Timing, as they say, is everything. As the furor over Oracle Corp.s new Unbreakable ad campaign grows, Application Security Inc. this week introduced a new version of its AppDetective, a security scanner designed to look for vulnerabilities in Oracle databases.
Oracle, the Redwood Shores, Calif., database software maker, lately has been running a print advertising campaign that boasts its new Oracle9i is impervious to attacks. The “Cant break it. Cant break in” tag line understandably has attracted quite a bit of attention from both crackers and the legitimate security community.
Critics say the claims of impenetrability are not only reckless but also virtually impossible to prove. Attackers, meanwhile, have turned their attention toward Oracles own network as well as others with 9i back ends.
Into this fray comes Application Security and Version 2.0 of its AppDetective for Oracle. The product is billed as an application-security scanner that is designed to perform penetration tests and vulnerability assessments against Oracle software.
AppDetective assesses the databases security posture and reports to the administrator the version number, patches applied, operating system type and other information.
The New York-based company said that even security-ignorant users can perform penetration tests and security audits over the Internet with AppDetective.
“Oracle provides a rich set of security features, but claiming that it is unbreakable gives database administrators a false sense of security,” said Aaron Newman, chief technology officer of Application Security. “Even the most vigilant administrators dont have the time and resources to properly lock down their Oracle databases.”
Oracle officials have defended their security claims by saying that the “Unbreakable” label refers to the numerous independent security certifications the software has achieved.
But that distinction is largely irrelevant to crackers who have plenty of time on their hands and are always looking for new targets. Security mailing lists have been flooded in recent weeks with discussions of Oracle vulnerabilities and potential exploits and attacks.