
Open-Source Databases Pose Unique Security Challenges

Most open-source database platforms aren't supported by third-party database activity monitoring and security policy tools

As the growth in Web 2.0 applications spurs adoption of open-source databases within the enterprise, many organizations need to expand their security priorities to include these increasingly important data stores. While the security principles that drive proprietary database protection also apply to open-source databases, there are a few additional challenges to locking down such platforms, which include Postgres, Ingres, and MySQL.

"This is a difficult problem," says Adrian Lane, CTO and analyst at Securosis. "The reason is there is very little effort or research put into security policies for the open-source databases. Comparing Oracle to Postgres, as an example, is a little like comparing Microsoft Windows to Apple's OS: Windows may be the more secure platform now, but only a few people write exploit code for Snow Leopard. Since we don't hear about attacks that often, we assume it's more secure."

The market for open-source databases was at about $850 million in 2008, according to Forrester Research, which predicted that figure to increase to $1.2 billion by the end of this year. Gartner is more conservative in its prediction for the market, expecting open-source databases to be at $1 billion by 2013.

Several converging trends are likely to bear out analysts' expectations of this market growth, including the exponential growth of Web 2.0 and homegrown applications that open-source databases often support, economic trends that continue to spur enterprises to avoid database license costs for new projects, and increased feature sets offered by open-source platforms.

"Open-source databases, such as Ingres, MySQL, and PostgreSQL, continue to expand their features and functionality, providing viable alternatives that can support most small to moderately sized business applications," wrote Noel Yuhanna, an analyst with Forrester, last year.

Of course, as any good security expert will tell you, the viability of any given alternative can be seriously hampered if risks can't be addressed properly. And there are a few challenges unique to open-source databases that organizations need to consider.

One of the biggest is how well the security industry supports these database platforms. True, the biggest open-source databases offer a spectrum of native security features similar to what enterprises have come to expect from closed-source vendors. Take Ingres, for example, which Yuhanna said was the best open-source database and whose executives tout its security features.

"Ingres is deployed in many situations where securing data is crucial to national, public, and personal security; as such we include all of the security controls that one would expect to find in an enterprise class database solution," says Emma McGrattan, senior vice president of engineering at Ingres. "Security features, such as role separation, fine-grained security auditing, encryption, and security alarms, enable proactive and preventive security measures."

But Ingres and most other open-source databases aren't supported by third-party database activity monitoring and other security policy tools.

"MySQL is the only open-source database that is covered by database activity monitoring products. Imperva and Guardium both provide monitoring, but I am not sure if they support 100 percent of their capabilities. SIEM vendor Nitro also offers a flexible DAM solution that covers MySQL, as well," Securosis' Lane says. "Monitoring, assessment, and auditing policies for Postgres are not created by the security product vendors, and the open-source community does not feel compelled to create them either. MySQL is widely deployed -- especially backing Web applications -- so we see some security product coverage, but that pales to what we see for Oracle."

Lane suggests a few fill-in techniques for gaining visibility into databases not covered by database activity monitoring, but reminds users they won't be as effective.

"For the other platforms, use of built-in auditing functions, select use of triggers, network monitoring, and even Syslog capture can help capture activity and provide visibility, but not the real-time analysis of events," he says.
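As an added illustration of the trigger-based fallback Lane describes (this is example code, not from the article or any vendor mentioned), the following PostgreSQL snippet records every row-level change on a sensitive table to an audit table; the `accounts` table, the `app_user` role, and PostgreSQL 11 or later are assumed.

```sql
-- Audit table: one row per captured DML event (assumed schema, not from the article).
-- Defaults capture who did it and from where; the app role never writes here directly.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    logged_at   timestamptz NOT NULL DEFAULT now(),
    db_user     text        NOT NULL DEFAULT session_user,
    client_addr inet                 DEFAULT inet_client_addr(),
    table_name  text        NOT NULL,
    operation   text        NOT NULL,
    old_row     jsonb,
    new_row     jsonb
);

-- Generic trigger function: reusable on any table it is attached to.
-- SECURITY DEFINER lets it insert into audit_log even when the calling
-- role has no privileges on that table, so the trail is append-only from
-- the application's point of view.
CREATE OR REPLACE FUNCTION audit_dml() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO audit_log (table_name, operation, old_row, new_row)
        VALUES (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME, TG_OP, to_jsonb(OLD), NULL);
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO audit_log (table_name, operation, old_row, new_row)
        VALUES (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME, TG_OP, to_jsonb(OLD), to_jsonb(NEW));
    ELSE  -- INSERT
        INSERT INTO audit_log (table_name, operation, old_row, new_row)
        VALUES (TG_TABLE_SCHEMA || '.' || TG_TABLE_NAME, TG_OP, NULL, to_jsonb(NEW));
    END IF;
    RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Attach to the (hypothetical) accounts table.
CREATE TRIGGER accounts_audit
    AFTER INSERT OR UPDATE OR DELETE ON accounts
    FOR EACH ROW EXECUTE FUNCTION audit_dml();

-- Keep application roles from reading or tampering with the trail.
REVOKE ALL ON audit_log FROM PUBLIC;
REVOKE ALL ON audit_log FROM app_user;

-- Built-in logging to syslog complements the trigger (postgresql.conf settings):
--   log_destination = 'syslog'
--   log_connections = on
--   log_statement   = 'ddl'
```

The trigger gives an after-the-fact record rather than real-time analysis; forwarding the server log to syslog lets a SIEM at least pick up connection and DDL events.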

Another consideration is that, given the types of applications typically built on open-source databases, these platforms could be more exposed to SQL injection.

"I would say another consideration about open-source databases is they tend to be used either with homegrown apps or with other open-source apps, and that means those apps are more likely to have SQL injection vulnerabilities," says Phil Neray, vice president of security strategy at Guardium, an IBM company.

In terms of hardening the open-source databases, though, all of the same rules apply as with proprietary databases, Neray says. This includes locking down privileges, managing passwords well, patching regularly, and so on.

Above all else, Lane says administrators should work on a secure configuration. "Don't leave the default settings," he says. "As with every commercial database, open-source databases are nowhere near being secure out of the box."
