Re: Back and a Question

  • From: "John Kanagaraj" <john.kanagaraj@xxxxxxxxx>
  • To: anjo.kolk@xxxxxxxxxxx
  • Date: Tue, 15 Aug 2006 11:21:55 -0700

Anjo,

Welcome back!! (For those of you who don't know, Anjo is "The Man" who
introduced the Wait Interface to the world via the YAPP paper! I think that
was way back in 95?)

I believe this flurry is because of two issues: One - SOX (for the US based
publicly held companies) and related scrambling to become and stay "security
compliant"; Two - the steady increase in attacks against Database
enabled/front-ended systems and widely publicized loss/theft of information.
The former requires meeting rather stringent controls and periodically testing
and reporting that they have been met, which needs some "auditor-acceptable"
tools. In the latter case as well, you need to have tools that can test
end-to-end security and not just at the database layer. As for the talk,
both consulting and end user organizations need to talk about DB security,
normally as a precursor to finding something workable.

BUT... the issue is this: Implementing security was (and still is!)
generally an after-thought. (Aka - "First to Market - security and good
design be d***ed"). Once an application is rolled out, there are a bunch of
hackers out there whose job it is to break in. Up until a few years ago,
hacking was mostly for bragging rights practised among computer nerds.
However, when hackers realized that there is $$ involved, it quickly
escalated and now attracts all the criminal elements. Hence, organizations
are caught between needing to secure both new apps being rolled out as well
as existing ones that have already been implemented versus being "first to
market" and "easy to use/develop".... This is why you are seeing a lot of
talk (to keep auditors/shareholders happy) and less action (unable to change
existing apps/procedures without breaking them or building in security right
from inception).

As well, there are lots of specific areas within the broader "DB Security" -
there is auditing / reporting, penetration testing, log mining, etc., and
specific tools out there for each of these areas. You might want to look at
the SANS Institute website for starters.

Hope this helps!
John Kanagaraj

On 8/15/06, Anjo Kolk <anjo.kolk@xxxxxxxxxxx> wrote:

So I made it back on the list. I have a question for you all about DB security. There seems to be a lot of talk about DB security, but not a lot of action. Is that true, and if it is true, why don't customers act? There are products out there to check for DB security; how are they doing? Does anybody on this list use them?

Please share your thoughts and comments,

--
Anjo Kolk
Owner and Founder OraPerf Projects
tel:    +31-577-712000
mob: +31-6-55340888
