Newman, who is also the co-founder and chief technology officer of Application Security Inc., spends his days helping
clients lock down their databases so that sensitive customer data doesn't get stolen. He says that new security features are certainly nice, but getting security holes fixed faster and porting those fixes back to older versions of the Oracle Database should be Oracle's top priority.
SearchOracle.com spoke with Newman about what he thinks Oracle can do to improve its patching policies. He also had some advice for database administrators (DBAs) who want to avoid being hacked, and for DBAs who have already been hacked and need to put on their detective hats. Here are some excerpts from that conversation:
What can you tell me about the new security features in Oracle's soon-to-be-released Database 11g?
Aaron Newman: What we really focus on is not necessarily the new security features because the real way that people break into or attack a database really isn't around the new Oracle security features. They have lots of new security features [such as the Oracle patching process has continued to really struggle and putting all of these new security features in doesn't help the situation.
Do you think that Oracle's patching policies are inefficient?
Newman: I think there are some real inefficiencies there. Look at it this way: A patch typically takes three to six months if you want to install it across your enterprise. So, today I get a patch, a bunch of hackers and security researchers put out the information about these vulnerabilities, and you're vulnerable today. Then you have three months to patch it. You get it patched on let's say the third month, and immediately another [critical patch update] is released and you're immediately vulnerable to a new set of attacks. So, really, no matter how diligent you are with applying the patches, you're always in a state of being vulnerable. It still isn't very efficient and there still isn't a lot of information from Oracle about what you need to install and how you need to install it. They're definitely getting better but there is still a lack of information there.
Newman: You really need to refocus efforts away from new security features and onto how we fix these holes that have been around for years and years and port them to Oracle 8i or Oracle 9i or some of the other platforms that aren't as critical. That's what their problem is: They can patch problems quickly on 10g on Linux, but they take very, very long to back port that to Oracle 8i on the AIX platform and things like that. You have to support those people and that's really the most critical thing I think they really need to address, rather than figuring out how to do a better auditing system. [Auditing] is good for compliance, for putting a check mark next to an audit compliance list, but it's not important for keeping hackers out of my database and keeping credit cards and personal information from getting stolen.
Newman: The attacks are always evolving. So the critical piece is for DBAs to understand and keep up to date with the attacks that are happening each quarter. I do the same session every year, yet the material is entirely different. I think the important thing is to adjust your mindset from just being a DBA to being a detective. Every quarter you ought to spend half a day researching what are the latest attacks and how do they go on, and then look at your own system and say, "how do I prevent this?" Even if you do it one quarter, the next quarter a whole new set of attacks came out. You have to keep up to date with those or you're just going to end up being behind the times and you're going to become an easy target.
Newman: That's the position you don't want to be in but sometimes you have to be. From the forensics perspective the biggest challenge is going be [putting] lots of data together from different points. You're going to have to take your Oracle logs, which are going to be in five separate files, and combine that with maybe your Apache logs or your [Web server] logs and combine that with some kind of firewall logs. Forensics is about finding a needle in a haystack -- correlating everything together and then presenting it in a unified picture -- and that's where you're going to see how the attack is occurring.