• AppDetectivePro v7 worth checking out

    18 Oct 2010

    Have you checked out Application Security’s (somewhat) new AppDetectivePro version 7? Have you even heard of AppDetectivePro? If not, it needs to be on your radar. It’s a powerful database vulnerability scanner that can perform both unauthenticated penetration tests as well as authenticated audits of SQL Server, Oracle, MySQL, DB2, Notes/Domino and Sybase (wow) systems. A screenshot of a penetration test of an Oracle 11g-based system is shown below:

    AppDetective is a tool that I’ve relied on for years to help with database security assessments. The price per database instance is pricey but it’s worth it. I’ve found that the results are very similar when running it on similar systems so one scan per platform may be enough to get by with as long as you implement the same changes on like systems across the board.

    Probably the biggest improvement with AppDetective Pro version 7 is the User Rights Review shown below:

    User Rights Review allows you to run reports on effective role and user permissions for a specific database. That’s big in today’s world of big government and big regulation. I’m not surprised at its utility, however, since reporting is one of AppDetectivePro’s strong suits – pleasing compliance managers, auditors, and regulators from sea to shining sea for years.

    The bad news (not necessarily related to the new version 7) is that I recently lost about 5 hours of my life troubleshooting a problem with AppDetectivePro that should’ve been readily-accessible in the documentation or online knowledgebase. In essence, a SQL Server system I was testing was running in shared memory mode and had TCP/IP disabled. Running the tool on the same SQL Server box still yielded a big fat nothing until a level 2 support person helped me get to the bottom of the problem.

    Overall, AppDetectivePro is still the most comprehensive and recognized database vulnerability scanner. It’s definitely worth checking out. As for SQL Server 2008 R2 support (a biggie in my book) I checked with the folks at Application Security about a month ago, and according to their site today, there’s still no support for it but I suspect that’ll come soon as more clients demand it. Furthermore the name of the product doesn’t really reflect what it does (databases not apps, although it used to perform basic Web app scans)…but, hey, now you know, right?