Let’s take a look at how traditional vulnerability assessment (VA) tools compare to those built specifically to assess database security.
General vulnerability assessment tools have been in use for more than 25 years, so the technology is mature. However, there are significant differences in the tools available and their specific purposes regarding database security management.
Many VA solutions on the market offer general vulnerability assessments, focusing on a wide range of IT assets. Over time, these solutions have evolved to include features for assessing web applications and databases, and some even evaluate system configurations.
However, database scanning for many remains a checkbox for compliance rather than a thorough assessment that will, in fact, protect your data. Organizations needing rigorous database security certification should work with providers who offer comprehensive assessments. For instance, while leading VA vendors might identify hundreds of database security issues, Trustwave and its purpose-built tools can uncover thousands, providing context to prioritize critical vulnerabilities.
Trustwave accomplishes this in a variety of ways. Most importantly, we employ an elite team of database security researchers within Trustwave SpiderLabs who have created the vulnerability knowledgebase for our AppDetectivePRO and DbProtect solutions. This knowledgebase goes beyond checking for known vulnerabilities and provides an in-depth assessment of security weaknesses such as password issues, excessive permissions to users/roles, misconfigurations, improper access controls, and more.
It also provides comprehensive remediation information beyond just what patch to apply. The knowledgebase offers proven workarounds and fix scripts to help your team remediate issues more quickly. SpiderLabs has discovered hundreds of vulnerabilities within database platforms and is well-known within the industry.
This is a far more detailed approach than traditional VA solutions, which rely on feeds from the National Vulnerability Database (NVD) run by NIST and CVE lists from MITRE for content. This information is important and common among traditional solutions but only provides a surface-level assessment of known vulnerabilities.
AppDetectivePRO and DbProtect have an entire extra scanning layer and go beyond scanning based on policies within their knowledge base. These tools can perform deep-dive scans of the relationship between users, roles, and objects in a database. This in-depth analysis helps organizations understand key areas of risk and answer questions security and business leaders need to know like:
- Who has access to a sensitive table containing PII?
- What type of access does a user have to that PII?
- How was the user granted access to the PII? Was it by a role, a nested role, a direct grant, or granted via multiple roles?
- Which privileged users should be placed on a watchlist?
Traditional VA solutions do not provide the functionality to review database user access rights.
Trustwave has found that some organizations need help prioritizing the level of security that needs to be placed on their databases. Databases that contain sensitive data require a higher frequency of scanning with a more stringent policy. Databases storing critical information have added risk and require additional security controls like data masking, encryption, or activity monitoring.
Trustwave AppDetectivePRO and DbProtect can scan and identify PII and PHI, data that is extremely sensitive and highly favored by threat actors and thus requires additional scanning. Sensitive data discovery generally is not provided by traditional VA solutions.
Compliance scanning is only a fraction of the capabilities found in AppDetectivePRO and DbProtect, but it is among the most useful and important. The Trustwave knowledge base has policies specific to each Center for Internet Security (CIS) benchmark and Defense Information Systems Agency (DISA) - Security Technical Implementation Guides (STIGs) down to the database vendor and version.
Trustwave’s knowledgebase is consistently updated when CIS or DISA provide new versions. Beyond DISA-STIG and CIS, AppDetectivePRO and DbProtect have best practice policies recommended as starting baselines for various regulatory and compliance standards. Policies can be customized to adapt to any organization’s environment. Policies include but not limited to HIPAA, PCI DSS, GDPR, CCPA, APRA CSP 234, CMMC, and GLBA.
Some traditional VA tools have added database compliance scanning capabilities that help organizations comply at a surface level and provide vanilla policies (i.e., CIS or DISA-STIG) but do not always allow for customization for known unique environment configurations.
Understanding How Trustwave Differs from Traditional VA Tools
Traditional VA tools focus on identifying security weaknesses across a broad range of IT assets within your network. These tools typically cover:
- Operating Systems (e.g., Windows, MacOS, AIX, Linux, Solaris)
- Network protocols (e.g., DNS, FTP, SMTP, RPC)
- Network devices (e.g., firewalls, UTC, WAF)
Due to their broad coverage, traditional VA tools cannot provide the deep security analysis required for specialized IT assets like databases. Databases have unique authentication subsystems, security configurations, and vulnerabilities that differ from the operating systems they run on. These critical IT assets need a purpose-built solution to effectively identify security weaknesses and associated risks.
Traditional VA tools focus on patchable items or issues with a CVE. While they may scan for the latest database patches, they cannot match the detailed assessments provided by Trustwave’s AppDetectivePRO and DbProtect. These tools offer a deeper analysis, identifying more vulnerabilities and providing the context to address them effectively.
Access Control: Addresses the internal security policy of the database system. Trustwave examines issues such as:
- Identifying all accounts with system-level privileges
- Identifying all accounts with administrative access
- Identifying excessive permissions to security configurations and functions
Application Integrity: Ensures that security controls, configuration settings, and data have not been tampered with and are reliable. Trustwave examines issues such as:
- Identifying misconfigured security configurations and features
- Identifying missing patches
- Identifying vulnerabilities
Identification and Password Control: Refers to mechanisms and controls for processes like password creation and account expiration. Trustwave examines issues such as:
- Identifying insecure password configuration settings
- Identifying default and weak passwords
- Identifying guest users and locked logins
Operating System (OS) Integrity ensures that the OS has not been altered or can’t be accessed by an unauthorized user. Database systems store many configuration files on the OS that require restricted access to only appropriate users. Some examples of the OS integrity controls Trustwave examines for:
- Identify all accounts with privileges to database files stored on the OS.
- Identify all accounts with local administrative OS privileges that could be used to change database system security functions.
- Identify database system OS features that could be used as an attack vector.
By considering these factors, organizations can select the right vulnerability assessment tool for their databases, ensuring comprehensive security and compliance.
