Securing the back end

AppDetective does wonders, but database security doesn't come cheap

DATABASES ARE THE backbone of today's applications, containing a wide variety of data that ranges from price lists and inventory information to social security numbers, credit card numbers, and customer lists. Having any of this data released to the public would be a nightmare for any company, but many organizations do not know how vulnerable this data may be.

Database vulnerability falls into two main categories. The first area is data associated with Web-based applications. Many organizations have spent a lot of money creating a hardened perimeter for their networks, but they often forget that allowing access to a Web application provides an easy entry for many attackers. If the Web application is not properly developed, the internal database may be vulnerable to attacks. (KaVaDo's ScanDo helps organizations identify weaknesses in their Web applications in order to prevent attacks such as these.)

The second area of vulnerability is the essential security of the database itself. Many packages are installed with default administrator accounts or demo databases with default accounts that are never changed or removed after installation. This provides easy access to the database system for an attacker. Additionally, database servers are not immune to exploits, and many exploits exist for the major database platforms. As with any OS, database servers need to be properly hardened and patched. A combination of penetration testing and security audits will help identify weaknesses and risks and provide recommendations about the steps that can be taken to mitigate those risks.

However, ensuring database security has not always been the easiest task, often requiring an experienced (and expensive) database administrator. Application Security is trying to change this with its AppDetective solution, a product that provides a very easy-to-use database security scanner and auditor. An excellent tool to help organizations identify database security issues, AppDetective earned a Deploy rating in our tests.

AppDetective is a stand-alone application that installs on a Windows NT or 2000 system and remotely scans and tests database servers. AppDetective performs three main functions: scan, penetration test, and security audit. A scan is a simple, nonintrusive action that searches a network for databases and database components. AppDetective can scan the network or data imported from an NMAP (Network Mapper) scan. Overall, this step scans IP addresses for known database ports and attempts to gather as much information about the server as possible.

A penetration test, or PenTest, tries a comprehensive set of attacks -- including brute force -- to gain access to the database just as an attacker would. Brute force attacks that may lock out accounts are disabled by default. A PenTest requires nothing special to work successfully other than a network connection.

AppDetective's security audit is an exhaustive examination of the internal configurations of the database server, and it requires a valid database account to complete the test. Many times, this test can be run with one of the default accounts discovered during the PenTest.

AppDetective at work

We installed AppDetective on a Windows 2000 (SP2) system and were up and running in minutes. We began testing by scanning our entire network where we had default installations of Oracle 8, 8i, 9i, and SQL Server 7 and SQL Server 2000 running. The scan found all of our servers, plus a few instances of SQL Server desktop edition we did not know were running, as well as our MySQL installation on a Linux machine. (AppDetective will support PenTest and Security Audit on MySQL databases very shortly.)

Next we ran a PenTest on the identified database servers. The PenTest, which runs very quickly, identified a number of default accounts, "sa" accounts without passwords, missing patches, and best-practice configurations that should be implemented. All of this data is displayed in a vulnerability report that details the issues identified and what actions should be taken to fix each problem.

AppDetective provides the URLs for downloading missing patches and the commands to execute. According to Application Security, auto-fix technology and the ability to update security checks with a click of the mouse will be included in a future release.

Finally, we ran a security audit against all of our identified database servers. The security audit takes an inside-out approach, and it found problems with our auditing configuration, registry files, table permissions, access rights, and more.

With both penetration tests and security audits, administrators can select which tests to run. Out of the box, AppDetective includes some default policy configurations, but new policies can also be created to fit any environment. AppDetective is also clear about which tests may cause an account or server to lock up. We did not run into any problems in our testing, but some users could be locked out after a brute force password crack is attempted.
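To make concrete what a policy-driven audit of this kind checks, here is an added Python example (not AppDetective's code) that evaluates a server configuration snapshot for the issues the review lists: blank and vendor-default passwords, leftover demo databases, and a low patch level, with the checks that could lock accounts on a live server skipped unless the operator opts in. The snapshot, host name, policy thresholds and account values are constructed for illustration; Northwind/pubs and scott/tiger are well-known demo databases and a well-known default account.

```python
from collections import namedtuple
# Constructed snapshot of one server, standing in for what an authenticated
# audit reads from the database; host, accounts and values are illustrative.
SAMPLE_SERVER = {
    "host": "db01.example.test",
    "accounts": {"sa": "", "scott": "tiger", "app_user": "xK9$long-unique"},
    "databases": ["master", "Northwind", "pubs", "orders"],
    "service_pack": 2,
}

# Hypothetical policy data: well-known demo databases, vendor default
# credential pairs, and the minimum patch level this policy requires.
DEMO_DATABASES = {"Northwind", "pubs"}
DEFAULT_CREDENTIALS = {("sa", ""), ("scott", "tiger")}
MIN_SERVICE_PACK = 3

Finding = namedtuple("Finding", "check severity detail")

def blank_passwords(server):
    return [Finding("blank-password", "high", f"'{u}' has an empty password")
            for u, pw in server["accounts"].items() if pw == ""]

def demo_databases(server):
    return [Finding("demo-database", "medium", f"demo database '{db}' installed")
            for db in server["databases"] if db in DEMO_DATABASES]

def patch_level(server):
    sp = server["service_pack"]
    return ([Finding("missing-patch", "high", f"SP{sp} below required SP{MIN_SERVICE_PACK}")]
            if sp < MIN_SERVICE_PACK else [])

def default_credentials(server):
    # Against a live server this check means attempting logins, which can
    # lock accounts; here it is evaluated offline against the snapshot.
    return [Finding("default-credential", "high", f"'{u}' still has the vendor default password")
            for u, pw in server["accounts"].items() if (u, pw) in DEFAULT_CREDENTIALS]

# A policy is the list of checks to run. Checks that may lock accounts carry
# a flag and are skipped unless the operator opts in, as the review describes.
POLICY = [(blank_passwords, False), (demo_databases, False),
          (patch_level, False), (default_credentials, True)]

def run_audit(server, policy=POLICY, allow_lockout_risk=False):
    findings = []
    for check, may_lock_accounts in policy:
        if may_lock_accounts and not allow_lockout_risk:
            continue
        findings.extend(check(server))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.check, f.detail))
```

Calling `run_audit(SAMPLE_SERVER)` returns the non-intrusive findings sorted by severity; passing `allow_lockout_risk=True` adds the default-credential results.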

After testing database servers, AppDetective can create several reports, including an application inventory, vulnerability summary, vulnerability details, and a policy report, which details the tests that are checked in a given policy. We had a few minor issues with the reports, including the inability to combine all options into one single report. We also disliked AppDetective's use of blue text, which prints in a light, hard-to-read shade of gray on grayscale printers.

Nevertheless, AppDetective is a much-needed tool for network administrators. Its ease of use, speed, and high level of accuracy make it a must-have for any organization that relies on a database server.

Copyright © 2002 IDG Communications, Inc.
