{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,3,31]],"date-time":"2022-03-31T12:46:48Z","timestamp":1648730808257},"reference-count":25,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2011,7]]},"abstract":"<jats:p>When deploying database-centric web applications, administrators should pay special attention to database security requirements. Acknowledging this, Database Management Systems (DBMS) implement several security mechanisms that help Database Administrators (DBAs) making their installations secure. However, different software products offer different sets of mechanisms, making the task of selecting the adequate package for a given installation quite hard. This paper proposes a methodology for detecting database security gaps. This methodology is based on a comprehensive list of security mechanisms (derived from widely accepted security best practices), which was used to perform a gap analysis of the security features of seven software packages composed by widely used products, including four DBMS engines and two Operating Systems (OS). The goal is to understand how much each software package helps developers and administrators to actually accomplish the security tasks that are expected from them. Results show that while there is a common set of security mechanisms that is implemented by most packages, there is another set of security tasks that have no support at all in any of the packages.<\/jats:p>","DOI":"10.4018\/jsse.2011070103","type":"journal-article","created":{"date-parts":[[2011,10,19]],"date-time":"2011-10-19T16:46:28Z","timestamp":1319042788000},"page":"42-62","source":"Crossref","is-referenced-by-count":0,"title":["Security Gaps in Databases"],"prefix":"10.4018","volume":"2","author":[{"given":"Afonso Ara\u00fajo","family":"Neto","sequence":"first","affiliation":[{"name":"University of Coimbra, Portugal"}]},{"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[{"name":"University of Coimbra, Portugal"}]}],"member":"2432","reference":[{"key":"jsse.2011070103-0","unstructured":"Ara\u00fajo Neto, A., & Vieira, M. (2008). Towards assessing the security of DBMS configurations. In Proceedings of the International Conference on Dependable Systems and Networks (pp. 90-95)."},{"key":"jsse.2011070103-1","unstructured":"Ara\u00fajo Neto, A., Vieira, M., & Madeira, H. (2009). An appraisal to assess the security of database configurations. In Proceedings of the 2nd International Conference on Dependability (pp. 73-80)."},{"key":"jsse.2011070103-2","unstructured":"Baumhardt, F. (2006). Common criteria - It security certification, or shiny sales sticker? (IN)Security architecture. Retrieved from http:\/\/blogs.technet.com\/fred\/archive\/2006\/03\/02\/421014.aspx"},{"issue":"7","key":"jsse.2011070103-3","article-title":"Database security: Research and practice.","volume":"20","author":"E.Bertino","year":"1995","journal-title":"Information Systems Journal"},{"key":"jsse.2011070103-4","unstructured":"Cachin, C., Camenisch, J., Dacier, M., Deswarte, Y., Dobson, J., Horne, D., et al. (2000). Reference model and use cases (Tech. Rep. No. IST-1999-11583). Retrieved from http:\/\/spiderman-2.laas.fr\/TSF\/cabernet\/maftia\/deliverables\/D1.pdf"},{"key":"jsse.2011070103-5","author":"S.Castano","year":"1994","journal-title":"Database security"},{"key":"jsse.2011070103-6","unstructured":"Center for Internet Security. (2008). CIS benchmarks\/scoring tools. Retrieved from http:\/\/www.cisecurity.org"},{"key":"jsse.2011070103-7","year":"1993","journal-title":"Information technology security evaluation manual (ITSEM)"},{"key":"jsse.2011070103-8","unstructured":"Common Criteria. (1999). Common criteria for information technology security evaluation: User guide. Retrieved from http:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R2.pdf"},{"key":"jsse.2011070103-9","year":"2007","journal-title":"Database - Security technical implementation guide, version 8, release 1"},{"key":"jsse.2011070103-10","year":"1985","journal-title":"Trusted computer system evaluation criteria"},{"key":"jsse.2011070103-11","author":"M.Howard","year":"2002","journal-title":"Writing secure code"},{"key":"jsse.2011070103-12","unstructured":"Jackson, W. (2007). Under attack: Common Criteria has loads of critics, but is it getting a bum rap? Retrieved from http:\/\/www.gcn.com\/print\/26_21\/44857-1.html"},{"key":"jsse.2011070103-13","doi-asserted-by":"publisher","DOI":"10.1002\/9780470370506"},{"key":"jsse.2011070103-14","unstructured":"Microsoft Corporation. (2011a). Microsoft SQL server 2005. Retrieved from http:\/\/www.microsoft.com\/sqlserver\/en\/us\/default.aspx"},{"key":"jsse.2011070103-15","unstructured":"Microsoft Corporation. (2011b). Microsoft Windows XP. Retrieved from http:\/\/windows.microsoft.com\/en-US\/windows\/products\/windows-xp"},{"key":"jsse.2011070103-16","unstructured":"Oracle Corporation. (2011a). MySQL community edition 5. Retrieved from http:\/\/www.oracle.com\/technetwork\/database\/express-edition\/overview\/index.html"},{"key":"jsse.2011070103-17","unstructured":"Oracle Corporation. (2011b). Oracle 10g express edition. Retrieved from http:\/\/www.oracle.com\/technetwork\/database\/express-edition\/overview\/index.html"},{"key":"jsse.2011070103-18","doi-asserted-by":"publisher","DOI":"10.1145\/130868.130884"},{"key":"jsse.2011070103-19","unstructured":"PostgreSQL Global Development Group. (2011). PostgreSQL 8. Retrieved from http:\/\/www.postgresql.org"},{"key":"jsse.2011070103-20","unstructured":"Red Hat. (2011). Enterprise Linux 5. Retrieved from http:\/\/www.redhat.com\/rhel\/"},{"key":"jsse.2011070103-21","unstructured":"Sandia National Laboratories. (2011). The information design assurance red team. Retrieved from http:\/\/www.idart.sandia.gov\/"},{"issue":"2","key":"jsse.2011070103-22","article-title":"Views for multilevel database security.","volume":"13","author":"R.Schell","year":"1987","journal-title":"IEEE Transactions on Software Engineering"},{"key":"jsse.2011070103-23","doi-asserted-by":"crossref","unstructured":"Vieira, M., & Madeira, H. (2002). Recovery and performance balance of a COTS DBMS in the presence of operator faults. In Proceedings of the International Conference on Dependable Systems and Networks (pp. 615-624).","DOI":"10.1109\/DSN.2002.1029007"},{"key":"jsse.2011070103-24","doi-asserted-by":"crossref","unstructured":"Vieira, M., & Madeira, H. (2005). Towards a security benchmark for database management systems. In Proceedings of the International Conference on Dependable Systems and Networks, Yokohama, Japan (pp. 592-601).","DOI":"10.1109\/DSN.2005.93"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=58507","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,2,8]],"date-time":"2019-02-08T06:40:18Z","timestamp":1549608018000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2011070103"}},"subtitle":["A Comparison of Alternative Software Products for Web Applications Support"],"short-title":[],"issued":{"date-parts":[[2011,7]]},"references-count":25,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2011070103","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2011,7]]}}}