I recently had the opportunity to look at the Application Security Inc. core
product called AppDetective 3.1. Since I evaluated it a month ago, it has
become a vital part of my day-to-day security auditing and I'm not really sure
how I survived without it. This review will focus mostly on how the
application works with SQL Server, but it can also handle other data sources and
applications like IIS.
The Problem
If you're a DBA, you may remember the calls you received when the SQL Slammer
virus first came out. I received a page at 7:30AM that Saturday morning from a
corporate security employee asking me if I had deployed service pack 2 for SQL
Server in our environment. We had just deployed it 3 weeks prior, but how
could we be sure we caught all the servers? Luckily, we didn't get harmed by
the virus because of strong firewall rules and patch deployment. How could we be
sure we got all the servers though? We then downloaded AppDetective to
make sure we had patched all the servers. We had thought we had 75 or so servers in
our environment, and what we found was terrifying.
How AppDetective Solved It
As you know, the problem and advantage with SQL Server is that it's so easy to
install. It asks you a few simple questions and voila, you've got an unpatched
copy of SQL Server installed that's vulnerable to all sorts of viruses. Rarely
do people remember to install the latest service pack. As AppDetective scanned
our network, it found an additional 200 SQL Server or MSDE instances that we
didn't know about, where developers had installed their MSDN copy of SQL
Server or were using MSDE to develop against. We scurried to finish the patch
work, as most of them didn't have the proper service pack installed on them
yet.
The nice thing we found about AppDetective was that it output all the
instances it found to an Access or SQL Server table for easy trend analysis. We
imported their host table into an Excel spreadsheet to monitor our server list
as we kicked off a server consolidation project. You can also schedule these
types of network scans on a periodic basis, so if a developer stands up a SQL
Server in our environment, they receive a call shortly thereafter.
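The trend analysis described above, as an added example that is not AppDetective's own code: it compares two exported host tables (constructed sample data in the shape host, instance, version), flags instances that appeared since the last scan and instances whose build is below a minimum you choose. The build-to-service-pack mapping in the comment is SQL Server 2000's; the hosts and versions are made up.

```python
# Added example (not AppDetective code): diff two host-table exports to flag
# newly discovered SQL Server/MSDE instances and instances below a minimum build.
import csv
import io

# Constructed sample exports. Builds for SQL Server 2000:
# 8.00.194 = RTM, 8.00.534 = SP2, 8.00.760 = SP3.
LAST_WEEK = """host,instance,version
db01,MSSQLSERVER,8.00.760
db02,MSSQLSERVER,8.00.534
"""
THIS_WEEK = """host,instance,version
db01,MSSQLSERVER,8.00.760
db02,MSSQLSERVER,8.00.534
dev-ws17,MSDE,8.00.194
"""


def parse_build(version):
    """Turn '8.00.534' into a comparable tuple (8, 0, 534)."""
    return tuple(int(part) for part in version.split("."))


def load_snapshot(text):
    """Read a host-table export into {(host, instance): version}."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["host"], row["instance"]): row["version"] for row in reader}


def compare_snapshots(previous, current, minimum_build):
    """Return (new_instances, unpatched); each is a sorted list of (host, instance, version)."""
    prev = load_snapshot(previous)
    curr = load_snapshot(current)
    minimum = parse_build(minimum_build)
    new_instances = sorted(
        (h, i, v) for (h, i), v in curr.items() if (h, i) not in prev
    )
    unpatched = sorted(
        (h, i, v) for (h, i), v in curr.items() if parse_build(v) < minimum
    )
    return new_instances, unpatched


if __name__ == "__main__":
    new, old = compare_snapshots(LAST_WEEK, THIS_WEEK, "8.00.534")
    for host, inst, ver in new:
        print(f"NEW: {host}\\{inst} ({ver}) -> call the owner")
    for host, inst, ver in old:
        print(f"BELOW MINIMUM: {host}\\{inst} ({ver})")
```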
The true power in the application is the ability to audit an individual
server's security policies. We pointed AppDetective at our development server
and it found lots of vulnerabilities that I wasn't aware of. It also shows you
how to fix the problem with easy-to-read instructions. As you can imagine, the
types of vulnerabilities out there are constantly changing, and you can update
your security profile with ASAP Update, which downloads the latest
vulnerability lists from Application Security's website. I've been doing
this once every few weeks since I installed the program.
The product can also perform brute force attacks or denial of service (DoS)
attacks on your server to test your security measures. It will try to crack
the passwords that are set and will find easy-to-guess passwords. It
then creates an easy-to-read report that even a manager can read. Each scan is
kept historically so you can see if things are improving or getting worse.
Overall, the program was very simple to install, configure and use. There is
only a client to install on your workstation and no component on the servers to
install. There was no learning curve at all and I was using the program in a
panic within minutes. I can’t recommend AppDetective enough as an enterprise
tool to scan your network for SQL Server and then find vulnerabilities. It can
be costly to deploy AppDetective to too many servers in an enterprise
environment however. You need one license to scan the network and then one per
server to scan for vulnerabilities or security policies. So if you wanted to
scan 2 servers in your environment but only wanted to test your policies
against one, you would only need one license. As with most vendors, enterprise
licensing is available.
The Big Picture
AppDetective helped us in a struggle to find newly installed SQL Servers and
helped us be a nosy DBA. Users can no longer install SQL Server on their
computers without getting a call from us shortly thereafter. AppDetective has
saved us countless days of work in locating the servers and then really tests
our security policies before they're tested in the real world.
Rating
Return on Investment: 4.0 - Expensive product at $1295 an instance but well worth it.
Ease-of-Use: 5.0 - All the features were very easy to use.
Features: 5.0 - Everything you need to secure your SQL Server in a nice package.
Learning Curve: 5.0 - Wizards made it easy to configure your environment in 5 minutes.
Time savings: 5.0 - Saves tons of time in auditing your system and finding SQL Servers you didn't know existed.
Lack of Bugs: 5.0 - None found during this review.
Support: 5.0 - Support provided a phone number to call back in less than 10 mins when anonymously e-mailed.
Overall: 5.0 - Easy product to use and find SQL Servers that you didn't know existed. Auditing a snap.
Specifics
Vendor Information
Application Security, Inc.
117 East 24th Street
Suite 2A
New York, NY 10010
USA
Tel: +1 212-420-9270
Fax: +1 212-420-9680
Pricing
Price: Lists at $1,295 per instance, but enterprise-wide pricing to
cover an entire organization is available.
30-day full demos are available of all ASI products.