Hacking The Big 4 Databases

Josh Shaul

Wed, 30th January 2013


Speaker Bio 1:
As the Chief Technology Officer with Application Security, Inc. (AppSecInc), Josh Shaul is responsible for the overall direction of the organization's technical strategy, which includes responsibility for the product portfolio: AppDetectivePro for auditors and IT advisors, and its flagship solution, DbProtect for the enterprise. During his tenure at AppSecInc, Josh has held positions in product management, engineering, sales and technical strategy.

Prior to AppSecInc, Josh was Director, Worldwide Systems Engineering with SafeNet, Inc., working on the industry's first complete IPsec accelerator chip. In his five years with SafeNet, he was responsible for the design, development and enhancement of SafeNet's embedded security solutions, covering a wide range of applications.

Josh is the foremost security policy and standards guru at the firm, with additional expertise in U.S. and Canadian Federal governments (both military and civilian), trusted computing and application-level security issues.

He is the author of the acclaimed Practical Oracle Security: Your Unauthorized Guide to Relational Database Security, which received resoundingly positive critical reviews. He's presented at numerous global technology conferences including Microsoft TechEd, McAfee FOCUS, InfoSec World, WhiteHatWorld, Computer Security Institute, GFirst, IOUG COLLABORATE, several Oracle Users Group conferences, Federal Information Assurance Technology Forum, OWASP, Federal Information Security Conference, and FS-ISAC. Josh holds a B.S. in Computer Systems Engineering from the University of Massachusetts.

Questions and answers

Max, Concise Courses:
Are databases becoming more secure with every generation, if so why?

Josh Shaul:
Some databases are moving in that direction and other databases really aren't. Microsoft in general deserves a lot of credit. If you look at their history, SQL 2000 was a terrible database from a security perspective. 2005 was pretty fantastic, and with SQL 2012 they have really done a lot, so they have evolved tremendously, and one of the things I have seen them do is embrace the research community. They reached out to the community and asked for help pre-release to check for vulnerabilities and report them so they could get fixed.

With some of the other vendors it has been different. Oracle, for example, has had [some security issues]; they have a lot of legacy and a lot of bugs keep getting in there, so they are addressing them and fixing them as we find them, for the most part.

Cisco and IBM haven't been subject to a lot of security research in the past. What we found is that as we look at those databases, the vulnerabilities are pretty easy to find. We don't expect to see a ramp-up in vulnerabilities with those platforms, which are used pretty heavily in financial services.


Max, Concise Courses:
Our organization is an SME. What essential steps do you propose IT managers can take to securely configure and maintain databases, and defend against malicious breaches?

Josh Shaul:
If you're an SME you're obviously not going to have a dedicated security team that is going to help you out, but there are some things that you can do. I recommend that you go out and take a look at the Center for Internet Security and see their benchmarks, and see what you need to configure for the main databases out there. They will give you some good basic security guidance.

If you want to take it to the next step you can buy a database vulnerability scanner, which are really not expensive; an SME can easily afford it. Go out and scan a couple of your critical databases and look for the issues that you find, and if you find some real issues there [and solutions] then you can replicate them across your other databases.


Max, Concise Courses:
Is hosting a database in the cloud generally more likely to be less safe due to trusting third parties? What is your preference given all your research and findings? We had Steven Fox from the US Treasury Department on the show talk to us about FedRAMP (which is the US government's cloud solution), so clearly the current administration feels comfortable with hosting sensitive data on the cloud. What are your thoughts? Are you more pro or anti cloud for sensitive data?

Josh Shaul:
I love FedRamp, let's start there. What FedRamp is doing is going out there and putting real security assessments on cloud service providers and making sure that they have a reasonably secure environment. They are doing databases as well, because all of the testers under that program [FedRamp] are using AppSec Inc products to do database assessments, so I know they are doing a good job out there making sure that cloud service providers are [secure]. So, if that's the way the cloud is going to be run, i.e. the ability for transparency and the ability to audit security in the cloud, then I'm all for it. I mean, if they are securing your visibility then that's great. When you are talking about someone else's network that doesn't want to tell you about their security or transparency, I certainly wouldn't put my sensitive data there, but I am a little more paranoid on the security side! I've seen a lot of people losing their information making those kinds of mistakes.


Max, Concise Courses:
What can we expect from Application Security in the future? Do you have anything that you would like to share with us, any news flashes?

Josh Shaul:
We're going to jump into the pool with the big database space; we just couldn't resist all the buzz and excitement out there, so you'll see us there with some security products in the relatively near future.


Max, Concise Courses (from the chat box):
If the Database vendors won’t fix the vulnerabilities, what can be done to secure the databases?

Josh Shaul:
If your database vendors are not fixing vulnerabilities, then more than likely your DBAs aren't able to patch the vulnerabilities that are being fixed. You can put some mitigating controls in place, [for example] database activity monitoring to see if you have any signature-based attacks, and what you can do there is really put intrusion prevention in front of your database so you can virtually patch the vulnerabilities that you can't physically patch. My advice would be that if you have to patch databases out there, start off with a good database activity monitoring system, and use it to at least alert on, if not block, any attempts to exploit known vulnerabilities.