Slashdot Mirror


First Open Source-Based Database Completes U.S. Security Review

RaDag writes: The U.S. government has published a DoD-validated implementation guide, known as a STIG, for EDB Postgres Advanced Server from EnterpriseDB (EDB). This is a first. No other open source database, or open source-based database, has been through the US government's security review process and gotten a STIG published. Having this guide will help agencies seeking an open source-based alternative to costly traditional vendors like Oracle [and] will speed and ease deployment of EDB Postgres, which has database compatibility for Oracle.
They're now working with the U.S. Army, Navy, Marine Corps, and Air Force, according to a company statement. It also says that the Department of Defense and other U.S. government agencies "seek open source alternatives to traditional proprietary software," and see their database solution as "an opportunity to quickly reduce costs and shift away from expensive proprietary vendors, particularly as public policy initiatives around the world mandate adoption of more open source."

49 comments

  1. Certificate to Field by Anonymous Coward · · Score: 5, Informative

    Not really a big deal.
    Having a STIG benchmark is nice and all but "Certificate to Field" has been available for Postgres and MySQL for years. Many instances already fielded in critical gov't systems.

    1. Re:Certificate to Field by Bert64 · · Score: 4, Insightful

      Not having STIG is just one extra excuse used by proprietary vendors to try and exclude open source from contracts...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Certificate to Field by Nivag064 · · Score: 3, Insightful

      MySQL is controlled by Oracle, what about MariaDB?

      Either way, if your data is important then you should choose PostgreSQL over either!

    3. Re:Certificate to Field by Anonymous Coward · · Score: 1

      Why?

    4. Re:Certificate to Field by Anonymous Coward · · Score: 0

      Exactly. Also I've worked with organizations that don't give a shit about CTFs and insist on having a STIG implementation or not ATO.

    5. Re:Certificate to Field by Anonymous Coward · · Score: 0

      Supporters of open source solutions need to be honest about the amount of process disruptions, time, and money it takes to switch from an existing enterprise proprietary application. The main argument used by open source supporters is that using open source will save money. That may eventually be true but there are significant costs when moving from a proprietary enterprise to an open source replacement. Moving to a different database would require importing all the existing data into the new system. This would also include all the existing stored procedures or other database functionality, which will need to be tested. This then leads to determining what changes will be needed on all the existing front end applications currently using that data. Then you have to train the existing IT staff on the new system and most likely pay for 3rd party contractors who are proficient in the new system. For the government the move would also lead to both the current system and the new system running in parallel while everything gets tested and moved into the new system. They will have added costs on top of what they already pay because they will still be using the proprietary licensing and support contracts from the proprietary vendor. Then you have to realize that there is no centralized development for the majority of the open source solutions. You either add to your staff to keep the open source solution updated or pay for 3rd party support. If you work in an organization and would like to switch to open source solutions you will need to convince the powers that be that the change is actually necessary and what it would cost. You need to provide both the pros and cons of switching to open source if you expect to win your arguments. If you are not totally honest upfront then when problems occur and the cost increases the change over could be abandoned, and open source solutions are judged on the failures and not the successes.

      And claiming Oracle or MS is evil will not help you win your arguments.

    6. Re:Certificate to Field by twistedcubic · · Score: 2

      I agree, my company regularly ignores HXU's and simply gets minimal WUD's for running our PFG's.

    7. Re:Certificate to Field by twistedcubic · · Score: 1

      Realizing that switching from a proprietary solution is not just hard, but it is in fact by design (and you're wasting money) provides an incentive to switch.

    8. Re:Certificate to Field by Anonymous Coward · · Score: 1

      Because of Oracle's track record. See here: http://arstechnica.com/information-technology/2016/07/how-oracles-business-as-usual-is-threatening-to-kill-java

      If you're just looking to skim, then skip to the timeline labeled "A brief history of Oracle and open source". However, I recommend reading the entire thing.

      Captcha: reviled (no joke)

    9. Re:Certificate to Field by Anonymous Coward · · Score: 0

      I am aware of Oracle's way of doing business. The reason I asked "why?" was because it is silly to present something as The One True Solution. MySQL, MariaDB and Microsoft SQL Server are hardly broken, useless, data-trashing software, and neither is Oracle RDBMS.

      This kind of cheap propaganda hardly presents Postgres in a positive light.

    10. Re:Certificate to Field by Nivag064 · · Score: 2

      Why?

      Since about 2004, I've searched at least 4 times for PostgreSQL vs MySQL. Each time PostgreSQL came out ahead in most areas, including referential integrity, fewer gotchas in the use of NOT NULL and other SQL features.

      I've worked with both, and find PostgreSQL easier to setup, manage, and to query.

      Have a look at:
      https://wiki.postgresql.org/wi...
      http://insights.dice.com/2015/...
      MySQL vs PostgreSQL - Why you shouldn't use MySQL: https://www.youtube.com/watch?...

      Best to think about what is important in YOUR project given YOUR situation, and do YOUR own search. Note that the pros & cons forever change!

      What is applicable in one situation, may not apply to another. However, I would expect PostgreSQL to be the better choice in most situations.

    11. Re: Certificate to Field by Anonymous Coward · · Score: 0

      EDB Postgres has Oracle compatibility. Stored procedures, functions, triggers etc are the same. Moving is easy. Cost for licensing and support is 80-90% less than even Oracle maintenance fees (regardless of sunk license costs). There are thousands of developers around the world. In other words, there's no excuse not to move.

    12. Re: Certificate to Field by Anonymous Coward · · Score: 0

      More specifically, MySQL or MariaDB were not built to be highly transactional data stores. They don't have the same performance, security, or robustness of enterprise features that Postgres has. Even SQL Server pales. Remember, Postgres was derived from the same System R white paper used to create Oracle back in the day.

    13. Re:Certificate to Field by Anonymous Coward · · Score: 0

      A STIG review is much easier to complete than the generic database SRG, which will be the requirement for any system without a specific STIG.

      People have passed on other RDBMS options in favor of Oracle or MS SQL simply to avoid the SRG.

      STIGs are a lot of work, in most cases, but SRGs are easily twice the effort.

  2. First OS Database? by pr0t0 · · Score: 1

    I don't believe EDB Postgres is the first open source-based database. Better possible headlines might be:

    1. First! An open source-based database completes U.S. security review
    2. An open source-based database completes U.S. security review for the first time ever
    3. First! U.S. security review completed for an open source-based database
    4. U.S. security review completed for an open source-based database; a first!

    I think #3 would have been a much better choice than the current one.

    --
    I'm sorry, but your opinion seems to be wrong.

    1. Re:First OS Database? by merky1 · · Score: 1

      Do grammar standards apply to headlines? Haven't they always been a little obtuse on purpose? I'd much prefer the grammar nazi's edit the somewhat unintelligible summaries than the headlines.

      --
      --WooooHoooo--

    2. Re:First OS Database? by TechyImmigrant · · Score: 1

      Do grammar standards apply to headlines?

      Yes

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    3. Re:First OS Database? by Anonymous Coward · · Score: 0

      You must be new here...

    4. Re:First OS Database? by Desler · · Score: 1

      That isn't what the headline is saying and you know it. Stop being intentionally obtuse. There are plenty of better criticisms of the "editors" than this one.

    5. Re:First OS Database? by TechyImmigrant · · Score: 1

      Age is judged by one's Slashdot ID.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    6. Re:First OS Database? by Dutch+Gun · · Score: 1

      grammar nazi's

      You threw that in there on purpose just to draw them out, didn't you... Clever.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    7. Re:First OS Database? by Anonymous Coward · · Score: 0

      anonymous coward has been here since before there where ID's

      AC for the win!

    8. Re:First OS Database? by TechyImmigrant · · Score: 1

      anonymous coward has been here since before there where ID's

      AC for the win!

      "there where" rhymes with "hair bear".

      Automatic disqualification.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  3. Just so you know, the Coast Guard by Anonymous Coward · · Score: 0

    did not make the cut. They use XP and Server 2003 still due to budget constraints and the testing cannot be done on those.

  4. Not Open Source by Anonymous Coward · · Score: 5, Informative

    While Postgres is open source, and EDB Postgres Advanced Server is based on Postgres, it has several closed source additions. What this means is that the open source database still does not have a STIG. So no, this is not a big win for open source databases, but it is a win for EDB.

    1. Re:Not Open Source by Lennie · · Score: 2

      Well, indirectly it is going to be a win for PostgreSQL of course: EnterpriseDB spends money/developer time on PostgreSQL. The more contracts EnterpriseDB has, the more money they can spend on PostgreSQL developers.

      --
      New things are always on the horizon

  5. Re:In plain English by sumdumass · · Score: 2

    What makes you think that? Nothing with this setup and administration guide to comply with security standards hints to it. And if it did, it would easily be discovered but I'm not sure it matters seeing how this is primarily intended to be used by government contractors working for the government. The NSA technically already has access to it.

  6. MongoDB DoD STIG by Anonymous Coward · · Score: 0

    "The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required."

    I guess the new Slashdot editors are as lazy and PR-pushing as Dice was.

    1. Re: MongoDB DoD STIG by Anonymous Coward · · Score: 0

      But MongoDB doesn't qualify as a "database".

    2. Re: MongoDB DoD STIG by laird · · Score: 2

      MongoDB is clearly a database. It's not an SQL database, but that's kinda the point, in that not being SQL-based makes it much more efficient for developers, and more performant and flexible in accommodating semi-structured data.

    3. Re: MongoDB DoD STIG by Anonymous Coward · · Score: 0

      No, it's clearly a bit bucket.

    4. Re: MongoDB DoD STIG by Anonymous Coward · · Score: 0

      A bit bucket full of holes.

  7. you are confused by Anonymous Coward · · Score: 0

    by "here" he meant America

    go back to where you belong sand nigger !

    1. Re:you are confused by TechyImmigrant · · Score: 1

      by "here" he meant America

      go back to where you belong sand nigger !

      Oh look! A trump supporter.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    2. Re: you are confused by Anonymous Coward · · Score: 0

      You are apparently ignorant of Hillary's activities.

    3. Re: you are confused by TechyImmigrant · · Score: 1

      You are apparently ignorant of Hillary's activities.

      As are you, unless you hang with her in her office.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  8. This is NOT an open-source database. by emil · · Score: 3, Informative

    EnterpriseDB bundles a PL/SQL implementation that is advertised as compatible with Oracle's procedural SQL language (similar to Ada). This component is NOT open-source.

    http://www.enterprisedb.com/compatibility-explained

    IBM bundles the same PL/SQL emulation code in DB2.

  9. It isn't open source. by Anonymous Coward · · Score: 0

    You can't get the source code to the modifications made to the actual Postgres used.

  10. This is not exactly true. by Anonymous Coward · · Score: 0

    salesforce.com uses Apex with a Linux back-end. They have very much to do with military / U.S. security.

  11. Nice title, bro by Anonymous Coward · · Score: 0

    The title "Frst Open Source-Based Database Completes U.S. Security Review 31" is very unclear.

    1. Re:Nice title, bro by Anonymous Coward · · Score: 0

      And the poster's name is EditorDave!

  12. Some Say ... by Anonymous Coward · · Score: 0

    Some say "Having a STIG benchmark is nice and all but ... " and "Not having STIG is just one extra excuse used by proprietary vendors to try and exclude open source from contracts..."

    All we know is it's called the STIG!

  13. Hmmmm by dcw3 · · Score: 1

    Okay, but how's the handling and 0-60 time?
    https://en.wikipedia.org/wiki/...

    --
    Just another day in Paradise

  14. Still Surprising by ausekilis · · Score: 1

    Considering how in bed the Gov't is with proprietary vendors, it's surprising how there is now this about-face regarding OSS. If you could see each service's "Approved Software List", you won't see much by way of OSS. You'll see iTunes, which is funny considering there are laws against personally owned mp3's on gov't computers and remote update sites are disabled, but you won't see MySQL, MariaDB or PostGRES. If you do, then they are typically relegated to "enclaves", and not the big DoD enterprise network.

    Considering there are hundreds of thousands of DoD employees with 1 or more computers each, I'm hoping this is the sign of change toward OSS alternatives. $90 for an OS and $75 for an office suite multiplied by a hundred thousand a year (guesstimating hardware/software turnaround) adds up fast.

  15. MariaDB? by Anonymous Coward · · Score: 0

    Any chance of getting MariaDB certified?