I was interested to read about the latest assault on Oracle security by database security expert David Litchfield of NGSS. It comes as no surprise to me, as the focus of attacks and security controls is progressively and inevitably migrating from the infrastructure layer to the application space. Databases are the new target, because today's attacks are criminally motivated and that's where the money is. So you can expect database vendors to come under increasing fire to tighten up their coding standards and product testing.
Of course the vendors already know this. I am regularly asked by application and database vendors what I think of their security. It often leads to a brief flurry of activity. But too often the response is a marketing initiative, rather than an attempt to transform their business processes. I guess that's to be expected. Most software companies are run by commercial people, not technology gurus or security visionaries. Microsoft eventually saw the light and transformed their priorities, training and product development processes. It cost them a lot of time and money. Now other software vendors must bite the same bullet. It's essential to meet today's business expectations. You can't avoid it. Even if the hackers don't get you first, the regulators will sooner or later put a gun to your customer's head.
Not that I'm pointing the finger at Oracle, because they do seem to have been raising their security game in recent years, and in fairness you should also check out Eric Maurice's response on his Oracle blog.
All of these legacy weaknesses in our databases and applications will take a long time to fix. So what can an organisation do to compensate for security inadequacies in their database applications? Well, I'm afraid the answer lies in more add-on point solutions. The latest must-have security product is the database firewall. It would be nice if such technology was incorporated into leading application and database software products, but that's some time away. In the meantime, if you're concerned about your database security, and you should be, then you should check out Secerno, a new technology start-up out of Oxford University, based on some very interesting intelligent monitoring software designed by Dr Steve Moyle, one of the leading UK experts on database security.