
Sentrigo Offers Help for Database Patching Woes

Sentrigo Inc. released its new Hedgehog vPatch database security software product on Tuesday. The product targets the patching gaps that plague busy Oracle database administrators (DBAs), who don't always have time to test and apply vendor fixes. Enterprises running Microsoft SQL Server databases can take a lesson here too.

Massachusetts-based Sentrigo found grist for the mill on the Oracle side after a survey found that most Oracle administrators were failing to patch their systems. Two-thirds of the 305 DBAs, consultants and developers surveyed had never installed Oracle's Critical Patch Updates. The survey also found patching delays associated with Microsoft SQL Server users.

Microsoft released a patch for SQL Server earlier this month, fixing four vulnerabilities, a significant number for a single update. SQL Server has a reputation for ease of use compared with the more complex Oracle ERP and Oracle database stacks. Ease of use is a good thing for administrators, but a large, uniformly deployed install base is also good motivation for hackers to ply their trade.

Sentrigo's view is that the more widely Microsoft SQL Server databases get used in enterprise deployments, the more attention they'll receive from hackers. The current trend is a rash of SQL injection attacks launched through insecure Web sites. The company's Hedgehog product is designed to help in the interim before database patches are applied by adding another security layer to the mix.

"Product release aside, where SQL injections are concerned, we might be seeing the beginning of a trend," said Sentrigo Vice President Rani Osnat. "What we're coming to the table with is an additional security layer that doesn't require restarts or application testing."

Guess Who?
Whether or not IT pros find Hedgehog or similar products useful, there are many solid reasons to patch databases. One case study is the SQL injection attack on the SQL Server databases behind apparel maker Guess Inc.'s Web site, as described in a Federal Trade Commission document.

The first successful attack on Guess happened in February 2002, when a visitor to the company's Web site used an SQL injection vector to read credit card numbers stored in the company's databases, something that a security patch could have prevented. One caveat for practitioners: an injection flaw lives in the application's query code, and an injected statement runs with whatever access the application's database account has, so a database patch alone does not close the hole; the query code must be fixed, or an intervening layer must block the malicious statements. There have been subsequent attempts since then, but Guess now uses a secure layer, which has helped stave off further damage.

A Simple Solution to a Complex Problem?
Many DBAs skip patches, and may continue to do so, because they regard the database, even a SQL Server one, as a closed architecture: every connection must authenticate, and IT pros can narrow down which internal accounts may read the encrypted and hidden tables in the database.

However, that reasoning is exactly why DBAs should be encouraged to employ a patch of some kind, experts say. Attackers who use SQL injection count on developer inattention to security: the injected statement arrives through the application's own authenticated connection, so authentication at the database boundary does not stop it. Developers often lack the time to audit custom query code, particularly code shared by multiple applications.
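The Guess incident described above (card numbers read through a Web form) and the point about injected statements riding the application's own connection are easiest to see in code. The following is an added example written for this article, not code from Sentrigo, Guess, or Microsoft. It uses SQLite from the Python standard library instead of SQL Server so it runs anywhere; the mechanics are the same. The table names, product rows, card numbers and the `lookup_*` and `shape_of` functions are constructed for illustration. The statement-shape check at the end is a toy sketch of what an interposed database-side layer can do (compare each incoming statement to the shapes the application is known to issue); it is not a description of how Hedgehog works.

```python
"""Added example (constructed): SQL injection through string-built queries,
the parameterized fix, and a toy statement-shape allow-list layer.
Uses SQLite so it runs offline; SQL Server behaves the same way here."""
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a public product catalog and a card table
    that the catalog lookup is never supposed to touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE cards (customer TEXT, card_number TEXT);
        INSERT INTO products VALUES ('G-100', 'denim jacket'), ('G-200', 'logo tee');
        INSERT INTO cards VALUES ('alice', '4111111111111111'),
                                 ('bob',   '5500000000000004');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Builds the statement by concatenation: the Web visitor's text becomes SQL,
    and it executes on the application's authenticated connection."""
    sql = "SELECT name FROM products WHERE sku = '" + sku + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, sku: str) -> list:
    """Same query with a bound parameter: the input is always data, never SQL."""
    sql = "SELECT name FROM products WHERE sku = ?"
    return [row[0] for row in conn.execute(sql, (sku,))]


# Constructed attack string in the style of the Guess incident: closes the
# quoted literal, UNIONs in the card table, and comments out the trailing quote.
ATTACK = "' UNION SELECT card_number FROM cards --"

# --- Toy interposed layer (illustrative, not Hedgehog's logic) ---------------
# Replace every quoted string literal with a placeholder so a statement can be
# compared by shape against the statements the application is known to issue.
_LITERAL = re.compile(r"'(?:[^']|'')*'")
KNOWN_SHAPES = {"SELECT name FROM products WHERE sku = ?"}


def shape_of(sql: str) -> str:
    """Normalize a statement to its literal-free shape."""
    return _LITERAL.sub("?", sql)


def lookup_guarded(conn: sqlite3.Connection, sku: str) -> list:
    """The still-vulnerable concatenation, but every statement is checked
    against the allow-list before it reaches the database."""
    sql = "SELECT name FROM products WHERE sku = '" + sku + "'"
    shape = shape_of(sql)
    if shape not in KNOWN_SHAPES:
        raise PermissionError("statement shape not on the allow-list: " + shape)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "G-100"))      # the intended lookup
    print(lookup_vulnerable(db, ATTACK))       # card numbers leak
    print(lookup_parameterized(db, ATTACK))    # nothing: input treated as data
    try:
        lookup_guarded(db, ATTACK)
    except PermissionError as exc:
        print("blocked:", exc)
```

Run as a script, the second line of output is the card table, read through a query that only ever named `products`; the parameterized version returns nothing because the attack string is compared against `sku` as a plain value. The shape check blocks the injected statement because its normalized form (`... sku = ? UNION SELECT card_number FROM cards --'`) is not one the application is known to send. A real layer has to cope with far more statement variety than this, which is why the article's claim of "no restarts or application testing" matters for deployment.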

Sentrigo's security layer buys them some time, according to company officials.

"What this offers is a sort of fail-safe window between the release of the patch and its installation and deployment," said Slavik Markovich, Sentrigo's chief technology officer. "What you have to remember is that patch analysis is not only done by IT pros in a given enterprise but it's done -- and perhaps even more thoroughly -- by hackers around the world."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
