By Lisa Vaas  |  Posted 2003-09-19

The use of PUBLIC is both a feature and a weakness, agreed Nancy Malpass, an Oracle DBA at Interstate Batteries System of America Inc., in Dallas, Texas. "The Public schema, synonyms, and public packages are necessary. Often they are the mechanism that software vendors use to deploy their software on an Oracle database platform," she said. Because application vendors don't develop to a specific platform, they rely, for example in installation scripts, on creating public names for their tables rather than building and managing finer-grained database security. Hence, "public" gets used often by software vendors so users of the application can use the database, she said. "That's one of the features of the database. It's 'open.' You can create a PL/SQL package, you can then grant access to anybody to run it. ... But if you have third-party applications in your Oracle databases, it's a problem you have to deal with, and you have to rely on application security built into the third-party application."
Davidson admitted, during the panel, that public is a problem that Oracle is dealing with. But the Redwood Shores, Calif., company has been locking default configurations down further and further with each iteration, she said, and continues to look for ways to lock it down further.
Default accounts, used to install schemas and objects and to allow access to certain features, are reasonably easy to eliminate. Default privilege grants, on the other hand, are tough to get rid of, since they grant privileges to "public" users in partner products or custom applications. 9i's database creation wizard locks some down but still leaves eight open if the GUI database creation tool is used. Six more default grants have been shut down in 10g, Davidson said, and Oracle is working to pin more down.

Why are databases shipped with default accounts in the first place? Because of issues with backwards compatibility, the complexities of shutting something down without breaking something else, and the difficulty of yanking rights away from customers who are used to them, Davidson said. "You can't do it instantaneously," she said. "Because of bootstrap and backwards compatibility, as a DBA, you just can't say, 'Oh, by the way, when you update, the Connect As DBA syntax doesn't work anymore.' That's the next big area in general for industry—secure by default. Partly it's the issue of dependencies, partly it's the inability to please all user groups at once, partly not everybody knows how everybody uses their products."

Another factor is the number of software vendors who rely on the drug-addict model, she said. In that scenario, software sellers roll out the red carpet to get developers hooked on their software. "They encourage people to have fun with demo scripts, and you have accounts open and sample Java pages to see the cool things you can do on their product," Davidson said. "You get the development community hooked and you want to make it easy on them. Then when people go into production, they want everything locked down. The challenge is that vendors can't have one size fits all."
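As an added example (not from the article, and not Oracle's or any vendor's own script), the vendor-install pattern Malpass describes, followed by the audit and tightening a DBA would run against the default grants Davidson discusses. The schema, package, role and account names (VENDOR_APP, ORDER_API, ORDER_API_USER, APP_USER, DEMO_ACCOUNT) are assumptions; the catalog views are standard Oracle data-dictionary views.

```sql
-- Constructed example. Names in VENDOR_APP / ORDER_API / APP_USER /
-- DEMO_ACCOUNT are hypothetical; the DBA_* views are Oracle's own.

-- 1. What a vendor install script typically does: a public synonym so the
--    table is reachable by an unqualified name from any schema, and EXECUTE
--    on a package granted to PUBLIC so no per-user grants are needed.
CREATE PUBLIC SYNONYM orders FOR vendor_app.orders;

CREATE OR REPLACE PACKAGE vendor_app.order_api AS
  PROCEDURE place(p_customer IN NUMBER, p_amount IN NUMBER);
END order_api;
/
GRANT EXECUTE ON vendor_app.order_api TO PUBLIC;

-- 2. Audit: object privileges every connected account inherits via PUBLIC.
--    Filtering out SYS/SYSTEM-owned objects isolates what third-party
--    installs and in-house scripts added on top of Oracle's defaults.
SELECT owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name;

-- System privileges and roles granted to PUBLIC; both lists should be empty.
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'PUBLIC';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- Accounts still open, oldest first: default and sample accounts created at
-- install time sort to the top.
SELECT username, account_status, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY created;

-- 3. Tighten: replace the blanket PUBLIC grant with a role held only by the
--    application's own account, then lock an unused default account.
--    As the article notes, the application may depend on the PUBLIC grant,
--    so revoke in a test instance first and watch for ORA-00942/ORA-06550
--    errors from the application before doing the same in production.
REVOKE EXECUTE ON vendor_app.order_api FROM PUBLIC;
CREATE ROLE order_api_user;
GRANT EXECUTE ON vendor_app.order_api TO order_api_user;
GRANT order_api_user TO app_user;

ALTER USER demo_account ACCOUNT LOCK PASSWORD EXPIRE;
```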

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
