It’s not just for security anymore!
Vulnerability Assessment has traditionally been the way to check your servers and application for their respective patch levels. The motivation was to make sure that security patches were in place to address vulnerabilities, and the typical process to scan the network ports of all servers to detect. There are lots of tools out there that perform this kind of assessment. There are even great free tools out there like Nessus that can provide a fairly good general discovery and assessment services. But there is only so much information available at the network level, and this type of scan no longer provides the depth of information a typical IT administrator needs.
In the database and application realm, Assessment has changed quite a bit in the last year or so. Database Vulnerability Assessment (DBVA) or Application Vulnerability Assessments, are more operationally focused. Sure, Security is still a driver, but what I am seeing is the function is oft put under the umbrella of Compliance or Operations. In practice, DBVA has evolved into a very different product than your typical network based vulnerability assessment. They have evolved into agent based, script over SSH, or even JDBC/connection oriented interrogations. The result of being able to see inside the application, and how it uses the surrounding system, provides far better depth of information and allows for greater analysis of security and compliance.
‘Who cares’ you ask?
Compliance and Audit: Compliance efforts do not differentiate between assessment, monitoring and auditing technologies, only that they have a list of requirements to meet. Preventative controls forms a huge portion of the list and that is typically where assessment is best suited. Assessment provides the method to accurately detect the configuration setting or patch level, as well as a comparison with what industry or (more importantly) company compliance standards are. They check to ensure that controls are in place, permissions are appropriate, unneeded packages are not present, and that features like audit are turned on when necessary. The tools tend to be far simpler to use than IDS or Monitoring , and thus allow non-technical people to perform policy management without requiring DBA or IT Admin intervention.
IT Administration & Operations: Most of the large firms I speak with have corporate standards for how applications are set up, approved versions of software, and a deployment or rollout process. Software is not updated every time an update comes along, a la Anti-Virus. For eBusiness applications and databases like Oracle, for example, a certification process is run prior to rolling out the patches. How a particular issue is addressed, or even if it is addressed, is a decision made by several stake holders, and that policy decision is implemented in the assessment tool. Assessment is a place holder for corporate IT and compliance standards, and can also provide the data collection and reporting infrastructure to demonstrate policies are being enforced.
Security: Subtle trust and configuration issues that lead to security weaknesses that could be exploited are evident from the application perspective, and not visible from the network. For example, features and packages that can be exploited like external stored procedures or DBA roles that also carry OS Admin credentials. We are not just playing the security patch-up & catch-up game, but thinking like a hacker to examine where potential vulnerabilities are and what trust relationships may be subverted. Preventative measures and analysis is the intention to provide more meaningful security in context of the applications business use case.
Assessment is also being used as a ‘Stop Gap’ between the time is patched is the ability to send assessment results to other workflow systems, Monitoring or IDS in order to provide active security until the application is patched.
Notice I did not offer a Database Administrator perspective? That is because they are one of many stakeholders, and while important to the overall process, not the driver for the business, security and operations issues that I discussed above.
You will also notice that the thrust of many posts I have made are about the coalescing of various security technologies like DLP & DAM under a policy management umbrella. I see security & compliance moving in this direction of a somewhat evolutionary step of policy puppeteer controlling various security and audit tools, and it has more to do with customer perception levels than real security rationale. VA is the closest I have seen to a pure policy engine, but not ultimately what I envision. I imagine we will see a lot of new offerings introduced to the market this year, but today Assessment acts as a very nice bridge between non-technical, quasi-technical and technical stakeholders who need to perform various certifications, audits and checks. It can also provide some degree of separation of duties in context to the security or compliance process.
Finally, preventative measures are a good starting place for security and compliance programs, helping to focus the more process intensive DLP or Monitoring solutions. Fix what you can, Monitor what is vulnerable. As Rich Mogull noted in his series of posts on ‘Understanding Database Activity Monitoring’, Vulnerability Assessment that works at the application level provides both a depth of information pertinent to multiple stakeholder, and forms a very nice complement to Database Activity Monitoring and Auditing. In fact, neither should really stand alone, but need to be complemented by one-another.