No. If I can’t hack you, you are not secure.

Ever come up against this issue? You see that something in the IT infrastructure is set up in a less than sanitary way: for example, the application has dynamic SQL, or the security of the database relies on the application. One link in the chain seems incredibly weak, but an actual vulnerability has yet to be proven.

So you want to report this issue, because you suspect there might be security vulnerabilities, only to get the response that it sounds very theoretical. Which makes you wonder whether they said the same at all those companies that got hacked recently. You know: Target, Home Depot and Sony.

This more or less puts the burden of proof on you, because if you don’t show the problem, there is no problem. So you want to show how a hack could work on this system. But hacking is hard and takes skill and time. Suppose you don’t have those skills or time?

Hmm. Well, you could try to describe how a hack could work. You say “suppose this field can be used in a SQL injection leak, then I could exploit that feature, and I might read customer data”. But that makes this hypothesis a target: “That field is used in an insert statement, so that hack could never work”.

That’s the annoying thing about this work: the issue at hand is not that you are unable to come up with a hack. The issue is that there are security-related sanitary issues.

I think I will call this the invulnerability fallacy. The invulnerability fallacy says that if one person (you) can’t hack a system, there is automatically no security issue.

Never forget to bring the focus back to the real issue.


About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I have had an interest in Oracle database performance tuning. This led, eventually, to a four-day training I made and gave for customers of Transfer Solutions. Since 2012 I have worked for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm an Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.
This entry was posted in Oracle security.
