Database Security On The Cheap

A look at some free tools to help tackle database security

Adrian Lane, Contributor

April 4, 2012


Every month I speak with a Fortune 500 firm about database security challenges. I love these conversations because simultaneously dealing with multiple security, regulatory, and performance requirements across multiple user groups is challenging to impossible.

But that's a very small part of the database security world, and every week I talk with someone about how to meet basic security requirements when there is no time and no money. The big shops have huge challenges, but they have personnel and budget. For small IT shops, resources are always scarce. Most DBAs wear three (or more) hats: administrator, architect, security expert. There's always too much to do, and it's the perfect environment where tools and automation help DBAs get their job done.

The problem is small companies also lack the budget to buy many of the expensive commercial tools to automate operations, assessments, monitoring, and auditing. Worse, there is not a lot of open-source development for database security tools.

So I thought it would be appropriate to mention some of the free resources that are available to help you get your job done. And what's cool is that, besides being free, some of these tools provide capabilities that are not otherwise available.

A few weeks ago, I mentioned the v3rity tool for Oracle database forensics. It helps you construct an audit trail from the Oracle database. Yes, you can do that with Oracle natively, but this tool is a bit different in that you get multiple data sources for a more complete view, and it's a very forensics-focused perspective. Manually combing through audit logs or -- worse -- transaction logs is a nightmare. This is a handy tool for forensic analysis, answering the question, "What the heck just happened?"

McAfee recently announced a free plug-in for creating an audit trail for the MySQL database. If you use MySQL, you know that it has close to zero auditing capabilities, a problem exacerbated by the plug-and-play storage engine model. Rather than gathering audit logs from the database engine, it monitors user activity. This is database activity monitoring on a platform that is underserved by the database security vendors. There are lots of small shops using MySQL as core production database servers, and this is a handy way to monitor database activity regardless of deployment model (in house, virtual server, cloud). And you can set policies to alert on specific events.

GreenSQL provides a free monitoring solution for MySQL, Postgres, and MS SQL Server. The product deploys in-line as a proxy server, so you need to route traffic through the software before it hits the database. It can both monitor user activity as well as block SQL requests deemed malicious.

I ran across a free SQL Injection Tool last week as well.

If you're a DBA, then you know that if the database gets hacked, you will get the blame -- despite the fact that the application developers failed to scrub input variables or use stored procedures, or that the platform providers miss vulnerabilities all the time. I do recommend using these tools prior to production database and application deployment to detect application vulnerabilities. It's free tools like these that many of the hackers leverage, so you might as well test it before an unreliable third party does.

Nessus offers a free version of its vulnerability scanning tool. It examines configuration settings and patch levels (though it omits the audit file capability), which is faster than logging into a bunch of machines and manually checking configuration and patch settings. Technically, the free version is only for home, noncommercial use, so you're not supposed to use it at work. It is limited to 16 IPs, but I don't know many people who run 16 systems at home, so you do the math. Some construe this to mean "no free version," but as my home and test configurations usually mimic my production databases, scan results were consistent.

For many years, Imperva has offered Scuba, a free database vulnerability assessment tool. It's cross-platform and examines patch levels, configuration settings, and administrative account settings. It even has reporting capabilities so you can integrate the results with other services.

If you're willing to put in a little more time on script development, then I've always found the local user groups a great source for ideas and sample scripts for database security. Some of the best user rights discovery and management scripts I've ever used came from regional Oracle database user groups. I've attended events over the years for Postgres, MS SQL Server, and DB2, and always came away with a new script for security. Finally, with a little patience and a search engine, there are lots of scripts published that help with sensitive data discovery.
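As an illustration of the kind of user rights discovery script such groups circulate, here is an added example written for this column; it is not from the article or from any particular user group, and it assumes PostgreSQL 9.1 or later and a role permitted to read the catalog views:

```sql
-- Added example, not from the article: three PostgreSQL queries that surface
-- the accounts and grants a rights review usually cares about.
-- Assumes PostgreSQL 9.1+ and a role that can read pg_catalog.

-- 1. Login roles holding attributes that bypass ordinary access control.
SELECT rolname,
       rolsuper        AS superuser,
       rolcreaterole   AS can_create_roles,
       rolcreatedb     AS can_create_dbs,
       rolreplication  AS replication,
       rolvaliduntil   AS password_expires   -- NULL means the password never expires
FROM pg_roles
WHERE rolcanlogin
  AND (rolsuper OR rolcreaterole OR rolcreatedb OR rolreplication)
ORDER BY rolname;

-- 2. Table privileges granted to PUBLIC, i.e. to every role that can connect.
--    Application schemas should normally not appear here at all.
SELECT table_schema, table_name, privilege_type, grantor
FROM information_schema.table_privileges
WHERE grantee = 'PUBLIC'
  AND table_schema NOT IN ('pg_catalog', 'information_schema')
ORDER BY table_schema, table_name, privilege_type;

-- 3. Members of privileged roles: who inherits superuser or CREATEROLE
--    indirectly through group membership rather than holding it directly.
SELECT r.rolname AS member,
       g.rolname AS member_of,
       m.admin_option
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolsuper OR g.rolcreaterole
ORDER BY g.rolname, r.rolname;
```

Run the three queries against each database periodically and diff the output against the previous run; an unexpected new row is the cheapest "what changed?" alert you can get without a monitoring product.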

One final note on the tools, since we are referencing commercial vendors that offer free versions or trials: the products usually provide limited functionality or a limited number of supported databases. These products are not "enterprise" quality despite marketing efforts to the contrary, but the enterprise audience is not the focus here.

And a further downside is possible phone solicitation from sales teams congratulating you on a successful download and inquiring as to when you will upgrade to the commercial version of the product. That said, it's a small price to pay for helpful security automation tools. I'm sure I've missed a few others out there, so feel free to list some that you use in the comments section below.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.


About the Author(s)

Adrian Lane

Contributor

Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, contributed articles to many major publications, and is easily recognizable by his "network hair" and propensity to wear loud colors.
