News

AppSec Ports Security Tool to SQL, Exchange on Tap

• By Stephen Swoyer
• 05/23/2002

In addition to its seminal DbEncrypt database encryption product, AppSec currently markets AppDetective, a vulnerability assessment and security testing suite, for SQL Server platforms.

According to AppSec marketing manager Stephen Grey, while IT organizations have rushed to secure their operating system and Web server platforms in the wake of any number of well-publicized exploits, they’ve neglected in many cases to safeguard the integrity of their database platforms.

“We’ve been in this industry for a number of years as consultants, as professional developers, as security guys, and we’ve found a real almost black hole in regards to database security and application security. Companies just don’t get it,” he says.

At the same time, Grey contends, IT organizations aren’t getting much help from security vendors.

“We’ve see vulnerability assessment scanners and intrusion detection systems for network operating systems or Web servers, but you never really see anything for database, groupware or ERP [systems], which all seem to have … a whole slew of their own individual vulnerabilities,” he says.

As an example, Grey points to a spate of Oracle vulnerabilities uncovered by security consultant David Litchfield in February 2002. And just this month, Grey notes, SQL Server 7.0 and SQL Server 2000 systems were compromised by a new attack worm, dubbed SQL Spida. Microsoft released an informational alert on Spida this week.

To protect against Spida and other worms, AppDetective can do a variety of things. First, it discovers any supported platforms present in an IT environment. AppDetective-supported platforms include SQL Server versions 7.0 and 2000; Oracle versions 7, 8, 8i and 9i; Sybase versions 11, 11.5, 11.9.2, 12.0 and 12.5; and Lotus Notes/Domino. Grey says that AppDetective will soon support IBM’s DB2, the open source MySQL database and Microsoft Exchange.

AppDetective next performs a penetration test, in which it inspects a database as a hacker would, testing it for known vulnerabilities and in the process attempting to exploit a number of known denial-of-service- (DoS), misconfiguration- and password-related attacks. “It’s a zero knowledge test. We require nothing of you. We’re able to look at your network and look at your applications the way a hacker would,” Grey says.

Finally, AppDetective performs a security audit of all of the supported systems it finds. It includes a reporting engine that can generate canned or custom reports based on the results of an audit.

AppSec's other product, DbEncrypt, encrypts data stored within a relational database. It’s available for Oracle and SQL Server environments, and boasts what Grey claims is the “ultimate” in database security. “If someone breaches the database, they won’t be able to view any of the data without the proper key,” he says. “And if somebody actually makes off with your database server, or just steals your database storage, if they don’t have the proper key, all that they’re going to see is a lot of cipher text.”