Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Open Oracle security standard
(Message started by: Pete Finnigan on Sep 24th, 2005, 11:11pm)

Title: Open Oracle security standard
Post by Pete Finnigan on Sep 24th, 2005, 11:11pm
Hi everyone,

I have just been talking about Mary Ann's comment from Oracle open world that she is working with NIST to see if an acceptable Oracle security standard can be designed / defined.

1 - Is this a good idea? - I think so.
2 - Has it already been done? - Yes, the CIS benchmark attempted to do this.
3 - Should it be done again and defined by the community? - Yes, I believe so.

I throw it to the floor for comments. Is it a good idea, should it be defined by NIST? - what about the CIS? - I am willing to be involved wherever it is defined. I am also willing to host some effort here if anyone else is interested in joining in.

This site would be a good place to discuss and build an Open Standard for securing Oracle.

I have installed mediawiki here (the link is not open yet) as it would be a good tool to use to develop a standard such as this.

What does everyone think?

cheers

Pete

Title: Re: Open Oracle security standard
Post by Pete Finnigan on Sep 26th, 2005, 1:42pm
Pete,

I think it's a good idea to have an Oracle security standard defined. I would find it extremely useful if you have the option to choose a security standard when installing Oracle. Something like this:

Would you like to install Oracle with:
1) very secure definitions
2) secure definitions
3) normal secure definitions
4) limited secure definitions

1 being for (e.g.) banks and for everyone who thinks he needs the most secure definitions. 4 being for play databases.
Now you try to implement security after installing Oracle. An ad-hoc process prone to errors and lacking a 'formal' basis.
With a standard, you could refer to some document (the Oracle Security standard) to show customers, auditors, boss which threats you are addressing with your choice. It would make life so much easier for DBAs.
I don't know NIST so I can't comment on their capacity to define such a standard. I've played with the CIS benchmark but found it lacking in argumentation: why do they choose/recommend some actions? No argumentation. If you tell people to do a thing without explaining to them why, then in my opinion it can't work. Its advice is here and there security-by-obscurity, and the general opinion in security land is that s-b-o doesn't work. Nonetheless there are very good things in the CIS benchmark.
Involvement of the Oracle community is very important. Acceptance of a standard is greater if everyone has the opportunity to be involved in the making of it. Or at least be able to follow the process, discussions, arguments leading to the standard. If the standard is left to Oracle and NIST only, then I suppose that in short time we will have an American standard, a British standard, a French one, etc.

I've no experience with designing standards but would like to collaborate as much as possible.

regards,

Ivan

Title: Re: Open Oracle security standard
Post by Pete Finnigan on Sep 26th, 2005, 6:30pm
Hi Ivan,

Thanks for your great comments. I had a long discussion also last night with Alex about this. I hope he has time to enumerate some of his ideas here as well.

I believe that an open (open source/creative commons) Oracle security standard is needed by everyone and that for it to be useful and valuable to the community then the community needs to help develop it.

The CIS benchmark was mostly created by a small committee so does not have the benefit of community review. Also I am not certain, but I think you need to be a member to use it on other people's databases.

I think there are a number of levels to an Oracle security standard as you have described. Some users need eminently more secure databases than others. Also there are a couple of classes of issues: bugs (and patch fixes) and configuration issues (e.g. installation of features and configuration, access controls and privileges etc.).

What would be useful is a standard based on securing known configuration issues and access control and privilege issues. What I think would not be useful is the constant chasing of new bugs and vulnerabilities (not in the case of a standard) as these inevitably get fixed by a patch.

The danger for the rest of us with a NIST/Oracle created standard is that it is closed (in creation) and is designed to suit the wishes of Oracle and NIST, not the wishes of the community, or maybe NIST would ensure that would be the case.

I think an open standard is a great idea though!

cheers

Pete
