A security analyst has warned that embedded databases, such as SleepyCat's, could cause users future problems.

Ted Julian, vice president of marketing at New York-based Application Security, said of Oracle's recent purchase of SleepyCat: “Embedded databases are completely overlooked, yet they represent a soft underbelly. You could have sensitive technical information such as configuration data stored on a router or customer information on a piece of software.”

SleepyCat’s BerkeleyDB database has been deployed more than 200 million times, according to research firm Ovum. Those deployments range from network routers and cell phones to business applications and popular websites.

For instance, routers from Alcatel store data using BerkeleyDB, and Amazon uses BerkeleyDB for several critical parts of its website. The Chicago Mercantile Exchange uses BerkeleyDB for backup and recovery of its trading database. And Google uses BerkeleyDB to process Gmail and Google user accounts.

Information held by these deployments could be compromised if developers forget to change default user IDs and passwords. End users of the software never encounter these accounts, but they remain active and can give administrator privileges to attackers, Julian said.

Both Oracle and SleepyCat declined to comment. But Ben Chelf, chief technology officer at San Francisco-based security firm Coverity, said his firm’s analysis of BerkeleyDB software shows it to be “one of the better packages we’ve analysed.”

Coverity uses software developed at Stanford University by Chelf and others to scan application source code for security problems such as buffer overflows. So far, 100 firms including SleepyCat have paid Coverity to audit their software’s source code. In addition, SleepyCat was one of just seven of those companies to fix the 38 to 40 problems that were found and have those fixes certified by Coverity.
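As an added illustration of the defect class a source-code scanner of this kind looks for (this is example code written for this page, not code from the article, SleepyCat, or Coverity): an unbounded copy of a record key into a fixed-size stack buffer, beside a bounded version that rejects oversized input. The function names, the 16-byte key limit, and the sample keys are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define KEY_MAX 16   /* assumed fixed key-buffer size for the example */

/* Flawed pattern: strcpy() trusts the caller's length, so a key longer
 * than KEY_MAX - 1 bytes overruns the stack buffer. This is the shape of
 * defect a static analyzer reports; it is kept only for comparison and
 * must never be called with untrusted input. */
void copy_key_unchecked(char dst[KEY_MAX], const char *src) {
    strcpy(dst, src);   /* no bound check: overflow if strlen(src) >= KEY_MAX */
}

/* Hardened version: measure first, refuse input that does not fit, and
 * always leave dst NUL-terminated. Returns true on success and false for
 * an oversized key, which the caller should treat as a malformed record. */
bool copy_key_checked(char dst[KEY_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= KEY_MAX) {
        dst[0] = '\0';  /* leave a well-defined empty key behind */
        return false;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminating NUL as well */
    return true;
}

int main(void) {
    char key[KEY_MAX];
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok  = "user:1042";
    const char *bad = "user:1042:extra-long-suffix";
    printf("short key accepted: %d\n", copy_key_checked(key, ok));
    printf("long key rejected:  %d\n", !copy_key_checked(key, bad));
    return 0;
}
```

The checked variant returns a status instead of silently truncating, so a caller embedding the library can log and drop a malformed record rather than carry on with a partial key.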

Chelf acknowledged that Coverity’s scan can’t uncover non-technical problems such as the failure of programmers to change or remove default accounts. Nor can it guarantee that holes in EnterpriseDB won’t be created when it is embedded into other software or websites.

Noel Yuhanna, a database analyst at Forrester Research, noted that “embedded databases do not have the granular level of security controls built in like the traditional databases,” leaving them “more vulnerable to attacks.”

But based on Forrester’s research, 80 percent of embedded databases do not handle private data. Moreover, “embedded databases sometimes are tightly coupled with an application,” Yuhanna said, making it “difficult for hackers to know the underlying technology being used. Overall, we have not come across any major incidents that involved embedded databases.”

Julian said he hasn’t seen any documented data loss resulting from embedded database flaws, partly because such vulnerabilities tend to result in smaller, harder-to-detect incidents. “But there’s no question in my mind that it has happened,” he said.