Database Journal
Posted April 28, 2014

[VIDEO] Where Are Database Threats Today?

By Sean Michael Kerner

Database attacks take many forms and are among the toughest threats facing IT security organizations. Security vendor Imperva sells several technologies aimed at protecting databases. CTO Amichai Shulman, who helps lead Imperva's efforts, is no stranger to the world of database security, and in particular to Oracle database security.

In a video interview with eSecurityPlanet, Shulman discusses his role at Imperva and the technologies his firm develops. "Web application firewall is a big part of [our business] and database activity monitoring is another big part of it," he said.

One of the most commonly cited types of database attack is SQL injection. In a SQL injection attack, the attacker supplies input that the application concatenates into a SQL statement without separating data from code, so the attacker's text is parsed as part of the query and can change what it does, typically to read or modify data the application never meant to expose.

"I don't think that SQL injection is a database threat. I think that SQL injection is an application layer threat," Shulman said, adding that organizations should block SQL injection at the application layer.

Shulman argues that a Web application firewall (WAF) is the right layer of protection against SQL injection. He also believes database activity monitoring software must be in place to mitigate the remaining risks, including malicious insiders and compromised insider accounts, which a WAF does not see.
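The injection described above, and the application-layer fix Shulman argues for, as an added example that is not from the article and is not Imperva's code: a login lookup built by string concatenation beside the same lookup with bound parameters, both run against a constructed in-memory SQLite table. The users table, its credentials and the two payloads are assumptions made for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]

# Two classic payloads: the first comments out the password check,
# the second turns the WHERE clause into a tautology.
PAYLOAD_COMMENT = ("alice' --", "wrong-password")
PAYLOAD_TAUTOLOGY = ("' OR '1'='1", "' OR '1'='1")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Builds the statement by concatenation: user input is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Uses placeholders: the driver binds the input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run both implementations against the same payloads and a legitimate login."""
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, *PAYLOAD_COMMENT),
        "vuln_tautology": sorted(login_vulnerable(conn, *PAYLOAD_TAUTOLOGY)),
        "safe_comment": login_parameterized(conn, *PAYLOAD_COMMENT),
        "safe_tautology": login_parameterized(conn, *PAYLOAD_TAUTOLOGY),
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the comment payload logs in as alice without her password and the tautology payload returns every row; the parameterized query returns nothing for either payload and still returns alice for the real credentials. That difference is the application-layer fix: the database never sees the payload as code, which is why a WAF in front of the application and parameterized statements inside it complement rather than replace each other.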

Oracle Database Security

Oracle database security is a particular area of expertise for Shulman, who has been tracking and exposing Oracle database vulnerabilities for over a decade. Those vulnerabilities, however, are not necessarily big risks for enterprises and data centers.

"I don't think I've seen a single breach that is making use of those vulnerabilities," Shulman said. "We have seen many database breaches and they were all using existing privileges."
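Shulman's point that real breaches ride on existing privileges rather than on exploits is exactly what database activity monitoring is meant to catch. As an added illustration, not from the article and not Imperva's product logic, the following runs two simple checks over a constructed sample of audit events in JSON lines: bulk reads from tables designated as sensitive, and a connection by an account from a client address outside its expected set. The event format, table names, row threshold and per-account client allow-list are all assumptions made for the example.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample audit events, one JSON object per line (not real logs).
# Fields: the database account, the client address, the statement text and rows returned.
SAMPLE_AUDIT = """
{"user":"app_svc","client":"10.0.1.20","statement":"SELECT id,name FROM customers WHERE id=?","rows":1}
{"user":"app_svc","client":"10.0.1.20","statement":"UPDATE orders SET status=? WHERE id=?","rows":1}
{"user":"dba_jane","client":"10.0.5.7","statement":"SELECT * FROM customers","rows":250000}
{"user":"app_svc","client":"10.0.1.20","statement":"SELECT id,name FROM customers WHERE id=?","rows":1}
{"user":"app_svc","client":"203.0.113.9","statement":"SELECT card_number FROM payment_cards","rows":40000}
"""

# Hypothetical policy: which tables are sensitive and how many rows count as a bulk read.
SENSITIVE_TABLES: Set[str] = {"customers", "payment_cards"}
BULK_ROW_THRESHOLD = 10_000

# Hypothetical baseline of where each account normally connects from.
ALLOWED_CLIENTS: Dict[str, Set[str]] = {
    "app_svc": {"10.0.1.20"},
    "dba_jane": {"10.0.5.7"},
}

Finding = Tuple[str, str, str]  # (reason, user, detail)


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tables_touched(statement: str) -> Set[str]:
    """Crude table-name extraction after FROM/JOIN/UPDATE/INTO; enough for the sample."""
    pattern = r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_]\w*)"
    return {m.lower() for m in re.findall(pattern, statement, re.IGNORECASE)}


def find_anomalies(events: List[dict], allowed_clients: Dict[str, Set[str]]) -> List[Finding]:
    """Flag bulk reads of sensitive tables and connections from unexpected clients."""
    findings: List[Finding] = []
    for ev in events:
        touched = tables_touched(ev["statement"])
        # Rule 1: a privileged account pulling a large slice of a sensitive table.
        if ev["rows"] >= BULK_ROW_THRESHOLD and touched & SENSITIVE_TABLES:
            findings.append(("bulk read of sensitive table", ev["user"], ev["statement"]))
        # Rule 2: valid credentials used from somewhere the account never connects from.
        if ev["client"] not in allowed_clients.get(ev["user"], set()):
            findings.append(("connection from unexpected client", ev["user"], ev["client"]))
    return findings


def demo() -> List[Finding]:
    """Run the checks over the constructed sample."""
    return find_anomalies(parse_events(SAMPLE_AUDIT), ALLOWED_CLIENTS)


if __name__ == "__main__":
    for reason, user, detail in demo():
        print(f"{reason}: {user} ({detail})")
```

Neither flagged event involves a vulnerability: the DBA's full-table export and the application account's card-table read from an unfamiliar address are both executed with privileges the accounts legitimately hold. A WAF never sees the first at all, and the second only if the statement happened to pass through the web tier, which is the gap activity monitoring is there to cover.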

Oracle patches its database on a regular basis with its quarterly Critical Patch Update (CPU) cycle. In Shulman's view, Oracle is doing a great job at improving its security patching process, though there is still some room for improvement.

"I still think that they (Oracle) can disclose more information about vulnerabilities to their customers in order to allow for proper risk assessment," he said, adding that the current Oracle threat metrics do not provide enough detail.

"What does it tell you? It (the vulnerability) is critical," Shulman said. "Why? Because we said so."

In Shulman's view, it's not known whether the total number of patched Oracle database vulnerabilities is in fact the total number of vulnerabilities that need to be patched.

"Does the number of patched vulnerabilities reflect the actual number of vulnerabilities in the product? I don't know. Who knows?" Shulman said.

Watch the full video with Imperva CTO Amichai Shulman below:

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.


Originally published on eSecurityPlanet.
