patches and hardening

o Setting parameters

o Controlling privileges on code and objects

o Default users and functionality

  • User based Security

o User Analysis and account security

o Profile design

o Privilege analysis, separation and duplication

o DBA roles and access

o Third party and developer access

  • Data and Context Based Security

o Data access privileges

o Account provisioning

o Resource Access

o Context based security and Break glass

  • Strong Audit Solutions

o Audit Levels and design

o Policy Based database Audit

o PFCLATK a toolkit

  • Finishing Up

o The journey today

o Hacking the demo system again

o Review

o Is it secure?

o Do we detect attacks?

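As an added illustration of the hardening areas the outline lists (not the course's own scripts, and not part of the PFCLATK toolkit), the following SQL, run as a DBA on a 12c or later database, applies one representative control from each area: a password profile, privilege and default-account analysis, revoking PUBLIC execute on packages that reach the file system and network, security parameters, and a unified audit policy together with the query used to confirm it is recording. The profile name, policy name and the chosen limits are assumptions for the example and should be tuned to the benchmark you follow.

```sql
-- Added example; not from the course materials. Run as a DBA (12c or later).
-- Profile name, policy name and limits are illustrative choices.

-- 1. Profile design: lock after repeated failures, expire passwords, enforce
--    complexity (ORA12C_STRONG_VERIFY_FUNCTION ships with 12c).
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;

-- 2. Privilege analysis: who holds DBA, and which non-Oracle accounts or roles
--    hold catch-all "ANY" system privileges or can grant them onwards.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';

SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%' OR admin_option = 'YES')
   AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y'
                       UNION ALL
                       SELECT role     FROM dba_roles WHERE oracle_maintained = 'Y')
 ORDER BY grantee, privilege;

-- 3. Default users: accounts still on a default password, and Oracle-supplied
--    accounts left open that the application does not use.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN' AND oracle_maintained = 'Y'
 ORDER BY username;
-- Lock each account the application does not need, e.g.
-- ALTER USER <unused_account> ACCOUNT LOCK;

-- 4. Controlling privileges on code: find, then remove, PUBLIC execute on
--    packages that reach the OS and the network; grant them to named accounts
--    that genuinely need them instead.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP');

REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp FROM PUBLIC;

-- 5. Setting parameters: drop a connection after 3 failed logins, audit SYS,
--    and keep SYS-owned dictionary objects out of reach of ANY privileges.
ALTER SYSTEM SET sec_max_failed_login_attempts = 3 SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;

-- 6. Strong audit: a unified audit policy for the actions a privilege-escalation
--    attack on a hardened system still has to perform, enabled for all users.
CREATE AUDIT POLICY privesc_watch
  PRIVILEGES grant any privilege, grant any role, alter user
  ACTIONS    create user, drop user, grant, revoke, alter system;
AUDIT POLICY privesc_watch;

-- Check that the policy exists and, after the re-test, that it caught the attack.
SELECT audit_option, audit_option_type
  FROM audit_unified_policies
 WHERE policy_name = 'PRIVESC_WATCH';

SELECT event_timestamp, dbusername, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PRIVESC_WATCH%'
 ORDER BY event_timestamp DESC;
```

Revoking PUBLIC grants invalidates dependent code and can break applications that relied on them, so run the SELECT in step 4 first and re-grant to the specific owners that need each package. The parameters in step 5 take effect at the next restart because they are set in the SPFILE only.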
About the trainer:
This course is fast paced and very interesting and is delivered by one of the best-known experts in database security. Pete Finnigan created the SANS Oracle security step-by-step guide and the CIS Oracle benchmark, which is used by NIST, the US DoD and others as a reference for securing Oracle databases. Pete worked out the mechanisms Oracle uses to protect (wrap) PL/SQL and showed how easily they can be defeated at the Black Hat conference in Las Vegas in 2006. Pete has published multiple books on database security and regularly speaks and publishes papers. His company also produces PFCLObfuscate, a tool used to protect IPR in PL/SQL and Oracle databases.

Price:
EARLY BIRD: 997 € + VAT (until 20-11-2019)
Regular price: 1497 € + VAT

*Food and drink is included in the price.

SIGN-UP FOR THE WORKSHOP HERE.

 

27-29.11.2019
Nova Gorica

Take advantage of the 4% discount, valid only until Sunday!

1 day: 424 € (407 € with discount)
2 days: 600 € (576 € with discount)
3 days: 900 € (864 € with discount)
SIGN UP

The price applies to the INFOSEK, GDPR (ZVOP-2) and CIO FORUM conferences. Prices for the NLP conference and the workshops are fixed.
