Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:41 PM
Adrian Lane
Adrian Lane

Database Security On The Cheap

A look at some free tools to help tackle database security

Every month I speak with a Fortune 500 firm about database security challenges. I love these conversations because simultaneously dealing with multiple security, regulatory, and performance requirements across multiple user groups is challenging to impossible.

But that's a very small part of the database security world, and every week I talk with someone about how to meet basic security requirements when there is no time and no money. The big shops have huge challenges, but they have personnel and budget. For small IT shops, resources are always scarce. Most DBAs wear three (or more) hats: administrator, architect, security expert. There's always too much to do, and it's the perfect environment where tools and automation help DBAs get their job done.

The problem is small companies also lack the budget to buy many of the expensive commercial tools to automate operations, assessments, monitoring, and auditing. Worse, there is not a lot of open-source development for database security tools.

So I thought it would be appropriate to mention some of the free resources that are available to help you get your job done. And what's cool about this is, besides the fact that they are free, some free tools provide capabilities that are not otherwise available.

A few weeks ago, I mentioned the v3rity tool for Oracle database forensics. It helps you construct an audit trail from the Oracle database. Yes, you can do that with Oracle natively, but this tool is a bit different in that you get multiple data sources for a more complete view, and it's a very forensics-focused perspective. Manually combing through audit logs or -- worse -- transaction logs is a nightmare. This is a handy tool for forensic analysis, answering the question, "What the heck just happened?"

McAfee recently announced a free plug-in for creating an audit trail for the MySQL database. If you've use MySQL, you know that there is about zero auditing capabilities, a problem exacerbated by the plug-and-play storage model. Rather than gathering audit logs from the database engine, it's monitoring user activity. This is database activity monitoring on a platform that is underserved by the database security vendors. There are lots of small shops using MySQL as core production database servers, and this is a handy way to monitor databases activity regardless of deployment model (in house, virtual server, cloud). And you can set policies to alert on specific events,

GreenSQL provides a free monitoring solution for MySQL, Postgres, and MS SQL Server. The product deploys in-line as a proxy server, so you need to route traffic through the software before it hits the database. It can both monitor user activity as well as block SQL requests deemed malicious.

I ran across a free SQL Injection Tool last week as well.

If you're a DBA, then you know that if the database gets hacked, you will get the blame -- despite the fact that the application developers failed to scrub input variables or used stored procedures. Or that the platform providers miss vulnerabilities all the time. I do recommend using these tools prior to production database and application deployment to detect application vulnerabilities. It's free tools like these that many of the hackers leverage, so you might as well test it before an unreliable third party does.

Nessus offers a free version of its vulnerability scanning tool. It examines configuration settings and patch levels, but omits the audit file capability, which is faster than logging into a bunch of machines and manually checking configuration and patch settings. Technically, the free version is only for home, noncommercial use, so you're not supposed to use it at work. It is limited to 16 IPs, but I don't know many people who run 16 systems at home, so you do the math. Some construe this to mean "no free version," but as I usually mimic my home and test configurations from my production databases, scan results were consistent.

For many years, Imperva has offered Scuba, a free database vulnerability assessment tool. It's cross-platform and examines patch levels, configuration settings, and administrative account settings. It even has reporting capabilities so you can integrate the results with other services.

If you're willing to put a little more time in to do some script development, then I've always found the local user groups a great source for ideas and sample scripts for database security. Some of the best user rights discovery and management scripts I've ever used came from regional Oracle database users groups. I've attended events over the years for Postgres, MS SQL Server, and DB2, and always came away with a new script for security. Finally, with a little patience and a search engine, there are lots of scripts published that help with sensitive data discovery.

One final note on the tools since were are referencing commercial vendors that offer free versions or trials: The products usually provide limited functionality or number of databases supported. These products are not "enterprise" quality despite marketing efforts to the contrary, but the enterprise audience is not the focus here.

And a further downside is possible phone solicitation from sales teams congratulating you on a successful download and inquiry as to when you will upgrade to the commercial version of the product. That said, it's a small price to pay for helpful security automation tools. I'm sure I've missed a few others out there, so feel free to list some that you use in the comments section below.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.

Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
PUBLISHED: 2019-12-09
IBM DataPower Gateway throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.