Database Complexity Poses Greater Security Risks

By Lisa Vaas  |  Posted 2003-12-08

In an exclusive interview, Oracle security guru Mary Ann Davidson says 10g's richer feature set will be secure by default.

It used to be, an Oracle database would ship ready to run on one port. You'd lock that one port down, and you'd be reasonably secure. Nowadays, all bets are off, as vendors crank up feature sets and complexity skyrockets. A recently reported, high-level Oracle security vulnerability underscores this problem. This particular vulnerability, which has to do with SSL (Secure Sockets Layer), affects certain releases of Oracle9i Database Server, Oracle8i Database Server, Oracle9i Application Server and Oracle HTTP Server.
If Oracle9i is vulnerable, 10g is guaranteed to have holes, security experts say. While vendors such as Oracle are balancing increasingly complex iterations with ever more security features in order to manage security more granularly, it's still harder to manage security. As you have more and more features, there are more opportunities for more security holes to pop up, as fewer and fewer people in the data center understand what all those moving parts do. "Today, there's a dozen services running on a dozen ports," said Aaron Newman, CTO and co-founder of Application Security Inc. "Most people don't understand what those ports do."
So how will Oracle be addressing the potential for security leaks? I went to Oracle Chief Security Officer Mary Ann Davidson to get the answer. Between addressing the National Cyber Security Summit last week, presenting at the Infosecurity 2003 show in New York this week, and grappling with new Oracle security vulnerabilities announced this week, she managed to squeeze in some time to answer, and here's what she had to say.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
