MacNewsWorld.com

FEATURE
Security Hot Issue for Open-Source Database Developers


Open-source database deployments rose dramatically in the last half of 2005, and as one might expect, as more IT pros get acquainted with these non-proprietary systems, security is a chief concern. Open-source database makers like MySQL and PostgreSQL simply must answer some of the most prevalent security-related questions in order to win more market share.

One of those questions is this: with recent headlines suggesting that customer data stored on organizational databases is at risk, should those who opt for open-source database applications be worried? Not according to data suggesting proprietary database software is breached more often. But data alone is not enough. What IT executives really want to know is what specific technological security precautions open-source DB developers need to take.

The Big Open Picture

"We continue to see the maturation of open-source databases reflected by the continually increasing levels of adoption," said John Andrews, President, Evans Data. "In a number of our ratings categories, we're seeing open-source databases meeting or exceeding proprietary databases."

Let's start with what we do know.

According to Evans Data's Fall Database Development Survey, open-source database deployments were up more than 20 percent in the last six months. MySQL use, for example, increased by more than 25 percent in six months and is approaching majority status in the database space. Currently, forty-four percent of developers use the open-source MySQL system.

Evans Data also found that proprietary database servers are almost twice as likely to have suffered a security breach in the last year compared to their open-source database counterparts. The most likely security breach for a proprietary database was a network intrusion. For open-source databases the most likely breach was a user authentication breach.

Same Old Debate

In essence, this is the same old fiery security debate made popular by Linux and Windows, or open-source versus commercial software. Both sides have their proponents. If you were to ask 100 people whether Linux or Windows is more secure, you would get a mixed bag of responses.

The database security question, then, is no easier to answer than the traditional debate. Open-source and commercial software makers use different models to approach security. Open-source developers have advantages that commercial developers do not and vice versa.

But the question gets even more interesting in the database space where the population of deployments is weighted heavily toward the enterprise. In the enterprise world the issue of security is critical. And just like the open-source versus commercial operating system debate, there are a few very different models for how to approach the topic.

Release Early and Often?

Ed Moyle, a manager with CTG's Information Security Practice, told LinuxInsider that probably the most divergent aspect of security within the database world is the approach to patches and patch management. "Release early, release often" is the mantra of the open-source community.

"What this means in practice is that new features tend to be introduced rapidly, bug fixes tend to be published immediately after a bug is located, and there is seldom a fixed schedule for incremental releases. Almost the complete opposite is true in the commercial space," Moyle said.

Moyle said both the impromptu release model (more patches) and the scheduled patch cycle (fewer patches) are perceived by their respective advocates to have a security benefit.

A scheduled patch cycle is based on the premise that administrators need a chance to plan patch deployment intelligently. A schedule is meant to ensure that patches get applied predictably and in a manner transparent to users.

The "release early and often" mentality is perceived to have a security benefit because there is frequently very little time between the discovery of a given vulnerability and the release of a patch by the maintainer.

Of course, Moyle said both approaches have drawbacks as well: patches for open-source software may appear more numerous because they are released individually. However, some of the commercial patch methodologies have suffered criticism in recent months. Oracle's (Nasdaq: ORCL) methodology in particular has come under heavy fire.

Exploring Certification Issues

The issue of certification also comes into play. A number of government entities and some enterprises require that critical enterprise components like databases go through a formal certification process.

Moyle said this type of security certification is harder to make a reality in the open-source world for two reasons: there are more updates to open-source products and the certification process can be very expensive.

"We need better metrics in order to make a direct comparison between open-source and commercial software. Enterprises are still not quite as aggressive at deploying open-source database software as they are commercial software," Moyle said.

"Additionally, many commercial software deployments have legacy constraints that we don't see in newer applications. Time will tell, but I'm not sure that we can say anything yet with certainty."

Is This Really an Open-Source Issue?

David Handelman, senior Web programmer at Align Communications, told LinuxInsider that the general availability of open-source code or an open-source development model are red herrings when it comes to predicting the security of a mature software platform -- whether that's MySQL, Oracle or Microsoft (Nasdaq: MSFT).

"Security tends to come down to fundamental architectural decisions, effort given to bug fixing and code audits, and, very often, a trade-off between developer or end-user functionality and security in designing a platform's APIs," Handelman said.

The irrelevance of open versus closed source is probably even more true when considering software like a relational database management system (RDBMS), he said, which presents a relatively well-defined interface to the outside world as compared to an operating system kernel, a Web browser, or even a Web server.

Open and Instant Fix

What is true is that open-source projects tend to be more exposed to the Internet, so problems are discovered more quickly, according to Peter Houppermans, principal consultant with PA Consulting Group's IT Infrastructure practice.

"[Open-source] deployment is spread over low- and high-value applications," Houppermans told LinuxInsider. "This is not to say that commercial software lags that much, but with open source there is also the ability of a near-instant fix for a vulnerability discovered."

Handelman, though, still has trouble imagining that many database compromises are the result of exploiting a security vulnerability in the database software itself. He said security breaches are far more likely to be the fault of poor application-level coding or poor security at the network level.

"If data in commercial databases are in fact compromised more often, it is more likely the result of the applications built around those databases, the environments where they are deployed, or, perhaps most likely of all, the value of that data to attackers," Handelman said.
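Handelman's point above, that the application around the database is the more likely weak spot than the RDBMS itself, is easiest to see in code. The following is an added example written for this page, not code from the article or from any of the vendors it names. It shows the classic application-level flaw, a query assembled by string concatenation, beside the parameterized form that closes it. The standard-library sqlite3 module stands in for MySQL (an assumption, chosen so the example runs offline); the customer table and the attacker input are constructed for the demonstration, and the same bound-parameter style applies to any DB-API MySQL driver.

```python
"""Application-level query flaw beside its fix (added example, not from the article).

sqlite3 stands in for MySQL here (assumption) so the example runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: a small customer table like the ones the
    # article describes as being at risk.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1234"),
            ("bob@example.com", "5678"),
            ("carol@example.com", "9012"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the caller's string is spliced into the SQL text. A quote
    # character in the input closes the literal and whatever follows is parsed
    # as SQL, regardless of how secure the database server itself is.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: the value travels as a bound parameter. The driver never lets
    # it become part of the statement text, so quotes in it are just data.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker input: a real-looking address followed by an always-true clause.
ATTACK = "nobody@example.com' OR '1'='1"


def demo() -> dict:
    # Returns the row counts each lookup yields for the same inputs.
    conn = build_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, ATTACK)),  # 3: the whole table leaks
        "safe_rows": len(lookup_safe(conn, ATTACK)),  # 0: no customer has that email
        "legit_rows": len(lookup_safe(conn, "bob@example.com")),  # 1: normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe query that actually reaches the engine for the attack input is `SELECT email, card_last4 FROM customers WHERE email = 'nobody@example.com' OR '1'='1'`, which matches every row. Nothing about the database vendor changes that outcome; the fix lives entirely in the application code.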

More by Jennifer LeClaire