The Future

Oracle 10g Release 2 is a good product. It is a vast improvement over 10g Release 1 when it comes to security, and Oracle should be commended for that. However, it is not "mission accomplished" yet. There are still bugs in 10g Release 2, many of which are discussed in this book, and there are more to be found. Still, whereas it took only 5 to 10 minutes of searching to find a new bug in 10g Release 1, it takes a good day's effort or more to find one in 10g Release 2.

The improvement is largely due to a heavy investment in source code auditing tools. While these tools do a good job of catching most flaws, they have a problem with boundaries: for example, when a PL/SQL procedure calls out to a C function or a Java function. The tools seem unable to pick up flaws that occur at these crossover points, where the assumptions one language makes about its input are not checked by the other. Oracle needs to improve these tools so that they catch these last remaining issues, too.

Source code auditing tools should be used as a "last defense" mechanism, not as the primary one. The real key to making great strides in improving security is in the way developers write code. Good secure coding standards and procedures are a must. Much like the way Microsoft has published the standards and procedures relating to its Security Development Lifecycle, I would invite Oracle to do the same. It can only be good for the industry as a whole.

From The Oracle® Hacker's Handbook: Hacking and Defending Oracle.