
Project Quant -  Project Comments

We have three Project Quant for Database Security topics to discuss. The answers to the Open Question to the Database Security Community (should we include query analysis as part of the project?) are in. I had exactly three 'Yes' responses and three 'No' responses. The 'Yes' group was consistent, saying this would be helpful. The 'No' group was equally consistent, saying "That's application security and does not belong here." Which is exactly the internal struggle we had. As the tie breakers, Rich and I are voting to put code review in. It will be brief, and we will focus on those tasks in the database realm.

Throughout the series I have differentiated between policies and rules, but it is worth clarifying the distinction, as it may not be obvious.

  • Policy: What you want to accomplish, and the outline of a plan for how to go about it. A policy may be comprised of one or more rules.
  • Rule: In this context I am talking about the technical component that gets the work done. This is the code, script, or query that performs the task.

As an example, let's say you want to block SQL injection. That policy might state that you will block queries with specific patterns. If you are aware of a half dozen specific patterns, you might have six specific rules to check inbound queries against. Or you might have a policy to check databases for buffer overflow attacks. You could have a single rule that checks to see if the database is patched to fix the exploit, or you could use two or three scripts that attempt to exploit the buffer overflow. Tools and platforms such as DAM, VA, or auditing provide a layer of abstraction for you; you create a policy and the tool builds the rule for you.
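To make the policy/rule split concrete, here is a small added example (my own code, not part of the Project Quant series or any DAM product) that models a policy as a named collection of rules, where each rule is the technical check that does the work. The `pattern_rule` factory plays the role of the abstraction layer described above: the policy author supplies a pattern and the factory builds the rule. The four injection patterns and the patched version string `10.4.2` are constructed placeholders for illustration, not a complete or vendor-supplied signature set.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Rule:
    """The technical component: a check that returns True when it fires."""
    name: str
    check: Callable[[Dict], bool]


@dataclass
class Policy:
    """What you want to accomplish, expressed as one or more rules."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, event: Dict) -> List[str]:
        """Return the names of every rule that fired for this event."""
        return [r.name for r in self.rules if r.check(event)]


def pattern_rule(name: str, pattern: str) -> Rule:
    """Abstraction layer: turn a pattern into a rule over the query text."""
    rx = re.compile(pattern, re.IGNORECASE)
    return Rule(name, lambda ev: bool(rx.search(ev.get("query", ""))))


def min_version_rule(name: str, required: str) -> Rule:
    """Single rule: fires when the server version is below the patched one."""
    req = tuple(int(x) for x in required.split("."))

    def check(ev: Dict) -> bool:
        version = ev.get("server_version")
        if version is None:
            return True  # unknown version: treat as unpatched (fail closed)
        return tuple(int(x) for x in version.split(".")) < req

    return Rule(name, check)


# Policy 1: "block queries with specific patterns" -> several pattern rules.
# Constructed, illustrative patterns; expect false positives (e.g. "--" inside
# a string literal) and tune them against your own query logs.
INJECTION_POLICY = Policy("block-sqli-patterns", [
    pattern_rule("tautology", r"\bOR\b\s+('?\w+'?)\s*=\s*\1"),   # OR 1=1, OR 'a'='a'
    pattern_rule("union-select", r"\bUNION\b\s+(ALL\s+)?SELECT\b"),
    pattern_rule("comment-tail", r"(--|#|/\*)"),
    pattern_rule("stacked-query", r";\s*(DROP|DELETE|UPDATE|INSERT|EXEC)\b"),
])

# Policy 2: "is the database patched?" -> one rule against a placeholder
# version; "10.4.2" is a made-up value, not a real vendor patch level.
PATCH_POLICY = Policy("patched-against-overflow", [
    min_version_rule("below-patched-version", "10.4.2"),
])


def evaluate_all(event: Dict) -> Dict[str, List[str]]:
    """Run every policy over one event; map policy name -> fired rules."""
    return {p.name: p.evaluate(event) for p in (INJECTION_POLICY, PATCH_POLICY)}


if __name__ == "__main__":
    # Constructed sample events standing in for captured DAM traffic.
    samples = [
        {"query": "SELECT * FROM users WHERE id = 42", "server_version": "10.4.2"},
        {"query": "SELECT * FROM users WHERE name = '' OR 1=1 --", "server_version": "10.3.9"},
        {"query": "SELECT a FROM t UNION SELECT password FROM users"},
    ]
    for ev in samples:
        print(ev.get("query"), "->", evaluate_all(ev))
```

Each `Policy.evaluate` call returns only the rule names that fired, so the same event can be scored against several policies without the policies knowing about each other; that is the separation the DAM/VA tooling gives you when it turns a high-level policy into concrete rules.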

Finally, we are looking for input, comments, and suggestions on both the process and metrics we are creating. There is no "industry standard" for database security, and what companies spend varies radically. We could ask "What do you spend today on database security?" but frankly we doubt you know. That's not intended to be insulting, it's just that from the enterprise to small single-DBA IT organizations, this spending is rarely tracked. Or the responsibility is shared across multiple people with other duties. If we asked how much time you spend on database security in any given month, would you have an answer? Would it be a guess?

—Adrian Lane
