This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."
Download it now to read this article plus other related content.
Price: $900 per database instance annual subscription fee
AppDetectivePro fills a critical niche that goes beyond conventional vulnerability scanners, performing "deep dive" inspections of database configuration to identify security issues. It's ideal for internal and external auditors, security professionals, consultants and others who need to perform on-the-fly database vulnerability assessments.
AppDetectivePro supports Microsoft SQL Server, Oracle, IBM DB2, Sybase and MySQL. The subscription fee includes a comprehensive collection of predefined security checks for each platform.
The checks are updated only monthly, which could mean a significant lag between discovery of a serious flaw and the ability to detect it.
Users may augment the built-in policies with custom checks written in SQL.
Installation and initial configuration is straightforward. The software uses a standard installation wizard and works best when used with a SQL Server database to store results. AppDetectivePro offers three assessment methodologies: database discovery, penetration testing and auditing.
Database discovery allows you to scan a network for the presence of databases that may then be further assessed. Any AppDetectivePro license includes unlimited discovery scanning. You may purchase additional licenses to perform penetration tests and/or audit scans on any discovered database instances. Scan characteristics are highly customizable, allowing you to specify the ports scanned and technique for live host detection.
Penetration testing attempts to gain information about and access to the database without credentials, simulating the access an outsider might be able to gain to your network. It does not actually attempt to exploit any vulnerabilities; it just uses fingerprinting techniques to determine the database version and patch level.
The true value of the product shines through in the database audit functionality. The audit begins by retrieving a large amount of configuration information from the target database (usernames and password hashes, object/privilege listings, details on linked servers, etc.) and stores it locally on the scanning workstation, where AppDetectivePro performs its analysis.
This was first published in October 2008