In 2007, database professionals need to be vigilant in monitoring their database communication protocols for potential security vulnerabilities. In a recent conversation with our editors, Amichai Shulman, CTO at Imperva (http://www.imperva.com), and Alan Norquist, Imperva’s vice president of marketing, offered their insights about the new kinds of vulnerability exploits that database professionals might see in upcoming months. Shulman, who is the head of the Imperva Application Defense Center (ADC), a research and security services center, explained, “Until a year ago, most vulnerabilities were related to built-in stored procedures and packages that are supplied with database solutions. But in the past year, we’ve seen a new type of vulnerability related to communication protocols between clients and servers. These protocols aren’t exposed to a variety of traffic, but if you dig into their implementation, you can find vulnerabilities.” Shulman noted that Imperva’s researchers have seen many more exploits related to these protocol vulnerabilities, and he predicted more in the coming year.
Shulman stressed, “No real workarounds exist yet for these kinds of exploits—you can’t fix them within the database server.” To help database pros locate these hard-to-track vulnerabilities, Imperva released Scuba, a free database-vulnerability scanner for SQL Server, Oracle, Sybase, and IBM DB2. The Scuba product scans your database, identifies known vulnerabilities and misconfigurations, and tells you the overall security status of your database. Then, you can decide what to do about plugging the holes. The tool is a simple download that’s easy to run, and because it doesn’t use attack techniques to determine whether vulnerabilities exist, it’s safe.
It’s important to do periodic security scans of your database simply because the database is an ever-changing environment. “Microsoft has done a great job lately locking down the default security settings in SQL Server,” said Shulman. “But after deployment, things change—settings get changed, data needs change, people leave the company. This tool lets you do continuing assessments of the database environment so that you can stay on top of those changes.”
The new offering is freeware, Norquist said, because it’s intended to be a starting point that helps you see what your next step needs to be. According to Norquist, after you identify a vulnerability, you have several ways to address it. Imperva will provide ongoing updates to the Scuba freeware product, which you can download at http://www.imperva.com/scuba.