Peter Koletzke is a Technical Director and Principal Instructor for Quovera in Palo Alto, California. He has over thirty years of industry experience and has presented at various Oracle user group conferences over 340 times. Additionally, he has won awards such as Pinnacle Publishing's Technical Achievement, ODTUG Editor's Choice (four times), ODTUG Best Speaker, NY Oracle Users Group Editor's Choice (three times), East Coast Oracle/Southeastern Oracle Users Conference Oracle Designer Award, and the ODTUG Volunteer of the Year. Peter is an Oracle ACE Director, an Oracle Certified Master, and co-author (variously with Duncan Mills, Avrom Roy-Faderman, and Dr. Paul Dorsey) of the Oracle Press (McGraw-Hill Professional) books "Oracle JDeveloper 11g Handbook," "Oracle JDeveloper 10g for Forms & PL/SQL Developers," "Oracle JDeveloper 10g Handbook," "Oracle9i JDeveloper Handbook," "Oracle JDeveloper 3 Handbook," "Oracle Developer Advanced Forms and Reports," "Oracle Designer Handbook, 2nd Edition," and "The Oracle Designer/2000 Handbook."
Proper design of an application includes security plans, which ensure that specific data is available only to specific user groups. Application design should also include security plans for guarding against data or application tampering. These two aspects can easily be set aside while developers are caught up in the process of developing PL/SQL code to fulfill an application's requirements. So it is important to work security plans into the initial technical specifications and test plans. Then you need to know how to implement the proper safeguards.
This session focuses on techniques you can use in PL/SQL to guard against unintended data access and unauthorized use of your application code. It explores the PL/SQL code and policy objects required to prevent access violations through the database feature Virtual Private Database (VPD, also known as Fine-grained Access, FGA), implemented using the Oracle package DBMS_RLS.
The session also explains how to use the database package DBMS_ASSERT to guard against SQL injection, in which users attempt to gain unintended access to data or database operations. In addition, the presentation discusses methods for hiding data using VPD column hiding (DBMS_RLS and DBMS_REDACT) and encryption using DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT. It also mentions some new features of Oracle 12c aimed at enforcing proper access to PL/SQL: role grants to code units and white lists (ACCESSIBLE BY). All of these techniques should improve your ability to secure data and application code in the systems you create.
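One way the DBMS_ASSERT guard mentioned above can look in dynamic SQL, shown as an added example that is not taken from the session or its materials. The `orders` table, its `status` column and both function names are hypothetical; the weak form is included only so the hardened form can be compared against it.

```sql
-- Added example; orders, status and both functions are hypothetical names.
CREATE TABLE orders (id NUMBER PRIMARY KEY, status VARCHAR2(20));

-- Weak form: the identifier and the value are concatenated into the statement,
-- so caller-supplied text becomes part of the SQL that gets parsed.
CREATE OR REPLACE FUNCTION count_rows_weak (
  p_table  IN VARCHAR2,
  p_status IN VARCHAR2
) RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table ||
    ' WHERE status = ''' || p_status || ''''
    INTO l_count;
  RETURN l_count;
END count_rows_weak;
/

-- Hardened form: DBMS_ASSERT validates the identifier (which cannot be bound),
-- and the value travels as a bind variable, so it is never parsed as SQL.
CREATE OR REPLACE FUNCTION count_rows_safe (
  p_table  IN VARCHAR2,
  p_status IN VARCHAR2
) RETURN NUMBER
IS
  l_table VARCHAR2(130);
  l_count NUMBER;
BEGIN
  -- SIMPLE_SQL_NAME raises ORA-44003 unless the input is one valid SQL identifier;
  -- SQL_OBJECT_NAME raises ORA-44002 unless that identifier names an existing object.
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table));
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE status = :status'
    INTO l_count
    USING p_status;
  RETURN l_count;
END count_rows_safe;
/

-- Usage: a valid table name passes; anything else fails before any SQL is run.
BEGIN
  DBMS_OUTPUT.PUT_LINE(count_rows_safe('ORDERS', 'OPEN'));
END;
/
```

Where a value cannot be bound, as in DDL text, `DBMS_ASSERT.ENQUOTE_LITERAL` serves the same purpose for string literals.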