With Oracle's purchase last week of open-source embedded software maker SleepyCat Software, at least one security analyst believes that Oracle -- which has come under fire for security vulnerabilities in its core database -- could be adding more potential problems.
SleepyCat's BerkeleyDB database has been deployed more than 200 million times, according to London-based research firm Ovum. Those deployments range from network routers and cell phones to business applications and popular Web sites.
"Embedded databases are completely overlooked, yet they represent a soft underbelly," said Ted Julian, vice president of marketing at New York-based Application Security. "You could have sensitive technical information such as configuration data stored on a router or customer information on a piece of software."
For instance, routers from Alcatel store data using BerkeleyDB, and Amazon.com uses BerkeleyDB "as a fast cache for several critical parts of its customer-facing e-commerce Web site," according to SleepyCat's Web site. The Chicago Mercatile Exchange uses BerkeleyDB for backup and recovery of its trading database. And Google uses BerkeleyDB to process Gmail and Google user accounts.
Such information can be easily compromised if application or Web developers forget to change default user IDs and passwords, which are never encountered by end users of a software or service but remain active and can give administrator privileges to attackers, Julian said.
Both Oracle and SleepyCat declined to comment. But Ben Chelf, chief technology officer at San Francisco-based security firm Coverity, said his firm's analysis of BerkeleyDB software shows it to be "one of the better packages we've analyzed."
Coverity uses software developed at Stanford University by Chelf and others to scan application source code for security problems such as buffer overflows. So far, 100 firms including SleepyCat have paid Coverity to audit their software's source code. In addition, SleepyCat was one of just seven of those companies to fix the 38 to 40 problems that were found and have those fixes certified by Coverity.
Chelf acknowledged that Coverity's scan can't uncover nontechnical problems such as the failure of programmers to change or remove default accounts. Nor can it guarantee that holes in EnterpriseDB won't be created when it is embedded into other software or Web sites.
Noel Yuhanna, a database analyst at Forrester Research, noted that "embedded databases do not have the granular level of security controls built in like the traditional databases," leaving them "more vulnerable to attacks."
But based on Forrester's research, 80 percent of embedded databases do not handle private data. Moreover, "embedded databases sometimes are tightly coupled with an application," Yuhanna said, making it "difficult for hackers to know the underlying technology being used. Overall, we have not come across any major incidents that involved embedded databases."
Julian said he hasn't seen any documented data loss resulting from embedded database flaws, partly because such vulnerabilities tend to result in smaller, harder-to-detect incidents. "But there's no question in my mind that it has happened," he said.