Vulnerability Assessments and Compliance
One technique for evaluating database security involves performing vulnerability assessments or penetration tests against the database. Testers attempt to find security vulnerabilities that could be used to defeat or bypass security controls, break into the database, or otherwise compromise the system. Database administrators or information security administrators may, for example, use automated vulnerability scans to search out misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software. The results of such scans are used to harden the database (improve the security controls) and close off the specific vulnerabilities identified, but unfortunately other vulnerabilities typically remain unrecognized and unaddressed.
A program of continual monitoring for compliance with database security standards is another important task for mission-critical database environments. Two crucial aspects of database security compliance are patch management and the review and management of permissions (especially those granted to public) on objects within the database. Database objects include tables and other object types. The process considers which SQL commands each grantee is permitted to run on those objects. One should note that compliance monitoring is similar to vulnerability assessment, with the key difference that the results of vulnerability assessments generally drive the security standards that lead to the continuous monitoring program. Essentially, vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of ongoing risk assessment.
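The permission review described above, as an added example that is not part of the original text: a PostgreSQL-dialect check (assumed; the information_schema views are SQL standard, has_schema_privilege is PostgreSQL-specific) listing every privilege PUBLIC holds, followed by the remediation pattern. The object and role names app.customer and app_reporting in the comments are placeholders.

```sql
-- Added example, not from the original text. Run as a superuser or the
-- owning role so that information_schema shows all grants.

-- 1. Every table/view privilege held by PUBLIC outside the system schemas.
--    Each privilege_type is a SQL command (SELECT, INSERT, ...) that any
--    login can run against the object without an explicit grant.
SELECT table_schema,
       table_name,
       string_agg(privilege_type, ', ' ORDER BY privilege_type) AS public_privileges
FROM   information_schema.table_privileges
WHERE  grantee = 'PUBLIC'
  AND  table_schema NOT IN ('pg_catalog', 'information_schema')
GROUP  BY table_schema, table_name
ORDER  BY table_schema, table_name;

-- 2. Routines executable by PUBLIC. PostgreSQL grants EXECUTE to PUBLIC on
--    newly created functions by default, so expect findings here on most servers.
SELECT routine_schema, routine_name
FROM   information_schema.routine_privileges
WHERE  grantee = 'PUBLIC'
  AND  privilege_type = 'EXECUTE'
  AND  routine_schema NOT IN ('pg_catalog', 'information_schema')
ORDER  BY routine_schema, routine_name;

-- 3. Can every role create objects in the "public" schema? This is true on
--    PostgreSQL releases before 15 unless an administrator has revoked it.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- Remediation pattern, applied only after a finding is confirmed against the
-- security standard (placeholders: app.customer, app_reporting):
-- REVOKE ALL ON TABLE app.customer FROM PUBLIC;
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;
-- GRANT  SELECT ON TABLE app.customer TO app_reporting;  -- re-grant to the role that needs it
```

Re-running queries 1 to 3 after the REVOKE statements and comparing against the previous run is the continuous-monitoring loop the text describes.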
The compliance program should take into consideration any dependencies at the application software level, as changes at the database level may have effects on the application software or the application server. Closely related to this topic is application security.