Quick Hits

New Tool Provides 'Virtual' Database Patches

Software buys database administrators time between vulnerability disclosure and patching

Sentrigo today rolled out a stopgap measure of sorts for the treacherously long period between a database vulnerability discovery, patch creation, and deployment. The new Hedgehog vPatch software, which is a spinoff of the database security firm’s existing database monitoring software, detects exploits against newly discovered and known bugs.

This so-called “virtual patch” agent software resides on the database itself and generates alerts, and can shut down or quarantine a user session in Oracle and Microsoft databases. But Slavik Markovich, CTO of Sentrigo, says Hedgehog vPatch is no substitute for actually patching a vulnerability. “We’re not saying don’t deploy patches. We tell our customers to deploy them,” Markovich says. “We recommend that they deploy them as fast as they can.”

But in reality, few organizations patch thoroughly, or at all, notes Markovich. In a survey Sentrigo conducted earlier this year of over 300 Oracle database administrators, consultants, and developers, only ten percent of them say they expediently install Oracle Critical Patch Updates (CPUs) after an Oracle quarterly patch release.

Sentrigo’s virtual patching software is aimed at firms that can’t sufficiently keep up with the patch cycle, or that must delay patching because they can’t disrupt their business applications at that time. The software’s announcement coincides with today’s release of Oracle’s quarterly CPU.

“It’s [Hedgehog vPatch] either [for] a stopgap, or good for legacy systems you can’t patch,” says Rich Mogull, founder of Securosis. “A lot of outdated apps rely on old versions of the database.”

The software watches the database memory and inspects each transaction, says Sentrigo’s Markovich, and includes protection from pervasive SQL injection attacks. Hedgehog vPatch is priced at $750 per CPU for a one-year subscription.

— Kelly Jackson Higgins, Senior Editor, Dark Reading