The latest version of IBM's DB2 Universal Database received a security certification from the International Common Criteria for Information Technology Security Evaluation.
The Common Criteria is a standard required by the U.S. and Canadian governments before IT products can be considered for purchase by government offices, departments and federally funded organizations. Governments worldwide also recognize the security evaluation.
The certification for version 8.2 of DB2 validates that IBM has a procedure in place to identify, report and take action when flaws are discovered, said Gene Kligerman, product manager of IBM's DB2 UDB.
Big Blue released the certification details, following a succession of more than 20 flaws found in versions 7, 8 and 8.1 of DB2 running on AIX, HP-UX, Solaris, Linux and Windows platforms.
Every flaw is evaluated separately, according to Kligerman.
Once a flaw is discovered, IBM researchers work on it to develop a fix. If the flaw is minor, IBM will release the fix in the next available fix pack, Kligerman said. If the flaw is severe, as with the most recent holes, a patch is released out of cycle, he added.
"If the general public becomes impacted and has concerns about it, we will begin a crash effort to release fixes out of cycle," Kligerman said.
David Litchfield, a well-known vulnerability finder and cofounder of U.K.-based Next Generation Security Software, said IBM's response to his discoveries has been better than that of other DBMS vendors.
Litchfield was the researcher responsible for finding IBM's latest flaws during a routine scan of the database server software for several government agencies.
"IBM has responded well," Litchfield said. "They're more responsive than others and generally keep their customers informed."
Earlier this year, Litchfield released a general announcement about flaws he found in Oracle Corp.'s DBMS, after he said he had waited more than six months for Oracle to respond with patches. Oracle said it needed time to address the flaws; it then issued a complete set of fixes and revised its program to give customers a monthly patch release schedule.
Most commercial customers have become accustomed to a particular database vendor and a patch cycle to address security concerns, said Noel Yuhanna, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. Most companies need to look internally to boost security, he said.
"The most important security measure for customers is having firm security practices in-house rather than looking for features and certifications," Yuhanna said. "Most enterprises are still struggling with defining their own set of procedures and policies for security."
Though the number of commercial customers who require the security certification is small, several financial and banking firms have requested the certification, Kligerman said. The certification awarded to the latest version of DB2 includes an evaluation that is conducted under the management of the National Institute of Standards and Technology and the National Security Agency.
The certificate, together with its associated validation report, confirms that the security functions of DB2 have been evaluated and shows that they conform with industry standards.
DB2 is the latest IBM software product to be Common Criteria Certified. Products already certified include IBM Directory Server, Tivoli Access Manager, WebSphere MQ, and WebSphere Portal.