There's no such thing as a set-and-forget security configuration. You have to stay on top of your applications and databases to ensure that your policies are being enforced and that they're still valid in the face of new vulnerabilities.
Enter Application Security's AppDetective 5.0, a very powerful audit tool capable of performing both authenticated audit tests and brute-force attacks against your apps and databases. The solution accurately pinpoints any databases that need patches or that are misconfigured. Moreover, it empowers admins to create their own audit policies, making its application limitless.
Although mainly a client utility, AppDetective has an enterprise console that allows for role-based security. It is very easy to install and run, but some simple planning is necessary as it requires a database -- either an MSDB installation or SQL Server -- to act as the reporting repository.
AppDetective performs two types of standard tests: pen (or penetration) tests and audit tests. You may also use the powerful Policy Editor to create your own.
The Pen Test examines your system from a hacker's point of view. It doesn't need any internal permissions; rather, the test queries the server and attempts to glean information about the database it's running, such as its version. From there, it launches several brute-force attacks against your various database accounts.
One significant drawback to the Pen Test is that it relies heavily on a dictionary file. Not only is this approach inefficient; it can lead to false results. During testing, it was incapable of discovering new accounts with blank passwords.
The Audit Test is much more useful. It uses an authenticated connection to the server and queries the database itself for the information it needs. Using the Audit Test, AppDetective can detect any number of security violations on your server, from missing passwords and easily guessed user accounts to missing service packs and security patches.
AppDetective's true power lies in its Policy Editor, which gives you the ability to create your own tests. Test criteria can be any SQL query you like, and you can assign a title, risk level, summary, fix information, and many other elements.
Given the power to create your own policies, you don't have to use it merely for security auditing. You can use it to alert managers that SLAs are falling behind or that inventory has fallen below a certain level. Its usage is limited only by your imagination.
AppDetective allows you to manage the vulnerabilities discovered during a scan. You can delete vulnerabilities and even filter them, allowing you to focus on a particular risk level.
AppDetective also keeps up with the latest patches posted to various vendor sites. Moreover, Application Security tests to ensure that the fix is valid. If a fix exists, AppDetective can provide you a script to run.
AppDetective isn't without its shortcomings. The Audit Test, for example, lacks some base-level intelligence. In one of my authentication tests, it flagged a guest account in one of the databases as a security risk, failing to recognize that the account didn't reside in the master database and was thus unusable to begin with.
The Discovery Wizard isn't as smart as it should be, either. When testing system passwords, AppDetective performs brute-force attacks against the Probe account on SQL Server 2000. The Probe account hasn't existed since SQL Server 6.5.
AppDetective is an excellent security tool that goes far beyond just attacking your systems and reporting the results: It provides detailed descriptions of each vulnerability and how to fix them. But its real power lies in its framework for creating your own specialized scenarios.
Application Security AppDetective
Application Security, appsecinc.com
Cost: Starts at $US900 per year
Platforms: Target OSes: Windows 2003 and later; target databases: MySQL, Oracle, Sybase, IBM DB2, and Lotus Domino
Bottom line: AppDetective is a serious tool for testing application security. It comes with plenty of pre-configured tests, plus its extensible framework lets you easily create your own. Viewing and fixing vulnerabilities is very easy, and jobs can be scheduled. It isn't as smart as I'd like it to be out of the box, but it can be quickly configured to suit anyone's needs. - Sean McCown