Fuzzing tool helps Oracle DBAs defend against SQL injection

By Erin Kelly, Contributor 04 Feb 2009 | SearchSecurity.com

Oracle news and trends Digg This!     StumbleUpon     Del.icio.us

Database security software vendor Sentrigo Inc. released a new open source fuzzing tool, FuzzOr, designed to identify vulnerabilities found in Oracle database software applications.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

With FuzzOr, Sentrigo aimed to create a tool that would allow database administrators and programmers to test PL/SQL applications for security vulnerabilities, said Slavik Markovich, co-founder and chief technology officer of Sentrigo.

While other tools for vulnerability assessment typically fix a list of errors, the FuzzOr is dynamic because it does not have a preconfigured checklist, Markovich said.

"[FuzzOr] is different because I don't think there is any other tool that does fuzzing on the PL/SQL program," Markovich said. "FuzzOr tries to scan a particular code and analyze [the code] for vulnerabilities."

Fuzzing: New wave of SQL injection attacks alarm researchers: Researchers are uncovering a wave of SQL injection attacks, suggesting that attackers are finding it easy to compromise new targets. Should fuzzing be part of the secure software development process? Fuzzing, a common software-testing method, should not be your only vulnerability assessment technique. Can fuzzing identify cross-site scripting (XSS) vulnerabilities effectively? Fuzzing may find weaknesses in software, but the testing process can't find every flaw. Ed Skoudis explains what other tools are necessary when looking for cross-site scripting vulnerabilities.

Oracle security expert Pete Finnigan, director for PeteFinnigan.com, an Oracle security site, said FuzzOr is a useful tool because it is one of the only practical tools that is free and analyzes PL/SQL for vulnerabilities.

"FuzzOr has the advantage because with FuzzOr you're not looking at soft code and analyzing it, instead you're trying to break it and make it do something different," Finnigan said.

FuzzOr is not something a database administrator (DBA) will understand instantly, but it is reasonably easy to use and has simple instructions, Finnigan said.

"You can run FuzzOr against a schema or against an individual piece of code, so it's very easy to run," he said. "[It] tells users which code and parameters are vulnerable so one can go look at the code and see what to fix."

The tool is also ideal for detecting vulnerabilities regarding SQL injection and buffer overload errors, as they are the most common vulnerabilities written in PL/SQL, Finnigan said.

The amount of time FuzzOr takes to detect errors is proportional to the number of procedures it is expected to run, but the tool is "fairly quick and not something you're going to have to run all night," Finnigan said.

It cannot run within production systems because the function of the tool is not read only, Finnigan said. Tools used in production systems should be read only to guard against unwanted changes, therefore making FuzzOr incompatible with them.

SearchSecurity radio:

The tool also does not correct problems, it just tells users where the errors are located, Markovich said. It does not do vulnerability assessment, monitoring or encryption, Markovich said.

FuzzOr is a free, open source tool, meaning the license will be GPL and users are allowed to change or add to the code as long as they uphold the license, Markovich said.

Finnigan said the tool is something all DBAs should try and use internally.

"FuzzOr is free, extendable, and written in scripting language so you can read the soft coding -- nothing's hidden and you can see how it works," Finnigan said.

Tags: Database Security Management,  Software Development Methodology,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management IBM to acquire database security firm Guardium What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Database Security Management Research Software Development Methodology Software piracy group offers cash to whistleblowers Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary