Oracle Apps Track DB Weaknesses

By Brian Fonseca  |  Posted 2003-12-15

Oracle Corp.'s warning of a major vulnerability in its enterprise DBMS has placed database security under the microscope and led some customers to consider the role of third-party developers for database auditing and vulnerability assessment needs.

Less than four months after Microsoft Corp.'s SQL Server database management system was slammed by the second worm this year, Oracle early this month alerted its customers to an Open Secure Sockets Layer (OpenSSL) protocol vulnerability in its database and application server software.

Database experts say database administrators may rely more heavily on third-party developers such as IPLocks Inc. and Lumigent Technologies Inc. to augment database security controls.

IPLocks, of San Jose, Calif., plans to release its IPLocks-DSAS (Database Security Audit System) cross-platform database monitoring tool next month. The product features predefined DBMS rules that help pinpoint data corruption, malicious acts and security policy violations in a database. It then sends alerts, officials said.

IPLocks-DSAS can institute regulatory policy compliance and discover if available patches have been installed.

Lumigent, through its Entegra software, provides auditing capabilities at the database level without using triggers. Entegra works in SQL Server environments now, but the Acton, Mass., company plans to release an Oracle-supported version next year, officials said.

Tim O'Pry, who uses Entegra for data auditing, said he appreciates outside options that help secure his databases. "Do I think there should be better security monitoring and integration within a product like SQL Server?" asked O'Pry, chief technology officer at GW Henssler & Associates Ltd., in Marietta, Ga. "Sure, but [there's] not, so that's the great thing about third-party products ... to fill the gaps."

Oracle issued a patch for the OpenSSL vulnerability, which could allow a remote hacker to gain access privileges or launch a denial-of-service attack from Oracle data management software. Some DBAs voiced concern that two months passed between the original OpenSSL disclosure and Oracle's warning. Mary Ann Davidson, chief security officer for Oracle, in Redwood Shores, Calif., called the flaw "the worst case in terms of affecting everything," including multiple product versions, and said patching required intensive regression testing. Oracle is working with unnamed third-party vendors to harden its products upon installation, in areas such as automating checks on best practices and better tools for root-cause analysis, she said.
