Extend your DevSecOps practices to your Oracle database

Extend your DevSecOps practices to your Oracle database The 2019 State of DevOps report focusses on how to integrate security into the software development cycle. This blog post show you how te extend these practices into Oracle database security.

But why is it so difficult?

For most companies, integrating security into the software delivery lifecycle is an unrealized ideal, and an obstacle to furthering their DevOps evolution. Some people feel that security practices are little more than security theater, just a way to avert blame rather than to improve security. Security is also often seen as a nuisance to deployment, causing only delays and unplanned work for everybody.

Very often, there’s pressure to deliver a new feature. This pressure leads to bypassing the security policies that increased the risks for the business. People responsible for deadlines decide to release, with the security issue unresolved, intending to fix the problem in a subsequent release. At best, this creates a delay period when the code may be quite vulnerable. It’s also not unusual for recognized security issues to slip people’s attention entirely once the product is out the door.

With business demand for DevOps, Agile, and Public Cloud Services, traditional security processes have become a significant roadblock targeted for elimination. And sadly, sometimes the easiest to bypass altogether.

The five practices

So how do we do get a good start at security? The report found that the top five practices that improve security posture are:

  1. Security tools are integrated in the development integration pipeline so engineers can be confident they’re not inadvertently introducing known security problems into their codebases.
  2. Security requirements — both functional and non-functional are prioritized as part of the product backlog.
  3. Security experts evaluate automated tests, and are called upon to review changes in high-risk areas of the code (such as authentication systems, cryptography, etc.).
  4. Infrastructure-related security policies are reviewed before deployment.

These practices are a challenge in itself but even more complicated when it comes to top database security.

Automating database security policy configurations.

One of the key findings of the “State of DevOps 2019” report is that teams have to be able to implement transparent security policies as code. Puppet, in general, allows you to do that. To compare different solutions, let’s make a comparison with a security guard in a building. To make sure the building is safe, he makes his round every hour. For every open door or window, he will not only report it but also close it immediately to ensure the security of the building.

Puppet, in combination with the ora_secured module, works alike. Every half hour, Puppet will inspect the current settings of your database. It will compare the current settings with a secure baseline provided by the Center for Internet Security. Just like the security guard, Puppet will not only report it, but it will also instantly remediate the insecure situation. This way of working ensures that your database is always safe.


Because the ora_secured module integrates with Puppet, this integration means it is simple to extend your current provisioning and deployment practices to include Oracle database security. No extra tools to install no extra

How to get started?

Getting started with automating your security policy for your Oracle database is simple. The ora_secured module allows you a one lined to make sure your database is secured.


Puppet will now automatically enforce all the controls available in the Oracle CIS baseline on your database. Unfortunately, some applications don’t work on secured databases. To accommodate this, you can skip enforcing some controls. Here is an example of this:

ora_secured::apply_cis { 'DBNAME':'
  skip_list   => [


Although one of the key strengths is that Puppet remediates the incorrect security setting immediately, reporting is crucial too. The auditor needs a report confirming that your system is secure now.

The Puppet Enterprise Console and PuppetDB provide you with this report. Puppet Enterprise can not only show you current status but can also show reports on the security state of your systems in the past.


I hope this blog post has shown the possibilities to get started with DevSecOps on your Oracle database. We would love to demonstrate how our solutions can help you increase the speed of our application delivery in the Oracle Database world. Contact us for details.

info@enterprisemodules.com or by phone: +31 (0)653 847 326

About us

Enterprise modules is the leading developer of enterprise-ready puppet modules for Oracle databases and Oracle WebLogic. Our puppet modules help sysadmins and DBAs to automate the installation, configuration, and management of their databases and application server systems. These modules allow them to make managed, consistent, repeatable, and fast changes to their infrastructure and automatically enforce the consistency.