Published: 01 Oct 2008
Vulnerability Management
Application Security Inc.
AppDetectivePro fills a critical niche that goes beyond conventional vulnerability scanners, performing "deep dive" inspections of database configuration to identify security issues. It's ideal for internal and external auditors, security professionals, consultants and others who need to perform on-the-fly database vulnerability assessments.
AppDetectivePro supports Microsoft SQL Server, Oracle, IBM DB2, Sybase and MySQL. The subscription fee includes a comprehensive collection of predefined security checks for each platform.
The checks are updated only monthly, which could mean a significant lag between discovery of a serious flaw and the ability to detect it.
Users may augment the built-in policies with custom checks written in SQL.
Installation and initial configuration are straightforward. The software uses a standard installation wizard and works best when a SQL Server database is used to store results. AppDetectivePro offers three assessment methodologies: database discovery, penetration testing and auditing.
Database discovery allows you to scan a network for the presence of databases that may then be further assessed. Any AppDetectivePro license includes unlimited discovery scanning. You may purchase additional licenses to perform penetration tests and/or audit scans on any discovered database instances. Scan characteristics are highly customizable, allowing you to specify the ports scanned and the technique used for live host detection.
Penetration testing attempts to gain information about and access to the database without credentials, simulating the access an outsider might be able to gain to your network. It does not actually attempt to exploit any vulnerabilities; it just uses fingerprinting techniques to determine the database version and patch level.
The true value of the product shines through in the database audit functionality. The audit begins by retrieving a large amount of configuration information from the target database (usernames and password hashes, object/privilege listings, details on linked servers, etc.) and storing it locally on the scanning workstation, where AppDetectivePro performs its analysis.
AppDetectivePro identified a number of vulnerabilities in our database configuration. These included obvious, glaring errors that we intentionally introduced, such as blank administrator passwords, missing service packs and unapplied patches. It also identified more subtle configuration issues, such as improper permissions on registry extended stored procedures; the use of local SQL Server authentication (a non-recommended practice); the presence of sample databases; and failure to implement best practices for database activity auditing.
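The review says users can add custom checks written in SQL, and lists the kinds of findings the audit produced on our test instance. The T-SQL below is an added example of hand-written checks covering those same findings (authentication mode and patch level, blank passwords, sample databases, linked servers, PUBLIC access to the registry extended procedures, and the login audit level); it is not AppDetectivePro's own code and is not from Application Security Inc. It assumes SQL Server 2005 (the catalog views sys.sql_logins, sys.databases, sys.servers and sys.database_permissions) and a login with CONTROL SERVER, which is needed to read password_hash and the registry.

```sql
-- Added example: custom audit checks written against SQL Server 2005 catalog views.
-- Not vendor code. Run as a login holding CONTROL SERVER so password hashes and
-- registry values are readable.

-- 1. Authentication mode and patch level.
--    IsIntegratedSecurityOnly = 1 means Windows authentication only; 0 means
--    mixed mode, i.e. SQL Server logins are enabled.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
       SERVERPROPERTY('ProductVersion')           AS product_version,
       SERVERPROPERTY('ProductLevel')             AS service_pack_level;

-- 2. SQL logins with a blank password. PWDCOMPARE tests a candidate string
--    against the stored hash without ever revealing the password.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 3. SQL logins whose password equals the login name.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE(name, password_hash) = 1;

-- 4. Sample databases still installed (names are the stock Microsoft samples).
SELECT name
FROM   sys.databases
WHERE  name IN ('Northwind', 'pubs', 'AdventureWorks', 'AdventureWorksDW');

-- 5. Linked servers: each one is a trust relationship that should be reviewed.
SELECT name, product, provider, data_source
FROM   sys.servers
WHERE  is_linked = 1;

-- 6. Registry extended stored procedures (xp_regread, xp_regwrite, ...) that
--    the PUBLIC role is allowed to execute. These live in master.
USE master;
SELECT o.name        AS procedure_name,
       dp.state_desc AS permission_state,
       pr.name       AS grantee
FROM   sys.database_permissions dp
JOIN   sys.objects o             ON o.object_id     = dp.major_id
JOIN   sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE  o.name LIKE 'xp_reg%'
  AND  dp.permission_name = 'EXECUTE'
  AND  pr.name = 'public';

-- 7. Login audit level, read from the instance's registry hive.
--    AuditLevel: 0 = none, 1 = successful logins, 2 = failed logins, 3 = both.
--    Anything below 3 is worth flagging against a "log all logins" policy.
DECLARE @audit_level INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT @audit_level AS audit_level;
```

Each query returns rows only where a finding exists (or, for the single-row checks, a value to compare against policy), which is the shape a custom check needs: an empty result set means the check passed. Queries 2 and 3 rely on PWDCOMPARE, which Microsoft documents but marks as unsupported, so confirm it behaves on your build before depending on it.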
The descriptions provide detailed information on the vulnerabilities, their source, potential solutions and references for additional information.
AppDetectivePro includes nine canned reports that provide useful information for various levels of management and technical staff. These include an application inventory, summary reporting, high-level and detailed vulnerability reports and information on user accounts. You can also generate differential trend reports to evaluate the status of scanned databases over time. Output is available in Crystal Reports, HTML, XML and text.
AppDetectivePro stores results in an Access database on the local system, but you may also configure it to use SQL Server.
AppDetectivePro is an excellent solution for auditors, security professionals and consultants to capture snapshots of database security status.
Testing methodology: We tested AppDetectivePro in a VMware environment using Windows Server 2003 and SQL Server 2005.