Information Security News mailing list archives

Oracle Drives Security Deeper


From: InfoSec News <isn () c4i org>
Date: Tue, 10 Jun 2003 00:08:52 -0500 (CDT)

http://www.eweek.com/article2/0,3959,1120074,00.asp

By Dennis Fisher
June 9, 2003 

Oracle Corp. is developing several security tools to help users of the 
company's software find vulnerabilities and lock down their systems.

The tools, which will be released over the next several months, are 
part of an effort by the company to extend its security commitment to 
customers beyond simply writing secure code and shipping software in a 
secure configuration, company officials at the Gartner IT Security 
Summit here said.

The first tools due are scanners of sorts that pore over customer 
installations and assess which patches have been installed and which 
still need to be applied, according to Mary Ann Davidson, chief 
security officer at Oracle, based in Redwood Shores, Calif. The 
technology will look for all software updates - not just security 
patches - although it will likely flag missing security fixes 
differently from other updates.

Oracle officials said they hope to have the technology ready this 
year. The assessment tool is just one in a series of technologies that 
Oracle will release as part of its plan to make security simpler and 
less time-consuming.

"We try to ship our products secure by default, but we should have 
better wizards for that," Davidson told eWEEK. "Reading five pages of 
documentation to lock something down is too much."

To address that, Oracle is also at work on an auto-hardening tool that 
will help administrators identify unneeded services and common 
configuration mistakes.

While the details of this technology are being worked out, the tool 
will be able to look for database services that are used by attackers 
and warn admins that services should be turned off if not used often.

The tool also will be able to find configuration problems that can 
lead to vulnerabilities that might be exploited. Davidson estimated 
the tool will be ready in nine months to a year.

The work is an extension of the company's much-publicized campaign to 
emphasize the security of its products. The effort, which claimed the 
Oracle database software is "unbreakable," put the spotlight on 
Davidson and her security team.

Oracle is not the first software maker to see the need for these types 
of tools. Microsoft Corp. has had similar technologies available for 
some time. In fact, the Redmond, Wash., company last week released a 
new version of its Baseline Security Analyzer tool, which scans for 
common security misconfigurations.

Oracle plans to provide the new tools to users for free. Customers say 
there is a definite need for the tools the company is developing.

"Oracle has evolved into one of the most flexible databases, and the 
number of configurations is almost endless," said Don Burleson, CEO of 
Burleson Oracle Consulting, in Raleigh, N.C., and an Oracle expert. 
"Oracle has one of the best security models in the world, but the 
challenge is up to the administrator to make sure the configuration is 
optimal."


