Category:OWASP Oracle Project

About
The OWASP Oracle Project's goal is to enable administrators and developers who use Oracle databases, frameworks or tooling to build secure applications efficiently.

Joining the Project
Marinus J. Kuivenhoven leads the project. The project's high-level roadmap can be found at the OWASP Oracle Project Roadmap. Remember to add the tag: to the end of new articles so that they are properly categorised.
 * Please submit your ideas for individual articles to the Oracle Project Article Wishlist.
 * If you'd like to contribute:
 * 1) visit the Tutorial,
 * 2) join the mailing list,
 * 3) and pick a topic from the OWASP Oracle Table of Contents, or suggest a new topic.

=Oracle Security Overview=

Why Oracle Security?

 * Architects
 * With Oracle now supporting a grid computing architecture, the security boundary has spread from one machine to several. Every additional node, interconnect and shared service is attack surface that has to be designed, configured and monitored, which increases the chance that a vulnerability is introduced somewhere.


 * Administrators
 * Oracle is not the fastest at releasing patches, and because most systems are complex, DBAs often delay applying them as well, since they do not want to break a running application. Oracle also enables a large number of features by default; if you do not know what they do and which ones you really need, you can end up with more vulnerabilities than you can handle. A DBA simply needs to understand who is accessing the database and how.
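As an added example of the two checks the point above asks for (this is illustrative SQL written for this page, not a script from the OWASP Oracle Project), the queries below show who is currently connected and from where, which accounts are open, and one of the "enabled by default" surprises: execute privilege on the network and file packages granted to PUBLIC. They read the standard SYS views, so they need a DBA role or explicit SELECT on the underlying V_$ and DBA_ views; the LIKE patterns are an assumed starting list, not a complete inventory.

```sql
-- Who is connected right now, from which host and with which client program.
-- TYPE = 'USER' filters out Oracle's own background processes.
SELECT username, osuser, machine, program, module, logon_time
  FROM v$session
 WHERE type = 'USER'
 ORDER BY logon_time;

-- Every account that can log in. Compare this list with what the
-- application actually needs; anything else should be locked or dropped.
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- Privileges every user inherits through PUBLIC on SYS packages that reach
-- the network or the file system. Each row is a default you should be able
-- to justify, or revoke from PUBLIC and grant only to the schemas that need it.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND (table_name LIKE 'UTL\_%' ESCAPE '\'
        OR table_name LIKE 'DBMS\_%' ESCAPE '\')
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'DBMS_LOB', 'DBMS_JAVA')
 ORDER BY table_name;

-- Example remediation for one of them (assumed decision, run as SYS):
-- REVOKE EXECUTE ON utl_tcp FROM PUBLIC;
-- GRANT EXECUTE ON utl_tcp TO app_owner;
```

Run the first query periodically, or turn on session auditing, and you quickly learn which programs and hosts are normal for your database; unexpected SQL*Plus sessions from a desktop machine under an application account are exactly the kind of access a DBA should be able to explain.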


 * Developers
 * Legacy frameworks like Oracle Designer and Oracle Forms make it easy to introduce SQL injection, because building statements by string concatenation is the natural way to write dynamic SQL in them, and this applies even in a non-web-based environment. The newer frameworks (like ADF and Application Express) are great at making it easy to develop database-oriented applications, but they are meta-frameworks, which makes understanding what is going on at a lower level virtually impossible for most developers.
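As an added illustration (not code from the OWASP Oracle Project), the PL/SQL below shows the concatenated dynamic-SQL pattern that Forms-era and hand-written PL/SQL code tends to produce, next to the bind-variable and static-SQL forms that close the hole. The APP_USERS table, its two rows and the procedure names are constructed for this example; the injected argument in the last block is the classic tautology, and no web tier is involved at all.

```sql
-- Constructed sample schema for the example.
CREATE TABLE app_users (username VARCHAR2(30), email VARCHAR2(100));
INSERT INTO app_users VALUES ('alice', 'alice@example.com');
INSERT INTO app_users VALUES ('bob',   'bob@example.com');
COMMIT;

-- VULNERABLE: the caller-supplied value becomes part of the statement text.
-- Whoever controls p_name controls the WHERE clause.
CREATE OR REPLACE PROCEDURE list_emails_unsafe (p_name IN VARCHAR2) IS
  l_cur   SYS_REFCURSOR;
  l_email app_users.email%TYPE;
BEGIN
  OPEN l_cur FOR
    'SELECT email FROM app_users WHERE username = ''' || p_name || '''';
  LOOP
    FETCH l_cur INTO l_email;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_email);
  END LOOP;
  CLOSE l_cur;
END;
/

-- HARDENED: the value travels as a bind variable and can never change the
-- statement's structure. If dynamic SQL is not needed at all, the static
-- form in list_emails_static is simpler still and is parsed once.
CREATE OR REPLACE PROCEDURE list_emails_safe (p_name IN VARCHAR2) IS
  l_cur   SYS_REFCURSOR;
  l_email app_users.email%TYPE;
BEGIN
  OPEN l_cur FOR
    'SELECT email FROM app_users WHERE username = :name' USING p_name;
  LOOP
    FETCH l_cur INTO l_email;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_email);
  END LOOP;
  CLOSE l_cur;
END;
/

CREATE OR REPLACE PROCEDURE list_emails_static (p_name IN VARCHAR2) IS
BEGIN
  FOR r IN (SELECT email FROM app_users WHERE username = p_name) LOOP
    DBMS_OUTPUT.PUT_LINE(r.email);
  END LOOP;
END;
/

SET SERVEROUTPUT ON
BEGIN
  list_emails_unsafe('alice');              -- prints alice@example.com
  list_emails_unsafe('x'' OR ''1''=''1');   -- WHERE username = 'x' OR '1'='1': prints both rows
  list_emails_safe('x'' OR ''1''=''1');     -- compares the literal string: prints nothing
  list_emails_static('x'' OR ''1''=''1');   -- prints nothing
END;
/
```

Bind variables cover values; when an identifier such as a table or column name genuinely has to be dynamic, it cannot be bound, and the value should be validated with DBMS_ASSERT (for example DBMS_ASSERT.SIMPLE_SQL_NAME) before it is concatenated.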


 * Deployers
 * Since most DBAs are now, unintentionally, also web and application-server administrators, their knowledge of those layers is small and one-sided.


 * Testers
 * Even though the old Oracle products are well known and the newer ones are J2EE-based, their possibilities are not that well documented, so finding vulnerabilities will be a lot harder for most testers than in, say, a .NET environment.