Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud) intersect (safety, security, reliability, integrity)


PUBLIC Regex in the absence of Definer’s Rights Roles

Been ill this week with man flu ~ not bird or swine flu, much more serious than that..

So, back to the plot. In the current absence of Definer's Rights Roles, there is a temptation for devs to GRANT EXECUTE to PUBLIC on their new packages so that the privileges carry through into other schemas' packages (roles are disabled inside definer's rights PL/SQL, so a privilege that arrives via a role cannot be used from inside a package, whereas one granted to PUBLIC can). PUBLIC is far too wide a grouping, and the fact that it is effectively the only Definer's Rights "role" available does not mean that ALL grants should be made to it. It is a bad habit picked up to save working out the actual privileges required.
Therefore it is a good idea to alert on these PUBLIC grants using Hedgehog (HH) regex rules with the MATCHES keyword, as below:

statement MATCHES 'to\s*public'

Note that the character literals in the regex are case-insensitive with HH. Note also that `\s*` permits zero whitespace and nothing anchors the word boundaries, so the rule as written also fires on statements such as `INSERT INTO public_holidays ...` or a grant to a role whose name merely begins with PUBLIC; if the rule engine accepts `\b` and `\s+`, `\bto\s+public\b` is the tighter form.
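As an added illustration (not code from the original post, nor from Sentrigo), here is the post's rule run in Python over a handful of constructed statements, alongside a tighter pattern and a small extractor that says what was exposed. The sample statements, the `app` schema and its object names, and the `publicity_role` name are all invented; the DBA_TAB_PRIVS query at the end is the complementary check for grants that already exist and is meant to be run in the database, not by this script.

```python
import re

# Constructed sample statements (not from the original post), of the kind a
# statement-level monitor such as Hedgehog would see. Mixed case on purpose:
# Oracle SQL keywords are case-insensitive, and so are HH regex literals.
SAMPLE_STATEMENTS = [
    "GRANT EXECUTE ON app.pkg_orders TO PUBLIC",
    "grant execute on app.pkg_util to   public",                # extra whitespace
    "GRANT SELECT ON app.customers TO public",                  # PUBLIC, but not EXECUTE
    "GRANT EXECUTE ON app.pkg_orders TO app_ro",                # named grantee, not PUBLIC
    "INSERT INTO public_holidays VALUES (DATE '2010-01-01')",   # 'INTO public_...' looks like 'to public'
    "GRANT EXECUTE ON app.pkg_report TO publicity_role",        # hypothetical role whose name starts with PUBLIC
]

# The rule exactly as it appears in the post: to\s*public, case-insensitive.
ORIGINAL_RULE = re.compile(r"to\s*public", re.IGNORECASE)

# Tighter form: 'to' must start a word, at least one whitespace character must
# separate it from PUBLIC, and PUBLIC must end at a word boundary. Whether the
# HH rule engine accepts \b is an assumption; Python's re does.
TIGHTENED_RULE = re.compile(r"\bto\s+public\b", re.IGNORECASE)

# Pulls the privilege list and object out of a GRANT ... ON ... TO PUBLIC statement
# so an alert can say what was exposed. Quoted identifiers ("PUBLIC") are not handled.
GRANT_TO_PUBLIC = re.compile(
    r"^\s*grant\s+(?P<privs>.+?)\s+on\s+(?P<object>\S+)\s+to\s+public\b",
    re.IGNORECASE,
)

# Complementary one-off inventory of EXECUTE grants to PUBLIC that already exist,
# from the Oracle data dictionary view DBA_TAB_PRIVS. Oracle-supplied schemas are
# excluded here only to keep a first pass focused on application packages.
INVENTORY_SQL = """
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name
"""


def matches(rule, statements):
    """Return the statements the given rule would fire on."""
    return [s for s in statements if rule.search(s)]


def public_grants(statements):
    """Return (PRIVILEGES, object) for every statement granting on an object to PUBLIC."""
    found = []
    for s in statements:
        m = GRANT_TO_PUBLIC.match(s)
        if m:
            found.append((m.group("privs").upper(), m.group("object").lower()))
    return found


if __name__ == "__main__":
    for label, rule in (("to\\s*public", ORIGINAL_RULE), ("\\bto\\s+public\\b", TIGHTENED_RULE)):
        print(f"rule {label!r} fires on:")
        for s in matches(rule, SAMPLE_STATEMENTS):
            print("   ", s)
    print("grants to PUBLIC:", public_grants(SAMPLE_STATEMENTS))
```

On the six sample statements the original rule fires five times, including on the INSERT and on the grant to `publicity_role`; the tightened rule fires only on the three genuine grants to PUBLIC, and the extractor reports two EXECUTE grants and one SELECT grant, which is the detail you want in the alert rather than just "matched".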

For more in-depth regex rule writing there is a nice page on Sentrigo's web site at the URL below, which I recommend reading:

Additionally, I would like to mention Alex's Anti Hacker class, taking place January 12-14, 2010 in San Francisco, California.
I know Alex has experience of implementing defensive solutions with a number of commercial customers and is at the cutting edge of offensive research as well, which is a powerful combination. The syllabus looks interesting, so it is worth checking out... and maybe taking in the Bay Area and the bridge at the same time.

