Application Security // Database Security
9/30/2013
10:26 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Only Ho-Hum Security Holes Ahead For In-Memory DB

Oracle's new performance features shouldn't pose any unique risks, experts say

Coming out of its annual conference last week, Oracle made it clear that it's moving to stave off big data vendors' plays for its core database business. Part of that strategy was a visible launch of an in-memory database processing option that Larry Ellison said speeds "query processing by orders of magnitude" and doubles transaction processing rates. But what of security? Often big performance gains can bring with them equally big headaches, but at this point many database security experts say that in-memory functionality won't add too many unique security threats to the enterprise environment.

"I do not foresee any new attack vectors on in-memory databases," says Adrian Lane, analyst and CTO for Securosis. "I believe the motivation is to counter some of the loss of business to customers that are adopting in-memory flavors of big data."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

In some ways, Oracle's strategy could actually help organizations minimize risk while still reaping comparable performance to big data storage models that may not be as much of a known commodity as the traditional relational database management system. According to an InformationWeek Reports analysis written by Lane earlier this year, big data security is very much different than relational database security due to the "distributed architecture that poses a unique challenge."

According to Josh Shaul, CTO of database security vendor Application Security Inc., the added option of in-memory caching shouldn't change the database model enough to shift any security paradigms.

"I'm speculating that the in-memory 12c database won't have much of a different security profile than your typical disk-based system," Shaul says.

A vocal critic of Oracle's security missteps in the past, Shaul says that Oracle "did a lot of good work" in developing additional security features to Oracle Database 12c.

"Hopefully all of those security features will be present when you run 12c in-memory," he says. "The performance numbers Oracle is touting will be very attractive to many of their clients that struggle to work with massive quantities of data -- it'd be great to see those performance problems solved in a secure environment."

While it is still too early to know where exactly security researchers might set their sights to pick apart the new option, Imperva CTO Amichai Shulman says that beyond the "usual number of bugs" that can be found in complex software like 12c, the new in-memory functionality could potentially pile on additional risk of denial-of-service (DoS).

"I think that from a security perspective, the added risk introduced by such an offering is of DoS due to fast, uncontrolled memory consumption," Shulman says.

But enterprises should remember not to be complacent about those "usual" bugs -- they're probably lurking there in this first iteration of the new feature, says Slavik Markovich, vice president and CTO of database security for McAfee.

"Whenever a company introduces a big new something, they introduce also a lot of security issues with it," says Markovich, explaining that security always comes second to functionality. "Just as recently as the release of Oracle 12c, they introduced a lot of features, and while introducing these great features, they also introduce security issues. I've already personally seen 10 new zero-day vulnerabilities that could really compromise your database that are being reported to Oracle now."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.