Does Oracle's Database Need More Security?
At least two third-party security vendors think so.
Four times a year Oracle releases its Critical Patch Update (CPU), which often reveals database flaws numbering in the double digits. But for users who want to take additional steps to secure their Oracle databases, rather than wait for the quarterly CPU, there are other options.
This week, database security vendor Sentrigo will release an update to Hedgehog, a security solution that defends against unauthenticated attacks launched against Oracle databases.
According to Slavik Markovich, founder and CTO of Sentrigo, many of the SQL injection attacks and other attacks that exploit vulnerabilities in Oracle don't require user authentication.
"Hedgehog comes with a set of predefined rules that address many such vulnerabilities, and provide virtual patching with no need for downtime. The rules can trigger alerts or terminate the suspicious sessions, depending on the type of vulnerability and user preference."
In the latest release of Hedgehog, Sentrigo has added new action scripts that further expand database defenses. Markovich said Hedgehog rules previously triggered one or more of several predefined actions: issue an alert, send e-mail, write to log, or terminate user session.
"We've now added action scripts to those triggered actions, so that customers can use a rule to run their own script that would do whatever they wish to do -- for example send a text message to someone, run a backup, shut down applications, print out a report."
Sentrigo has also added features allowing users to tag rules and databases. Markovich said there are several dimensions along which enterprises may find it useful to categorize databases and rules for security and compliance purposes.
For instance, there may be a set of rules intended to protect against privileged user access. They will have certain characteristics in terms of the types of statements, database objects and access methods they apply to, and may send alerts to a person outside the IT organization or database group.
Some of the same rules may also be applicable to Sarbanes-Oxley compliance or PCI-DSS, the credit-card industry's data-security standard. This is why tagging is more useful than simple categorization. A specific rule may be tagged as "privileged user access," "PCI DSS" and "SOX."
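To make the rule, action and tagging model described above concrete, here is an added example (not Hedgehog's code or API; every field and rule name is a constructed assumption): rules match statements, fire predefined actions or a customer-supplied action script, and carry several tags so one rule can be listed under "privileged user access", "PCI DSS" and "SOX" at once.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed model of a host-based database rule set. The Statement and
# Rule fields are assumptions for illustration only, not a vendor schema.

@dataclass
class Statement:
    user: str
    privileged: bool      # session runs with DBA-level privileges
    authenticated: bool   # False for a pre-authentication request
    sql: str
    objects: List[str]    # database objects the statement touches

@dataclass
class Rule:
    name: str
    matches: Callable[[Statement], bool]
    actions: List[str]    # predefined: alert, email, log, terminate, script
    tags: Set[str] = field(default_factory=set)
    script: Optional[Callable[[Statement], str]] = None  # custom action script

def evaluate(rules: List[Rule], stmt: Statement) -> List[Tuple[str, str]]:
    """Return (rule name, action) pairs fired for one statement.
    A 'terminate' action ends the session, so evaluation stops there."""
    fired = []
    for r in rules:
        if not r.matches(stmt):
            continue
        for a in r.actions:
            if a == "script" and r.script is not None:
                fired.append((r.name, "script:" + r.script(stmt)))
            else:
                fired.append((r.name, a))
            if a == "terminate":
                return fired
    return fired

def rules_tagged(rules: List[Rule], tag: str) -> List[str]:
    """Tag lookup: one rule may appear under several tags."""
    return [r.name for r in rules if tag in r.tags]

RULES = [  # constructed sample rules
    Rule("unauthenticated-ddl",
         lambda s: not s.authenticated
         and s.sql.lstrip().upper().startswith(("CREATE", "ALTER", "DROP")),
         ["alert", "terminate"], {"virtual patch"}),
    Rule("privileged-read-cardholder",
         lambda s: s.privileged and "CARDHOLDER" in s.objects,
         ["alert", "script"], {"privileged user access", "PCI DSS", "SOX"},
         script=lambda s: "notify-compliance " + s.user),
]
```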
Though the need for database security may seem obvious in light of the number of flaws that Oracle reports in its CPUs, there have been barriers to the adoption of Sentrigo's solution.
Markovich said Sentrigo's approach is host-based, which gives it an advantage in protecting against privileged users and sophisticated attacks using stored procedures.
"Historically, host-based systems used native DBMS auditing capabilities, which hurts database performance and has given this approach a bad name," Markovich said. "While Sentrigo's Hedgehog sensors do not use DBMS audit mechanisms at all, and the impact on performance is negligible, it takes some educating of prospects to convince them."