Oracle Drives Security Deeper

Oracle readies security tools to help lock down database systems.

Oracle Corp. is developing several security tools to help users of the companys software find vulnerabilities and lock down their systems.

The tools, which will be released over the next several months, are part of an effort by the company to extend its security commitment to customers beyond simply writing secure code and shipping software in a secure configuration, company officials at the Gartner IT Security Summit here said.

The first tools due are scanners of sorts that pore over customer installations and assess which patches have been installed and which still need to be applied, according to Mary Ann Davidson, chief security officer at Oracle, based in Redwood Shores, Calif. The technology will look for all software updates—not just security patches—although it will likely flag missing security fixes differently from other updates.

Oracle officials said they hope to have the technology ready this year. The assessment tool is just one in a series of technologies that Oracle will release as part of its plan to make security simpler and less time-consuming.

"We try to ship our products secure by default, but we should have better wizards for that," Davidson told eWEEK. "Reading five pages of documentation to lock something down is too much."

To address that, Oracle is also at work on an auto-hardening tool that will help administrators identify unneeded services and common configuration mistakes.

While the details of this technology are being worked out, the tool will be able to look for database services that are used by attackers and warn admins that services should be turned off if not used often.

The tool also will be able to find configuration problems that can lead to vulnerabilities that might be exploited. Davidson estimated the tool will be ready in nine months to a year.

The work is an extension of the companys much- publicized campaign to emphasize the security of its products. The effort, which claimed the Oracle database software is "unbreakable," put the spotlight on Davidson and her security team.

Oracle is not the first software maker to see the need for these types of tools. Microsoft Corp. has had similar technologies available for some time. In fact, the Redmond, Wash., company last week released a new version of its Baseline Security Analyzer tool, which scans for common security misconfigurations.

Oracle plans to provide the new tools to users for free. Customers say there is a definite need for the tools the company is developing.

"Oracle has evolved into one of the most flexible databases, and the number of configurations is almost endless," said Don Burleson, CEO of Burleson Oracle Consulting, in Raleigh, N.C., and an Oracle expert. "Oracle has one of the best security models in the world, but the challenge is up to the administrator to make sure the configuration is optimal."