It's becoming a recurring theme here that any change you make to your infrastructure opens the potential for additional vulnerabilities in your environment. Even attempts to make your environment more secure by applying security patches, for instance, can have a detrimental impact on your security posture, as we have talked about before.
We cite two more examples here: RSA Authentication Manager and Oracle Audit Vault.
Make no mistake, RSA Authentication Manager with SecurID is a great product. Functionally, it works as advertised, providing two-factor authentication using hardware tokens. But after installing Authentication Manager 7.1 recently, we looked under the covers of its embedded Oracle 10.2.0.4 database and were less than thrilled.
First the good news:
- RSA is using a supported version of the database, which is often not the case with embedded databases.
- The default listener port is changed.
- Strong encryption is configured for the listener.
- Known Oracle accounts are locked and expired.
And the not so good:
- The encryption settings used are not the FIPS 140-1 compliant settings.
- The listener has no password protection.
- There is no invited nodes list in sqlnet.ora.
- Known Oracle accounts still have their default passwords (they are locked and expired, but the passwords were never changed, so a well-known password is all that stands between an unlocked account and a login).
- Demo accounts like SCOTT exist.
- All security-related initialization parameters are left at their defaults, which in 10g means they are not set securely (for example, audit_trail defaults to NONE).
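Several of the findings above can be checked directly from the Oracle Net configuration files. The script below is an example added for this post, not code from RSA or Oracle: it parses the top-level parameters of a sqlnet.ora and a listener.ora and reports the listener-password, invited-nodes and weak-algorithm problems, with a hardened pair of files beside the weak ones. The file contents, the listener name, the host, the port and the placeholder password hash are all constructed for illustration, and the set of algorithms treated as acceptable is an assumption to be replaced with whatever your FIPS mode or site standard requires.

```python
"""Audit sqlnet.ora / listener.ora for the weaknesses discussed in the post.

Added example; not part of the original post, RSA Authentication Manager or
Oracle. All file contents below are constructed samples.
"""
import re

# Assumption for this example: only AES and 3DES-168 are acceptable; RC4 and
# single DES are flagged. Adjust to the policy your FIPS mode demands.
STRONG_CIPHERS = {"AES128", "AES192", "AES256", "3DES168"}
STRONG_CHECKSUMS = {"SHA1"}

# Constructed sample: an unhardened sqlnet.ora (encryption on, but weak
# algorithms, MD5 checksums allowed and no invited-nodes list).
WEAK_SQLNET = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, DES)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
"""

# Constructed sample: a listener on a non-default port but with no password.
WEAK_LISTENER = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 2334))
    )
  )
"""

# Constructed sample: the same files after hardening.
HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (127.0.0.1, am-app-host)
"""

HARDENED_LISTENER = WEAK_LISTENER + """
PASSWORDS_LISTENER = (0123456789ABCDEF)   # placeholder; real hash comes from lsnrctl change_password
ADMIN_RESTRICTIONS_LISTENER = ON
"""


def parse_ora(text):
    """Return {KEY: [values]} for the top-level KEY = value lines of a *.ora file.

    Nested listener description lines (which start with '(') are skipped and
    parenthesised value lists are split on commas. Keys and values are
    upper-cased so comparisons are case-insensitive, as Oracle treats them.
    """
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z][A-Za-z0-9_.]*)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2).strip()
        if value.startswith("("):
            value = value.strip("()")
        params[key] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return params


def audit_sqlnet(params):
    """Findings for the native-encryption and node-validation settings."""
    findings = []
    if params.get("SQLNET.ENCRYPTION_SERVER", ["ACCEPTED"]) != ["REQUIRED"]:
        findings.append("SQLNET.ENCRYPTION_SERVER is not 'required'")
    ciphers = params.get("SQLNET.ENCRYPTION_TYPES_SERVER")
    if ciphers is None:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER unset: any installed algorithm may be negotiated")
    else:
        weak = sorted(set(ciphers) - STRONG_CIPHERS)
        if weak:
            findings.append("weak encryption types permitted: " + ", ".join(weak))
    if params.get("SQLNET.CRYPTO_CHECKSUM_SERVER", ["ACCEPTED"]) != ["REQUIRED"]:
        findings.append("SQLNET.CRYPTO_CHECKSUM_SERVER is not 'required'")
    # Unset means every installed checksum algorithm (MD5 included) is allowed.
    sums = params.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", ["MD5", "SHA1"])
    weak_sums = sorted(set(sums) - STRONG_CHECKSUMS)
    if weak_sums:
        findings.append("weak checksum types permitted: " + ", ".join(weak_sums))
    if (params.get("TCP.VALIDNODE_CHECKING", ["NO"]) != ["YES"]
            or not params.get("TCP.INVITED_NODES")):
        findings.append("no invited nodes list: TCP.VALIDNODE_CHECKING / TCP.INVITED_NODES not set")
    return findings


def audit_listener(params, name="LISTENER"):
    """Findings for listener password protection and admin restrictions."""
    findings = []
    if not params.get("PASSWORDS_" + name):
        findings.append(f"listener {name} has no password (PASSWORDS_{name} absent)")
    if params.get("ADMIN_RESTRICTIONS_" + name, ["OFF"]) != ["ON"]:
        findings.append(f"ADMIN_RESTRICTIONS_{name} is not ON: remote admin can alter the listener")
    return findings


if __name__ == "__main__":
    for label, sqlnet, listener in (("weak", WEAK_SQLNET, WEAK_LISTENER),
                                    ("hardened", HARDENED_SQLNET, HARDENED_LISTENER)):
        print(label, audit_sqlnet(parse_ora(sqlnet)) + audit_listener(parse_ora(listener)))
```

The weak pair yields the three sqlnet.ora findings and two listener.ora findings that correspond to the list above; the hardened pair yields none. The account-level items (default passwords, SCOTT, locked and expired status) cannot be read from these files and need a query against DBA_USERS in a database session, and the listener password itself must be set with lsnrctl rather than by editing the hash into the file.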
As for Oracle Audit Vault, here it's the architecture that's the problem. It has a one-click install that puts all components (web tier, application server and database) on a single server. It is a security best practice, and Oracle's own recommendation, to separate these tiers with firewalls, and yet here we have a security-related product violating Oracle's own security architecture.
We have come to expect that developers and software companies give little thought to security. Isn't it about time we expect more from vendors, especially those in the security arena?