{"id":806,"date":"2006-11-16T00:00:00","date_gmt":"2006-11-16T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/11\/16\/study-ms-sql-server-is-safest-db\/"},"modified":"2021-12-30T11:38:12","modified_gmt":"2021-12-30T11:38:12","slug":"study-ms-sql-server-is-safest-db","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2006\/11\/16\/study-ms-sql-server-is-safest-db\/","title":{"rendered":"Study: MS SQL Server Is Safest DB"},"content":{"rendered":"<p>That big spike in Web application vulnerabilities is bad news for your database.  And apparently, some databases are more of a target than others.  Eric Ogren, security analyst for Enterprise Strategy Group, has compiled Common Vulnerabilities and Exposures (CVE) data from Oracle, Microsoft&#8217;s SQL Server, and the open source MySQL database, and found some major differences.  &#8220;Microsoft finds the problems before it gets to the point of using a scanning tool,&#8221; he says, whereas Oracle, by his account, relies on scanning for problems after development is complete.   Over 70 percent of the vulnerabilities Symantec saw this year were Web application bugs, which are often the entry point to the database, says Oliver Friedrichs, director of Symantec Security Response.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>But Ted Julian, vice president of marketing for AppSec, which sells vulnerability scanning tools for databases, says the lopsided vulnerability count may be more a function of where the more valuable corporate data typically lies &#8212; in the Oracle database.  &#8220;I see plenty of companies that have confidential data in SQL Server, Oracle, DB2 and Sybase.  It is certainly not as if it all sits on Oracle,&#8221; he says.<\/p>\n<p>But either way you slice it, hacking a database is like striking gold, whether it&#8217;s via a Web app or database bug &#8212; or both.  
&#8220;If you can break into a Web application, you can get access to the database using the same application,&#8221; Friedrichs says.<\/p>\n<p>And you can&#8217;t count on that firewalled DMZ to protect your database anymore: Databases are most at risk from an insider threat, ESG&#8217;s Ogren says, and these attacks don&#8217;t typically use vulnerabilities at all.<\/p>\n<p>http:\/\/www.darkreading.com\/document.asp?doc_id=110881&#038;WT.svl=news2_3<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-806","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=806"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions"}],"predecessor-version":[{"id":3293,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions\/3293"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=806"},{"taxonomy":"post_tag","embeddable":true,"hr
ef":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}