Blog

The Open Source Database Security Project

By Adrian Lane

I am thinking about writing a guide to secure open source databases, including verification queries. Do you all think that would be useful?

For the most part, when I write about database security, I write about generic approaches that apply to all database platforms. I think this is helpful for database managers, as well as security and IT professionals who have projects that span multiple database types. When writing the Database Security Fundamentals series, my goal was to provide a universal checklist of the database security basics that anyone with basic DBA skills could accomplish in a week. DBAs who work in large enterprise may have established guidelines, but small and medium sized firms generally don’t, and I wanted the series to provide an awareness on what to look for and what to do. I also find that mainstream Oracle DBAs tune out because I don’t provide specific queries or discuss native features.

The downside is that the series covers what to do, but not how to do it. By taking a more abstract look at the problems to be solved across security and compliance, I cannot provide specific details that will help with Oracle, Sybase, Teradata, PostgreSQL, or others – there are simply too many policies for too many platforms for me to sufficiently cover. Most DBAs know how to write the queries to fulfill the policies I outlined. For the non-DBA security or IT professional, I recognize that what I wrote leaves a gap between what you should do and how to do it. To close this gap you have a couple of options:

  1. Acquire tools like DAM, encryption, and assessment from commercial vendors
  2. Participate on database chat boards and ask questions
  3. RTFM
  4. Make friends with a good DBA

Yes, there are free tools out there for assessment, auditing, and monitoring. They provide limited value, and that may be sufficient for you. I find that the free assessment tools are pretty bad because they usually only work for one database, and their policies are miserably out of date. Further, if you try to get assessment from a commercial vendor, they don’t cover open source databases like Derby, PostgreSQL, MySQL, and Open Ingres. These platforms are totally underserved by the security community but most have very large installed user bases. But you have to dig for information, and cobble together stuff for anything that is not a large commercial platform.

So here is what I am thinking: through the remainder of the year I am going to write a security guide to open source databases. I will create an overview for each of the platforms (PostgreSQL, Derby, Ingres and MySQL), and cover the basics for passwords, communications security, encryption options, and so forth, including specific assessment polices and rules for baselining the databases. Every week I’ll provide a couple new rules for one platform, and I will write some specific assessment policies as well. This is going to take a little resourcefulness on my part, as I am not even sure my test server boots at this point, and I have never used Derby, but what the heck – I think it will be fun. We will post the assessment rules much like Rich and Chris did for the ipfw Firewall Rule Set.

So what do you think? Should I include other databases? Should I include under-served but non-open-source such as MS Access and Teradata? Anyone out there want to volunteer to test scripts (because frankly I suck at query execution plans and optimization nowdays)?

Let me know because I have been kicking this idea around for a while, but it’s not fully fleshed out, and I would appreciate your input.

No Related Posts
Comments

Adrian - thanks for the reply.  Maybe risk assessment wasn’t the right word - I was thinking of some sort of market analysis to determine which open source databases to focus on.  I was using selection criteria like “total number of installations” and “total size in bytes”, etc, but user groups is indeed a good criterion to use, since you are targeting an audience of actual ordinary users, not mega companies like facebook and twitter that should be managing the security themselves. 

Maybe these types of distributed databases (bigtable, Cassandra) should be the focus of separate project?  A quick search of Securosis shows one mention of bigtable, so while I don’t want to expand the scope of the current project, these “storage systems” do offer some interesting security problems. 

For example here Peter Fleischer from Google discusses the difficulty in complying with the EU Data Protection Directive:
http://peterfleischer.blogspot.com/2009/04/cloud-policy-consequences-for-privacy.html

By Michael O'Keefe


@Michael - Thanks for the comment. I was hoping for more feedback on this topic, but I have only gotten two emails and your comment. I am thinking that it would be best to focus on assessment policies, and then provide general guidance on encryption, access controls, DAM (if available) and auditing. Almost like a resources guide. Conceptually as simple as assessment is, it’s hard work, and it is usually the first security step DBA’s perform after access controls.

I picked Ingres, MySQL and Postgres as each has very large user groups. Derby, not so much, but I threw it in because I thought it would be interesting. I am not even sure what the right order would be.

-Adrian

By Adrian Lane


This does seem to be an under-served area.  Quite a “niche”, although, obviously, niche isn’t the right word to describe DMBSes used by the likes of twitter, for example.  They use mysql currently, but are looking at new systems, such as Cassandra according to the link below.

http://nosql.mypopescu.com/post/407159447/cassandra-twitter-an-interview-with-ryan-king

Maybe some sort of “risk assessment” is in order to determine the appropriate open source databases to cover?  I do agree that the generic approach is good, but also, judging by the lack of security controls even at a company like twitter (see below), any way to simplify the work of the DBA out there would be helpful.

http://darkreading.com/securityservices/security/privacy/showArticle.jhtml?articleID=225701520

By Michael O'Keefe


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.