Wednesday, July 16, 2008

Sentrigo Offers Help for Database Patching Woes

Sentrigo Inc. released its new Hedgehog vPatch database security software product on Tuesday. The product addresses patching inconsistencies that seem to affect busy Oracle database administrators (DBAs), who don't always have time to test and patch. However, users of Microsoft SQL Server database in the enterprise can take a lesson here too.

Massachusetts-based Sentrigo found grist for the mill on the Oracle side after a survey found that most Oracle administrators were failing to patch their systems. Two-thirds of the 305 DBAs, consultants and developers surveyed had never installed Oracle's Critical Patch Updates. The survey also found patching delays associated with Microsoft SQL Server users.

Microsoft released a July patch for SQL Server earlier this month, fixing four vulnerabilities -- a significant number. SQL Server has a reputation for ease of use compared with the more complex Oracle ERP and Oracle database stacks. Still, while ease of use can be a good thing, it can also be good motivation for hackers to apply their trade.


Sentrigo's view is that the more widely Microsoft SQL Server databases get used in enterprise deployments, the more attention they'll receive from hackers. The current trend is a rash of SQL injection attacks launched through insecure Web sites. The company's Hedgehog product is designed to help in the interim before database patches are applied by adding another security layer to the mix.

"Product release aside, where SQL injections are concerned, we might be seeing the beginning of a trend, said Sentrigo's Vice President Rani Osnat "What we're coming to the table with is an additional security layer that doesn't require restarts or application testing."

Guess Who?
Whether IT pros find Hedgehog or similar products useful, there are many solid reasons to patch databases. One lesson is the SQL Server injection attack suffered by apparel maker Guess Inc., as described by a Federal Trade Commission document.

The first successful attack on Guess happened in February of 2002 when a visitor to the company's Web site, using an SQL injection vector, was able to read credit card numbers stored in the company's databases, something that a security patch could have prevented. There have been subsequent attempts since then, but Guess now uses a secure layer, which has helped stave off further damage.

A Simple Solution to a Complex Problem?
Many DBAs don't and still might not install all patches on databases because many databases, even of the SQL Server variety, are examples of closed architectures. Authentication is required in these systems, and IT pros can narrow down who has access internally to some of the encrypted and hidden tables in the database.

However, this scenario represents exactly why DBAs should be encouraged to employ a patch of some kind, experts say. Hackers who use SQL injection attacks often count on developer inattention to security. Developers may not have the time to mess with custom application code that may connect with multiple applications where SQL is concerned.

Sentrigo's security layer buys them some time, according to company officials.

"What this offers is a sort of fail safe window between the release of the patch and its installation and deployment," said Slavik Markovich, Sentrigo's chief technology officer. "What you have to remember is that patch analysis is not only done by IT pros in a given enterprise but it's done -- and perhaps even more thoroughly -- by hackers around the world."


Microsoft Advisory Targets SQL Injection Attacks
July Patch Cycle Elicits Some ‘Critical’ Opinions
Researcher slams Adobe for ‘epidemic’ of JavaScript bugs