Selling virtual patching
Markovich said that he completed a straw poll of database administrators at a recent Oracle customer meeting and found that many enterprises were taking months and even years to get security patches in place, which he cited as a serious trend that has not yet received much publicity.
"During the downtime when the patch is out there but not deployed is one of the most dangerous situations you can think of, the hackers have all the information they need to break in and companies store most of their sensitive information in these databases," he said. "We don't see ourselves as an alternative to patching, you have to deploy those whenever possible, but we can provide reliable protection in the meantime."
Hedgehog was officially released in June 2007 and is already being tested at several hundred firms, according to Sentrigo officials. The company is planning to release an extension to the product to help further protect database applications sometime in Sept. 2007.
At least one industry analyst said that they've been impressed by the additional layer of protection that virtual patching can offer on the database, particularly when tied together with other applications that broaden the technology's footprint.
Eric Ogren, a longtime security analyst and founder of the Ogren Group, said that Blue Lane may struggle to find a market for its standalone virtual patching technology, which is marketed as an appliance, but he believes that the integrated approach being offered by Sentrigo could lure some interest from enterprise customers.
"This is like a database intrusion protection system, someone like Oracle won't likely support its use, but some customers will run it, and with all the compliance demands out there that's a pretty good idea," Ogren said. "Especially when you combine the virtual patching with vulnerability scanning and auditing, it could be a nice differentiator for Sentrigo."
The analyst said that along with Blue Lane, Sentrigo will likely compete with rival database security products offered by Imperva, Guardium, and Symantec, and that its technology remains a "nice to have," rather than a "must have" for most organizations.
However, he said that there likely will be interest from the types of companies that have become traditional early adopters of newer security tools, including those companies under pressure from data security regulations, such as those in the retail, healthcare, and financial services industries.
"You can't put something like this in every office around the world if you're a large enterprise, but it would be nice to have in the data center," Ogren said. "At the end of the day, customers still need to do patching, but this is just one more thing that can help them manage that arduous process."
Matt Hines is a senior writer at InfoWorld.