Applied Oracle Security:
Developing Secure
Database and Middleware
Environments
David C. Knox
Scott G. Gaetjen
Hamza Jahangir
Tyler Muth
Patrick Sack
Richard Wark
Bryan Wise
New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher.
ISBN: 978-0-07-161371-2
MHID: 0-07-161371-4
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-161370-5, MHID: 0-07-161370-6.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use
of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to
comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY
INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor
its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall
apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Information has been obtained by Publisher from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, Publisher, or others, Publisher does not guarantee the accuracy, adequacy, or completeness of any
information included in this work and is not responsible for any errors or omissions or the results obtained from the use of such information.
Oracle Corporation does not make any representations or warranties as to the accuracy, adequacy, or completeness of any information
contained in this Work, and is not responsible for any errors or omissions.
I dedicate this book to all those who not only aspire for greater
achievements, but also follow through on obtaining them.
Dream big and do big!
—David Knox
I dedicate this book to my wife, Mary, and my two sons, Anthony and
Jeffrey, for being patient and understanding while I worked on the book.
I love you guys and we now have the summer free so we can play.
–Scott Gaetjen
To my parents, Panahul Alam Jahangir and Nargis Jahangir, my two greatest
sources of warmth, support, and affection.
–Hamza Jahangir
I would like to dedicate this book to my loving wife, Sally, for her tireless
support. She invested as many hours as I did in this project, caring for our
new son, Colin, on weekends and evenings so that I could pursue this
endeavor, and for that I am truly grateful.
–Tyler Muth
I dedicate this book to my wife, Wendi, and my sons, Collin, Ashtin,
Giovanni, and Vinson. Thank you for your support and understanding
during the production of this book. We have been through a lot this past
year and have learned that family and friends are what really matter. Love
to all of you, especially to my wife, Wendi. XOXO.
—Pat Sack
I dedicate this book to my dad, Robert Wark, for his wisdom and love.
—Richard Wark
I dedicate this book to my father, Ronald, whose love of brain-teasers,
HP calculators, and spreadsheet macros started me down this wonderful
road I find myself traveling.
—Bryan Wise
About the Authors
David C. Knox, Senior Director, Solution Engineering, Oracle Corporation, currently works as
a Senior Director for Oracle’s National Security Group. Prior to this role, he ran the Solution
Engineering division for Oracle North American Sales and Consulting, where he would oversee
Solutions Development and R&D innovation for all Oracle technologies. He has also held
positions as Senior Director of the Oracle Protected Enterprise & Security Business and as Chief
Engineer for Oracle’s Information Assurance Center.
Since joining Oracle in 1995, Mr. Knox has worked with customer organizations including the
Department of Defense, intelligence agencies, financial services, and a variety of other industries,
giving him a broad understanding of key business drivers and processes. His expertise in computer
security derives not only from working knowledge and experience with Oracle’s security products and
database security, but also from his academic studies in the areas of multilevel security, cryptography,
Lightweight Directory Access Protocol (LDAP), and Public Key Infrastructure (PKI).
Mr. Knox is the author of Effective Oracle Database 10g Security By Design (McGraw-Hill
Professional 2004). His other published work includes security contributions to Expert One-on-One
Oracle by Thomas Kyte (Wrox Press 2001) and Mastering Oracle PL/SQL: Practical Solutions
(Apress 2003). He has also authored several Oracle whitepapers. Mr. Knox earned a bachelor’s
degree in computer science from the University of Maryland and a master’s degree in computer
science from Johns Hopkins University.
Scott G. Gaetjen, Technical Director, Oracle National Security Group, conducts research and
design on new security solutions, leveraging his 15 years of experience with Oracle technologies to
provide advanced security capabilities to Oracle’s customers. He has served as a technical lead and
mentor for several customers in the U.S. Department of Defense, U.S. intelligence agencies, U.S.
civilian government, and the financial industries. In the process of helping these customers meet
their mission objectives, Mr. Gaetjen has developed a keen technical understanding of operating
system security, Oracle database security, J2EE application security, and identity management.
Mr. Gaetjen has been involved in the research and development of the Oracle Data Vault
technology since its inception as a solution in 2004 under Oracle’s Consulting organization and
participated in the efforts to make the solution into a true Oracle product.
He earned a bachelor’s degree in mathematics from James Madison University and a master’s
degree in computer systems management from the University of Maryland University College.
Hamza Jahangir is currently a Principal Architect in the Enterprise Architecture group at
Oracle. He has been with Oracle since 2004 and has been working with Oracle Database and
middleware products for more than ten years. As an architect, he spends much of his time in a
technical advisory capacity to help his clients better understand and apply security products
and technologies to solve security challenges, mainly those that span database and middleware
environments (such as Identity Management, Access Management, Directories, and J2EE security).
Mr. Jahangir also teaches security classes and spends time evangelizing best practices around
bridging database and middleware security to Oracle user groups and professional communities
around identity management, service-oriented architectures, and IT security. He spends the remainder
of his working time on experimenting with new architectures and prototyping solutions around new
application and enterprise security models.
When he is not working, he enjoys spending time with his family, friends, and a nylon-string
classical guitar. He has a bachelor’s degree in computer science from Northeastern and is currently
working toward an MBA at Georgetown.
Tyler Muth is a Principal Technologist with the Oracle Public Sector division, specializing in
database and application security. He leads Application Express workshops throughout the United
States, advises customers on architecture decisions, and collaborates with customers to develop
tactical applications. He is a passionate contributor to the security community through
presentations at Oracle Technology Days and Oracle User Groups; his blog, www.tylermuth.wordpress.com;
and participation on the Oracle Technology Network forums.
Prior to his current role, Mr. Muth was one of the early developers on the Application Express
development team, where he worked for more than five years. He was a technical reviewer for
several of Tom Kyte’s books, a contributing author for asktom.oracle.com, and a manager for a
production system in zero-gravity.
Patrick Sack, Technical Vice President, NSG Product Engineering, Oracle Corporation, runs the
Product Engineering division for Oracle’s National Security Group. Prior to his current role overseeing
Product Engineering and R&D Innovation for all Oracle technologies, he held positions as Vice
President of Oracle’s Protected Enterprise & Security Business. A majority of his career was spent
within the Oracle Consulting group, driving innovative solutions and enhancing Oracle products.
Since joining Oracle in 1988, Mr. Sack has worked with customer organizations, including the
Department of Defense, intelligence agencies, financial services, and a variety of other industries,
giving him a broad understanding of key business drivers and processes. His expertise in information
security derives from his working knowledge of Oracle products and application of these
technologies on customers’ projects, including multilevel security.
He specializes in Oracle’s Information Assurance technologies, architectures, and solutions. He
has been instrumental in driving new security technologies, features, and solutions for customers,
such as Database Vault for Compliance. He is the primary architect and founder of many of the
advanced security capabilities available in the Oracle Database product offerings, including Oracle
Database Vault, Oracle Audit Vault, Oracle Label Security, and fine-grained auditing. He has filed
many U.S. patents with Oracle Corporation in the information security category, such as Multiple
Database Security Policies, Row-Level Auditing, Database Vault, Mandatory Access Control Base,
Dynamic Access Controls, and Auditing and Cross Domain Security.
Mr. Sack understands how critical information and security are to most organizations, asserting
that the data must be available, accountable, and accessible. He earned a bachelor’s degree in
computer science from the State University of New York.
Richard Wark, CISSP, works as a Principal Technologist in Oracle’s Enterprise Solutions Group,
helping to develop security and identity management solutions, demonstrations, and training since
2004. He is a “retread” at Oracle, having worked briefly for the City of San Antonio from 2002 to
2003 to help manage a large enterprise resource planning (ERP) project implementation. He initially
joined Oracle in 1996 as a sales consultant working with Air Force customers across the country.
Since then, he has worked on solutions for banks, airlines, financial institutions, and a host
of other customers to protect their data and practice good security.
With more than 15 years of experience with Oracle products, Mr. Wark has worked with
customers to build secure database systems in the government, Department of Defense, healthcare
industry, and other commercial sectors. As a result of dealing with brilliant colleagues and customers
with challenging problems, he has developed a working knowledge and some level of expertise in
network security design, security policy creation, business continuity planning, data classification,
secure database configuration, and large-scale implementation reality.
Prior to joining Oracle, Mr. Wark worked for Computer Sciences Corporation (CSC) and
Science Applications International Corporation (SAIC) on DoD Oracle database projects, starting
his professional career in 1991 as a UNIX admin and Informix DBA. He holds a bachelor’s degree
in information systems from University of Texas, San Antonio.
Bryan Wise is a Business Intelligence Solution Specialist for Oracle’s Public Sector division,
where he helps customers find secure, innovative ways to use their existing data and run their
organizations more efficiently. His career with Oracle technology started in the late 1990s while
serving as an officer in the U.S. Navy. He managed all database administration and led application
and report development for the Navy’s Nuclear Power School.
Over the years, Mr. Wise has been an active participant in the Oracle community, including
providing presentations for the Mid Atlantic Association of Oracle Professionals, the Oracle
Government Users Group, and the Business Intelligence, Warehousing and Analytics Special
Interest Group of the IOUG. He is also a contributing author on the Oracle BI Publisher blog.
In addition to being an Oracle specialist, Mr. Wise has spent most of his career teaching. His
teaching assignments include developing and delivering hands-on Oracle Business Intelligence
seminars, teaching mathematics at the Navy’s Nuclear Power School and various community
colleges, as well as teaching database concepts at the University of Maryland University College.
He holds bachelor’s and master’s degrees in mathematics from Brigham Young University and a
master’s certificate in e-commerce engineering from Regis University.
About the Technical Editors
Ben Ault is a Business Intelligence Specialist Manager at Oracle, where he has worked since
1995. He has focused on implementing and selling decision support and business intelligence
solutions throughout his career. He has spent the last several years concentrating on business
intelligence and data warehousing solutions for Oracle’s Public Sector customers. Prior to his
time at Oracle, he worked as a Decision Support Consultant for IRI Software, where he designed
and implemented custom database applications to provide executive-level analysis of sales,
marketing, and financial data.
Tammy Bednar has worked in the computer industry for more than 25 years. She started out
coding applications in Ada and decided a change was needed. Oracle hired her in the Database
Support Organization 14 years ago and she has been involved with database releases since version
6.0.36. She started her Product Management career on the database High Availability team with
Recovery Manager (RMAN) and database backup and recovery. High availability and security go
hand-in-hand, and Ms. Bednar is currently a member of the Database Security development team,
focusing on auditing and Oracle Audit Vault.
Derrick Cameron leads the Business Intelligence team in Solutions Engineering at Oracle. He
has worked with Oracle technology for more than 15 years and for Oracle (Canada, and then U.S.)
for the past 12 years, initially working in applications consulting and later in sales, supporting data
warehousing and business intelligence. He is one of the primary architects of Oracle’s internal
integrated BI demonstration and training platform (used at Oracle Open World), and is also the
build lead for Oracle’s external partner BI platform. He works closely with development to build
cross-product integration solutions, and he also works with customers in the sales cycle when
technical expertise is required. Previously, he worked in financial accounting systems roles in the
public sector and a financial institution.
Sergio Leunissen joined Oracle in 1995. Since then, he has worked as a sales engineer,
developer, and product manager on technologies including Oracle Application Express, Oracle
Database, Linux, and Oracle VM. He was one of the original members of the Oracle Application
Express team, helping to develop and bring the product to market. In 2006, he helped launch the
Unbreakable Linux support program. He is currently Senior Director, Linux Business Solutions.
Robert Lindsley is a Principal Sales Consultant in Oracle’s North American Public Sector
organization. He specializes in Oracle’s business intelligence, analysis, and data warehousing
solutions and has worked in the software industry for more than ten years. Prior to that, Mr. Lindsley
was a research scientist, specializing in the analysis of large neuroscience datasets. He has written
several publications in the areas of multisensory integration and neuropharmacology.
Mr. Lindsley has a bachelor’s degree from Cornell University in Ithaca, New York. He lives in
Washington, DC.
Bill Maroulis is a Technical Director in Oracle’s National Security group. He has more than 15
years’ experience in software development, with a primary focus on Oracle database security. He is
the lead database engineer for software components and MAC security policies that protect the
Oracle Database in a cross-domain environment. Mr. Maroulis also teaches Oracle as an adjunct
professor at Strayer University. He has a bachelor’s degree in computer science from the North
Carolina State University and a master’s in software engineering from the University of Maryland
University College. He lives in Virginia and enjoys spending time with his wife and daughter.
Raj Mattamal, a co-president at Niantic Systems (www.nianticsystems.com), started developing
web applications at Oracle in 1995 with the very same people who came to create Oracle Application
Express. During his more than ten years with the company, he helped customers in a wide range of
industries to deliver web-based solutions in Oracle Database. In addition to helping customers with
their applications, he developed numerous web applications for use internally at Oracle as well.
Outside of application development, Mr. Mattamal spent much of his time with Oracle evangelizing
the Oracle Application Express development environment. This entailed teaching classes globally,
writing articles for Oracle Magazine, writing Technotes for the Oracle Technology Network, and
assisting with the development of training materials and workshops.
Having earned bachelor’s degrees in decision & information studies as well as marketing
from the University of Maryland, Mr. Mattamal continues to apply his knowledge of and passion
for technology and business to real-world issues. Since leaving Oracle in 2006, he went on to
co-found Niantic Systems, LLC, which offers services and training to customers in a wide range
of business lines to help get the most out of their Oracle environments.
Scott Spadafore is a member of the Application Express development team at Oracle
Corporation, now in his eighth year with that group. Prior to this, he worked 7 years as an Oracle
consultant doing various C/Pro*C custom development projects, DBA work, and security technical
architecture/implementation for telco and local government customers throughout the United States.
Before joining Oracle, he spent 21 years helping Amdahl Corporation develop mainframe computers
in various roles as an engineering aide, MVS/VM systems programmer, C programmer, and
software development manager.
Peter Wahl is the Product Manager for Oracle’s Advanced Security option. He has a master’s
degree from the University of Applied Sciences in Ravensburg/Germany and nearly 20 years of
industry experience in product development, marketing, and business development. As a member
of the Oracle Database Security development team since the initial release of Transparent Data
Encryption (TDE), he has helped numerous enterprise customers deploy TDE to address PCI and
other compliance requirements. In addition, he serves as the worldwide contact for partner
development and has led the certification of Oracle’s E-Business Suite, Peoplesoft, Siebel CRM,
and JD Edwards EnterpriseOne Applications with TDE as well as the certification of multiple
hardware security modules by partner vendors.