Automated Vulnerability Assessments are integral to a systematic and proactive approach to database security and reduce the risk associated with both web and database specific attacks and support compliance with relevant standards, laws & regulations.
Key activities include:
- Leveraging an open-source or commercial database vulnerability assessment tool to discover known database security vulnerabilities; and,
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include; root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by a Database Vulnerability Assessment are:
- Quickly identify configuration errors, default settings, coding errors, and patch management issues in an automated manner in an economical fashion;
- Capable of being run on automated, regular basis to provide baseline and ongoing vulnerability management metrics; and,
- Can be used to focus other database assessment activities on those areas of greatest concern.
Because Database Vulnerability Assessments are fully "tool-based," manual review of the findings by someone well versed in database security is usually necessary to optimally leverage the output.
Database Vulnerability Assessments are best used:
- As a quick and inexpensive means of assessing the risk associated with a database that is in operation but has not (recently) gone through a broader database security assessment;
- As part of an ongoing vulnerability/configuration management program, especially in support of demonstration of ongoing compliance with relevant standards/regulations;
- To assess less critical databases (i.e., databases with a moderate risk profile where the risk does not justify greater extent and rigor; and,
- As an information gathering mechanism to focus penetration testing or code reviews.