Application Security Locks Down DB2 - 2

AppDetective tool performs penetration tests, security audits on IBM's database.

Application Security Inc. this week will make available an IBM DB2 version of its AppDetective, a network-based penetration testing tool and security audit scanner for databases.

AppDetective has three modes of operation: Scan, Pen Test and Audit. Scan searches a network for databases and database components.

Pen Test is a penetration test that performs brute-force external vulnerability assessments, mimicking the attempts of intruders who exploit holes to break into systems from the outside. Its test categories include denial of service, misconfigurations and password susceptibility. The tool comes with a customizable, 30,000-word dictionary that checks for easily guessed passwords.

Audit examines internal database configurations and potential security holes, including access control settings, such as create_not_fenced, to determine who has been granted such access privileges.
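As an added illustration (not part of the article and not AppDetective's own logic), the privilege the article names can be listed straight from the DB2 catalog: on DB2 for Linux, UNIX and Windows, the CREATE_NOT_FENCED database privilege is recorded in the NOFENCEAUTH column of the SYSCAT.DBAUTH view. The queries below assume that catalog; the view and column names are real DB2 identifiers (the exact column set varies by DB2 version), while APP_USER is a placeholder for whatever unexpected grantee the audit turns up.

```sql
-- Who may create unfenced routines, i.e. user code that runs inside the
-- database engine's own address space?  SYSCAT.DBAUTH holds database-level
-- privileges; NOFENCEAUTH = 'Y' means CREATE_NOT_FENCED has been granted.
-- GRANTEETYPE is 'U' for a user and 'G' for a group.
SELECT grantee, granteetype, grantor, nofenceauth
FROM   syscat.dbauth
WHERE  nofenceauth = 'Y'
ORDER BY grantee;

-- Widen the same check to other high-impact database authorities, and flag
-- anything granted to PUBLIC, which every connected user inherits.
SELECT grantee, granteetype,
       dbadmauth, nofenceauth, loadauth, implschemaauth
FROM   syscat.dbauth
WHERE  dbadmauth     = 'Y'
   OR  nofenceauth   = 'Y'
   OR  loadauth      = 'Y'
   OR  grantee       = 'PUBLIC'
ORDER BY grantee;

-- Remediation for a grantee that should not hold the privilege
-- (APP_USER is a placeholder account name):
-- REVOKE CREATE_NOT_FENCED ON DATABASE FROM USER APP_USER;
```

Run both queries from a `db2` command-line session connected to the database being audited; a tool such as the one described performs essentially this kind of catalog inspection, then compares the result against a policy of who is expected to hold each privilege.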

Joe Zhou, a security specialist for the Corporate Security division of Sprint Corp. and a beta user of AppDetective for IBM DB2, as well as a user of versions for Oracle Corp. and Microsoft Corp. databases, said AppDetective isn't perfect yet. But Zhou said it at least has more capabilities than the few other security tools for database protection he's managed to find and test, such as Symantec Corp.'s ESM (Enterprise Security Manager).

While ESM checks DB2's privilege settings against the ISO 17799 standard (the ISO information security standard), Zhou said, the fact that it doesn't perform penetration testing makes ESM an incomplete solution for his requirements. AppDetective's capabilities exceed that, but for Zhou, in Kansas City, Mo., a perfect database security tool also checks security at the operating system level.

"If you can do an operating-system-level check, you can verify that you have the right patches," he said. "From the database level, you can only check that settings are right, like authentication and authorization."

According to Stephen Grey, manager of product marketing for Application Security, of New York, operating system checks will be available in an upgrade within one month after AppDetective for IBM DB2 ships.

But some people might question the need for DB2 protection. After all, it hasn't been targeted by worms or viruses to the same extent Microsoft's SQL Server database has, which was attacked in May by the Spida worm, also known as SQLsnake. The Spida worm attacked servers running any version of SQL Server and, at one point, clocked in at 100 new infections per hour.

Some say it's just a matter of time before DB2 gets slammed in a similar way. As Grey pointed out, hackers write worms to the most popular and widespread databases. As DB2's popularity grows, so, too, will its desirability as a target.

"With DB2's growing popularity, it will eventually happen," Grey said. "SQL Server's a big target because it was traditionally cheaper or free with BackOffice."

Furthermore, databases tend to be enterprise weak spots, Grey said, since they don't get the same attention as other infrastructure components.

The final version of AppDetective for IBM DB2 is priced at $1,295 per database instance. A maintenance package costs 20 percent more. The upgrade for operating-system-level checks will be offered at no additional charge.