Security researchers Mark and David Litchfield have spent much of the last few years poring over lines of code looking for vulnerabilities in enterprise applications, specifically Oracle Corp.'s databases. Now the brothers, co-founders of Next Generation Security Software Ltd., are working on a solution to help defend Oracle's database products.
NGSS is developing a firewall designed to protect Oracle databases, which are among the most popular and widely deployed in the world. The solution will act as an IPS (intrusion prevention system) capable of blocking attacks against known and unknown vulnerabilities in Oracle servers.
While investigating flaws in Oracle products, the Litchfields found dozens of vulnerabilities, making that work a logical starting point for their database protection efforts.
Indeed, NGSS has submitted more than 30 vulnerability reports to Oracle that the vendor is still patching. But NGSS also plans to release versions of the new product, known as Dbfw, for IBM's DB2 database and Microsoft Corp.'s SQL Server.
“We're very excited about this product,” said David Litchfield, managing director of NGSS. “We placed a default install of Oracle9i behind Dbfw and couldn't break it. Without Dbfw, I could use one of about 80 different ways to break into the database server. But with Dbfw in place, not a single attack got through.
“What's even more exciting is that all of the security bugs we're currently waiting on Oracle to fix were stopped by Dbfw, and Dbfw was written before we even knew about the flaws.”
NGSS has not yet specified a release date for the first version of Dbfw. The Litchfields said they are trying to improve the speed of the solution so that it does not affect query times of the protected databases.