December 10, 2002 at 6:10 pm
I am looking for references for products that test a SQL Server Installation's vulnerability to attack. I have identified:
- NGSSQuirrel
- One of NET IQ Components
Does anyone know of other products?
If so, it would be appreciated if you include the company's URL in your response.
Also, do you know of any other sites dedicated to SQL Server Security?
Thanks,
Michael
December 10, 2002 at 7:03 pm
The best SQL security related site is http://www.sqlsecurity.com/ . They have lots of information, current articles, links to other sites, links to applications. Another good one is AppDetective which I have used, check out http://www.appsecinc.com/.
December 11, 2002 at 7:38 am
You may want to check out: http://www.iss.net
They have a product called DBSCANNER that scans SQL Server, reporting security vulnerabilities.
Gregory Larsen, DBA
If you are looking for SQL Server examples, check out my website at http://www.geocities.com/sqlserverexamples
Gregory A. Larsen, MVP
December 11, 2002 at 10:22 am
http://www.microsoft.com/misc/unsubscribe.htm
They might be arrogant but at least they often admit to found holes. Subscribe to the Microsoft security newsletter and you'll be as informed as everyone else.
December 11, 2002 at 12:39 pm
Not exactly... certain companies practice "Open Disclosure", meaning Microsoft finds out when the rest of the public does. Microsoft won't announce a vulnerability until they have a patch. And it may not get all the vulnerabilities found. Case in point: Grey Magic's list of 9 using Active Scripting in IE. Microsoft covers 8 of the 9. The clipboard vulnerability is still there. Even so, Microsoft took over a month to acknowledge the issue publicly.
Example: MS02-068, addressing the Grey Magic vulnerabilities, was released for the first time December 4. Even so, it rated the ability for an external user to start up any program on the system as only a moderate (not critical) vulnerability. On December 6, after the firestorm, MS upgraded the severity level. When did the original bulletin from Grey Magic post? Why, October 22, 2002. So if you relied on just the MS Security Bulletin, you had a known vulnerability out in the public domain for over a month before you got wind of it.
Subscribe to NTBugTraq. Open disclosure posts usually get sent there, too.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
December 11, 2002 at 3:54 pm
I agree with Steve, and that is an awesome newsletter which MS is trying earnestly to have suppressed. MS is not into open disclosure about specific issues until they know they have them resolved. The problem they see is that as long as no one knows, then it is less likely a malicious code writer (not necessarily a hacker, folks) will go after it. But unlike MS, the rest of the real world wants to know before they get hit and not afterwards.