Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Oracle Security is GOOD enough?
(Message started by: Pete Finnigan on Jul 7th, 2008, 7:14am)

Title: Oracle Security is GOOD enough?
Post by Pete Finnigan on Jul 7th, 2008, 7:14am
Hi All,

please share your point of view about Oracle security at this moment.

In my opinion, I see less Oracle Security vulnerabilites in the newer Oracle version and less persons researching about Oracle Security (because Oracle is good now).

Oracle security getting better by time so no need to care about Oracle Security anymore, it's right ?


Regards.

Title: Re: Oracle Security is GOOD enough?
Post by Pete Finnigan on Jul 7th, 2008, 9:35am
Hi vpv,

You have to ask yourself: why do security leaks occur in Oracle databases:
- Because of passwords (on privileged accounts) that lack complexity and which are never changed.
- Because an application with SQL injection leaks connects to the database with an over-privileged account.
- Because the DBA thought it kinda easier to grant every object privilege to PUBLIC.
- Because the database runs an old version that is never updated (nor CPUs are applied), because you should never change a running system.
- etc. etc.
- or: because Oracle has a vulnerability in the dbms_obscurity package that allows to shutdown the database in certain occasions on certain platforms.

I'm betting that most organisations suffer more from  problems like the first four (many variations exist). So Oracle isn't per definition secure after applying the latest patch. A lot depends on work done by the DBA and developers.

Try Project Lockdown (http://www.oracle.com/technology/pub/articles/project_lockdown/index.html) for a better start towards Oracle security.

Title: Re: Oracle Security is GOOD enough?
Post by Pete Finnigan on Jul 8th, 2008, 4:56am
Hi Marcel-Jan,

Agree with you that most vulnerabilities listed existing in the Production Database.

We can clasify the Oracle vuls by two type:
1. Oracle Software vuls: weak PL/SQL packages ... (Update lastest patch can solved this; less vuls in Oracle 10.2.0.3 and 11g, and will be near zero in the next release, hope this :-) )

2. Misusing of Oracle Database: weak  password, configurations, coding. (GOOD DBA or Developer can solved this partly, not all)

But in my expierience, Customer who using Oracle product just pay attention in Oracle Security when they see more vulnerabilites in Oracle Software, seem they really not care much about Misusing of Oracle Database.

One thing that cause me thinking that Oracle is GOOD enough at this time and future is not see more public vulns or frequently posted news in David, Alex or Pete blog during several months.

Regards.

Title: Re: Oracle Security is GOOD enough?
Post by Pete Finnigan on Jul 12th, 2008, 7:47pm
Hi Vpv and Marcel-Jan,

Nice post and answer by Marcel-Jan; I think that there are two answers to this point vpv. The first is that the database software itself is getting better with later versions in regards to vulnerabilities etc. Thats fine and is commendable for Oracle.

The second issue for me is that the CPU application doesnt fix security. In my opinion the CPU/Security patch and therefore bugs actually in the software is a smaller part of the overall security of the database, maybe 20% - 30% and at the end of the day we can either patch or not. If someone finds a bug there are enough vendors now in the Oracle security space that many people will know how to exploit the issues so applying CPU's is important.

The other 70% of security and in my experience where most people / customers of Oracle fall down is around the configuration, data leakage, weak passwords, no network security at the Oracle level, excessive privileges.... and much much more. This is compounded by the fact that most people do default installs and install too much increasing the attack surface.

I dont know if there is one root cause but the issue for me is lack of understanding of database security or often lack of effort at all in this area, so most people have badly configured and managed databases.

So whilst you are right and I agree the software is getting better its also getting bigger and open by default and most do not do anything to close off the configuration so the state of most databases is not secure at all.

Its a complex subject and you certainly cannot ignore Oracle security based on better product/less vulns or lack of blog posts.

I think the upsurge in a large number of vendors in this space such as Sentrigo hedgehog shows that there is a major interest in securing data. regulatory issues such as PCI DSS 1.1, SoX, HIPPA and more also underscore this.

I give clues in my sparce blog posts as to why I dont make many, i.e. I am employed heavily in securing databases, I know Alex is the same and I suspect David as well. I think the lack of blog posts doesnt signify better security; it just means we are busy..:-)

nice post though and good comments

cheers

Pete



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board