Why research vulnerabilities? System owners, system administrators and database administrators should be aware of current and new vulnerabilities because the most important aspect of a database is the protection of data. Data must not be accessible to or modified by unauthorized users. Because database systems are hosted within an information system, a compromise of the information system means the database itself is at risk. Once a malicious actor gains access to the server hosting the database, the database becomes extremely vulnerable to modification, loss of confidentiality or loss of availability.
Exploited vulnerabilities can occur in several areas:
- physical access to the server where the database resides
- physical access to the backup media
Note that physical access defeats the strongest technical controls meant to protect a system. Short of physical access, other vulnerable areas are:
- access to the application that calls the database connection
- access to the servers hosting the database
- exfiltration of source code repositories and proprietary system documentation
When building custom databases or deploying any new application, developers and system administrators should consider new and existing vulnerabilities. Here are some links to resources to help you keep up to date on the latest vulnerabilities to information systems or database systems.
- NIST National Vulnerability Database – among other features, you can search the database for known vulnerabilities.
- SecLists.Org Security Mailing List Archive – look for the Bugtraq list to see current or past information on vulnerabilities.
- Security Focus – another resource for searching vulnerabilities.
- The Open Web Application Security Project (OWASP) – helps individuals and organizations learn about computer security.
- hackerwatch – a source for reporting threats and sharing information on vulnerabilities.