Oracle Security Under Scrutiny - InformationWeek


As the number of vulnerabilities in its products grows, Oracle is on the defensive.

Rencken acknowledges that it took time to learn how to best communicate with Oracle, but since figuring that out, interactions have been smooth. Welch has an ace in the hole: a database administrator who used to work for Oracle and understands its patch process. Welch keeps in close contact with the vendor and even has an Oracle employee on its IT steering committee. Support for Oracle products consists of three in-house database administrators and contracted help from an offshore Oracle support center.

Rencken saves his worrying for wireless communications devices placed in the hands of Welch employees. A cell phone left in a taxi creates the opportunity for someone to access Outlook and other important data. Spyware and E-mailed viruses are another general security concern as they threaten to harm the company's network and snatch important information through key-logging programs. Back-end infiltration into databases, while a serious problem if it happens, is less of a priority because it's perceived as less likely as long as Oracle continues to patch vulnerabilities, Rencken says.

Inside Job

Oracle's Edge

Database security technology doesn't protect well against insider threats, particularly when the person looking to steal data or damage a database has access privileges. Administrators and users must be held accountable for their access privileges, says Bob Blakley, IBM Tivoli's chief scientist for security and privacy. "It's conceivable to break into a database from the outside, but why would you do that when you can place an employee inside a company and attack from within?"

Identity management plays a key role in Campus EAI's security strategy by identifying system users and defining the information they're permitted to access. This is a layer above the database but no less important than the technology used to secure the database. In fact, it's more reasonable to expect someone to try to steal or access sensitive data by escalating their access privileges than by forcibly hacking the database. "Generally speaking, databases are very difficult to attack," MacPherson says. "They're the most secure aspects in a network."

Identity management's importance shouldn't be underestimated. "You can secure the heck out of the database, doing table-level auditing and locking down fields," he says, "but how do you secure the data once it leaves the database?"

Managing Identity

A lot of progress in improving the security of applications and data will come from improving the quality of the underlying code. Since December, Oracle has been using Fortify Software's Source Code Analysis software to analyze its app server, collaboration suite, database server, and identity management software for potential vulnerabilities as new versions are built. The tool looks for areas of code that would be vulnerable to attack. It sits on a company's application development build server, which developers use to compile their code; there it scans the code and alerts developers to potential problems.

Oracle's Davidson would like to see a "revolution" in IT, where software engineers are certified the way structural and other engineers are certified. "Programming needs to grow up as a profession," she says. "If you're going to build a building, you need to certify your plans. Software is an infrastructure just like a building is." It's time to realize that databases and other software are becoming even more important than any structure as information becomes today's most important currency.
