I've been looking at Oracle database security recently and one of the things I've come across has really surprised me.
Oracle release a free (as in beer) version of their database product Oracle 10g XE
To quote their product page
...Oracle Database XE is a great starter database for:
* Developers working on PHP, Java, .NET, XML, and Open Source applications
* DBAs who need a free, starter database for training and deployment
* Independent Software Vendors (ISVs) and hardware vendors who want a starter database to distribute free of charge
* Educational institutions and students who need a free database for their curriculum
Yeah apart from one small problem. There are No security patches available for this product !
So if you download and use this product in your open source application as described you're going to be left with a seriously insecure database given the number of vulnerabilities in Oracle 10GR2 which have been patched in the main product and not in this one.
Now according to Pete Finnigan Oracle are meant to be releasing updated versions of the database with security patches applied, but that doesn't seem to be happening on a regular basis (really it should be quarterly to keep up to date with the main product)
So if you're looking for a database for your new open source app. I'd think very carefully before using this one free or not!
Ethical hackers face new test - 22 Mar 2007 - Computing.co.uk
Article covering the launch of CREST, a uk based scheme to certify ethical hackers, and comparing it to the current CHECK scheme run by the UK government.
I think that a system like this is definitely a good idea, although it needs to go further than the CHECK scheme did in certain areas.
Personally I don't think that the CHECK system was especially relevant to non-government organisations apart from to give that comfort factor around trustworthiness (although even that had little practical effect as most clients would want contracts/NDAs signed regardless)
Where I'd hope CREST will develop is to provide more specialism in where the individual will be certified. For example someone who's a great web application tester would be certified specifically for web application testing and wouldn't necessarily be certified for database security testing or Firewall security testing. this would give clients a much better level of assurance that the people doing the work have a good level of knowledge in that specific area.
I can tell this won't be the first or last rant I post about data leak protection if it turns out to be "The next Big Thing(tm)"
Ultimately I think that a lot of magic bullets are going to be sold in this field, and a lot of companies are going to end up disappointed.
Lets look at this article though. it lays out some ways to stop data leaks.
Point 1. - Get a Handle on the data. Yep the idea that if you don't know where you're critical information is you can't protect it. Fair point, although in reality it's a lot harder than it sounds in a large environment.
Point 2 - Monitor Content in motion. Now here's where I start getting a bit cynical. the idea that you can monitor all your content as it leaves your company is frankly silly. Here's a couple of examples of ways that data might leave your company that most of these solutions aren't likely to address.
to be fair to them points 3, 4 and 5 are pretty reasonable, IT Security best practice.
point 6 Centralize your intellectual property data - Just not practical for most companies. Companies at the moment are looking to make working more and more flexible and information easier to access. The idea of putting it in one big vault so it can be protected just ain't gonna fly.
Lots of interesting chat on the reasons to Pen Test, or not from various blogs starting over here at techtarget then rapidly spreading out over the blogosphere (hate that word but it's the only one going) to Matasano mcwresearch, Security Incite and in a bit of a divergence from topic layer 8
And what does all this tell us.... Well there's a lot of confusion around what a penetration test is and at lot of divergence over the value they provide.
So anyway here's my 0.02 on the subject. Penetration tests are not a good way to prove the security of a system, if possible and the application is under your control go for developing good secure coding standards and develop a good Security Development lifecycle including elements like threat modeling.
However in the real world, life doesn't work like that all the time, you'll get applications which are legacy and may not have been securely developed, you'll get 3rd party applications that you've no idea how they've been developed, and at times like that a penetration test is a reasonable way of getting some level of assurance that they're reasonably secure, and there probably aren't any glaring holes there.
A couple of other points that emerged from all this reading is
1 Raindrop: Understand Web 2.0 Security Issues - As Easy as 2, 1, 3
Very good points made in this post. At the moment the probablw saviour for a lot of transactional sites is that they've been really slow on the bandwagon, so are still running web 1.0 style sites!
That said, the more information that comes out from researchers like Jeremiah Grossman and RSnake the less faith people can really have in the browser security model that most E-Commerce sites rely on.
What's been missing to date is the Slammer or Nimda of the web application hacking world. Without a wide-ranging attack like that, it will continue to be very difficult to convince a lot of businesses to take these threats seriously...
Security Scanners Comparison Test Results | SecGuru
Why do organisations persist in comparing tools that aren't in the same market...
Lets look at this little list
We've got O/S Vulnerabilty scanners, Port scanners and Website Vulnerability scanners... how can you compare a network portscanner to a tool that looks for SQL unjection vulns in websites...
When disgruntled employees get clever - Network World
This was definitely one of those articles that I read in the sure and certain knowledge that the person writing it would be selling the solution to the problem they were laying out... Now a lot of the time people who work for vendors have some of the most valuable insight as they're fully focused on a particular technology area, but you also get a number of articles like this one that create an artificial scenario, avoid any mention of related problems that the technology they sell won't solve and then seem to think that because they don't mention their product by name, you wont twig..
In this case the author sets out that simple e-mail filtering won't catch intellectual property theft, but that "fingerprinting" intellectual property and looking for those fingerprints will allow companies to catch that leakage...
I've not thought too long on this but it seems there's a couple of holes in this as an idea... firstly E-mail encryption... you'd expect users to be encrypting sensitive documents that they send externally so unless the software has the right position in the network and the company has the right kind of encryption setup, it's not going to see much in the way of fingerprints.
Secondly and perhaps more seriously, I'd have thought most employees might be a bit smarter than to try and e-mail themselves intellectual property that they want to take. Instead why not just put in on a data key, or put it on your laptop and take it home, or go really low tech and ... print it out and put it in your briefcase...
Oh one other slight problem with this article .. on the first page there's a throw away line "First, you have to be able to identify the data you want to protect when it is at rest, before it leaves the network." !. Companies spend a huge amount of resource trying to classify data just to the server or perhaps the share/directory level and then keep that classification reasonably up to date in the very fast moving business environment that most operate in these days. The idea of a large company that knows where all it's valuable data is exactly is to me, not very likely.