The reporting, based on Crystal Reports and accessed via a test's right-click menu, is thorough and easy to use. After ADP runs an audit or pen test, the results are available for viewing on screen. You can export reports in 16 formats, including PDF, HTML, XML, Excel, and comma-separated value files. After running an audit or pen test, ADP presents four report options. A vulnerability summary is a brief description of the test and a count of vulnerabilities found. A vulnerability detail report lists much more information. For example, the vulnerability detail report for the test "permission on registry extended proc" listed two extended stored procedures with Execute permissions granted to the Public role, a description of the vulnerability, and sample syntax for a REVOKE T-SQL statement to remove Execute permissions from the procedures. A check-status report includes a two-line summary of each test in the policy with results. A user information report lists all accounts and the passwords the audit or pen test discovered. The report-viewing window has a typical table of contents panel along the right that, by default, displays only the highest level sections preceded by plus (+) signs. I wished for "expand all" and continuous scrolling options here but didn't find them.
The previously described reports all relate to a single audit or pen test run, but the Reports button at the top of the GUI accesses a set of nine reports that are based on data from multiple tests. One useful report, Vulnerability Differences, compares two audits or pen tests done at different times and reports the vulnerabilities that are resolved, unresolved, and new between the two. Another report gives the details of a specified policy. A summary report graphs the vulnerabilities detected during the testing for a session.
ADP has several other features that support your efforts to maintain secure systems. The Vulnerability Manager feature lets you focus on a particular area of interest by filtering test results by subjects such as IP address, vulnerability, or severity. The Fix Scripts feature generates scripts that you can customize and manually apply to correct common configuration problems. You can also create custom tests that consist of a SQL query and a set of criteria to apply to the result set. Another feature facilitates download and installation of program updates, ensuring that you have the most current program code and testing rules.
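To make the registry-extended-procedure finding and the custom-test feature concrete, here is an added example written for this review; it is not code from the article or from AppDetectivePro. It shows the kind of check the "permission on registry extended proc" test performs, expressed as a T-SQL query against the SQL Server 2005 catalog views, with the pass criterion a custom test would apply (the result set should be empty), followed by REVOKE syntax of the form the vulnerability detail report suggests. The review does not name the two procedures it found, so xp_regread and xp_regwrite are assumed here for illustration; substitute whatever the query returns.

```sql
-- Added example, not from the review or from AppDetectivePro.
-- Check: which registry-related extended stored procedures in master
-- have EXECUTE granted to the public role? (SQL Server 2005 catalog views)
USE master;
GO

-- Custom-test criterion: this query should return zero rows.
SELECT  o.name                             AS extended_proc,
        dp.permission_name,
        dp.state_desc,
        USER_NAME(dp.grantee_principal_id) AS grantee
FROM    sys.objects AS o
JOIN    sys.database_permissions AS dp
          ON dp.major_id = o.object_id
         AND dp.class = 1                  -- object-level permission
WHERE   o.type = 'X'                       -- extended stored procedure
  AND   o.name LIKE 'xp[_]%reg%'           -- xp_regread, xp_instance_regwrite, ...
  AND   dp.permission_name = 'EXECUTE'
  AND   dp.state IN ('G', 'W')             -- GRANT, or GRANT WITH GRANT OPTION
  AND   dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public');
GO

-- Remediation of the form the report suggests. Procedure names are assumed
-- for illustration; use the ones the query above actually returns.
REVOKE EXECUTE ON master.dbo.xp_regread  FROM public;
REVOKE EXECUTE ON master.dbo.xp_regwrite FROM public;
GO
```

On SQL Server 2000 the sys.objects and sys.database_permissions views do not exist; the equivalent check reads sysobjects (xtype = 'X') joined to sysprotects in master. Re-running the query after the REVOKE statements, and expecting an empty result, is exactly the "query plus criteria" pattern ADP's custom tests use.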
I am impressed by ADP. It's easy to install and very easy to use. I found the PDF Help documentation and the GUI's Help files useful. I appreciated that ADP can assess a system by using authenticated access from the inside as well as attack the system using unauthenticated access from the outside. ADP includes a useful set of reports and the flexibility to export them in your favorite format. I think many users will appreciate that ADP not only provides a full description of reported vulnerabilities but also suggests remedial action, including providing SQL statement syntax where appropriate. This application is easy to recommend. When you're looking for a database vulnerability scanner, let AppDetectivePro be the first one you evaluate.
AuditPro Enterprise 4.0
Network Intelligence (India) describes AuditPro Enterprise as a security audit tool rather than a vulnerability assessment tool because APE uses administrative credentials to authenticate to the system being tested. Testing in this way lets the product thoroughly assess the system's configuration, including patch levels, registry contents, and NTFS and database permissions. However, APE doesn't simulate attacks from outside the system.
APE assesses systems running under Windows 2003, XP, Win2K, Red Hat Linux, and Solaris. It assesses SQL Server 2005 and 2000, Oracle databases, DB2, and Cisco Systems routers. The application includes a vulnerability database, which it uses to check for known conditions. Options in the GUI let you check for updates at startup or on demand.
AuditPro Enterprise 4.0
PROS: Performs a good selection of tests; tests SQL Server and Windows; good at detecting patch status
CONS: Documentation is inadequate; UI is inflexible; some features didn't work during testing
RATING: 1.5 stars
PRICING: Starts at $400/host for scanning OS + $800/host for scanning databases
RECOMMENDATION: AuditPro Enterprise isn't ready for prime time, so I'm reluctant to recommend it.
CONTACT: Network Intelligence (India) · (91) (22) 28-39-26-28 · www.niiconsulting.com
In APE, named policies define the tests that will run against a particular system type out of those that APE can assess. Selecting one of the options displays the sets of "probes"—individual tests—appropriate to that system. You complete a policy by selecting the probes you want to run. APE includes 74 probes for SQL Server systems—a goodly number—and a separate set of probes for Windows OSs. OS probe sets also include network-related testing for open ports. APE targets ISO/IEC 27001 compliance and includes probes in each of the key application areas in support of that compliance.
Named profiles define the systems you want to test, together with the needed authentication credentials and the policy defining the probes you want to run against the system. APE lets you add individual systems by NetBIOS host name or IP address and choose from a display of host names for a domain from Active Directory (AD). I was surprised to discover that APE doesn't let you enter a DNS-style host name. When a system is running more than one supported application that you want to test within a profile, such as Windows and SQL Server or SQL Server and Oracle, APE lets you provide credentials and select a testing policy for each application on the system. Your completed profile is a list of systems, each with one or more applications, along with necessary authentication credentials and testing policy.