There was a post on my Oracle Security forum a couple of weeks ago that i found very interesting and worthy of a note on this blog. A poster raised a good question "Oracle Security is GOOD enough?" :
please share your point of view about Oracle security at this moment.
In my opinion, I see less Oracle Security vulnerabilites in the newer Oracle version and less persons researching about Oracle Security (because Oracle is good now).
Oracle security getting better by time so no need to care about Oracle Security anymore, it's right ?"
This is an interesting question. Marcel-Jan added this response:
"You have to ask yourself: why do security leaks occur in Oracle databases:
- Because of passwords (on privileged accounts) that lack complexity and which are never changed.
- Because an application with SQL injection leaks connects to the database with an over-privileged account.
- Because the DBA thought it kinda easier to grant every object privilege to PUBLIC.
- Because the database runs an old version that is never updated (nor CPUs are applied), because you should never change a running system.
- etc. etc.
- or: because Oracle has a vulnerability in the dbms_obscurity package that allows to shutdown the database in certain occasions on certain platforms.
I'm betting that most organisations suffer more from problems like the first four (many variations exist). So Oracle isn't per definition secure after applying the latest patch. A lot depends on work done by the DBA and developers.
Try Project Lockdown (http://www.oracle.com/technology/pub/articles/project_lockdown/index.html) for a better start towards Oracle security."
The poster replied with:
"Agree with you that most vulnerabilities listed existing in the Production Database.
We can clasify the Oracle vuls by two type:
1. Oracle Software vuls: weak PL/SQL packages ... (Update lastest patch can solved this; less vuls in Oracle 10.2.0.3 and 11g, and will be near zero in the next release, hope this )
2. Misusing of Oracle Database: weak password, configurations, coding. (GOOD DBA or Developer can solved this partly, not all)
But in my expierience, Customer who using Oracle product just pay attention in Oracle Security when they see more vulnerabilites in Oracle Software, seem they really not care much about Misusing of Oracle Database.
One thing that cause me thinking that Oracle is GOOD enough at this time and future is not see more public vulns or frequently posted news in David, Alex or Pete blog during several months."
Then I had my go with the following:
"Nice post and answer by Marcel-Jan; I think that there are two answers to this point vpv. The first is that the database software itself is getting better with later versions in regards to vulnerabilities etc. Thats fine and is commendable for Oracle.
The second issue for me is that the CPU application doesnt fix security. In my opinion the CPU/Security patch and therefore bugs actually in the software is a smaller part of the overall security of the database, maybe 20% - 30% and at the end of the day we can either patch or not. If someone finds a bug there are enough vendors now in the Oracle security space that many people will know how to exploit the issues so applying CPU's is important.
The other 70% of security and in my experience where most people / customers of Oracle fall down is around the configuration, data leakage, weak passwords, no network security at the Oracle level, excessive privileges.... and much much more. This is compounded by the fact that most people do default installs and install too much increasing the attack surface.
I dont know if there is one root cause but the issue for me is lack of understanding of database security or often lack of effort at all in this area, so most people have badly configured and managed databases.
So whilst you are right and I agree the software is getting better its also getting bigger and open by default and most do not do anything to close off the configuration so the state of most databases is not secure at all.
Its a complex subject and you certainly cannot ignore Oracle security based on better product/less vulns or lack of blog posts.
I think the upsurge in a large number of vendors in this space such as Sentrigo hedgehog shows that there is a major interest in securing data. regulatory issues such as PCI DSS 1.1, SoX, HIPPA and more also underscore this.
I give clues in my sparce blog posts as to why I dont make many, i.e. I am employed heavily in securing databases, I know Alex is the same and I suspect David as well. I think the lack of blog posts doesnt signify better security; it just means we are busy.. "
I think that this is a very interesting question and a good discussion. My views as you can see above is that the database software itself is getting better, people (customers of Oracle) are starting to embrace the need to secure data in the database itself and there is starting to be a recognition that the products are complex and that most of the issues lie in the realms of configuration not with bugs. Of course Oracle could help us a lot by getting to the point of a "secure out of the box" product rather than the open by default product that caters more towards use and developers rather than security mongers like me.
The poster had an interesing conclusion, the fact that the product is getting better and the fact that known Oracle security bloggers post less should be a reason to ignore Oracle security because based on this its getting better. I hope that people take heed of this post and also do not take the same view as the poster otherwise we would have a data security problem. The conclusion would be (from this point of view) that if no one does research or blogs about the subject the database would be secure? - this unfortunately falls under the "ignorance is bliss" category.
What do other people think?, is Oracle security getting better? or is it good enough?