Database security software vendor Sentrigo Inc. released a new open source fuzzing tool, FuzzOr, designed to identify vulnerabilities found in Oracle database software applications.
To get security news and tips delivered to your inbox,
With FuzzOr, Sentrigo aimed to create a tool that would allow database administrators and programmers to test PL/SQL applications for security vulnerabilities, said Slavik Markovich, co-founder and chief technology officer of Sentrigo.
While other tools for vulnerability assessment typically fix a list of errors, the FuzzOr is dynamic because it does not have a preconfigured checklist, Markovich said.
"[FuzzOr] is different because I don't think there is any other tool that does fuzzing on the PL/SQL program," Markovich said. "FuzzOr tries to scan a particular code and analyze [the code] for vulnerabilities."
Should fuzzing be part of the secure software development process? Fuzzing, a common software-testing method, should not be your only vulnerability assessment technique.
Can fuzzing identify cross-site scripting (XSS) vulnerabilities effectively? Fuzzing may find weaknesses in software, but the testing process can't find every flaw. Ed Skoudis explains what other tools are necessary when looking for cross-site scripting vulnerabilities.
Oracle security expert Pete Finnigan, director for PeteFinnigan.com, an Oracle security site, said FuzzOr is a useful tool because it is one of the only practical tools that is free and analyzes PL/SQL for vulnerabilities.
"FuzzOr has the advantage because with FuzzOr you're not looking at soft code and analyzing it, instead you're trying to break it and make it do something different," Finnigan said.
FuzzOr is not something a database administrator (DBA) will understand instantly, but it is reasonably easy to use and has simple instructions, Finnigan said.
"You can run FuzzOr against a schema or against an individual piece of code, so it's very easy to run," he said. "[It] tells users which code and parameters are vulnerable so one can go look at the code and see what to fix."
The tool is also ideal for detecting vulnerabilities regarding SQL injection and buffer overload errors, as they are the most common vulnerabilities written in PL/SQL, Finnigan said.
The amount of time FuzzOr takes to detect errors is proportional to the number of procedures it is expected to run, but the tool is "fairly quick and not something you're going to have to run all night," Finnigan said.
It cannot run within production systems because the function of the tool is not read only, Finnigan said. Tools used in production systems should be read only to guard against unwanted changes, therefore making FuzzOr incompatible with them.
The tool also does not correct problems, it just tells users where the errors are located, Markovich said. It does not do vulnerability assessment, monitoring or encryption, Markovich said.
FuzzOr is a free, open source tool, meaning the license will be GPL and users are allowed to change or add to the code as long as they uphold the license, Markovich said.
Finnigan said the tool is something all DBAs should try and use internally.
"FuzzOr is free, extendable, and written in scripting language so you can read the soft coding -- nothing's hidden and you can see how it works," Finnigan said.