You can't secure what you don't acknowledge.SM

Monday, October 18, 2010

AppDetectivePro v7 worth checking out

Have you checked out Application Security's (somewhat) new AppDetectivePro version 7? Have you even heard of AppDetectivePro? If not, it needs to be on your radar. It's a powerful database vulnerability scanner that can perform both unauthenticated penetration tests as well as authenticated audits of SQL Server, Oracle, MySQL, DB2, Notes/Domino and Sybase (wow) systems. A screenshot of a penetration test of an Oracle 11g-based system is shown below:

AppDetective is a tool that I've relied on for years to help with database security assessments. The price per database instance is pricey but it's worth it. I've found that the results are very similar when running it on similar systems so one scan per platform may be enough to get by with as long as you implement the same changes on like systems across the board.

Probably the biggest improvement with AppDetective Pro version 7 is the User Rights Review shown below:

User Rights Review allows you to run reports on effective role and user permissions for a specific database. That's big in today's world of big government and big regulation. I'm not surprised at its utility, however, since reporting is one of AppDetectivePro's strong suits - pleasing compliance managers, auditors, and regulators from sea to shining sea for years.

The bad news (not necessarily related to the new version 7) is that I recently lost about 5 hours of my life troubleshooting a problem with AppDetectivePro that should've been readily-accessible in the documentation or online knowledgebase. In essence, a SQL Server system I was testing was running in shared memory mode and had TCP/IP disabled. Running the tool on the same SQL Server box still yielded a big fat nothing until a level 2 support person helped me get to the bottom of the problem.

Overall, AppDetectivePro is still the most comprehensive and recognized database vulnerability scanner. It's definitely worth checking out. As for SQL Server 2008 R2 support (a biggie in my book) I checked with the folks at Application Security about a month ago, and according to their site today, there's still no support for it but I suspect that'll come soon as more clients demand it. Furthermore the name of the product doesn't really reflect what it does (databases not apps, although it used to perform basic Web app scans)...but, hey, now you know, right?


  1. Nice correction point that AppDetectivePro 7 can scan MSSQL2008R2

  2. Thanks Mark. That must be a very recent update to the product. Also, here's what your website says:

    AppDetectivePro for Microsoft SQL Server Target Database Servers
    * Microsoft SQL Server Versions 2000, 2005, 2008, and 2005 Express Edition (Windows)
    * MSDE 2000 (Windows)

    ...might be worth adding SQL Server 2008 R2 to the list.