Does Oracle’s Database Need More Security?

Four times a year Oracle releases its Critical Patch Update (CPU), which often reveals database flaws numbering in the double digits. But for users who want to take additional steps to secure their Oracle databases, rather than wait for the quarterly CPU, there are other options.

This week, database security vendor Sentrigo will release an update to Hedgehog, a security solution that defends against unauthenticated attacks launched against Oracle databases.

According to Slavik Markovich, founder and CTO of Sentrigo, many of the SQL injection attacks and other attacks that exploit vulnerabilities in Oracle don’t require user authentication.

“Some of the vulnerabilities that were recently patched in the latest Oracle CPU belong to that group, and since many enterprises do not immediately
apply those CPUs and sometimes never apply them for various reasons, they
remain vulnerable,” Markovich told

“Hedgehog comes
with a set of predefined rules that address many such vulnerabilities, and
provide virtual patching with no need for downtime. The rules can trigger
alerts or terminate the suspicious sessions, depending on the type of
vulnerability and user preference.”

In the latest release of Hedgehog, Sentrigo has added new action scripts
that further expand database defenses. Markovich said
Hedgehog rules previously triggered one or more of several predefined actions: issue an alert, send e-mail, write to log, or terminate user session.

“We’ve now added action scripts to those triggered actions, so that
customers can use a rule to run their own script that would do whatever they
wish to do — for example send a text message to someone, run a backup, shut
down applications, print out a report.”

Sentrigo has also added features allowing users to tag rules and databases. Markovich said there are several dimensions along which enterprises may find it useful to categorize databases and rules for security and compliance purposes.

For instance, there may be a set of rules intended to protect against privileged user access. They will have certain characteristics in terms of the types of statements, database objects and access methods they apply to, and may send alerts to a person outside the IT organization or database group.

Some of
the same rules may also be applicable to Sarbanes-Oxley compliance or
PCI-DSS, the credit-card industry’s data-security standard. This is why
tagging is more useful than simple categorization. A specific rule may be
tagged as “privileged user access,” “PCI DSS” and “SOX.”

Though the need for database security may seem obvious in light of the
number of flaws that Oracle reports in its CPUs, there have been barriers to
the adoption for Sentrigo’s solution.

Markovich said Sentrigo’s approach is host-based, which gives it an advantage in protecting against privileged users and sophisticated attacks using stored procedures.

“Historically, host-based systems used native DBMS auditing
capabilities, which hurts database performance and has given this approach a
bad name,” Markovich said. “While Sentrigo’s Hedgehog sensors do not use
DBMS audit mechanisms at all, and the impact on performance is negligible,
it takes some educating of prospects to convince them.”

Sentrigo counts AppSec, Guardium and Imperva as competitors in the database security market. But Mark Kraynak, senior director of strategic marketing for Imperva, said the competition might not be so stiff.

Sentrigo is limited to support for a single database platform — Oracle — and
lacks the ability to address the needs of customers with heterogeneous
environments, he said. “In Imperva’s experience, nearly every enterprise customer has more than one database platform to address for security and compliance,” Kraynak told

Kraynak also argued that the Imperva SecureSphere technology takes a hybrid
approach that monitors database activity in the network and only uses a
light agent on the database server to monitor privileged activity that
happens on the database server itself.

Though using a technology solution may help to secure databases, there are
some basic items that can trigger database insecurity. An example, Markovich said, is the use of default usernames and passwords.

“Suffice it to say that there are still many options within Oracle that, if not
configured properly, present serious gaps in security.”

News Around the Web