Overview
When we compare database servers with Web servers, we find that Web servers are amazingly more secure than database servers. This isn't simply a question of more functionality; Web servers hang out there on the Internet and database servers are buried deep behind firewalls in the core of the network. Consumers generally demand that their Web servers be secure and are, bizarrely, more forgiving when it comes to their databases. After reading this chapter, we hope you will share the opinion that database administrators (DBAs) should care a little less about speed and a little more about protecting their vital assets: data. Our vendors will provide us with more secure database server software only when we demand it.
No one vendor is any better than another. That said, in the very recent past we have seen some extremely positive moves made by the larger players in the RDBMS arena with a more proactive stance being taken as far as security is concerned . More needs to be done, but we're finally moving in the right direction. So, stepping down from the soapbox, let's examine the ways in which attackers can currently gain control over database servers; knowledge of how this is done will allow DBAs to design and implement a more holistic defensive strategy.
Database servers store data in a structured manner, using tables to group common or related chunks of data in columns . This data is queried, updated, and deleted using Structured Query Language (SQL). In addition, database vendors add their own blend of extra features, such as extensions to standard SQL (Transact-SQL, or T-SQL, on Microsoft SQL Server and Procedural Language/SQL, or PL/SQL, on Oracle) functions, and extended stored procedures. The weak points of most database server software lie in these areas. There's an inverse relationship between functionality and security: As software gets more functional, it becomes easier to break.
Attacks against database server software can be leveled at the network layer or the application layer. In the network layer you typically deal with low-level issues, and in the application level you usually deal with SQL. In this chapter, we'll look at some problems in Microsoft's SQL Server, Oracle's RDBMS, and IBM's DB2.
