Bind variabler og PCI compliance

In the world of computer sicence – and especially within bank and finance – we recently have heard a lot of talk about PCI compliance. Yesterday I discovered a smal security threat related to the use of bind variables in Oracle. The use of bind variables actually stores sensitiv information – for instance social -and creditcardnumbers. It´s not the use of the bind variables itself that is the problem, but the fact that the bind values are stored unencrypted in a DBA view (DBA_HIST_SQLDATA) in the SYSAUX tablespace. When we add the fact that encryption of the SYSAUX tablespace is not supportet then it becomes a security problem, and this is not in accordance with our PCI requirements.

If this is the reason why Oracle in version released the parameter cursor_bind_capture_destination (or if this was just to save disk space) is to me unknown.
But never the less – we now have the opportunity to set this parameter to MEMORY or OFF (instead of MEMORY+DISK which is the default). This limit the storage of bind data to a short period of time in MEMORY, or prevents the storage of bind values totally (OFF).

Post a Comment

Your email is never published nor shared. Required fields are marked *