Open source database firms look to plug security gap

Open source database vendors acknowledge insufficient third-party security tools is a concern but point out that more support from security companies and the open source community are imminent.

According to a "="" class="c-regularLink" rel="noopener nofollow">Dark Reading report last month, lack of security industry support is one of the biggest issues organizations need to consider as they look to deploy open source databases.

Adrian Lane, CTO of security research firm Securosis, observed in the article that MySQL is the only open source database that is supported by database-activity monitoring products.

In the case of Postgres, monitoring, assessment and auditing policies have yet to be established security product vendors. Lane said: "And the open source community does not feel compelled to create them either."

Jeffrey Wheatman, Gartner's research director for security and privacy, told ZDNet Asia in an e-mail that open source, as with commercial tools, can be deployed and managed in a secure manner by a competent administrator. "[However,] commercial products most definitely have better security tools built in and are easier to be deployed more securely," he said.

"The lack of commercial support has made securing the open source tools more challenging to do so in a consistent manner," Wheatman added.

He said the lack of tools is a matter of commercial interests. "The general consensus is that if companies won't pay for databases, why would [they] pay for security tools?"

And while there are some third-party options offered by the open source community, the complexity of developing cross-platform tools is "very high and therefore very expensive" to build, he explained.

In addition, the Gartner analyst noted that open source software developers tend to possess higher skill levels on a smaller number of platforms. "So it's difficult to build comprehensive enterprise class tools to support these heterogeneous platforms typical in enterprise environments," he said.

Support lacking but more to come
Bill Maimone, CTO of open source database vendor Ingres, said the company build its own security features and a "clearly written security guide that discusses both database security and related operating system and network security".

However, he acknowledged that third-party security support is still "lacking" and more tools need to be developed for this segment of the market. An example of a "sensible improvement" is one that is able to scan and ensure file permissions are configured as recommended, or that the designated authenticated mechanism is set securely, Maimone said in an e-mail interview.

But, he noted that there has been some progress in this area. "There has been demand for additional security capabilities, such as pluggable authentication module added by a community contribution last year, and column encryption is now posted in the community edition of Ingres 10."

Josh Berkus, PostgreSQL's core team member, also pointed out that "more higher-level tools for auditing and policy management are certainly needed".

He said in an e-mail interview that, recently, there has been increased focus on security tools within the Postgre community, which culminated in the addition of several features in its upcoming 9.0 release. These included support for RADIUS (Remote Authentication Dial-In User Service) server authentication, improved LDAP (lightweight directory access protocol) support, new permissions for binary large objects and the "passwordcheck" utility to check strength of database passwords.

Berkus noted, however, that the security vendor community has proven difficult to reach. For example, Postgres has been soliciting security professionals to help with the specification for SEPostgres (security-enhanced Postgres). "[But] one of the largest obstacles to completing our work on that feature has been our inability to get detailed and considered feedback from that community", he said.

Regardless, he added that with open source databases starting to dominate database adoption, existing security vendors are likely to extend more of their tools to cover popular open source databases such as PostgreSQL, MySQL and SQLite.

Berkus said: "This may take a couple of years yet, especially since the vendor experience of working with an open source community is fundamentally different from working with another proprietary software vendor." He noted that competitive security startups such as Rapid7 and nCircle already have support for auditing and testing PostgreSQL.