Database security firm Sentrigo has made a free code analysis tool available for Oracle databases. The software, called FuzzOr, runs on Oracle database versions 8i and above and can be used to identify and remediate code vulnerable to SQL injection attacks.
Database security vendor Sentrigo wants to help programmers,
database administrators and security pros pinpoint vulnerabilities in
code before hackers get their hands on them.
To do this, the company has released a free fuzzing utility for
Oracle databases to help identify vulnerabilities in PL/SQL code.
Dubbed FuzzOr, the open-source tool is now available for download and
allows PL/SQL programmers and others to catch and remediate security issues that may be exploited through SQL injection and buffer overflow attacks.
"There are thousands of applications in use today, some from Oracle
and many others from third parties, that may contain vulnerabilities
that make the database subject to attack," said Slavik Markovich, CTO
of Sentrigo, in a statement. "With hackers using increasingly
sophisticated techniques to attack databases, proactive testing
conducted on a regular basis can help flag potential vulnerabilities
that may otherwise go unnoticed."
Sentrigo's FuzzOr runs on Oracle database versions 8i and above. A
dynamic scanning tool, FuzzOr enables users to test PL/SQL code inside
Oracle stored program units, Sentrigo officials said. Once FuzzOr has
detected a vulnerability, a programmer can fix the PL/SQL code. In the
case of legacy or complex applications, where code changes and repairs
are more difficult to implement, FuzzOr integrates with Sentrigo's
Hedgehog products and automatically generates virtual patches that
block attempts to exploit the discovered vulnerabilities, or alert
users to them.
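The kind of PL/SQL defect a dynamic scanner like FuzzOr is built to flag, shown beside the fix a programmer would apply. This is an added illustration, not Sentrigo's code or FuzzOr output; it assumes a table `employees` with a `last_name` column, and the identifier-validation case relies on `DBMS_ASSERT`, which is available from Oracle 10g onward.

```sql
-- Vulnerable: the caller-supplied p_name is concatenated into the SQL text.
-- An input containing a single quote (e.g. the legitimate surname O'Brien,
-- or anything a fuzzer generates) changes the statement itself.
CREATE OR REPLACE PROCEDURE get_employee_vuln (p_name IN VARCHAR2) IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM employees WHERE last_name = '''
           || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('Matches: ' || l_count);
END;
/

-- Hardened: the same lookup with a bind variable. The input is passed as a
-- value, so it can never become part of the SQL text whatever it contains.
CREATE OR REPLACE PROCEDURE get_employee_safe (p_name IN VARCHAR2) IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE last_name = :name'
    INTO l_count USING p_name;
  DBMS_OUTPUT.PUT_LINE('Matches: ' || l_count);
END;
/

-- Where an identifier (not a value) must be dynamic, bind variables do not
-- apply. Validate it with DBMS_ASSERT (Oracle 10g+) rather than concatenating
-- it raw; an invalid name raises ORA-44003 instead of running arbitrary SQL.
CREATE OR REPLACE PROCEDURE count_rows (p_table IN VARCHAR2) IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO l_count;
  DBMS_OUTPUT.PUT_LINE('Rows: ' || l_count);
END;
/

-- Constructed check: the safe version handles the apostrophe as data,
-- while the vulnerable version fails with a syntax error on the same input.
BEGIN
  get_employee_safe('O''Brien');
END;
/
```

Running the vulnerable procedure with the same `O'Brien` argument is the quickest way to see why a scanner reports it: the statement no longer parses, which is the symptom a fuzzer keys on.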
"FuzzOr is a useful tool in helping unearth exploitable
vulnerabilities and plugging database security holes against malicious
activities," Oracle security expert Pete Finnigan said in a statement.
"Traditional source code analysis tools are lacking in their
availability for Oracle PL/SQL and this tool nicely fills the gap for
testing your own PL/SQL or that of your application vendor."