Oracle Security Under Scrutiny - InformationWeek

3/3/2006
05:00 PM

Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.

Rencken acknowledges that it took time to learn how to best communicate with Oracle, but since figuring that out, interactions have been smooth. Welch has an ace in the hole: a database administrator who used to work for Oracle and understands its patch process. Welch keeps in close contact with the vendor and even has an Oracle employee on its IT steering committee. Support for Oracle products consists of three in-house database administrators and contracted help from an offshore Oracle support center.

Rencken saves his worrying for wireless communications devices placed in the hands of Welch employees. A cell phone left in a taxi creates the opportunity for someone to access Outlook and other important data. Spyware and E-mailed viruses are another general security concern as they threaten to harm the company's network and snatch important information through key-logging programs. Back-end infiltration into databases, while a serious problem if it happens, is less of a priority because it's perceived as less likely as long as Oracle continues to patch vulnerabilities, Rencken says.

Inside Job

Oracle's Edge

Database security technology doesn't protect well against insider threats, particularly when the person looking to steal data or damage a database has access privileges. Administrators and users must be held accountable for their access privileges, says Bob Blakley, IBM Tivoli's chief scientist for security and privacy. "It's conceivable to break into a database from the outside, but why would you do that when you can place an employee inside a company and attack from within?"

Identity management plays a key role in Campus EAI's security strategy by identifying system users and defining the information they're permitted to access. This is a layer above the database but no less important than the technology used to secure the database. In fact, it's more reasonable to expect someone to try to steal or access sensitive data by escalating their access privileges than by forcibly hacking the database. "Generally speaking, databases are very difficult to attack," MacPherson says. "They're the most secure aspects in a network."

Identity management's importance shouldn't be underestimated. "You can secure the heck out of the database, doing table-level auditing and locking down fields," he says, "but how do you secure the data once it leaves the database?"

Managing Identity

A lot of progress in improving the security of applications and data will come from improving the quality of the underlying code. Oracle since December has been using Fortify Software's Source Code Analysis software to analyze Oracle's app server, collaboration suite, database server, and identity management software for potential vulnerabilities as new versions are built. Fortify Software's Source Code Analysis looks for areas of code that would be vulnerable to attack. It sits on a company's application development build server, which developers use to compile their code, scans the code, and alerts developers about potential problems.

Oracle's Davidson would like to see a "revolution" in IT, where software engineers are certified the way structural and other engineers are certified. "Programming needs to grow up as a profession," she says. "If you're going to build a building, you need to certify your plans. Software is an infrastructure just like a building is." It's time to realize that databases and other software are becoming even more important than any structure as information becomes today's most important currency.

Continue to the sidebar:
Locked Up Tight
