General
November 01, 2007
Connect It and The Hackers Will Come
The IPv4 address space is over 4 billion addresses (256*256*256*256, i.e., 2^32 = 4,294,967,296), but in reality only a small portion of it is actually meaningful. A very nice graphic representation is here and the original comic version is available here.
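To make the "only a small portion is meaningful" point concrete, here is an added example (not part of the original post) that sizes the IPv4 space correctly as 2^32, subtracts the special-use blocks that no Internet-facing scan or exposure map should count, and carves those blocks out of an arbitrary target range. The list of special-use networks is an assumption taken from the IANA special-use registry of the RFC 5735 era; it is not exhaustive of later additions such as 100.64.0.0/10.

```python
import ipaddress

# Special-use IPv4 blocks that an Internet exposure map should discount.
# Assumption for this example: the RFC 5735-era special-use list. These
# blocks do not overlap each other, so their sizes can simply be summed.
SPECIAL_USE = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "private (RFC 1918)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.2.0/24": "documentation (TEST-NET-1)",
    "192.168.0.0/16": "private (RFC 1918)",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved (includes 255.255.255.255)",
}
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_USE.items()]


def total_ipv4() -> int:
    """Size of the IPv4 space: 2**32 == 256**4 (255**4 undercounts by ~67 million)."""
    return 2 ** 32


def special_use_count() -> int:
    """Number of addresses inside the special-use blocks listed above."""
    return sum(net.num_addresses for net, _ in NETWORKS)


def classify(addr: str) -> str:
    """Label a single address, or 'public unicast' if it is in none of the blocks."""
    ip = ipaddress.ip_address(addr)
    for net, label in NETWORKS:
        if ip in net:
            return label
    return "public unicast"


def routable_subnets(cidr: str) -> list:
    """Remove every special-use block from a target range.

    Returns the remaining pieces as a sorted list of CIDR strings. CIDR blocks
    either nest or are disjoint, so each piece is dropped (if it lies entirely
    inside a special-use block), carved (if it contains one) or kept as-is.
    """
    remaining = [ipaddress.ip_network(cidr)]
    for net, _ in NETWORKS:
        next_round = []
        for piece in remaining:
            if not piece.overlaps(net):
                next_round.append(piece)
            elif piece.subnet_of(net):
                continue  # entirely special-use: drop it
            else:
                next_round.extend(piece.address_exclude(net))  # carve the block out
        remaining = next_round
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    total, special = total_ipv4(), special_use_count()
    print(f"IPv4 total: {total:,}; special-use: {special:,} ({100 * special / total:.1f}%)")
    for a in ("8.8.8.8", "10.1.2.3", "172.31.0.1", "172.32.0.1", "224.0.0.1", "255.255.255.255"):
        print(f"{a:>16}  {classify(a)}")
    print("192.0.0.0/16 minus special-use:", routable_subnets("192.0.0.0/16"))
```

Run it as a script to see the totals and the carved-up 192.0.0.0/16 (which loses only the 192.0.2.0/24 documentation block); `routable_subnets` is the piece worth reusing when building a scan target list from an allocation.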
July 31, 2006
Bad Oracle Security Press Coming Soon
You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week. The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week. Every year this conference gets significant media exposure; last year it was the controversy regarding Cisco and Michael Lynn. There don't seem to be any major headlines this year, so the press may be digging for stories.
A number of Oracle security experts are presenting on various topics, and the press is always looking for dirt on Oracle. Here is a quick overview of the Oracle-related presentations --
- "How to Unwrap Oracle PL/SQL" by Pete Finnigan - Most DBAs assume that wrapped Oracle code is fairly secure, and wrapping is often used to protect sensitive code and encryption keys. This presentation will debunk this myth and show how easy it actually is to unwrap the code. The press will jump on this presentation as another example of how Oracle is not secure. I think the true story is that many more bug hunters will now have access to the wrapped source code of standard Oracle packages, and in the coming months you will see an increase in the number of Oracle security bug reports.
- "Oracle Rootkits 2.0: The Next Generation" by Alexander Kornbrust - Alex has presented on Oracle rootkits before, but has refined and expanded the Oracle rootkit concept.
- "TBA" by David Litchfield - Again this year David has not released the topic of his talk. At previous conferences, David has released information regarding unpatched Oracle vulnerabilities. It will be interesting to see what his presentation topic is this year.
July 21, 2006
Google Source Code Bug Finder
Much has been written about using Google to find vulnerable websites and other exploitable information (try "allinurl:tnsnames filetype:ora" to find exposed tnsnames.ora files). Finding software bugs is a slightly different spin: the same kind of search can look for vulnerable lines of code across thousands of applications. Finding SQL injection and other Oracle-specific vulnerabilities may be a little more difficult, since Google does not index punctuation characters (e.g., single quotes).
Some sample query strings, mostly for C, are available at --
http://www.cipher.org.uk/index.php?p=projects/bugle.project
July 12, 2006
Introduction
The Oracle Applications Security Blog will be a unique analysis and commentary on Oracle-related security topics, especially those related to Oracle Applications (the official product name is "Oracle E-Business Suite"). Since the Oracle Applications technology stack also includes most of the other Oracle products, I will also cover the Oracle Database, Oracle Application Server, and Oracle development products.
My goal is to use this as a forum for some experimentation into presenting security topics in a different way.
I believe the security community generally does a poor job of communicating with the rest of the world and does not understand the Oracle products. I am looking to borrow techniques and ideas from other disciplines, like economic forecasting, to provide information that will help you to make better decisions and plans related to the security of your Oracle implementations.
Please feel free to e-mail me any comments, suggestions, or other feedback. As this is an ongoing "project" (aka experiment), I am more than open to feedback, either positive or negative.
- Stephen Kost