[VIDEO] Where Are Database Threats Today?
Amichai Shulman, CTO of Imperva, explains why SQL injection is not a database threat and discusses the current state of Oracle database patching.
Database attacks take many different forms and are among the toughest threats facing IT security organizations. Security vendor Imperva has multiple technologies to help protect databases. CTO Amichai Shulman, who helps lead Imperva's efforts, is no stranger to the world of database security -- and in particular, Oracle database security.
In a video interview with eSecurityPlanet, Shulman discusses his role at Imperva and the technologies his firm develops. "Web application firewall is a big part of [our business] and database activity monitoring is another big part of it," he said.
One of the most commonly cited types of database attacks is SQL injection. In a SQL injection attack, the attacker injects a SQL query into a given application in an attempt to get unauthorized access to data.
"I don't think that SQL injection is a database threat. I think that SQL injection is an application layer threat," Shulman said, adding that organizations should block SQL injection at the application layer.
Shulman argues that a Web application firewall (WAF) is the right layer of protection against SQL injection. He also believes database activity monitoring software must be in place to mitigate potential security risks, including attacks by malicious and compromised insiders.
Oracle Database Security
Oracle database security is a particular area of expertise for Shulman, who has been tracking and exposing Oracle database vulnerabilities for over a decade. Those vulnerabilities, however, are not necessarily big risks for enterprises and data centers.
"I don't think I've seen a single breach that is making use of those vulnerabilities," Shulman said. "We have seen many database breaches and they were all using existing privileges."
Oracle patches its database on a regular basis with its quarterly Critical Patch Update (CPU) cycle. In Shulman's view, Oracle is doing a great job at improving its security patching process, though there is still some room for improvement.
"I still think that they (Oracle) can disclose more information about vulnerabilities to their customers in order to allow for proper risk assessment," he said, adding that the current Oracle threat metrics do not provide enough detail.
"What does it tell you? It (the vulnerability) is critical," Shulman said. "Why? because we said so."
In Shulman's view, it's not known whether the total number of patched Oracle database vulnerabilities is in fact the total number of vulnerabilities that need to be patched.
"Does the number of patched vulnerabilities reflect the actual number of vulnerabilities in the product? I don't know, who knows?," Shulman said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.