Free VS Commercial Database Vulnerability Scanning
Part of the vulnerability assessment process must include a vulnerability assessment of your databases.
The sad reality is that while there are thousands of tools that focus on web application and network security scanning, very few do the same for databases.
Today we are comparing the results delivered by Scuba by Imperva (a free tool) and NGSSQuirreL for SQL by Next Generation Security Software (a commercial tool).

The tools comparison table
Here is a side-by-side comparison of the functionality and results of both tools.
The results
To provide the most impartial evaluation of the results, we have generated detailed reports from both tools as PDF files. You can review them and assess the quality yourself.
- Here you can download and view a SCUBA PDF Database Vulnerability Detailed Scan of a SQL 2008 Express DBMS
- Here you can download and view a NGSSQuirreL PDF Database Vulnerability Detailed Scan of a SQL 2008 Express DBMS
Conclusion
It is evident that the commercial tool beats the free Scuba in every area. But before you jump into a purchase, you need to assess your requirements and expectations.
It is therefore advisable to get the free tool, run it in your environment and understand its results, so you know what is missing before extending your search to a better tool.
Talkback and comments are most welcome
Quick and Basic Security Assessment for Databases
When preparing a database solution, one must always make sure that the security of the database is up to specification. The first step in properly securing a database is a security posture assessment.
While there are a lot of tools that will do this for you, Imperva has a free tool named Scuba that performs a very basic but very fast database security posture assessment.
To use Scuba, just download and extract the zip file to a folder. Enter the DBMS connection parameters, test the connection and press Go.
After Scuba finishes the assessment, it produces an XML report. To review it in a human readable form, choose the level of detail from the report templates (Summary, Assessment with details, Assessment without details) and generate the HTML.
Here is a screenshot of the generated assessment report
The quality of the report is basic, but it will point you in the right direction by sifting through the well-known attack methods and vulnerabilities. One must not rely solely on this tool for database security, and should employ other relevant tools as well.
User warning: since the tool comes with NO DOCUMENTATION, here are several warnings and tips that will ease its use:
- Since Scuba is a Java-based tool, it requires a JRE to work. Also, in order to connect to an MS SQL RDBMS, you must have the Microsoft SQL Server JDBC Driver installed.
- Errors are logged, but there is no user-friendly message when an error occurs. To debug possible problems, look for the 'scuba-error.txt' file and read through the Java exceptions recorded in it.
- The 'scuba-error.txt' file is appended to, never overwritten, so the last error in the file is the one that hit you. For easier debugging, delete scuba-error.txt after each session so the file only contains the errors from the current session.
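Because the error file keeps growing across sessions, the exception you want is always the last record in it. The script below is an added example (not part of Scuba or of the original post) that splits such a log into one record per Java exception and returns the most recent one; it assumes scuba-error.txt contains standard Java stack traces (an "ExceptionClass: message" line followed by "\tat ..." frames and optional "Caused by:" chains), and the sample log it carries is constructed.

```python
"""Pull the most recent Java exception out of an appended-to Scuba error log.

Added example, not Scuba's own code. Assumes the file holds ordinary Java
stack traces; the SAMPLE_LOG below is constructed to look like two sessions.
"""
import re

# Constructed sample: two sessions appended to the same file. Only the last
# exception is the one from the current run.
SAMPLE_LOG = """\
java.lang.ClassNotFoundException: com.microsoft.sqlserver.jdbc.SQLServerDriver
\tat java.net.URLClassLoader.findClass(URLClassLoader.java:381)
\tat java.lang.ClassLoader.loadClass(ClassLoader.java:424)
com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'scuba'.
\tat com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2000)
\tat com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1500)
Caused by: java.net.ConnectException: Connection refused
\tat java.net.PlainSocketImpl.socketConnect(Native Method)
"""

# Start of a new exception record: a fully qualified Java class name at column 0,
# optionally followed by ": message". Indented frames ("\tat ...") and
# "Caused by:" lines belong to the record above them.
_HEADER = re.compile(
    r'^(?:Exception in thread "[^"]*" )?'
    r'([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)(?::\s*(.*))?$'
)
_CAUSE = re.compile(r"^Caused by:\s*(.*)$")


def split_exceptions(log_text):
    """Split an appended-to error log into one record per top-level exception."""
    records = []
    for line in log_text.splitlines():
        if line.startswith(("\t", " ")):
            # indented line: a stack frame or "... N more" of the current record
            if records:
                records[-1]["frames"] += 1
            continue
        cause = _CAUSE.match(line)
        if cause and records:
            records[-1]["causes"].append(cause.group(1).strip())
            continue
        header = _HEADER.match(line)
        if header:
            records.append({
                "type": header.group(1),
                "message": (header.group(2) or "").strip(),
                "frames": 0,
                "causes": [],
            })
        # anything else (blank lines, stray output) is ignored
    return records


def last_exception(log_text):
    """The exception from the most recent session, or None if the log has none."""
    records = split_exceptions(log_text)
    return records[-1] if records else None


def read_last_exception(path="scuba-error.txt"):
    """Read the log file named in the post and return its last exception."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return last_exception(fh.read())


if __name__ == "__main__":
    err = last_exception(SAMPLE_LOG)
    print(f"{err['type']}: {err['message']}")
    for cause in err["causes"]:
        print("  caused by:", cause)
```

Run it against the real file with read_last_exception() from the folder where Scuba was extracted; the "Caused by:" chain usually names the actual problem (a missing JDBC driver, a refused connection, a failed login) more precisely than the top-level exception does.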
SQL Server Bulk Import - BCP HOW TO
A lot of people using the free MS SQL Server 2005 Express hit a brick wall when they try to import data into the created database. Here is a tutorial, with video demo included on how to use the command-line BCP tool to import data into MS SQL Server 2005 Express.
During an analysis I conducted in the past days, I also found out the hard way that MS SQL Server 2005 Express does not have GUI-based Data Transformation Services. The only thing it does have is the BCP command-line tool.
So, here is a step-by-step tutorial on how to use the BCP tool and not give up on an otherwise good (and free) product:
- The data - I am importing data collected by tcpdump. I stored the data in a CSV file (data.csv), a text file with a comma delimiter. Here is a sample row:
    16,10.176.1.105,NULL,10.176.1.254,NULL,NULL,64,17.12.2007,19:20:52,520,PING Req,NULL
- Creating the database - Log in with the command-line SQL tool (sqlcmd) and use the following set of commands to create the database and the table that will receive the imported data:
    sqlcmd -S ATLAS\SQLEXPRESS
    create database data_analysis
    go
    use data_analysis
    go
    create table data_import (
        [No_packet] [int] NULL ,
        [Src_Logical] [varchar] (255) ,
        [Src_Port] [varchar] (255) ,
        [Dest_Logical] [varchar] (255) ,
        [Dest_Port] [varchar] (255) ,
        [Flags] [varchar] (255) ,
        [Packet_Size] [int] NULL ,
        [Packet_Date] [varchar] (255) ,
        [Absolute_Time] [varchar] (255),
        [Additional] [varchar] (255) ,
        [Protocol] [varchar] (255) ,
        [newdata] [varchar] (255)
    )
    go
    use data_analysis
    select count(*) from data_import
    go
    quit
- Importing the data - from the command prompt, run the BCP tool:
    bcp data_analysis.dbo.data_import in data.csv -T -C1250 -c -t, -S ATLAS\SQLEXPRESS
  The parts of the command are:
- bcp - the executable file name
- data_analysis.dbo.data_import - name of the database, owner and table that receives the data
- in - the same command is used for export and import. in means importing, out means exporting
- data.csv - name of the file that contains the data to be imported, or that receives the exported data when using the out direction
- -T - switch indicating a trusted connection. When using this switch, the bcp command uses the Kerberos ticket of the logged-on Windows user to authenticate. If you don't use -T, you'll have to use -U and -P (user name/password)
- -C1250 - collation (the -C switch sets the code page BCP uses to read the file). I found out that BCP does not work well with Unicode files, so I am forcing the 1250 collation (Central European), which works with most characters
- -c - treat everything as characters. This way it will be very easy to import any information.
- -t, - delimiter. The default delimiter for BCP is tab, so I need to inform it of my delimiter character (comma)
- -S ATLAS\SQLEXPRESS - server. This switch is followed by the hostname\instance name (for MS SQL Server Express the instance name is SQLEXPRESS)
- Verifying the import - log in with sqlcmd again and count the rows that landed in the table:
    use data_analysis
    select count(*) from data_import
    go
    quit