Which Database Is the Most Secure?

All of the databases we cover in this volume have had serious security flaws at some point. Oracle has published 69 security alerts on its "critical patch updates and security alerts" page—though some of these alerts relate to a large number of vulnerabilities, with patch 68 alone accounting for somewhere between 50 and 100 individual bugs. Depending on which repository you search, Microsoft SQL Server and its associated components have been subject to something like 36 serious security issues—though again, some of these patches relate to multiple bugs. According to the ICAT metabase, DB2 has had around 20 published security issues—although the authors of this book have recently worked with IBM to fix a further 13 issues. MySQL has had around 25 issues; Sybase ASE is something of a dark horse with a mere 2 published vulnerabilities. PostgreSQL has had about a dozen. Informix has had about half a dozen, depending on whose count you use.

The problem is that comparing these figures is almost entirely pointless. Different databases receive different levels of scrutiny from security researchers. To date, Microsoft SQL Server and Oracle have probably received the most, which accounts for the large number of issues documented for each of those databases. Some databases have been around for many years, and others are relatively recent. Different databases have different kinds of flaws; some databases are not vulnerable to whole classes of problems that might plague others. Even defining "database" is problematic. Oracle bundles an entire application environment with its database server, with many samples and pre-built applications. Should these applications be considered a part of the database? Is Microsoft's MSDE a different database than SQL Server? They are certainly used in different ways and have a number of differing components, but they were both subject to the UDP Resolution Service bug that was the basis for the "Slammer" worm.

Even if we were able to determine some weighted metric that accounted for age, stability, scrutiny, scope, and severity of published vulnerabilities, we would still be considering only "patchable" issues, rather than the inherent security features provided by the database. Is it fair to directly compare the comprehensive audit capabilities of Oracle with the rather more limited capabilities of MySQL, for instance? Should a database that supports securable views be considered "more secure" than a database that doesn't implement that abstraction? By default, PostgreSQL is possibly the most security-aware database available—but you can't connect to it over the network unless you explicitly enable that functionality. Should we take default configurations into account? The list of criteria is almost endless, and drawing any firm conclusions from it is extremely dangerous.

Ultimately, the more you know about a system, the better you will be able to secure it—up to a limit imposed by the features of that system. It isn't true to say, however, that the system with the most features is the most secure because the more functionality a system has, the more target surface there is for an attacker to abuse. The point of this book is to demonstrate the strengths and weaknesses of the various database systems we're discussing, not—most emphatically not—to determine which is the "most secure."

In the end, the most secure database is the one that you know the most about.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons © 2005

Why Care About Database Security?

Overview

In the introduction, we discussed the reasons why we consider database security to be important. In this chapter, we provide a brief overview of several broad categories of security issues, with a few specific details and some discussion of general defenses. We also briefly discuss how to go about finding security flaws in database systems. Before we do so, we should discuss some emerging trends in database security.

In recent years, with the explosion in web-based commerce and information systems, databases have been drawing ever closer to the network perimeter. This is a necessary consequence of doing business on the Web—you need your customers to have access to your information via your web servers, so your web servers need to have access to your databases. Databases that were previously accessible only via several insulating layers of complex business logic are now directly accessible from the much more fluid—and much less secure—web application environment. The result of this is that the databases are closer to the attackers. With the constant march toward a paperless business environment, database systems are increasingly being used to hold more and more sensitive information, so they present an increasingly valuable target. In recent years, database vendors have been competing with each other to provide the most feature-rich environment they can, with most major systems supporting XML, web services, distributed replication, operating system integration, and a host of other useful features. To cap all of this, the legislative burden in terms of corporate security is increasing, with HIPAA, SOX, GLBA, and California Senate Bill No. 1386 imposing an ever-increasing pressure on companies to ensure that their networks are compliant.

So why care about database security? Because your databases are closer to the attacker, present a more valuable target, have more features to configure, and are more closely regulated than they have ever been before.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons © 2005

Introduction

Why do we care about database security?

If money could be said to exist anywhere in a network, it exists on a database server. When we say that modern economies are reliant on computers, what we really mean is that modern economies are reliant on database systems. Databases are behind the systems that affect almost every aspect of our lives — our bank accounts, medical records, pensions, employment records, phone records, tax records, car registration details, supermarket purchases, our children's school grades — almost every piece of information of significance in our lives is stored in a modern relational database management system. Since this volume covers seven of the most popular relational database systems, chances are that your personal information is currently being stored in the very systems that are the subject of this book.

We (the authors of this volume) consider database security to be the single most important information security issue there is. If database systems — the systems we all implicitly trust to hold our most sensitive data — are not secure, the potential impact on our lives, and even on our broader society, could be devastating.

Why then do we want to publish a book that describes methods for attacking databases? Simply put, we want to put this information into the hands of database administrators, security professionals, and network auditors so that the people whose job it is to defend these systems understand more fully how others attack them. The people we are all defending against already fully understand how to attack databases and networks; their continued liberty depends on that fact. This volume is likely to teach them little they didn't already know. Contrary to what most software vendors would have you believe, finding security bugs isn't very hard. For every bug that an independent researcher reports to a vendor, there are likely to be several bugs that are known to people who don't inform the vendor. We believe that the best way to defend your network — and your databases — against these unknown bugs is to understand in detail the mechanics of the bugs we know about and attempt to create configurations that thwart whole classes of bugs, rather than simply patching and hoping that no one attacks you with a 0-day exploit.

More often than not, securing a database is a matter of applying the tried-and-tested principles that have been used in network security for decades — enforce minimal privilege, reduce "attack surface" by removing unnecessary functionality, be strict about authentication and access controls, separate blocks of functionality into distinct areas, enforce encryption . . . the only real difference is that in a database, all of these mechanisms operate within the miniature world of the database itself.

It's tempting to read vendor literature pertaining to security and be reassured by the plethora of security measures that modern databases implement. Almost all database systems have some notion of privilege, access controls, comprehensive audit facilities, and controlled access to system components. Database vendors vie with each other to obtain security certifications that prove that they have appropriately implemented these mechanisms. The problem is that although these certifications are important, they are only a part of the story, and by no means the most important part.

All of the databases discussed in this volume have been subject to buffer overflows that violate almost all of these security mechanisms. Placing our faith in security standards, evaluations, and accreditations isn't working. It's time to get practical, and that's what this book is all about.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons