Center For Internet Security Releases Security Benchmark For Sybase ASE

Locks down database server software vulnerabilities with user-driven security configuration standards

October 8, 2009

5 Min Read


HERSHEY, Pa.--(BUSINESS WIRE)--The Center for Internet Security (CIS) today announced the public release of its consensus security benchmark for Sybase Inc.'s Adaptive Server' Enterprise (ASE), its flagship enterprise-level relational database management system (RDBMS). The new benchmark is the only prescriptive controls guide available today for securely configuring Sybase' ASE databases. More than 34,000 enterprise customers and 91 of the Fortune 100 use Sybase for data management, analytics, mobile messaging, and enterprise mobility. The benchmark is available as a free download at

John Heasman, VP of Research at NGSSoftware, a security consultancy with extensive expertise in database security " as well as author of "The Database Hacker's Handbook" and co-author of the second edition "ShellCoders Handbook" " comments that serious data breaches, reported on a near daily basis across all industry sectors, can cripple organizations. There are many causes of data breach, ranging from poor programming practices that permit attacks such as SQL injection to loss or theft of physical media containing unencrypted records.

"The cornerstone of an effective data security policy is ensuring that the databases themselves are configured to be as secure as possible. Modern database systems offer a plethora of security options and configurations including access controls, comprehensive audit facilities and encryption. Security, however, is often wrongly disregarded as a performance hindrance and advanced options are misunderstood, misconfigured or simply not used. The aim of this guide, therefore, is to provide clear best practice advice for making use of all security features within Sybase ASE so that organizations can achieve a solid database security baseline," added Heasman.

The Security Configuration Benchmark for Sybase ASE 15.0 provides best practice configuration settings recommendations covering six security categories:

  • Authentication Mechanisms

    • Network Security Mechanisms

    • Database Resource Permissions

    • Auditing, Logging and Reporting Mechanisms

    • Extensibility Mechanisms

    • Host and Network Deployment

      "Customers in demanding verticals such as Capital Markets, Government, Telecommunications and Healthcare rely on Sybase to balance performance and usability with security requirements that are often non-negotiable," said Peter Thawley, Senior Director, Architect, CTO Group, WMO for Sybase. "Sybase continues to be committed to driving database innovation while maintaining the highest levels of security. We are pleased to collaborate with CIS in its security configuration benchmark and help the Sybase user group community maintain the integrity and privacy of mission critical data."

      The guide was created using a consensus review process comprised of volunteer and contract subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Because they are user-driven, CIS benchmarks are widely accepted and adopted in government, business, industry and academia as the basis for enterprise system and network configuration policies.

      "We are very excited about the benchmark for Sybase ASE as it addresses a significant need in the market and exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration," said Blake Frantz, Chief Technology Officer, the Center for Internet Security.

      By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley.

      CIS Addresses Critical Security Themes in Q4 2009

      CIS now maintains 46 benchmarks for operating systems, middleware, devices and software applications and distributes them free of charge from its web site.

      Additional CIS benchmarks are expected to be released in the fourth quarter of 2009, enhancing security for these important software categories:

    • Virtualization Benchmarks: VMWare ESX Server 3.5

    • UNIX Benchmarks: HP-UX 11i v3 and IBM AIX 5.1-6.3

    • Database Benchmarks: IBM DB2 for Linux/Unix/Windows (LUW)

    • Microsoft Windows Benchmarks: Windows 7, Windows Server 2008

    • Browser Benchmarks: Internet Explorer 7 and 8, Firefox 3.5, Opera 10 and Safari 4

    • CIS Encourages Collaboration Among Subject Matter Experts (SMEs)

      CIS also announced today that it invites Subject Matter Experts (SMEs) to contribute to the consensus standards. A new CIS online collaboration platform streamlines the consensus process, making it easy for SMEs to share their expertise. In turn, SMEs' knowledge and interactions will help expand the reach and relevance of CIS benchmarks. Participating SMEs will become part of the CIS community and gain access to pre-release versions of CIS benchmarks, earn Continuing Professional Education (CPE) credits toward maintaining industry certifications, and learn from other experts in their field.

      Individuals interested in participating in the consensus efforts can contact: [email protected].


      CIS extends its gratitude to John Heasman, author of the Security Configuration Benchmark for Sybase ASE 15.0, as well as to these other key contributors and reviewers: Barbara Banks, Sybase, Inc.; Rajnish K. Chitkara, Sybase, Inc.; Rebecca Heffel, University of Washington; Mike de Libero, MDE Development, LLC; Vivek Kandiyanallur, Sybase, Inc.; Alan Madsen, Sybase, Inc.; Christian Monberg, Hornall Anderson, Inc.; and Chad Thunberg, Leviathan Security Group, Inc.

      About CIS

      The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit

      Sybase and Adaptive Server Enterprise are registered trademarks of Sybase, Inc. All other company and product names mentioned may be trademarks of the respective companies with which they are associated.


      Media: Kesselring Communications Leslie Kesselring, 503-358-1012 [email protected]

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights