AppDetective™ for Oracle
Product Briefing
www.AppSecInc.com
AppDetective™ Briefing Agenda
• There is a problem…
– Database Security Problems
• In General
• Industry Requirements and Regulations
• There is a solution…
– AppDetective™ Capabilities
• Key Technology Feature Differentiation
• Who Benefits? How? Why?
– Requirement and Regulation Compliance
• Financial Services, Health Care, and E-Commerce
• There is a way… and a plan…
– What’s included?
– Our Organization, Current Position and Future Plans
Database Security Problems
• Inability to Effectively Inventory and Identify
Databases
• Database Vulnerabilities and Threats are Easily
Exploitable and are Growing Every Day
• Database Vulnerabilities and Threats Endanger
Trusted Systems
– Host Operating Systems
– Network Operating Systems
– Web Servers/Applications
Database Security Problems
• Database security problems directly affect how organizations are able to fulfill industry requirements such as the following:
– VISA CISP (Cardholder Information Security Program)
– Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act (HIPAA)
Existing Security Solution Shortcomings
• Security Management / Policy Compliance
– Agent Based
– Configuration Settings Management
• Vulnerability Assessment
– Many Solutions Do Not Check the Database Security Subsystem Level
– Require Administrative-Level Privileges
– Connection Configuration Requirements
• Database Client Drivers Installation
• Database Connection Troubleshooting
• Latest Versions and Vulnerabilities
– Organizations rarely dedicate resources to tracking these at this level
AppDetective™ is the Answer
• AppDetective™ for Oracle Empowers Organizations with the Following Capabilities:
1. Database Discovery and Identification
2. Penetration Testing
3. Security Audit
4. Reporting Facilities
5. Complementary and Compatible
6. Extensive and Updated Library of Vulnerabilities and Misconfigurations
AppDetective™ is the Answer
• AppDetective™ for Oracle Empowers the Following Individuals:
• Security Practitioners
• Internal Auditors
• General System Administrators
• Database Administrators
1. Discovery and Inventory
• Scanning
– IP Number
– Port Number
– Version (x.x.x.x)
– Host OS
• Scanning Advantages
– Accurate
– Continually Updated
– NMAP Integration
2. Penetration Testing
• Pen Test™
– True “Zero Knowledge” and non-intrusive penetration techniques are utilized – as simple as:
1. Discover the database through a Scan
2. Right-click on the selected database
3. Select “Pen Test” from the provided menu
– All checks are performed externally without elevated privileges
– Target database is not affected
2. Penetration Testing
• Pen Test™ Categories
– Denial of Service (DoS) Attacks
• Simulation and Verification of Version
– Misconfigurations
• Examples: Advanced Security Options Configuration Settings, Buffer Overflows, Listener Password Enabled
– Password Attacks
• Default and Easily Guessed Passwords
– Vulnerabilities
• Examples: NSPTCN Buffer Overflow, TNS Packet Leaking, etc.
• Pen Test™ Advantages
3. Security Auditing
• Security Audit Advantages
– Provides an “Inside-out” approach to auditing the security of your database
– Examines how an unauthorized user can obtain elevated privileges or circumvent security controls from the inside
– Automatic configuration upon discovery
3. Security Auditing
• Security Audit Categories
– Access Control
• Examples: Permissions, Roles, and Options Enabled
– Identification/Password Control
• Examples: Clear-Text, Default, and Easily Guessed Passwords
– System (Database) Integrity
• Examples: Denial of Service Checks, Buffer Overflows, Configuration Settings
– Operating System (OS) Integrity
• Examples: Trace Collection Buffer Overflow Susceptibility
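As an added illustration (these are not AppDetective's own checks), the queries below perform a small inside-out audit along the Access Control and Identification/Password Control categories listed above; they assume a DBA-privileged session and Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added example, not part of the original briefing: a minimal inside-out
-- Oracle audit covering the Access Control and Password Control categories.
-- Assumes a DBA session and Oracle 11g+ (DBA_USERS_WITH_DEFPWD).

-- Identification/Password Control: accounts still set to a vendor default password
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- Access Control: who holds the DBA role by direct grant
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Access Control: sensitive SYS packages executable by every account via PUBLIC
SELECT table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'DBMS_LOB')
 ORDER BY table_name;

-- Access Control: "ANY" system privileges held outside the built-in admin accounts
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- Password Control: profiles that never expire passwords, never lock accounts,
-- or enforce no complexity function
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;
```

Any row returned is a finding to review; an empty result for every query is the expected baseline on a hardened instance.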
4. Reporting Facilities
• Report Generation Facilities
– Policy Reports
– Summary Reports of the Tests Performed
– Detailed Reports of the Tests Performed
– High-Level Overview and Detailed Overview of Found Vulnerabilities
– Recommendations and Fix Information
• Report Generation Advantages
4. Reporting Facilities
• Reporting Examples
5. Complementary and Compatible
• AppDetective essentially picks up where all of the following leave off:
– Network and Host Operating System Scanners
– Port Scanners
– Other “Database” Scanners
6. Vulnerabilities and Misconfigurations
• Databases
– Oracle, Microsoft SQL Server, IBM DB2, Sybase, and MySQL
• Groupware
– Lotus Notes/Domino and Microsoft Exchange
• ERP
– SAP R/3, PeopleSoft, CRM
• Key Industry Advantage
– Application Security, Inc. devotes its entire R&D effort to the security, protection, and defense of applications.
AppDetective™ Fulfilling Requirements
• AppDetective™ capabilities provide organizations with a way to fulfill industry requirements in the following:
– Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act (HIPAA)
– VISA CISP (Cardholder Information Security Program)
AppDetective™ and the GLBA
• Gramm-Leach-Bliley Act (GLBA)
• TITLE V – PRIVACY
– SEC. 501 PROTECTION OF NONPUBLIC PERSONAL INFORMATION
– SEC. 505 (b) ENFORCEMENT OF SECTION 501.
• Interagency and NCUA Standards for Safeguarding Objectives and Guidelines
AppDetective™ and the GLBA
AppDetective™ Capabilities:
• Inventory and Identification
• Penetration Testing
• Security Audit
• Reporting Facilities
• Extensive and Updated Library of Application Vulnerabilities and Misconfigurations
Interagency and the NCUA Guidelines:
• B. Assess Risk
• C. Manage and Control Risk
• D. Oversee Service Provider Agreements
• E. Adjust the Program
• F. Report to the Board
AppDetective™ and HIPAA
AppDetective™ Capabilities:
• Inventory and Identification
• Penetration Testing
• Security Audit
• Reporting Facilities
• Extensive and Updated Library of Application Vulnerabilities and Misconfigurations
Administrative Procedures:
• Certification
• Contingency Plan
• Information Access Control
• Internal Audit
• Personnel Security
• Security Configuration Management
• Security Incident Procedures
• Security Management Process
• Termination Procedures
• Training
AppDetective™ and HIPAA
AppDetective™ Capabilities:
• Inventory and Identification
• Penetration Testing
• Security Audit
• Reporting Facilities
• Extensive and Updated Library of Application Vulnerabilities and Misconfigurations
Technical Security Services:
• Access Control
• Audit Controls
• Authorization Controls
• Data Authentication
• Entity Authentication
AppDetective™ and Visa CISP
AppDetective™ Capabilities:
• Inventory and Identification
• Penetration Testing
• Security Audit
• Reporting Facilities
• Extensive and Updated Library of Application Vulnerabilities and Misconfigurations
Visa CISP Requirements:
1. Install and maintain a working firewall to protect data accessible via the Internet
2. Keep security patches up to date
6. Restrict access to data by business need-to-know.
7. Assign a unique ID to each person with computer access to data.
8. Do not use vendor-supplied defaults for system passwords and other security parameters
9. Track all user access to data by unique ID
10. Regularly test security systems and processes
11. Administrative Data Security
Availability
• Evaluation Copies Available for Download:
– http://www.appsecinc.com/downloads/
• Updates are easily downloadable from:
– http://www.appsecinc.com/products/appdetective/updates.html
AppDetective™ Future Plans
• Expanded Database and Groupware Platforms
– Microsoft SQL Server
• http://www.appsecinc.com/products/appdetective/mssql/
– Lotus Domino
• http://www.appsecinc.com/products/appdetective/domino/
– Sybase
• http://www.appsecinc.com/products/appdetective/sybase/
– IBM DB2
• http://www.appsecinc.com/products/appdetective/db2
– MySQL
– Microsoft Exchange
Who is Application Security, Inc.
• Unique Position and Background
– SHATTER focuses on database, groupware, web, and ERP applications
• Encryption
• Penetration Testing/Vulnerability Assessment
• Intrusion Detection
• Where Application Security, Inc. (ASI) is Heading
– Develop security solutions that provide “protection where it counts”
Proposed Product Family Suite
• Database Encryption
– DbEncrypt™
• Oracle | SQL Server
• Pen Test / Vulnerability Assessment
– AppDetective™
• Lotus Domino | Microsoft SQL Server | Sybase | Microsoft Exchange | IBM DB2/UDB | MySQL
• Intrusion Detection
– AppRadar™ (Coming Soon)
Wrapping Up…
• There is a problem…
– Database Security Problems
• In General
• Industry Requirements and Regulations
• There is a solution…
– AppDetective™ Capabilities
• Key Technology Feature Differentiation
• Who Benefits? How? Why?
– Requirement and Regulation Compliance
• Financial Services, Health Care, and E-Commerce
• There is a way… and a plan…
– What’s included?
– Our Organization, Current Position and Future Plans