However, the fact that we're talking about an open-source database gives a sneaky twist to what should be a simple issue of password policy-setting or vulnerability scanning. As pointed out to me in a recent conversation with AppSec's Ted Julian, vice president of marketing, open-source software such as MySQL has the potential to get into an enterprise casually, since it's free and can be readily downloaded. Many MySQL instances tend to be local, organic ones. As such, IT departments have little to no awareness they exist, Julian said.

Not that every MySQL downloader is oblivious to the need for strong passwords. Jason Bailey, a network engineer and Web developer who works at a small-town newspaper in Utah, uses MySQL to house data that powers the paper's Web site, a typical use for MySQL. Bailey's employer uses a Windows 2003 server running MySQL, but it's a slave server, used as backup, as opposed to being always active. Bailey hasn't had issues with MySQL on Windows security, but he uses the database almost exclusively for Web applications. Over 80 percent of connections to the MySQL daemon are from the local host, he told me.

When it comes to organic adoption of MySQL within networks, a small outfit such as Bailey's newspaper employer doesn't have much of an issue, but he and other users I've spoken with can certainly see the potential. "I can easily see that being the case in some of the large networks in our area (ISPs, college networks, etc.), who are barely opening up to the idea of open-source database technology," he wrote in an e-mail exchange. "Large networks, at least in our area, are slower to embrace open-source databases. The lack of high licensing and usage fees is alluring, but many are afraid the open-source equivalents won't hold up or aren't robust enough."

Thus, because they're too timid to open the front door to open-source databases, enterprises find databases slip in through the back door. Because of casual download, it's very likely that there are more inexperienced MySQL users than users of expensive, heavily IT-regulated commercial databases.
"There could be shops that are very well hardened on the SQL Server front that could have been surprised just because of the database they targeted," Julian said.