Penetration Testing mailing list archives

Re: Database Scanners


From: Jay Beale <jay () bastille-linux org>
Date: Fri, 13 Aug 2004 09:32:44 -0700

The first part of the question seems to be whether there should be a separate security administrator at all -- I think there definitely should be. Having a primary focus on security allows an individual to both build up and practice not only the requisite skills, but also the right attitude, one that forces you to constantly consider how you would break into your site and thus what remediation steps should be taken. Honestly, a huge part of what we do as security people is just exercising this attitude. Having a separate security administrator not only allows some part of your organization to think in this way, but also gives you someone to serve as a kind of "security conscience," a voice that questions bad implementation decisions, hopefully while they're being made.

As far as what department the Security Administrator should work for, the jury is still out. Many people favor a separate security team that doesn't share space or resources with the normal IT department. This has always seemed ideal, but it comes at a very high cost. By not being part of the operational IT group, sitting with those folks every day, the security group very often loses the ability to influence the IT folks in any way but fiat. And fiat is a difficult way to do security...

 - Jay


Frank Boldewin wrote:
hi peter,

in my opinion the auditor (revision or tiger team) of the company,
because it's a bad idea to let the department check their own environment.
i think that dual control makes for better security and assures that the scans
are really done at regular intervals.

greetings,
frank


----- Original Message ----- From: "PETER INEH" <PINEH () mbc-nig com>
To: "Jay Beale" <jay () bastille-linux org>; "Frank Boldewin"
<frank.boldewin () gmx de>; <pen-test () securityfocus com>
Sent: Friday, August 13, 2004 11:25 AM
Subject: Re: Database Scanners



Greetings,

Can anyone confirm to me which department should handle the duties of the
Security Administrator. Is it the IT department or the IT Auditor?

Thanks.



Peter Ineh
Inspection Department
MBC International Bank Limited


-----Original Message-----
From: Jay Beale <jay () bastille-linux org>
To: Frank Boldewin <frank.boldewin () gmx de>
Cc: pen-test () securityfocus com
Date: Thu, 17 Jun 2004 23:12:33 -0700
Subject: Re: Database Scanners


I'm pretty impressed by MetaCoretex.

http://www.metacoretex.com/

Quoting:

MetaCoretex is an entirely JAVA vulnerability scanning framework which
puts special emphasis on databases. Probe objects are written in JAVA by
means of an easy to extend AbstractProbe class. Additionally, probe
generators make the process of writing simple probes almost automagic.

Please see the Features FAQ for information on all the junk MetaCoretex
can do...

Also, check out the Probe List for a current listing of active probes.


 - Jay



In the wise words of Frank Boldewin:


hi,

the only good database scanner i know is appdetective.

http://www.appsecinc.com/products/appdetective/

scans several databases: oracle, db2, mssql, mysql, notes, sybase and web
apps.

hope that helps.

cheers,
frank




----- Original Message ----- From: <brownsec () hotmail com>
To: <pen-test () securityfocus com>
Sent: Wednesday, June 16, 2004 10:39 PM
Subject: Database Scanners




Is anyone aware of a good scanner that will work well against DB2
databases?  I know ISS has a DB-Scanner but it does not appear to be
compatible with DB2.



Thanks...
