I am very much impressed by your profile and thank you very much for your desire to share knowledge.
Can you briefly outline simple guidelines to ensure that the security requirements are made a part of any Oracle upgrade plan? Please provide a brief checklist to be given to customers, so that the project managers/management doesn't overlook this aspect.
The question of implementing database security is complex. The security has to be looked into at the OS layer, network layer, database settings, the application code, application server layer and implementation with third party tools. Even for experts, they may not have a complete understanding of the other areas, other than their area of expertise. In such a scenario, how to prepare the project plan and implement the same? How to make the learning curve simple for all the interested parties, so that the overall objective is fulfilled?
The most important part about securing a new database or new application is to develop a security model very early in the development process (make sure it is part of the requirements gathering process) and adhere to it throughout development and deployment. There's relatively little that can be done to secure anything just before it is deployed when compared to what can be done if security is considered early in the project.
I've read one book on Oracle security and it has some good general pointers, though I don't think it was worth the high price. The book is "Oracle security: Step-by-step" by Pete Finnigan, published by SANS and available at https://store.sans.org/store_item.php?item=80.
There's another book by Marlene L. Theriault and Aaron Newman (both highly respected and knowledgeable people) from Oracle Press named "Oracle security handbook." I have not reviewed it and it was published in 2001, but most security principles do not "expire," so I would expect that this book will still have many good tips. It has received good reviews on Amazon: https://www.amazon.com/exec/obidos/tg/detail/-/0072133252/ref=cm_bg_d_5/002-1148334-4877611?v=glance.
From a high level perspective, security is always about risk. If you think that your system is impenetrable, think again. Someone else will always be building a better mousetrap. Database security should be reviewed periodically and any available updates or patches should be applied. I find it helpful to consult the Oracle security alerts section on OTN regularly at http://otn.oracle.com/deploy/security/alerts.htm (You can also subscribe to have them emailed to you at that URL.)