APE seems inconsistent in some features, such as its support for Sybase. For example, the application shows Sybase as an option in Profile Manager but not Policy Manager. The AuditPro Enterprise GUI, shown in the screen below, could be more user-friendly. For example, the main UI, Policy Manager, and Profile Manager are implemented in windows that you can't resize, and several columns are too narrow to show all the information.
Figure 2: AuditPro Enterprise GUI
The documentation for APE is inadequate. Documentation available on the Network Intelligence (India) website describes the product but provides no usage information. When I requested more documentation, the vendor sent me an eight-page PDF that described the installation and usage cycle for APE in general terms. The Help installed with APE provides information about probes for Windows, Linux, and DB2, but not for SQL Server or Oracle databases or for using Probe Manager to create custom probes.
I installed APE on a Windows Server 2003 system running SQL Server 2005. I had to run two installation modules, one for AuditPro, and a second one that the vendor described as a Crystal Reports module for advanced reporting features. I used the AD discovery feature to create a profile that included eight Windows systems with a minimal set of probes for each, a profile with a Win2K Server system with SQL Server 2000, and a third profile with a Windows 2003 and SQL Server 2005 system. The latter two I configured with the full set of probes for their versions of Windows and SQL Server. After running the audit for each profile, APE generated a set of HTML reports. The high-level report listed the number of vulnerabilities detected in five categories, with a link to a detail report for each system and application—in this case, one report for the Windows probes and a separate report for the SQL Server probes. In each case, the tests for a single target system completed in only a few minutes, and APE reported a set of vulnerabilities similar to that reported by ADP. The summary results matrices in both the GUI, shown in the screen above, and the summary report include hotlinks to the detail information, but the links produced only blank reports.
The detail report lists the detailed results of each probe, reporting and assigning a severity level to each vulnerability tested and giving a value of OK or a risk level of low, medium, or high. APE also calculates a weighted vulnerability score, assigning a value of 1, 2, or 3 to low-, medium-, and high-risk vulnerabilities, respectively, and reporting the total. For Windows, the report lists security-related updates, open IP ports, running services and processes, local security policy settings, administrative users, and an analysis of event log settings, to name a few. For SQL Server, the report includes authentication and authorization information, such as members of the sysadmin role, execute permissions assigned to various stored procedures, the state of login auditing, and SQL Server trace settings.
I eventually discovered a Settings menu option, used to change the console password and create a database where APE stores audit results, a procedure described in updated documentation I eventually received for APE. I created the database, which included four user tables. After I ran some audits, the Advanced Reporting option presented the audits as available for comparison and reporting, but none of the four report types (generic report, trending analysis, audit results report, software inventory) produced a report. Considering the absolute dearth of documentation around the installation, configuration, and use of the reporting component, I chose not to investigate further.
Overall, APE isn't quite ready for prime time. Perhaps if the documentation were complete enough to describe how to configure and use the product in greater detail, I'd have had a different experience. As it is, the HTML-based detail reports generated directly by running an audit provide a lot of useful detail information and can be used as a checklist to lock down security on a system.
A Clear Winner
APE can't do penetration tests but generally performs well as a scanner. It can detect a wide variety of vulnerabilities and helps with ISO/IEC 27001 compliance. However, APE's interface is difficult to use, its documentation is incomplete and insufficient, and some of its reporting features seem nonfunctional. ADP surpasses APE with audit scans that are at least as good as APE's, extensive penetration tests, a much better UI, and excellent documentation. While APE generally tells you what to do to fix problems, ADP provides more thorough explanations and, frequently, step-by-step procedures. I have to award my Editor's Choice to ADP. In all respects, it's the more complete product.