Application Security Locks Down DB2
IBM DB2 version of AppDetective tool is now in beta.Application Security Inc. has put out the beta for an IBM DB2 version of the companys AppDetective tool, a network-based, penetration testing tool and security audit scanner for databases. AppDetective has three modes of operation: Scan, Pen Test and Audit. Scan searches a network for databases and database components. Pen Test is a penetration test that performs brute-force external vulnerability assessments, mimicking the attempts of intruders who exploit holes to break into systems from the outside. Its test categories include denial of service, misconfigurations and password susceptibility. The tool comes equipped with a customizable, 30,000-word dictionary that checks for easily guessed passwords. The Audit mode examines internal database configurations and potential security holes, including specific access control settings, such as create_not_fenced, to determine who has been granted such access privileges.
Joe Zhou, a security specialist for the Corporate Security division of Sprint Corp. and a beta user of AppDetective for IBM DB2 as well as the Oracle and SQL Server versions of the tool, said that the tool isnt perfect yet. But it at least has more capabilities than the few other security tools for database protection hes managed to find and test, such as Symantec Corp.s Enterprise Security Manager, which only checks DB2s privilege settings against the ISO 17799 standard (the ISO information security standard).