Application Security // Database Security
9/30/2013
10:26 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Only Ho-Hum Security Holes Ahead For In-Memory DB

Oracle's new performance features shouldn't pose any unique risks, experts say

Coming out of its annual conference last week, Oracle made it clear that it's moving to stave off big data vendors' plays for its core database business. Part of that strategy was a visible launch of an in-memory database processing option that Larry Ellison said speeds "query processing by orders of magnitude" and doubles transaction processing rates. But what of security? Often big performance gains can bring with them equally big headaches, but at this point many database security experts say that in-memory functionality won't add too many unique security threats to the enterprise environment.

"I do not foresee any new attack vectors on in-memory databases," says Adrian Lane, analyst and CTO for Securosis. "I believe the motivation is to counter some of the loss of business to customers that are adopting in-memory flavors of big data."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

In some ways, Oracle's strategy could actually help organizations minimize risk while still reaping comparable performance to big data storage models that may not be as much of a known commodity as the traditional relational database management system. According to an InformationWeek Reports analysis written by Lane earlier this year, big data security is very much different than relational database security due to the "distributed architecture that poses a unique challenge."

According to Josh Shaul, CTO of database security vendor Application Security Inc., the added option of in-memory caching shouldn't change the database model enough to shift any security paradigms.

"I'm speculating that the in-memory 12c database won't have much of a different security profile than your typical disk-based system," Shaul says.

A vocal critic of Oracle's security missteps in the past, Shaul says that Oracle "did a lot of good work" in developing additional security features to Oracle Database 12c.

"Hopefully all of those security features will be present when you run 12c in-memory," he says. "The performance numbers Oracle is touting will be very attractive to many of their clients that struggle to work with massive quantities of data -- it'd be great to see those performance problems solved in a secure environment."

While it is still too early to know where exactly security researchers might set their sights to pick apart the new option, Imperva CTO Amichai Shulman says that beyond the "usual number of bugs" that can be found in complex software like 12c, the new in-memory functionality could potentially pile on additional risk of denial-of-service (DoS).

"I think that from a security perspective, the added risk introduced by such an offering is of DoS due to fast, uncontrolled memory consumption," Shulman says.

But enterprises should remember not to be complacent about those "usual" bugs -- they're probably lurking there in this first iteration of the new feature, says Slavik Markovich, vice president and CTO of database security for McAfee.

"Whenever a company introduces a big new something, they introduce also a lot of security issues with it," says Markovich, explaining that security always comes second to functionality. "Just as recently as the release of Oracle 12c, they introduced a lot of features, and while introducing these great features, they also introduce security issues. I've already personally seen 10 new zero-day vulnerabilities that could really compromise your database that are being reported to Oracle now."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.