Re: RE : Firebird DB - What Does Anyone Know?

• From: Robert Freeman <robertgfreeman@xxxxxxxxx>
• To: oracle-l@xxxxxxxxxxxxx
• Date: Tue, 15 Sep 2009 09:41:47 -0700 (PDT)

It's probably dangerous to assert that the availability of source code does not 
make a product more vunerable. I think given an overall picture of what makes a 
product vunerable, the availability of source (and assuming you are running the 
product in an unmodified form) clearly adds an element of risk to the use of 
such a product. I'm not saying that it's the sole reason not to use the 
product, but it should be a serious consideration. 

I agree that all software is subject to security vulnerabilities, but I would 
suggest that it's not the nature of Open source that makes it more secure. 

Instead what makes a product a likely target of penetration testing is the size 
of a given products install base and the target value potential that makes a 
product more or less likely to be target of hack attempts. That's why you will 
see a product such as Oracle or DB2 or SQL Server have larger penetration risk 
footprints than say, something obscure like Firebird. As a result of this 
conjecture, I would expect that an open source database that is in more 
widespread use, like MYSQL, probably has more identified exploites than 
something like Firebird.

Additionally I'd suggest that a product like Oracle, which has a large 
functional footprint, is more likely to have discoverable vunerabilities than a 
smaller functional footprint product (say, MYSQL). 

Just a few thoughts off the top of my head...

RF


 Robert G. Freeman
Oracle ACE
Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON IT'S WAY SOON!
OCP: Oracle Database 11g Administrator Certified Professional Study Guide 
(Sybex)
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle  (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Other various titles out of print now...
Blog: http://robertgfreeman.blogspot.com 
The LDS Church is looking for DBA's. You do have to be a Church member in
good standing. A lot of kind people write me, concerned I may be breaking
the law by saying you have to be a Church member. It's legal I promise! :-)
http://pages.sssnet.com/messndal/church/parachurch.pdf




________________________________
From: Matthew Zito <mzito@xxxxxxxxxxx>
To: Richard.Goulet@xxxxxxxxxxx; srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Sent: Tuesday, September 15, 2009 9:58:00 AM
Subject: RE : Firebird DB - What Does Anyone Know?

 
I'd also like to strenuously object to the assertion that Open Source = easier 
to hack into.  All software products are vulnerable to security issues, and 
Oracle's CPUs demonstrate that clearly being closed-source helps them little in 
terms of identifying them.  In fact, there's a long track record in open-source 
software where random savvy users have identified security vulnerabilities and 
supplied patches to the community.  No opportunity for that with Oracle.
 
I think the maintainability of open-source software is a valid concern, 
especially if there's not a large company/robust community behind it.
 
To answer your original question, Firebird is fine.  It's an embedded database, 
very lightweight, very nichey.  I'm not aware of anyone commercial backing it,  
except ISVs who embed it.
 
Matt
 
--
Matthew Zito
Chief Scientist
GridApp Systems
P: 646-452-4090
mzito@xxxxxxxxxxx
http://www.gridapp.com

________________________________
 De: oracle-l-bounce@xxxxxxxxxxxxx de la part de Goulet, Richard
Date: mar. 9/15/2009 11:48
À: srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Objet : RE: Firebird DB - What Does Anyone Know?


Scott,
 
    OH Boy, been a long time since I looked at Firebird, so this may well be 
dated.  Yes it is open source, not exactly sql compliant, and very poorly 
protected.  A table is a file & the data therein is flat ASCII so very easy to 
read.  Great for small projects with a limited number of users and that is not 
web attached.
 
Dick Goulet 
Senior Oracle DBA/NA Team Lead 
PAREXEL International 
 


________________________________
 From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Scott Canaan
Sent: Tuesday, September 15, 2009 11:41 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Firebird DB - What Does Anyone Know?


   One of our departments is looking at a product that uses a Firebird 
database.  I’ve done some online research and found out that it is an open 
source database.  I’ve brought this up with the vendor, stating that since its 
open source it’s easy for hackers to get a copy to play with.  Their response 
was to challenge me to break into their system and database, which I thought 
was an interesting response.  It was the only technical question thrown at them 
that they got visibly angry about.  
   My question is:  Is anyone familiar with this database and how secure it is? 
 If so, does it support any kind of encryption?  I’ve not been able to find 
anything about encryption, either the data itself or network, on this product. 
   In the end, if the department purchases this package, we won’t be supporting 
the database, but I’m trying to do my due diligence in advising them of any 
issues, particularly security issues, that I can find.
 
Thank you,
 
Scott Canaan '88 (Scott.Canaan@xxxxxxx)
(585) 475-7886
"Life is like a sewer, what you get out of it depends on what you put into it." 
- Tom Lehrer.

• References:
  • Firebird DB - What Does Anyone Know?
    • From: Scott Canaan
  • RE: Firebird DB - What Does Anyone Know?
    • From: Goulet, Richard
  • RE : Firebird DB - What Does Anyone Know?
    • From: Matthew Zito

Other related posts:

• » Re: RE : Firebird DB - What Does Anyone Know? - Robert Freeman

1. Home
2. oracle-l
3. Archive
4. 09-2009

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---