via DatabaseJournal contributor Rob Gravelle - a well crafted screed, in which, Oracle Corporation's (NasdaqGS: ORCL) MySQL is targeted and security advice, conveyed. Today's Recommended Reading matière.
Security Bloggers Network
ICANN blog
TeamSHATTER
Cryptography News
Ms. Smith
SANS Internet Storm Center, InfoCON: green
May 2013
Search
2013.05.13
2013.04.29
Monitoring? We Don't Need No Stinkin' Monitoring...
Interesting commentary by Adrian Lane, Analyst and CTO of Securosis, writing at DarkReading, and targeting the truncated utilization of DAM, the acronym for Database Activity Monitoring. In this case, the widespread lack of proper deployment and implementation of the query blocking mechanisms inherent to nearly all DAM products.
Coupled with the apparent lack of core competency in the DAM arena, clients of the software manufacturers flogging theses products are probably also deficient in at least three other fundamental aspects of DBMS security activity monitoring products: [1] Education / Training within the scope of the products, [2] Scrutiny of the Monitoring Log Output, and [3] probably the key to everything - the ability to read SQL statements.
2013.04.11
SQL Injection, The Litany
via the recently released Veracode State of Software Security Volume 5 Report, SQL Injection flaws are rampant on the interwebs [suprised?], which points to fundamental coding failures brought on by both incompetent development staff plus the oft mentioned cruft.
The entire scenario equates to simple leadership failure; this fail condition is indicated by the inability to enforce both secure development practices and a verifiable training regime.
While the company responsible for the report is in the business of software security scanning and code review, there is efficacy to the document's underlying information...
2013.04.08
2013.04.04
2013.04.02
2013.03.19
Oracle OEM Vulnerabilities Detailed
TeamShatter has reported six severe vulnerabilities resident within Oracle Corporation's (NasdaqGS: ORCL) Oracle Enterprise Manager DB Grid Control management facility.
Quite negative news indeed, for the all-encompassing server, daemon, code and database control product, not to mention the huge numbers of deployed bits in both the public and private sectors. Recent Java exploits, piggybacked on these Oracle Enterprise Manager vulns, puts the database leviathan into a tenuous posture of insecure cruft deployment.
Whilst all of the enumerated vulns have been officially patched by the company, a vast ocean of deployments are not being updated, generally due to recalcitrant DBAs and their System Administrator colleagues (thereby displaying misguided rationale, as generally, they're fearful of patchsets targeting Oracle products, due to the severe impact of the crufty bits applied to extant Oracle instances, and the subsequent possibility of significant downtime). - mxh
2013.03.11
2013.03.08
2013.02.21
Tanel Poder Releases Latest Oracle Performance Tooling
Meanwhile, in Oracle Database news, Tanel Poder, perhaps one of the most highly respected, yet quitely competent Oracle professionals has released version 4.2 of his well known [and heavily utilized by DBAs in-the-know] Snapper tool targeting Oracle Database performance metrics.
Whilst not necessarily security related his work is both highly rated, feature rich, yet lightweight in DBMS impact, oh, and did I mention available at no charge? If you are in any way related to Oracle DBMS products, you need Snapper 4.x. Keep a sharp eye out for Tanel's seminars, also highly rated.
2012.08.15
Battle.net Fallout
News, of successful internal network security attacks, targeting Blizzard Entertainment has percolated up through the detritus of the interweb. Bad news for Battle.net players.
2012.04.23
Requiem in Pacem: Mark Townsend
via Oracle Corporation (NasdaqGS: ORCL) comes the sad news of the passing of Mark Townsend, the Redwood Shores, California database, applications and hardware leviathan's Vice President of Product Development for Oracle Database. His technical acumen was legendary, as such, he was known as the company's "Single Source of Truth" for database products. Infosecurity.US extends our sincere condolences to the Townsend family, his friends and colleagues.
