Databases hold much of the most sensitive and valuable data -information about customers, transactions, financial performance and human resources. Despite this, databases remain one of the least-protected areas in a company. While perimeter and network security measures create a barrier against some type of attacks, they are inadequate against attack vectors that take advantage of database-specific vulnerabilities. Also, they offer little or no protection from insider abuse, especially when dealing with privileged users who are not only inside the perimeter but are also capable of circumventing application-level security.
SQL injection, buffer overflow attacks and other 'zero-day' hacks can cut right through web firewalls, application firewalls and intrusion detection systems (IDS), and create opportunities for data theft, unauthorised modification or destruction of data, or breaches of privacy and personally identifiable information.
Database management systems are complex, supporting an ever-growing set of requirements and platforms, with the addition of new features. Subsequently, they develop gaps in security -vulnerabilities -that are constantly being discovered by users, ethical hackers and non-ethical hackers too. Such vulnerabilities are reported to DBMS vendors who do their best to patch them, but this is a process that currently takes several months on average, years in some cases. This time lag is an open invitation to exploit the vulnerability and breach the database.