Application Security // Database Security
9/30/2013
10:26 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%
Repost This

Only Ho-Hum Security Holes Ahead For In-Memory DB

Oracle's new performance features shouldn't pose any unique risks, experts say

Coming out of its annual conference last week, Oracle made it clear that it's moving to stave off big data vendors' plays for its core database business. Part of that strategy was a visible launch of an in-memory database processing option that Larry Ellison said speeds "query processing by orders of magnitude" and doubles transaction processing rates. But what of security? Often big performance gains can bring with them equally big headaches, but at this point many database security experts say that in-memory functionality won't add too many unique security threats to the enterprise environment.

"I do not foresee any new attack vectors on in-memory databases," says Adrian Lane, analyst and CTO for Securosis. "I believe the motivation is to counter some of the loss of business to customers that are adopting in-memory flavors of big data."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

In some ways, Oracle's strategy could actually help organizations minimize risk while still reaping comparable performance to big data storage models that may not be as much of a known commodity as the traditional relational database management system. According to an InformationWeek Reports analysis written by Lane earlier this year, big data security is very much different than relational database security due to the "distributed architecture that poses a unique challenge."

According to Josh Shaul, CTO of database security vendor Application Security Inc., the added option of in-memory caching shouldn't change the database model enough to shift any security paradigms.

"I'm speculating that the in-memory 12c database won't have much of a different security profile than your typical disk-based system," Shaul says.

A vocal critic of Oracle's security missteps in the past, Shaul says that Oracle "did a lot of good work" in developing additional security features to Oracle Database 12c.

"Hopefully all of those security features will be present when you run 12c in-memory," he says. "The performance numbers Oracle is touting will be very attractive to many of their clients that struggle to work with massive quantities of data -- it'd be great to see those performance problems solved in a secure environment."

While it is still too early to know where exactly security researchers might set their sights to pick apart the new option, Imperva CTO Amichai Shulman says that beyond the "usual number of bugs" that can be found in complex software like 12c, the new in-memory functionality could potentially pile on additional risk of denial-of-service (DoS).

"I think that from a security perspective, the added risk introduced by such an offering is of DoS due to fast, uncontrolled memory consumption," Shulman says.

But enterprises should remember not to be complacent about those "usual" bugs -- they're probably lurking there in this first iteration of the new feature, says Slavik Markovich, vice president and CTO of database security for McAfee.

"Whenever a company introduces a big new something, they introduce also a lot of security issues with it," says Markovich, explaining that security always comes second to functionality. "Just as recently as the release of Oracle 12c, they introduced a lot of features, and while introducing these great features, they also introduce security issues. I've already personally seen 10 new zero-day vulnerabilities that could really compromise your database that are being reported to Oracle now."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web