
Oracle: Firewalls Against SQL Injection Are a Good Idea After All


Years ago, Oracle's responses to reports of SQL injection attacks against its database servers were focused, quite literally, on media damage control: ensuring that not too many customers got scared by them. (To be fair, Microsoft had the same policy.) The basic concept of SQL injection is all too simple: feed intentionally malformed instructions into the system in such a way that the server responds with clues that could enable you to obtain unprivileged data, or sometimes with the data itself.

How hard could it be, security engineers and college professors argued for over a decade, for a company like Oracle to deploy a ZoneAlarm-like firewall that could independently analyze incoming SQL instructions, parse them, and only permit those that meet specific criteria? For years, well-meaning engineers were told in response that yet another firewall would render networks too slow and inoperative. Then in May 2010, Oracle learned it could simply acquire Secerno, an emerging database firewall company.

That acquisition became, naturally enough, Oracle Database Firewall. This morning, Oracle announced its latest revision to the tool, which now covers MySQL Enterprise Edition.
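The idea of analyzing incoming SQL and permitting only statements that meet specific criteria can be sketched as a default-deny allowlist of statement structures. This is an added illustration, not code from Oracle Database Firewall or Secerno; the names `fingerprint`, `StatementFirewall` and `TRAINING`, the regex-based normalization and the sample statements are assumptions made for the example.

```python
import re

# Literals that vary between legitimate calls: quoted strings ('' escapes) and numbers.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structure by replacing literals with '?'."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    # Normalize spacing, trailing semicolon and case so equivalent statements match.
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()


class StatementFirewall:
    """Default-deny filter: only statement structures seen during learning pass."""

    def __init__(self):
        self.allowed = set()

    def learn(self, sql: str) -> None:
        self.allowed.add(fingerprint(sql))

    def permits(self, sql: str) -> bool:
        return fingerprint(sql) in self.allowed


# Constructed sample of the statements a hypothetical application normally issues.
TRAINING = [
    "SELECT name, email FROM users WHERE id = 42",
    "SELECT * FROM orders WHERE customer = 'alice' AND status = 'open'",
]


def build_firewall() -> StatementFirewall:
    fw = StatementFirewall()
    for stmt in TRAINING:
        fw.learn(stmt)
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    for stmt in [
        "select * from orders where customer = 'bob' and status = 'closed';",
        # Constructed: user input has altered the WHERE clause structure.
        "SELECT * FROM orders WHERE customer = 'x' OR '1'='1' AND status = 'open'",
    ]:
        print("PERMIT" if fw.permits(stmt) else "BLOCK ", stmt)
```

A statement containing an unterminated quote or a SQL comment keeps those characters in its fingerprint, so it matches nothing learned and is blocked.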
