Oracles Secure, but Rest of World Isnt

By John Taschek  |  Posted 2002-02-04 Print this article Print

"Unbreakable" is the tag line for the newest version of the Oracle9i database.

"Unbreakable" is the tag line for the newest version of the Oracle9i database. Whether the name is derived from the good but misunderstood movie about a reluctant superhero with a fear of drowning or is just a marketing term conjured up to inspire hackers to beta test Oracles security scheme, Oracle is intensely interested in protecting your data.

In fact, Oracle has three chiefs that are charged with some facet of security—a chief privacy officer, a chief hacking officer and a chief security officer, who said she has "the best job in the world." Im sure Mary Ann Davidson—the chief security officer—would change her mind if she ever got the chance to work at eWeek.

It appears that Oracle takes data security seriously. One way the company does this is through third-party evaluations, a costly and lengthy process in which an organization audits products to ensure they are as secure as the company claims they are. Oracle has had 14 of these evaluations, although none are associated with the "unbreakable" 9i.

No 9i evaluation? Davidson said Oracle mainly submits "terminal" versions of products for review because those tend to be the most popular and because Oracle doesnt want to have to submit each point release update of the product to a process that could cost $500,000 (not including Oracle personnel costs) and a year to do.

Meanwhile, IBMs DB2 apparently has undergone none of these evaluations, and Microsoft has had only one. It appears that IBM treats security mainly as a service enhanced by a few product offerings, notably in the Tivoli camp. Microsoft, meanwhile, treats security as a process, and it delivers procedures for helping customers defend against attacks.

Thats the culture of these companies. But Oracle is using its evaluations to establish a culture of security within the organization. Thats why Oracles chief security officer is part of the development team. However, these evaluations are also helpful and will be necessary for winning government contracts.

On the flip side, Oracle is just one small part of a bigger equation. Does it matter if your database is locked down, impenetrable and unbreakable, if your front-end Web site is wide open?

By the way, 15 times more hack attempts against Oracle have occurred since the "unbreakable" campaign began. I suspect well see soon how Oracles security is holding up.

Is Oracle unbreakable? Write to me at

As the director of eWEEK Labs, John manages a staff that tests and analyzes a wide range of corporate technology products. He has been instrumental in expanding eWEEK Labs' analyses into actual user environments, and has continually engineered the Labs for accurate portrayal of true enterprise infrastructures. John also writes eWEEK's 'Wide Angle' column, which challenges readers interested in enterprise products and strategies to reconsider old assumptions and think about existing IT problems in new ways. Prior to his tenure at eWEEK, which started in 1994, Taschek headed up the performance testing lab at PC/Computing magazine (now called Smart Business). Taschek got his start in IT in Washington D.C., holding various technical positions at the National Alliance of Business and the Department of Housing and Urban Development. There, he and his colleagues assisted the government office with integrating the Windows desktop operating system with HUD's legacy mainframe and mid-range servers.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel