Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.

Larry Greenemeier, Contributor

March 4, 2006

3 Min Read
InformationWeek logo in a gray background | InformationWeek

Rencken acknowledges that it took time to learn how to best communicate with Oracle, but since figuring that out, interactions have been smooth. Welch has an ace in the hole: a database administrator who used to work for Oracle and understands its patch process. Welch keeps in close contact with the vendor and even has an Oracle employee on its IT steering committee. Support for Oracle products consists of three in-house database administrators and contracted help from an offshore Oracle support center.

Rencken saves his worrying for wireless communications devices placed in the hands of Welch employees. A cell phone left in a taxi creates the opportunity for someone to access Outlook and other important data. Spyware and E-mailed viruses are another general security concern as they threaten to harm the company's network and snatch important information through key-logging programs. Back-end infiltration into databases, while a serious problem if it happens, is less of a priority because it's perceived as less likely as long as Oracle continues to patch vulnerabilities, Rencken says.

strong>Inside Job

Oracle's Edge Database security technology doesn't protect well against insider threats, particularly when the person looking to steal data or damage a database has access privileges. Administrators and users must be held accountable for their access privileges, says Bob Blakley, IBM Tivoli's chief scientist for security and privacy. "It's conceivable to break into a database from the outside, but why would you do that when you can place an employee inside a company and attack from within?" Identity management plays a key role in Campus EAI's security strategy by identifying system users and defining the information they're permitted to access. This is a layer above the database but no less important than the technology used to secure the database. In fact, it's more reasonable to expect someone to try to steal or access sensitive data by escalating their access privileges than by forcibly hacking the database. "Generally speaking, databases are very difficult to attack," MacPherson says. "They're the most secure aspects in a network." Identity management's importance can't be underestimated. "You can secure the heck out of the database, doing table-level auditing and locking down fields," he says, "but how do you secure the data once it leaves the database?" Managing Identity A lot of progress in improving the security of applications and data will come from improving the quality of the underlying code. Oracle since December has been using Fortify Software's Source Code Analysis software to analyze Oracle's app server, collaboration suite, database server, and identity management software for potential vulnerabilities as new versions are built. Fortify Software's Source Code Analysis looks for areas of code that would be vulnerable to attack. It sits on a company's application development build server, which developers use to compile their code, scans the code, and alerts developers about potential problems. Oracle's Davidson would like to see a "revolution" in IT, where software engineers are certified the way structural and other engineers are certified. "Programming needs to grow up as a profession," she says. "If you're going to build a building, you need to certify your plans. Software is an infrastructure just like a building is." It's time to realize that databases and other software are becoming even more important than any structure as information becomes today's most important currency. Continue to the sidebar:
Locked Up Tight

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights