Penetration Testing mailing list archives
Re: Database Scanners
From: Jay Beale <jay () bastille-linux org>
Date: Fri, 13 Aug 2004 09:32:44 -0700
The first part of the question seems to be whether there should be a separate security administrator at all -- I think there definitely should be. Having a primary focus on security allows an individual to both build up and practice not only the requisite skills, but also the right attitude, one that forces you to constantly consider how you would break into your site and thus what remediation steps should be taken. Honestly, a huge part of what we do as security people is just exercising this attitude. Having a separate security administrator not only allows some part of your organization to think in this way, but also gives you someone to serve as a kind of "security conscience," a voice that questions bad implementation decisions, hopefully while they're being made.
As far as what department the Security Administrator should work for, the jury is still out. Many people favor a separate security team that doesn't share space or resources with the normal IT department. This has always seemed ideal, but it comes at a very high cost. By not being part of the operational IT group, sitting with those folks every day, the security group very often loses the ability to influence the IT folks in any way but fiat. And fiat is a difficult way to do security...
- Jay

Frank Boldewin wrote:

hi peter,

in my opinion the auditor (revision or tiger team) of the company, because it's a bad idea to let the department check their own environment. i think that dual control makes a better security and assures that the scans are really done at regular intervals.

greetings,
frank

----- Original Message -----
From: "PETER INEH" <PINEH () mbc-nig com>
To: "Jay Beale" <jay () bastille-linux org>; "Frank Boldewin" <frank.boldewin () gmx de>; <pen-test () securityfocus com>
Sent: Friday, August 13, 2004 11:25 AM
Subject: Re: Database Scanners

Greetings,

Can anyone confirm to me which department should handle the duties of the Security Administrator. Is it IT department or the IT Auditor?

Thanks.

Peter Ineh
Inspection Department
MBC International Bank Limited

-----Original Message-----
From: Jay Beale <jay () bastille-linux org>
To: Frank Boldewin <frank.boldewin () gmx de>
Cc: pen-test () securityfocus com
Date: Thu, 17 Jun 2004 23:12:33 -0700
Subject: Re: Database Scanners

I'm pretty impressed by MetaCoretex.

http://www.metacoretex.com/

Quoting: MetaCoretex is an entirely JAVA vulnerability scanning framework which puts special emphasis on databases. Probe objects are written in JAVA by means of an easy to extend AbstractProbe class. Additionally, probe generators make the process of writing simple probes almost automagic. Please see the Features FAQ for information on all the junk MetaCoretex can do... Also, check out the Probe List for a current listing of active probes.

- Jay

In the wise words of Frank Boldewin:

hi,

the only good database scanner i know is appdetective.

http://www.appsecinc.com/products/appdetective/

scans several databases: oracle, db2, mssql, mysql, notes, sybase and webapps.

hope that helps.

cheers,
frank

----- Original Message -----
From: <brownsec () hotmail com>
To: <pen-test () securityfocus com>
Sent: Wednesday, June 16, 2004 10:39 PM
Subject: Database Scanners

Is anyone aware of a good scanner that will work well against DB2 databases? I know ISS has a DB-Scanner but it does not appear to be compatible with DB2.

Thanks...