[ISN] Oracle Drives Security Deeper

From: InfoSec News (isnat_private)
Date: Mon Jun 09 2003 - 22:08:52 PDT


    http://www.eweek.com/article2/0,3959,1120074,00.asp
    
    By Dennis Fisher
    June 9, 2003 
    
    Oracle Corp. is developing several security tools to help users of the 
    company's software find vulnerabilities and lock down their systems.
    
    The tools, which will be released over the next several months, are 
    part of an effort by the company to extend its security commitment to 
    customers beyond simply writing secure code and shipping software in a 
    secure configuration, company officials at the Gartner IT Security 
    Summit here said.
    
    The first tools due are scanners of sorts that pore over customer 
    installations and assess which patches have been installed and which 
    still need to be applied, according to Mary Ann Davidson, chief 
    security officer at Oracle, based in Redwood Shores, Calif. The 
    technology will look for all software updates - not just security 
    patches - although it will likely flag missing security fixes 
    differently from other updates.
    
    Oracle officials said they hope to have the technology ready this 
    year. The assessment tool is just one in a series of technologies that 
    Oracle will release as part of its plan to make security simpler and 
    less time-consuming.
    
    "We try to ship our products secure by default, but we should have 
    better wizards for that," Davidson told eWEEK. "Reading five pages of 
    documentation to lock something down is too much."
    
    To address that, Oracle is also at work on an auto-hardening tool that 
    will help administrators identify unneeded services and common 
    configuration mistakes.
    
    While the details of this technology are being worked out, the tool 
    will be able to look for database services that are used by attackers 
    and warn admins that services should be turned off if not used often.
    
    The tool also will be able to find configuration problems that can 
    lead to vulnerabilities that might be exploited. Davidson estimated 
    the tool will be ready in nine months to a year.
    
    The work is an extension of the company's much-publicized campaign to 
    emphasize the security of its products. The effort, which claimed the 
    Oracle database software is "unbreakable," put the spotlight on 
    Davidson and her security team.
    
    Oracle is not the first software maker to see the need for these types 
    of tools. Microsoft Corp. has had similar technologies available for 
    some time. In fact, the Redmond, Wash., company last week released a 
    new version of its Baseline Security Analyzer tool, which scans for 
    common security misconfigurations.
    
    Oracle plans to provide the new tools to users for free. Customers say 
    there is a definite need for the tools the company is developing.
    
    "Oracle has evolved into one of the most flexible databases, and the 
    number of configurations is almost endless," said Don Burleson, CEO of 
    Burleson Oracle Consulting, in Raleigh, N.C., and an Oracle expert. 
    "Oracle has one of the best security models in the world, but the 
    challenge is up to the administrator to make sure the configuration is 
    optimal."
    
    
    
    -
    ISN is currently hosted by Attrition.org