Oracles Secure, but Rest of World Isnt

 
 
By John Taschek  |  Posted 2002-02-04
 
 
 

"Unbreakable" is the tag line for the newest version of the Oracle9i database. Whether the name is derived from the good but misunderstood movie about a reluctant superhero with a fear of drowning or is just a marketing term conjured up to inspire hackers to beta test Oracles security scheme, Oracle is intensely interested in protecting your data.

In fact, Oracle has three chiefs that are charged with some facet of security—a chief privacy officer, a chief hacking officer and a chief security officer, who said she has "the best job in the world." Im sure Mary Ann Davidson—the chief security officer—would change her mind if she ever got the chance to work at eWeek.

It appears that Oracle takes data security seriously. One way the company does this is through third-party evaluations, a costly and lengthy process in which an organization audits products to ensure they are as secure as the company claims they are. Oracle has had 14 of these evaluations, although none are associated with the "unbreakable" 9i.

No 9i evaluation? Davidson said Oracle mainly submits "terminal" versions of products for review because those tend to be the most popular and because Oracle doesnt want to have to submit each point release update of the product to a process that could cost $500,000 (not including Oracle personnel costs) and a year to do.

Meanwhile, IBMs DB2 apparently has undergone none of these evaluations, and Microsoft has had only one. It appears that IBM treats security mainly as a service enhanced by a few product offerings, notably in the Tivoli camp. Microsoft, meanwhile, treats security as a process, and it delivers procedures for helping customers defend against attacks.

Thats the culture of these companies. But Oracle is using its evaluations to establish a culture of security within the organization. Thats why Oracles chief security officer is part of the development team. However, these evaluations are also helpful and will be necessary for winning government contracts.

On the flip side, Oracle is just one small part of a bigger equation. Does it matter if your database is locked down, impenetrable and unbreakable, if your front-end Web site is wide open?

By the way, 15 times more hack attempts against Oracle have occurred since the "unbreakable" campaign began. I suspect well see soon how Oracles security is holding up.

Is Oracle unbreakable? Write to me at john_taschek@ziffdavis.com.

Rocket Fuel