Improve the Security of your Oracle PL/SQL code

Visual Expert helps improve the security of your Oracle database and PL/SQL code, by working on several levels:

• It detects vulnerabilities in PL/SQL code.
• It helps reduce the potential attack surface by listing dead or obsolete code.
• It identifies bad practices or inefficient code, for example, to optimize performance and make denial-of-service (DoS) attacks more difficult.
• For each issue identified, Visual Expert can propose modifications to fix it.

Below is a list of the most relevant security scanning rules for Oracle environments:

1. SQL Injection
2. Command Injection
3. Cryptographic Failures
4. Security Misconfiguration
5. Vulnerable and Outdated Components
6. Dead or Unused Code
7. Empty Methods or Blocks
8. Improper Exception Handling
9. Insufficient Logging and Monitoring

SQL Injection

Description
Detects dynamically constructed SQL queries that incorporate external input without sanitization, especially within EXECUTE IMMEDIATE statements.

Impact
Unvalidated inputs in SQL queries can be exploited to manipulate the query structure, bypass authentication, or extract unauthorized data.

Recommendation
Use bind variables whenever possible, and sanitize all user input before using it in dynamic SQL.

Visual Expert Rule(s)

• Dynamically executed code is flagged as security-sensitive
• EXECUTE IMMEDIATE should be used instead of DBMS_SQL procedure calls Maintainability- Major
• Blocks containing EXECUTE IMMEDIATE should trap all exceptions

Command Injection

Description
Flags use of dynamic OS command execution where command strings are built from external input.

Impact
Unsanitized inputs may allow an attacker to execute arbitrary commands on the host system.

Recommendation
Avoid constructing shell commands from user data.
Use white-listed commands and validate all parameters.

Visual Expert Rule(s)

• Blocks containing EXECUTE IMMEDIATE should trap all exceptions

Cryptographic Failures

Description
Identifies the use of insecure algorithms or cryptographic packages like DES, 3DES, SHA-1, or outdated Oracle packages.

Impact
Weak algorithms can compromise the confidentiality or integrity of data.

Recommendation
Use modern algorithms (e.g., AES, SHA-256) and avoid deprecated packages such as DBMS_OBFUSCATION_TOOLKIT.

Visual Expert Rule(s)

• DES or 3DES should not be Used
• DBMS_OBFUSCATION_TOOLKIT package should not be used
• SHA-1 and Message-Digest hash algorithms should not be used in secure contexts

Security Misconfiguration

Description
Detects use of potentially risky Oracle features or statements, such as DBMS_OUTPUT.PUT_LINE in production or SYS-owned objects.

Impact
Such usage may expose sensitive data or bypass proper access controls.

Recommendation
Avoid exposing internal output in production and restrict usage of privileged packages.

Visual Expert Rule(s)

• DBMS_OUTPUT.PUT_LINE should not be used
• Sensitive SYS-owned functions should not be used

Vulnerable and Outdated Components

Description
Flags the usage of deprecated or desupported Oracle features and packages.

Impact
Older components may no longer receive security updates and can be incompatible with current best practices.

Recommendation
Refactor code to use supported and secure alternatives.

Visual Expert Rule(s)

• Features deprecated in Oracle 12 should not be used
• Constants and subprograms are desupported from DBMS_XDB package
• DBMS_OBFUSCATION_TOOLKIT package is removed
• Large Object (LOB) DBMS_LOB.LOADFROMFILE and BUFFERING_ENABLED exception desupported and should not be used
• Deprecated functions and procedures DBMS_RESULT_CACHE BLACK_LIST should not be used
• Deprecated function DBMS_SESSION.IS_ROLE_ENABLED should not be used
• Desupported packages/functions INIT_CLEANUP, DEINIT_CLEANUP, IS_CLEANUP_INITIALIZED should not be used
• Deprecated LONG and LONG RAW datatypes should no longer be used
• Deprecated package subprograms and datatypes DBMS_DATA_MINING should not be used
• Deprecated package DBMS_HANG_MANAGER should not be used
• Deprecated procedure DBMS_LOCK.SLEEP should not be used
• Desupported package Streams DBMS_STREAMS_ADM should not be used
• Deprecated package DBMS_XMLGEN should not be used
• Deprecated package DBMS_XMLSTORE should not be used
• Desupported package DBMS_XMLTRANSLATIONS package is desupported
• Deprecated package DBMS_XMLQUERY should not be used
• Deprecated package DBMS_XMLSAVE should not be used
• Subprograms GENERATESCHEMA and GENERATESCHEMAS from DBMS_XMLSCHEMA package are desupported
• Deprecated package and types Oracle Multimedia (ORD*) should not be used
• CONTINUOUS_MINE option is desupported in DBMS_LOGMNR.START_LOGMNR
• Desupported UTL_FILE_DIR initialization parameter from the DBMS_LOGMNR_D package should not be used

Dead or Unused Code

Description
Identifies procedures, functions, and packages that are no longer used or referenced.

Impact
Dead code increases the attack surface and may conceal vulnerabilities.

Recommendation
Remove unused code to simplify maintenance and reduce exposure.

Visual Expert Rule(s)

• Unused objects should be removed
• Unused labels should be removed
• Unused local variables should be removed
• Unused Procedure and Function Parameters should be removed
• Dead stores should be removed
• Jump statements should not be followed by dead code

Empty Methods or Blocks

Description
Flags procedures or functions that are declared but contain no executable code.

Impact
Empty logic may indicate incomplete development or unused functionality that should be removed.

Recommendation
Clean up empty code blocks unless they serve a documented interface purpose.

Visual Expert Rule(s)

• Methods must not be empty

Improper Exception Handling

Description
Detects exception blocks that ignore or inadequately log errors, including generic WHEN OTHERS THEN NULL.

Impact
Suppressing exceptions leads to poor traceability and may conceal functional or security flaws.

Recommendation
Always log or handle exceptions in a meaningful and traceable way.

Visual Expert Rule(s)

• Exceptions should not be ignored
• Blocks containing EXECUTE IMMEDIATE should trap all exceptions
• Overridden Predefined Exceptions
• WHEN OTHERS clauses should be used for exception handling

Insufficient Logging and Monitoring

Description
Detects lack of audit trails or logging in critical code areas, especially in exception flows.

Impact
Insufficient monitoring limits the ability to detect and investigate incidents.

Recommendation
Implement meaningful logging for key operations and exceptions.

Visual Expert Rule(s)

• All exceptions should be properly handled to ensure traceability
• EXCEPTION WHEN ... THEN clauses should do more than RAISE
• DBMS_HANG_MANAGER package desupported

For the full list of Oracle-specific code inspection rules, please refer to the Visual Expert Code Rules.