Part 3. With the rise of cyber security threats, application security is certainly getting more attention. CIOs, CISOs and other executives responsible for implementing data protection strategies in their company need to make sure they are protecting their corporate data, complying with the appropriate data privacy regulations such as GDPR, HIPAA, PCI and others, and preventing the breaches, fines and reputational damage that could seriously impact their business.

Some industry sectors, such as financial services, are increasingly being mandated to apply security patches to operating systems and desktop software to minimize any vulnerabilities.

In Part 1 of this three-part blog series, I introduced the need for tighter application security and why it’s incumbent on software vendors like Quest® to ensure their applications are as secure as they can be.

In Part 2 of this three-part blog series, I outlined some further security controls that Quest performs on Toad to ensure it’s as secure as it can be.

In this final part, I’ll walk you through the final group of security controls that Toad undergoes to ensure it adheres to current software security standards for continually testing and delivering new versions that you can safely install and run.

You’ll also see a compelling argument for staying up to date with the frequent releases of Toad products so you can avoid vulnerabilities and security threats in the future.


Update your Toad for free, with a current license

If you want an update/install from Quest for any Quest product, you need three things:

  • A license for the product (in this case Toad for Oracle)
  • To be current on your maintenance contract (automatically included for 1 year at time of purchase)
  • A login at Quest Support

Your login will be tied to your Toad license. If the license is current, it will let you log in to ask questions and get downloads. If you’re denied these because of maintenance issues, you’ll be contacted very soon by a Quest rep who can make sure your account information is correct or offer to update your maintenance agreement.


Security controls for preventing supply chain attacks

Most IT administrators are occupied with plugging security gaps among different applications installed on different platforms. That’s why Quest believes in making security practical by releasing products that are secure in the first place.

The table below shows the security controls which every release of Toad undergoes.

[Image: table of the security controls every Toad release undergoes, with controls #7 to #9 highlighted]

In this blog, we’re going to look at the final 3 controls (outlined in red above) and how Quest Software implements each of these controls for Toad products.


Security controls #7, #8: Code signing and software integrity

An application bearing Quest’s code signing certificate is a customer’s assurance that Quest created the application and that the software can be trusted. The code signing process serves the goal of ensuring authenticity by verifying the author of the software. It also ensures the integrity of the software by demonstrating that the code has not been altered since it was signed.

Code signing also plays a role in releasing updates and patches. When Quest signs an update to a Toad product with the same key used in the original application, it means that the update can be trusted; it couldn’t have come from any source other than Quest. Finally, the checksums generated in code signing assure users that they have received the correct file, rather than a file that has been signed with a stolen key.

All major operating systems and web browsers support code signing to prevent the distribution of malicious code.

Quest signs all releases of Toad products using a trusted Quest key. During the build process, Quest signs every .exe and .dll file included in the installer, along with any binaries packaged with the application and the installer files themselves. Applications available for download include a SHA-256 checksum hash so that customers can verify the integrity of the file upon receipt.
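The two checks described above, a customer-side verification of the Authenticode signature (authenticity) and of the published SHA-256 checksum (integrity), as an added example rather than a script from Quest. The installer path, the published checksum and the expected signer name are placeholders that must be replaced with the values from the vendor's download page and publisher certificate.

```powershell
# Added example (not Quest's code): verify a downloaded installer before installing it.
# All three parameters are placeholders; take the real values from the vendor.
param(
    [string]$InstallerPath   = 'C:\Downloads\ToadInstaller.exe',                  # placeholder path
    [string]$PublishedSha256 = '<SHA-256 value from the vendor download page>',   # placeholder
    [string]$ExpectedSigner  = 'CN=<publisher name from the signing certificate>' # placeholder
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: recompute SHA-256 locally and compare it with the published value.
$actualHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
$hashOk = $actualHash -ieq ($PublishedSha256 -replace '\s', '')
Write-Host ("SHA-256 match  : {0}  (computed {1})" -f $hashOk, $actualHash)

# 2. Authenticity: the Authenticode signature must be Valid, meaning the certificate
#    chain is trusted and the signed hash still matches the file contents.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
$sigOk = ($sig.Status -eq 'Valid')
Write-Host ("Signature      : {0} ({1})" -f $sig.Status, $sig.StatusMessage)

# 3. The signature must come from the expected publisher, not merely from any
#    certificate the machine happens to trust.
$signerOk = $false
if ($sig.SignerCertificate) {
    $signerOk = $sig.SignerCertificate.Subject -like "$ExpectedSigner*"
    Write-Host ("Signer         : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("Thumbprint     : {0}" -f $sig.SignerCertificate.Thumbprint)
}

# A timestamp countersignature keeps the signature verifiable after the signing
# certificate itself expires; flag its absence so it can be followed up.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'No timestamp countersignature found on this file.'
}

if ($hashOk -and $sigOk -and $signerOk) {
    Write-Host 'OK: installer is intact and signed by the expected publisher.'
    exit 0
}
Write-Error 'Verification FAILED: do not install this file.'
```

Get-AuthenticodeSignature reports HashMismatch when the file was changed after signing and NotSigned when no signature is present, so either outcome, like a checksum mismatch, should stop the install.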


Security control #9: Protecting sensitive data through FIPS compliance

The presence of sensitive data in your applications and databases imposes a burden of protection. Sensitive data extends to almost any kind of data you would want to prevent from falling into the wrong hands, including things like credit card information, Social Security numbers, personal health information and financial information.

Toad products protect sensitive data through cryptographic algorithms that conform to the Federal Information Processing Standards (FIPS) of the United States government. Furthermore, they apply that protection to sensitive data both in transit and at rest.

The FIPS standards specify the best practices and requirements for cryptography-based security systems, including specific methods for encryption and for generating encryption keys. FIPS compliance is mandatory for all computers used for U.S. government work and extends to testing outside applications (like Toad) that will run on U.S. government computers.

All Quest products use FIPS-approved algorithms for encryption and hashing. The current status of FIPS compliance (currently FIPS 140-2) is validated prior to each release.


As a result of FIPS 140-2 compliance testing, Quest identified and addressed a vulnerability in Toad for Oracle v13.2. Quest has since implemented strong encryption, patched this vulnerability and released a non-vulnerable version of the software.


Conclusion

All of the security controls described above, and in the previous two blogs, are designed and applied to mitigate supply chain security risk in Toad.

Toad products are valued and trusted, and they have unlocked millions of hours of productivity gains for database professionals.

Keep your Toad installation upgraded to maintain a continual flow of new features and adherence to the latest software security standards. You also receive full technical support and keep your organization’s security profile tight.


Next Steps

For more detailed information on how Toad addresses desktop security through SSDLC, read this Technical Brief.

Watch the free webinar, "Why do you need to update your Toad for Oracle today?"


Try Toad for Oracle now

Try Toad for Oracle free for 30 days.

Already in a trial? Talk to sales or buy now online.

Already a loyal fan of Toad for Oracle? Renew now.


About the Author

John Pocknell

John Pocknell is a senior market strategist at Quest Software and part of the Information Management business unit. Based at the European headquarters in the U.K., John is responsible for synthesising analyst data and customer interviews in order to create and evangelise solutions-based stories and messaging which relate to major IT initiatives for our extensive portfolio of database products, worldwide. He has been with Quest Software since 2000, working in the database design, development and deployment product areas and spent over 10 years as product manager for the Toad product line. John has been successfully evangelising Toad and other database solutions at various conferences and user groups around the world for the last 19 years as well as writing blogs and technical papers both internally and for the media. John has worked in IT for more than 30 years, most of that time in Oracle application design and development. He is a qualified aeronautical engineer with more than 10 years of experience in provisioning IT consultancy services and implementing quality assurance systems to ISO 9001.
