Tool Tests DB2 Security

AppDetective scans applications and performs penetration tests and security audits on IBM database apps.

Application Security Inc. on Monday rolled out an IBM DB2 version of its AppDetective application security vulnerability scanner.

The scanning and penetration-testing software performs network-based penetration tests and security audits. AppDetective locates and identifies a variety of applications within a network, including those running on DB2 and Lotus Domino databases, as well as on databases from Oracle Corp., Microsoft Corp. and Sybase Inc. The software presents version numbers, patches and other inventory-specific information for use in security analysis. Security audits can be performed on target DB2 databases remotely from laptops or desktops.

The tool produces reports with instructions on how to fix vulnerabilities, along with reference links to database vendors' sites to ease the task of securing patches.

Aaron Newman, ASI's chief technology officer, said that as IBM gains database market share with DB2, the need for securing these databases is growing. "With more organizations relying on IBM DB2 to store their most critical information, properly securing and keeping a watch over these databases is important," said Newman, in a statement. "AppDetective for IBM DB2 is an automated vulnerability assessment application scanner that empowers security practitioners and database administrators with an all-in-one solution to discover rogue DB2 installations [and to] check for accounts with weak passwords, misconfigurations and vulnerabilities."

ASI, of New York, already markets the tool for use with Domino, Oracle's namesake database, Microsoft SQL Server and Sybase ASE databases. Officials said that the company soon will release versions of AppDetective for MySQL, Oracle Application Server, Microsoft Exchange and IBM WebSphere.

Free evaluation versions of ASI products are available at ASI's Web site. AppDetective for DB2 sells for $1,295 per database instance, with an additional 20 percent for maintenance, which includes a continuously updated library of vulnerabilities and misconfigurations.