Thoughts about Database Security
From SecurityForest
The spacecraft landed out of space, black thunderclouds dancing slowly around it.
We reached higher, farther. Our little blue ball can be watched from above, while our feet are planted in the silver dust of the moon.
It isn’t space that controls our ways but time that shapes our path in and out of space.
The virtual space gives us the possibility of being everywhere and nowhere at the same time.
It has nothing to do with your abilities; it’s just a state of mind.
We live in a world where science has become the art of making the invisible visible, uncovering what isn’t there and making it reality.
We are already allowed to unzip our fears while we are undercover.
We created hackers with our own hands; now we need to face a new enemy in the daily digital war.
Hacking into systems is like bowling without scratching the parquet, while hacking into databases is like striking pins made of diamonds. Databases are where the diamonds live, all in a single place, and because of that they are the most desired target in the world.
That’s logical, that’s emotional, that is reality.
Security is all about emotions: we need to feel secure before we need to feel loved.
Securing your network is a necessary part of life in enterprise organizations, part of the organization’s new instincts, as if it were a living biological beast.
CEOs invest effort in securing business data, and governments impose new standards that motivate us to close more doors in order to protect the organization’s assets and its customers’ privacy.
This sensitive data is stored in databases, and securing a database allows organizations to stay in business and keep growing.
The competition in the database market between Oracle and Microsoft has been stormy and interesting in the last few years,
so I decided it’s about time to turn down the marketing volume and ask my own questions, instead of reading more articles that count how many vulnerabilities each database has, as David Litchfield’s research published last year stated so elegantly.
It’s very important that software companies are aware of secure coding in the development life cycle.
While Oracle invested heavily in its leadership message of delivering “unbreakable” software, Microsoft took the ground-up approach of reducing the security vulnerabilities that arise from buggy code and gave birth to the SDL (Security Development Lifecycle).
The SDL push showed us how a software company can reduce the number of security-related design and coding bugs to a minimum.
Although secure coding is very important, we should not forget that it’s just the first stage in building a secure environment, and that vulnerabilities can be fixed by deploying software updates and patches.
Does it really matter if a product has one security hole or ten?
For many years we have been taught that a chain is only as strong as its weakest link, and the number of vulnerabilities has nothing to do with how exploitable the code is.
So one or ten is just a number you can count.
You may call it philosophy or simple math, but from a security point of view, one security hole is a gigantic open door into our domain.
Sometimes you just need to turn down the radio to hear the news coming in through your own window.
While Oracle, IBM and Microsoft count the vulnerabilities in their software, we should focus on what insecure code means in a three-tier architecture, where remote users usually don’t have direct access to the database.
In the enterprise world the internal attackers are the main threat and should be the main concern.
Why shouldn’t we discuss advanced security capabilities instead: the access control we grant DBAs and how we keep highly privileged users away from sensitive data, secure code execution, metadata protection, auditing of statements and user requests, strong authentication, and column-, file- and database-level encryption?
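An added worked example, not part of the original article, of what three of the capabilities above look like in practice: restricting the application (and anyone holding its credentials) to a single stored function instead of the table, encrypting a column so that the key never sits in the database, and auditing every change with the session user recorded. It is written in PostgreSQL 11+ syntax with the pgcrypto extension as a neutral dialect, since the article names no single product; every object name (app_schema, customers, app_role, get_customer_contact, the audit objects) and the demo key are hypothetical.

```sql
-- Added example, not from the original article. PostgreSQL 11+ syntax;
-- all object names and the demo key are hypothetical.

CREATE SCHEMA app_schema;
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The "diamonds": card numbers are stored only as ciphertext (column-level
-- encryption), so anyone who can read the table still cannot read the cards.
CREATE TABLE app_schema.customers (
    id          bigint PRIMARY KEY,
    name        text  NOT NULL,
    email       text  NOT NULL,
    card_number bytea            -- pgp_sym_encrypt() output, never plaintext
);

-- Auditing: every INSERT/UPDATE/DELETE on the table is recorded together
-- with the session user, so a privileged user's actions leave a trail.
CREATE TABLE app_schema.customers_audit (
    at        timestamptz NOT NULL DEFAULT now(),
    db_user   text        NOT NULL DEFAULT session_user,
    operation text        NOT NULL,
    row_id    bigint
);

CREATE FUNCTION app_schema.audit_customers() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO app_schema.customers_audit (operation, row_id)
    VALUES (TG_OP, CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END);
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END
$$;

CREATE TRIGGER customers_audit
AFTER INSERT OR UPDATE OR DELETE ON app_schema.customers
FOR EACH ROW EXECUTE FUNCTION app_schema.audit_customers();

-- The key is supplied by the application for the duration of the session and
-- is never written to the database. Demo value only; a real deployment would
-- pull it from the application's key store.
SET app.card_key = 'demo-key-do-not-use';
INSERT INTO app_schema.customers (id, name, email, card_number)
VALUES (1, 'Alice', 'alice@example.com',
        pgp_sym_encrypt('4111111111111111', current_setting('app.card_key')));

-- Least privilege: the application role gets no table privileges at all.
-- It may only EXECUTE a SECURITY DEFINER function that exposes the columns
-- it actually needs, so neither the application nor anyone holding its
-- credentials can read card_number or dump the table.
CREATE ROLE app_role NOLOGIN;
REVOKE ALL ON SCHEMA app_schema FROM PUBLIC;
GRANT USAGE ON SCHEMA app_schema TO app_role;

CREATE FUNCTION app_schema.get_customer_contact(p_id bigint)
RETURNS TABLE (name text, email text)
LANGUAGE sql
SECURITY DEFINER
SET search_path = app_schema, pg_temp   -- pin search_path inside the definer
AS $$
    SELECT c.name, c.email FROM app_schema.customers AS c WHERE c.id = p_id
$$;

REVOKE ALL     ON FUNCTION app_schema.get_customer_contact(bigint) FROM PUBLIC;
GRANT EXECUTE  ON FUNCTION app_schema.get_customer_contact(bigint) TO app_role;

-- Exercising it as the application role: the function is the only path the
-- role has been granted; the direct table read is the path it has not.
SET ROLE app_role;
SELECT * FROM app_schema.get_customer_contact(1);
SELECT * FROM app_schema.customers;
RESET ROLE;
```

Run as the schema owner, the first SELECT under app_role returns Alice's name and email, while the second fails with a permission error because the role holds no privilege on the table. The caveat the article is circling is visible here too: a superuser DBA can still read the table (seeing only ciphertext), replace the function, or disable the trigger. Column encryption keeps the plaintext away from that DBA only as long as the key stays outside the database, and the audit table is only as trustworthy as the controls that stop the same DBA from editing it.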
Until we have the answers, don’t forget to choose your ways of uncovering what’s there, secure your trail before landing the spacecraft on virtual moons, and determine how far and where.
But most important, apply your power, because you don’t lack resources. Use the power of imagination and you will find yourself everywhere and nowhere at the same time.
Exactly like your enemy, the super-mind intruders, whoever they are.
