'The biggest change of course is the multi-tenant or is it multitenant? addition to the database with root containers, seed containers, pluggable databases, CDBs, PDBs and more. I have already had a play with my existing PL/SQL tools and also our scanner PFCLScan and have found out quite a lot so far.
In terms of security, there are a lot of new features at the high level - I will discuss these in a future post but the biggest for security is the multi-tenant or pluggable databases as we now have local and global or common users and privileges and database objects and even parameters that are local or global.' - Pete Finnigan
Coupled with the apparent lack of core competency in the DAM arena, clients of the software manufacturers flogging these products are probably also deficient in at least three other fundamental aspects of DBMS security activity monitoring products: Education / Training within the scope of the products, Scrutiny of the Monitoring Log Output, and probably the key to everything - the ability to read SQL statements.
Quite negative news indeed, for the all-encompassing server, daemon, code and database control product, not to mention the huge numbers of deployed bits in both the public and private sectors. Recent Java exploits, piggybacked on these Oracle Enterprise Manager vulns, put the database leviathan into a tenuous posture of insecure cruft deployment.
Whilst all of the enumerated vulns have been officially patched by the company, a vast ocean of deployments are not being updated, generally due to recalcitrant DBAs and their System Administrator colleagues (thereby displaying misguided rationale, as generally, they're fearful of patchsets targeting Oracle products, due to the severe impact of the crufty bits applied to extant Oracle instances, and the subsequent possibility of significant downtime). - mxh
Meanwhile, in Oracle Database news, Tanel Poder, perhaps one of the most highly respected, yet quietly competent Oracle professionals, has released version 4.2 of his well known [and heavily utilized by DBAs in-the-know] Snapper tool targeting Oracle Database performance metrics.
Whilst not necessarily security related, his work is both highly rated, feature rich, yet lightweight in DBMS impact, oh, and did I mention available at no charge? If you are in any way related to Oracle DBMS products, you need Snapper 4.x. Keep a sharp eye out for Tanel's seminars, also highly rated.
Via Oracle Corporation (NasdaqGS: ORCL) comes the sad news of the passing of Mark Townsend, the Redwood Shores, California database, applications and hardware leviathan's Vice President of Product Development for Oracle Database. His technical acumen was legendary; as such, he was known as the company's "Single Source of Truth" for database products. Infosecurity.US extends our sincere condolences to the Townsend family, his friends and colleagues.