AppDetective scans for IBM DB2 market

Database hackers beware: Application Security Inc. has finally released its AppDetective v.3.0 for IBM Corp.’s DB2 databases.

Once installed, AppDetective seeks out and discovers every database on a network – even ones installed on non-standard ports.

“AppDetective for IBM DB2 is an automated vulnerability assessment application scanner that empowers security practitioners and database administrators with an all-in-one solution to discover rogue DB2 installations, check for accounts with weak passwords, misconfigurations and vulnerabilities,” said Aaron C. Newman, chief technology officer for Application Security.

It then runs two tests: it tries to break into the database from outside the network, and it tries to penetrate the database from inside the network, posing as an unauthorized user to find the points of entry through which rogue users could gain access to classified information.

Once vulnerabilities are detected, network administration is notified via a report that includes instructions on how to eliminate the threat. For now, the holes have to be fixed manually, but automation is a function the company plans to include in AppDetective’s next version – patches would be automatically downloaded and settings reconfigured at the click of a mouse, Newman said.

Because AppDetective is Web-based, penetration tests and security audits can be performed remotely over the Internet or from a laptop – this requires at minimum Microsoft Internet Explorer v.4.01.

Newman said AppDetective is scalable to accommodate about 1,000 databases. It runs on Microsoft Corp.’s Windows NT v.4.0 and up, Microsoft Windows 2000 Professional, and Windows XP Professional. It can be installed on any machine as long as it’s attached to the network – it doesn’t even have to be installed on the server.

Target database servers include IBM DB2 v.6.1, v.7.1, v.7.2 and v.8.1. AppDetective costs US$1,295 per database.

Soon, Newman said, an enterprise edition of AppDetective will be released, allowing companies with many locations to run only one version of the software and administer the scanning from one spot. This version would divvy up database scanning tasks to different machines, but reports would all be generated in one spot. Right now, all the reports are generated separately and have to be relayed manually to a central location.

Joe Zhou, IS Security Specialist, database architecture for Sprint, based in Overland Park, Kan., said Sprint participated in the testing of the device and added that there is only one competitor in security software in the DB2 market: Symantec Corp.

Pete Lindstrom, research director with Spire Security based in Malvern, Penn., said that indeed, there are not many database-scanning tools around for IBM’s DB2. And because DB2s are mainly associated with mainframes, they have an aura about them of running larger and more mission-critical applications.

Zhou cited one concern about the product tied in with the scanning capabilities. There are two different places where the database is scanned, he said. One is the database itself, and the other is the part of the operating system that deals with the database. It is the latter that is not functioning, Zhou explained. The architecture for this functionality exists but the functionality itself isn’t available.

AppDetective v.3.0 is available for IBM’s Lotus Domino, Oracle Corp., Microsoft Corp.’s SQL Server, and Sybase databases. Lindstrom said the more platforms that are supported, the more valuable the product is to the enterprise. Versions of AppDetective for MySQL, Oracle Application Server, Microsoft Exchange and IBM WebSphere are also on their way.

Lindstrom and Jim Hurley, vice-president and managing director, information security with the Aberdeen Group in Boston, said database security is rapidly becoming more important to the enterprise. Hurley said because this market is still fairly new there are lots of players, and there is one crucial problem: that of patching up security holes in databases.

He said if users need a patch, they’re going to go directly to the database vendor as opposed to Application Security. And he said that none of the players in this industry are really large enough to act as brokers between the vendor and the user. He said this problem could impact the speedy patching of security holes, but stressed that this issue is industry-wide, not solely with Application Security.

Application Security Inc. is based in New York City. For further information visit