It used to be, an Oracle database would ship ready to run on one port. You'd lock that one port down, and you'd be reasonably secure. Nowadays, all bets are off, as vendors crank up feature sets and complexity skyrockets.
A recently reported, high-level Oracle security vulnerability underscores this problem. This particular vulnerability, which has to do with SSL (Secure Sockets Layer), affects certain releases of Oracle9i Database Server, Oracle8i Database Server, Oracle9i Application Server and Oracle HTTP Server.
If Oracle9i is vulnerable, 10g is guaranteed to have holes, security experts say. While vendors such as Oracle are balancing increasingly complex iterations with ever more security features in order to manage security more granularly, it's still harder to manage security. As you have more and more features, there are more opportunities for more security holes to pop up, as fewer and fewer people in the data center understand what all those moving parts do. "Today, there's a dozen services running on a dozen ports," said Aaron Newman, CTO and co-founder of Application Security Inc. "Most people don't understand what those ports do."
So how will Oracle be addressing the potential for security leaks? I went to Oracle Chief Security Officer Mary Ann Davidson to get the answer. Between addressing the National Cyber Security Summit last week, presenting at the Infosecurity 2003 show in New York this week, and grappling with new Oracle security vulnerabilities announced this week, she managed to squeeze in some time to answer, and here's what she had to say.