Unwrapping PL/SQL
There was very little press coverage regarding Oracle security from last week's Black Hat security conference in Las Vegas. I am a little surprised about the lack of attention in the media regarding Pete Finnigan's presentation on unwrapping PL/SQL code.
Few Oracle DBAs and developers are aware just how weak the Oracle wrapping method is (although improved in 10g). Sensitive packaged applications (banking, etc.) are usually delivered with wrapped PL/SQL packages and developers often wrap encryption related packages in applications. The protecting and storing of encryption keys for an application can be a difficult challenge, which is usually solved by wrapping the package rather than using Oracle Wallet or some other more secure mechanism.
Pete's presentation provides excellent insight into how Oracle's simplistic wrapping mechanism works and highlights why no one should consider wrapping PL/SQL as a safe method to deliver applications or to protect encryption keys. There is more than enough technical detail in his presentation to provide any motivated Oracle developer enough information to unwrap PL/SQL.