Vulnerability Assessment

 

Vulnerability Assessment Overview

The Guardium Vulnerability and Threat Management solution is the first step in security and compliance life-cycle management for any database environment. A set of predefined and custom tests, together with a process workflow, allows organizations to identify and address database vulnerabilities in an automated fashion, proactively improving configurations and hardening infrastructure.

Database Vulnerability Assessment is included in the Guardium Vulnerability and Threat Management solution to scan the database infrastructure for vulnerabilities and to provide an evaluation of database and data security health, with both real-time and historical measurements.

The Guardium Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. Guardium’s assessment process evaluates the health of your database environment and recommends improvements by:

 

Integration with CAS

CAS plays an important role in the identification of vulnerabilities and threats. Guardium pre-configured and user-defined CAS templates can be used in assessment tests, giving a holistic view of the customer’s database environment. With CAS, Guardium can identify vulnerabilities to the database at the OS level, such as file permissions, ownership and environment variables. These tests can be seen through the CAS Template Set Definition panel and have the word 'Assessment' in their name.

 

Vulnerability Assessment Tests

A Vulnerability Assessment may contain one or more of the following types of tests. Additionally, over two hundred new tests have been added to check database configuration parameters, privileges, and so on. See Security Assessment Tests for a detailed list.

 

Predefined Tests

Predefined tests are designed to illustrate common vulnerability issues that may be encountered in database environments. Because of the highly variable nature of database applications and the differences in what is deemed acceptable in various companies or situations, some of these tests may be suitable for certain databases but totally inappropriate for others (even within the same company). Most of the predefined tests are customizable to meet the requirements of your organization. Additionally, to keep your assessments current with industry best practices and protect against newly discovered vulnerabilities, Guardium distributes new assessment tests and updates on a quarterly basis as part of its Database Protection Subscription Service. Please refer to the Guardium Administration Guide for more details.

Predefined Tests include:

 

Observed Tests

This set of tests assesses the security health of the database environment over time and is based on the information collected by the appliance.

As an example, some of the observed vulnerability tests included are:

Configuration Tests

This set of assessments checks security-related configuration settings of target databases, looking for common mistakes or flaws in configuration that create vulnerabilities.

As an example, the current categories, with some high-level tests, for configuration vulnerabilities include:

Custom Tests

Guardium provides an interface to define custom assessment tests, either as a Java class or through Guardium’s query builder facility. A custom assessment test is a user-written vulnerability assessment test implemented as a Java class. Custom tests must be uploaded to the system by the administrator before they can be used. For information about creating and maintaining custom tests, see the Custom Assessment Tests topic in the Administrator Guide.

Query Based Tests

A query-based test is a user-defined test that can be created quickly and easily by defining or modifying a SQL query. The query is run against a database datasource and its results are compared to a predefined test value. See Define a Query-based Test for additional information.

CAS-based Tests

A CAS-based test is a user-defined test built on a CAS template item of type OS Script command. Users specify which template item to use and then test against the content of the CAS results. See Create a New Template Set Item for assistance on creating an OS Script type CAS template item.

Guardium also comes pre-configured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These can be seen through the CAS Template Set Definition panel and have a name which contains the word 'Assessment'. For instance, the Unix/Oracle set for assessments is named 'Guardium Unix/Oracle Assessment'. Additionally, any template item that is added that involves file permissions will also be used for permission and ownership checking. See Modify a Template Set Item to view these template sets and the items with type OS Script. Whether using a Guardium pre-configured item or defining your own, once defined, these items will appear for selection during the creation or modification of CAS-based tests. See Define a CAS-based Test for additional information.
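The following script is an added example of the kind of check an OS Script template item would run for a CAS-based test, covering the three OS-level conditions named under Integration with CAS (file permissions, ownership and environment variables). It is not one of the Guardium-shipped 'Assessment' template items and is not taken from the Guardium documentation. The database software owner ("oracle"), the environment variable (ORACLE_HOME) and the directory it scans are assumptions passed in as arguments; the "PASS" / "FAIL ..." output format is an invented convention that a CAS-based test could then compare against an expected value of PASS.

```shell
#!/bin/sh
# Added example (not Guardium's own template item): an OS Script style check
# that a CAS-based test could evaluate. Prints "PASS" when no finding exists,
# otherwise one "FAIL ..." line per finding, and exits 1.
#
# Usage:  sh cas_assess.sh /u01/app/oracle oracle ORACLE_HOME
# Assumed values above (directory, OS owner, variable name) are hypothetical.

# List regular files under DIR that are world-writable (other-write bit set).
# -perm -002 is the portable spelling of "o+w is set".
world_writable_files() {
    find "$1" -type f -perm -002 -print 2>/dev/null | sort
}

# List regular files under DIR (second argument) not owned by USER (first
# argument). ls -ld is used instead of stat because the stat flags differ
# between GNU and BSD userland; field 3 of ls -ld is the owner on both.
files_not_owned_by() {
    user="$1"; dir="$2"
    find "$dir" -type f -print 2>/dev/null | sort | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        [ "$owner" = "$user" ] || printf '%s owner=%s\n' "$f" "$owner"
    done
}

# Succeed only if environment variable NAME is set and non-empty. The name is
# validated as an identifier before eval so that the check cannot be abused
# to run arbitrary shell.
env_var_set() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "val=\${$1:-}"
    [ -n "$val" ]
}

# Combine the three checks. A CAS-based test would capture this output and
# compare it with the expected value "PASS".
assess() {
    dir="$1"; user="$2"; var="$3"
    out=$( {
        world_writable_files "$dir" | sed 's|^|FAIL world-writable: |'
        files_not_owned_by "$user" "$dir" | sed "s|^|FAIL not owned by $user: |"
        env_var_set "$var" || echo "FAIL env var $var is unset or empty"
    } )
    if [ -z "$out" ]; then
        echo PASS
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Only run when invoked with a directory argument, so the functions can also
# be sourced and reused.
if [ -n "${1:-}" ]; then
    assess "$1" "${2:-oracle}" "${3:-ORACLE_HOME}"
fi
```

Run against a real ORACLE_HOME it reports every world-writable file and every file not owned by the software owner; a clean tree with the variable set yields the single line PASS, which is the value the CAS-based test would expect.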