PentaSafe Releases SQL Security Tool

New product monitors SQL configurations and currency of security patches

• By Matt Migliore
• 11/13/2002

The offering, based on the same technology PentaSafe previously developed for Oracle and Sybase databases, helps database administrators and security managers cope with information-based attacks on SQL by ensuring the currency of patches and service packs, as well as by looking for certain configuration problems.

A report by the SANS Institute released in October ranked SQL as one of the most vulnerable systems in wide use today. The report said, "[SQL] contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and in some configurations, compromise server hosts." (For more information, visit http://www.esj.com/news/article.asp?EditorialsID=293.)

PentaSafe’s VigilEnt Security Agent for SQL is an effort to address these issues.

According to the company, while enterprises are aggressively working to “lock down” operating systems and Web servers to alleviate vulnerabilities, databases aren’t being given the same attention. The reason: database administrators simply don’t have time to stay on top of all the security alerts. From January to August 2002, Microsoft released nine major alerts for SQL.

Some of the configuration problems VigilEnt for SQL looks for include null passwords, default accounts, and faulty privilege settings.

Greg Davoll, product manager for database products at PentaSafe, says most companies aren’t up to date on the latest patches and service packs. “I’m not aware of anyone that’s doing that very well and keeping up with it as much as the vendors would like them to be,” he says. “There’s always a lag. Whether it’s six months, nine months, or a year, that’s hard to say, but there’s always a lag there.”

Particularly in regard to SQL, Davoll says vulnerability problems are related to features companies never use. “It’s analogous to Microsoft Office. You’ve got 80 percent of the functionality you never use,” he says. One specific problem he cites is the way SQL handles passwords. SQL is installed with no password requirement, which leaves the system open to attack.

According to Microsoft, the .NET 2003 edition of SQL will be installed in a locked down state. As such, all configurations will be set up in their most secure state upon implementation, which could take some of the value out of PentaSafe’s product.

Davoll says that’s not a problem for PentaSafe. “We’d be pretty excited about that,” he says. “Any improvement the vendors can make will be welcome by not only users but providers of add-ons like [VigilEnt for SQL].”