January 06, 2009 09:06 PM

Vulnerability Scanner Showdown: AppDetectivePro 5.4.6 vs. AuditPro Enterprise 4.0

Protect your SQL Server databases using products that scan for potential security exposures
SQL Server Magazine
InstantDoc ID #100994

Executive Summary:

Application Security's AppDetectivePro 5.4.6 provides a variety of security tests and useful reports. AppDetectivePro is easy to use and should be considered by anyone seeking a vulnerability scanner. AuditPro Enterprise 4.0 from Network Intelligence (India) has problems with its interface, and some of its features don't work. Although AuditPro Enterprise provides some useful information, AppDetectivePro is the superior database vulnerability scanner.

Database vulnerability scanners are tools you can use to assess the configuration of your database servers for security weaknesses that expose them to known threats. These scanners can be a critical tool in avoiding the financial and legal costs companies of all sizes could sustain from a single incident of compromised data. Here, I review two products: Application Security's AppDetectivePro (ADP) 5.4.6 and AuditPro Enterprise (APE) 4.0 from Network Intelligence (India). These products install with predefined tests and sets of tests called policies, which can be part of an ongoing program to minimize the risk of your systems and data being compromised. As you'll see, there are some major differences between these two products. Microsoft's Baseline Security Analyzer v2.1 is another choice for SQL Server security, but both of the products reviewed here include more comprehensive sets of assessment tests for SQL Server.

AppDetectivePro 5.4.6
ADP is a vulnerability-assessment tool that probes your application servers from another system on the network. It tests SQL Server 2005, 2000, and 7.0, including x64, Microsoft Data Engine, and Express editions. The company plans to implement support for SQL Server 2008 in second quarter 2009. ADP also tests several other platforms, including IBM DB2, Lotus Domino, Oracle databases, Sybase ASE, and MySQL. Application Security licenses ADP by the database instance.

ADP installs on systems running Windows Server 2003, Windows XP, or Windows 2000, including x64 editions. By default, ADP stores results in a Microsoft Access database that's created when the product is installed. If you're planning to monitor a large number of databases, you can instead configure a SQL Server database for better scanning performance.

AppDetectivePro 5.4.6
PROS: Easy to install and use; provides a great set of reports in many formats; performs both unauthenticated penetration testing and authenticated audits; thoroughly tests for patches, configuration, and authentication
CONS: UI would benefit from a couple of tweaks
RATING: 4.5 stars
PRICE: $900 per database server instance.
RECOMMENDATION: If you're in the market for a tool to help you maintain the security of your database servers, make AppDetectivePro your first choice.
CONTACT: Application Security · 866-927-7732 · www.appsecinc.com

ADP uses a framework of jobs and tasks to perform vulnerability assessments. Session tasks define the applications and IP ports you want ADP to test. Discovery tasks locate systems with active ports on the network. Policy tasks define the set of tests ADP will perform, which can include both predefined and user-written tests. Audit and penetration (aka pen) tests probe the target systems for vulnerabilities: Audit tests assess from within the system, and pen tests simulate malicious hacker attacks from outside the system.

ADP includes a job scheduler that lets you automate audit and pen test runs for ongoing assessment. It also includes a vulnerability manager to track the status of ADP's findings. ADP will generate scripts to correct common configuration problems.

When installed, ADP launches the Discovery Wizard, which prompts you for host names, IP addresses, and database systems to scan. The result of running the Discovery Wizard is a named session that includes each server instance ADP found during the scan. I created a session that included one Win2K system hosting SQL Server 2000 and one Windows 2003 system hosting SQL Server 2005.

The ADP GUI is your primary interface for configuring sessions, running audits and pen tests, and managing reports. As you can see in the screen below, the top of the GUI provides access to a set of menus. A hierarchical view of the currently loaded session is displayed on the left, and a details pane is to its right. By default, ADP places all systems in the session in a folder called Network. You can create a multilevel hierarchy of folders to organize the IP addresses in a session. When you've highlighted a test in the session pane, the Details tab at the bottom of the right pane shows which policy defined the test, a brief summary of testing, and other information. The bottom pane lists the vulnerabilities discovered by the test. Clicking a vulnerability displays its description and suggests remedial action in the details pane's Vulnerability Description tab. You can find similar information in the Vulnerability Details report, which I discuss later.

Figure 1: AppDetectivePro GUI.

Once you've created and loaded a session, you can run an audit or pen test using a custom policy or one of ADP's built-in policies. I ran several of each test, most of which took just a few minutes. A test against an old SQL Server 2000 system reported 16 high-risk, 10 medium-risk, 37 low-risk and 10 informational vulnerabilities. Tests against a SQL Server 2005 system reported only three high-risk vulnerabilities (two weak passwords and missing updates) and one low-risk vulnerability (failure to use Windows-only authentication mode). Pen tests run without supplied authentication and can, depending on the particular tests you include in the policy, attempt to crack security and gain access to the system. When you run a pen test, ADP warns you that the testing activity may be logged on the target system.

ADP supports an extensive list of pen and audit tests. Pen tests available when you create a custom pen test policy include Denial of Service attacks, attacks for common user IDs and easily guessed passwords, system configuration problems, and known vulnerabilities. The application divides audit tests into access control, application integrity, identification and password control, and OS integrity categories.
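The findings the review reports for the SQL Server 2005 system (missing updates, weak passwords, and mixed-mode rather than Windows-only authentication) can be reproduced by hand with a short T-SQL audit. The script below is an added example written for this review, not ADP's own test logic or any Application Security code; it assumes a sysadmin connection to SQL Server 2005 or later, and the expected build string and the candidate password list are placeholders constructed for the example.

```sql
-- Added example: manual audit of the three finding types the review describes.
-- Run as sysadmin; PWDCOMPARE against sys.sql_logins requires CONTROL SERVER.

-- 1. Patch level. The expected build is a placeholder; take the real value
--    from Microsoft's release notes for the instance's version.
DECLARE @expected_build nvarchar(128);
SET @expected_build = N'<current-build-placeholder>';

SELECT  SERVERPROPERTY('ProductVersion') AS product_version,
        SERVERPROPERTY('ProductLevel')   AS service_pack,
        CASE WHEN CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) = @expected_build
             THEN N'OK: current build'
             ELSE N'HIGH: missing updates' END AS finding;

-- 2. Authentication mode: 1 = Windows-only, 0 = mixed (SQL logins enabled).
SELECT  CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN N'OK: Windows-only authentication'
            ELSE N'LOW: mixed-mode authentication enabled' END AS finding;

-- 3. Weak SQL logins. PWDCOMPARE checks a candidate against the stored hash
--    without exposing it. The candidate list is constructed for this example;
--    a real audit would use an organisation's own banned-password list.
DECLARE @candidates TABLE (pwd nvarchar(128) NOT NULL);
INSERT INTO @candidates (pwd) VALUES (N'');          -- blank password
INSERT INTO @candidates (pwd) VALUES (N'password');
INSERT INTO @candidates (pwd) VALUES (N'sa');

SELECT  l.name, N'HIGH: password matches candidate "' + c.pwd + N'"' AS finding
FROM    sys.sql_logins AS l
JOIN    @candidates AS c ON PWDCOMPARE(c.pwd, l.password_hash) = 1
UNION ALL
SELECT  l.name, N'HIGH: password equals login name'
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(l.name, l.password_hash) = 1
UNION ALL
SELECT  l.name, N'MEDIUM: Windows password policy not enforced'
FROM    sys.sql_logins AS l
WHERE   l.is_policy_checked = 0
ORDER BY name;
```

The HIGH/MEDIUM/LOW labels mirror the review's risk categories and are the example's own assignment; a scanner policy would define its own.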
