Oracle Unbreakable == Oxymoron

  And I ask once again… why do people run Oracle?


Designing for Security

I just finished reading this article on NoSQL security. It raised a couple of concerns: 1. Systems require security. Hard stop. No ifs, ands, or buts about it. Designing security from the start is a hard task. At Microsoft there are several practices and resources we use to design and evaluate security. These have been…


Forgot Your Password?

I’ve seen three basic patterns for handling forgotten web site passwords:

1. Send a change password link to the email address on file
2. Ask one or more challenge questions (or personal information) to unlock the change password screen
3. Send the password, in plain text, to the email address on file

There are different variations of these…


Oy vey – Poor Security Habits Highlighted Again

The March 2011 issue of Database Trends and Applications has an article that highlights the results of a new survey of DBAs and DBA Managers that reveals complacency results in lax oversight of sensitive information. You can read the article here. While every aspect of the research finding is disturbing, what I found most…

Zero Tolerance for Ignorance, Laziness and Unprofessionalism

How many databases in the world do you think are storing your personal information? Tens? Hundreds? Thousands? I have no clue what the answer is but my guess is it’s closer to thousands than tens. Why is this an interesting question? In my line of work I speak with lots of DBAs and I’m absolutely…


Guarding Against SQL Injection

Securing the database is only part of the security equation, a very important part, but still not the entire picture. DBAs need to educate their developer counterparts on developing secure applications which access the data tier. I would go as far as to put in place a security review process for any application that accesses…


Oracle Warns of Critical DB Server Vulnerabilities

Excerpt: The database server giant plans to issue patches for at least 41 vulnerabilities. "Two of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password," the company warned. I fail to understand why the Oracle community puts up with this.