SAN FRANCISCO -- Carl Willis-Ford, a director of database engineering at Arlington, Va.-based SRA International Inc., has an Oracle security problem that is painfully familiar to users and executives alike.
No one -- not the expert authors he has consulted, nor Oracle Corp.'s chief security officer, Mary Ann Davidson -- has been able to provide him with a simple way to shut down the countless public privilege grants that are posing vulnerabilities to his system.
"Most of the vulnerabilities that the programmers are complaining about have to do with the grants," Willis-Ford told Davidson during an OracleWorld panel discussion of general security issues and Oracle-specific security efforts.
"Even for an experienced DBA, negotiating that maze would be tough."
Willis-Ford stumped the panel of security experts assembled for a technical session at this week's OracleWorld conference. It's not that Oracle's Davidson didn't have a response to his complaint, she said. However, she didn't have an immediate solution to his problem.
Davidson told the crowd of developers, DBAs and project planners that there is an "unconscionable number of grants to the public" available through Oracle. "I know this is a real problem, and I apologize for that," Davidson said. "It's not a great answer, but I'm committed to fixing it."
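The maze Willis-Ford describes can at least be inventoried. The following is an added example, not code from the article or from Oracle, that lists every privilege granted to PUBLIC in an Oracle database and generates candidate REVOKE statements for DBA review; it assumes a DBA account with access to the DBA_* data dictionary views and an ad-hoc SQL client such as SQL*Plus.

```sql
-- Added example: inventory of privileges granted to PUBLIC in Oracle,
-- with generated REVOKE statements for review. Assumes a DBA account
-- that can read the DBA_* views. Nothing here revokes anything by itself;
-- the generated statements are meant to be reviewed and tested first.

-- 1. Object privileges on non-SYS schemas granted to PUBLIC.
--    Application schemas rarely need PUBLIC grants; these are the
--    easiest to revoke and replace with grants to a specific role.
SELECT owner, table_name, privilege, grantable,
       'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;

-- 2. EXECUTE on SYS-owned packages granted to PUBLIC. This is where the
--    "unconscionable number" lives; the database and many applications
--    depend on some of these, so review them one by one rather than
--    revoking in bulk, and re-grant to named roles where a package is needed.
SELECT table_name AS package_name,
       'REVOKE EXECUTE ON SYS.' || table_name || ' FROM PUBLIC;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- 3. System privileges granted to PUBLIC: there should normally be none,
--    because every account in the database inherits them.
SELECT privilege, admin_option,
       'REVOKE ' || privilege || ' FROM PUBLIC;' AS revoke_stmt
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

-- 4. Roles granted to PUBLIC, likewise inherited by every account.
SELECT granted_role, admin_option,
       'REVOKE ' || granted_role || ' FROM PUBLIC;' AS revoke_stmt
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC';

-- 5. Summary count per owner, useful as a baseline to track over time
--    and to confirm that an upgrade or patch did not add new PUBLIC grants.
SELECT owner, privilege, COUNT(*) AS grants_to_public
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
 GROUP BY owner, privilege
 ORDER BY grants_to_public DESC;
```

Run the generated REVOKE statements against a test instance first and keep the output of query 5 as a baseline, since a later patch set can silently restore grants you removed.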
The 60-minute session offered practical tips for avoiding security trouble, as well as assessments of trends in security threats and responses. Davidson was joined by John Pescatore, a research analyst for Gartner Inc., and Aaron Newman, co-founder and chief technology officer at New York-based Application Security Inc.
In many cases, such as the one presented by Willis-Ford, there are no easy answers to security questions. In many others, the panelists said, there are simple steps that Oracle users can take to avoid disaster.
For example, Davidson urged users not to ignore security basics, such as boundary checks. "If you check 20 out of 21 boundaries, and you miss one of them," you're headed for trouble, she said.
"You say the enemy of security is complexity," Davidson said. "I would say the enemy of security is also manual processes."
Grid computing, Davidson said, does not pose a greater security risk to users than prior architectures do. This has been a major worry among many users at the conference. "In certain respects, the security issues don't change," she said.
There is more concern than ever before about security at the database and application server level, Newman said. The first thing for DBAs and developers to know is that they should not rely on their firewalls as a last line of defense.
"Perimeter security is not your last line of defense," Newman said. "You need to go deeper than that. We need to start concentrating on securing the database at its source."
With OracleWorld coinciding with the two-year anniversary of the September 11 attacks, many users were looking for opinions about the vulnerability of computer systems to terrorist threats.
In general, the panelists agreed that the focus should remain on developers, many of whom are making mistakes and leaving their systems vulnerable to attacks.
Gartner's Pescatore also told attendees to boycott products from vendors that use the possibility of a terrorist attack to hawk their wares.
"Instead of counting attacks," Pescatore said, "users should be asking themselves when they last scanned for vulnerabilities and determining how many of those vulnerabilities can affect them."