March 2008 Archives

http://www.networkworld.com/news/2008/031308-database-expert-oracle-behind-microsoft.html?fsrc=rss-security

Interesting to see someone have a shot at putting numbers on how far Oracle are behind Microsoft in the database security arena (well, secure features as opposed to security features anyway). The number that they come up with is 5 years...

Assuming that nothing turns up soon, it actually looks like SQL Server 2005 will go through its whole product lifecycle without a published vulnerability. Secunia are currently showing it affected by 0 vulnerabilities.

Infosec Scotland

There's a new portal over at www.infosec-scotland.com that's been started up to provide information about upcoming security events in Scotland (and the wider UK). There's a calendar of events available and some links to relevant sites.

If you've got any events you'd like to get added to the calendar, just send an email over to Events@Infosec-Scotland.com

February OWASP meeting

The February meeting of the Scottish OWASP chapter went pretty well on the 28th.

We had Steve Moyle doing a presentation on Database security (slides can be found here).

I picked up some interesting ideas from his presentation. Firstly, the idea that relational databases have a fundamental flaw when it comes to security, which is that the channel used to control them and the channel used to access the information they contain are the same. This allows for someone who should only have access to information in the system to easily attack it as well.

The other thought which occurred to me when I was listening to the presentation was that any IDS/IPS style device which wants to block "malicious" traffic going to a system needs to parse the information it's seeing in the same way as the protected system, otherwise there's a risk that quirks of rendering will introduce false positives or negatives.

It's something I was talking to a WAF vendor about recently, as I was asking them whether their product rendered JavaScript when looking for malicious traffic, as there's a specific problem with the idea of self-modifying JavaScript, looking innocuous in transit but then being malicious when executed.
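The single-channel point above, shown as an added example that is not from the original post or from the presentation it describes: Python's `sqlite3` authorizer hook records which tables the engine is told to read, first when a value is spliced into the statement text and then when it is bound as a parameter. The schema, the table names `notes` and `accounts`, and the `HOSTILE` input are constructed assumptions.

```python
import sqlite3

def new_db():
    # Constructed sample data: the app only means to expose `notes`.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (owner TEXT, body TEXT);
        CREATE TABLE accounts (name TEXT, pw_hash TEXT);
        INSERT INTO notes VALUES ('alice', 'buy milk'), ('bob', 'call dentist');
        INSERT INTO accounts VALUES ('alice', 'constructed-hash-1');
    """)
    return db

def run_traced(lookup, owner):
    """Run a lookup and record which tables the engine was told to read."""
    db, tables = new_db(), set()

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
            tables.add(arg1)
        return sqlite3.SQLITE_OK

    db.set_authorizer(authorizer)
    rows = lookup(db, owner)
    db.close()
    return rows, tables

def lookup_concat(db, owner):
    # In-band: the value is spliced into the statement text, so the SQL
    # parser sees it and it can change what the statement does.
    sql = "SELECT owner, body FROM notes WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, owner):
    # Out-of-band: the statement text is fixed; the value travels separately
    # as a parameter and is only ever compared as data.
    sql = "SELECT owner, body FROM notes WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

# Constructed input that carries SQL syntax instead of a plain name.
HOSTILE = "x' UNION SELECT name, pw_hash FROM accounts --"

if __name__ == "__main__":
    for fn in (lookup_concat, lookup_bound):
        for owner in ("alice", HOSTILE):
            rows, tables = run_traced(fn, owner)
            print(f"{fn.__name__:14} tables={sorted(tables)} rows={len(rows)}")
```

With concatenation the set of tables read depends on the input; with a bound parameter it stays `notes` whatever the input contains.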

About this Archive

This page is an archive of entries from March 2008 listed from newest to oldest.

February 2008 is the previous archive.

April 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.
