While you can perform most of your audit using manual methods, it is often helpful to have a set of tools to take over repetitive or technical chores. Tools let you spend more time interpreting results rather than collecting them or wrestling with technical details. Auditing tools are good at providing the raw material that you will still need to analyze and interpret; that analysis is the added value a human auditor brings when using one of these tools.
Tools are useful for finding both vulnerabilities and missing patches, and there are two common perspectives on scanning a database for them. One is to find and document as many vulnerabilities as possible. The other is to deemphasize individual vulnerabilities and instead focus on which patches are installed. The first view is great for figuring out how bad your security is, but it deals with ad hoc vulnerabilities on a one-off basis. The second view pushes you toward a solid plan for implementing a patching process, since applying the vendor's patches addresses the vulnerabilities they fix in one step rather than one finding at a time. At the end of the day, you and the DBA need to know which patches you haven't applied, not the technical details of every vulnerability in the system.
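The patch-centric view in practice amounts to comparing what each database reports about itself against the build level you and the DBA have agreed is current. The following is an added example for this section, not code from the page or from any of the products named later: it parses reported version strings, compares them numerically (as plain strings, "14.9" would sort after "14.10" and hide a missing patch), and lists the instances that are behind the baseline or have no agreed baseline at all. The inventory, the version strings and the baseline build numbers are constructed for illustration; in a real engagement the version comes from a query such as SELECT @@VERSION (SQL Server) or SELECT version() (PostgreSQL) and the baseline from the vendor's current patch list.

```python
"""Patch-level gap report for a fleet of database instances (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed baseline (hypothetical build numbers, not a vendor advisory):
# for each (engine, major version) the minimum build considered fully patched.
BASELINE: Dict[Tuple[str, str], str] = {
    ("sqlserver", "15"): "15.0.4312.2",
    ("postgres", "14"): "14.10",
    ("postgres", "15"): "15.5",
}

# Constructed inventory: (host, engine, version string as the server reports it).
INVENTORY: List[Tuple[str, str, str]] = [
    ("db01", "sqlserver", "Microsoft SQL Server 2019 (RTM-CU25) - 15.0.4312.2 (X64)"),
    ("db02", "sqlserver", "Microsoft SQL Server 2019 (RTM-CU18) - 15.0.4261.1 (X64)"),
    ("db03", "postgres", "PostgreSQL 14.9 on x86_64-pc-linux-gnu"),
    ("db04", "postgres", "PostgreSQL 14.10 on x86_64-pc-linux-gnu"),
    ("db05", "postgres", "PostgreSQL 13.12 on x86_64-pc-linux-gnu"),
]


def parse_version(raw: str) -> Version:
    """Extract the first dotted number from a reported version string.

    The year in "SQL Server 2019" is skipped because it has no dot; the
    build number 15.0.4312.2 is what we want. Returns a tuple of ints so
    that comparisons are numeric, not lexicographic.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", raw)
    if not m:
        raise ValueError(f"no version number found in {raw!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def at_least(v: Version, baseline: Version) -> bool:
    """True if v >= baseline, padding the shorter tuple with zeros so that
    15.0.4312 and 15.0.4312.0 compare as equal."""
    n = max(len(v), len(baseline))
    return v + (0,) * (n - len(v)) >= baseline + (0,) * (n - len(baseline))


def patch_gap_report(inventory) -> List[Tuple[str, str, str, str]]:
    """Return (host, engine, reported build, required build) for every
    instance that is behind the baseline or has no baseline at all."""
    findings = []
    for host, engine, raw in inventory:
        v = parse_version(raw)
        reported = ".".join(str(p) for p in v)
        required = BASELINE.get((engine, str(v[0])))
        if required is None:
            # An unsupported or untracked major version is itself a finding:
            # nobody has agreed what "patched" means for it.
            findings.append((host, engine, reported, "no baseline for this major version"))
        elif not at_least(v, parse_version(required)):
            findings.append((host, engine, reported, required))
    return findings


if __name__ == "__main__":
    for host, engine, reported, required in patch_gap_report(INVENTORY):
        print(f"{host:6} {engine:10} running {reported:14} required {required}")
```

The report deliberately says nothing about which vulnerabilities each missing build fixes; that is the point of the patch-centric view. If a particular finding needs that detail, the vendor's release notes for the required build are the place to look it up.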
It's also important to understand that network and operating system auditing tools fail miserably at helping with database audits. Why is this? Databases are complex beasts. They have their own access-control systems, their own user accounts and passwords, their own auditing subsystems, and even their own network protocols. Generic scanners simply do not have the expertise to provide more than a cursory look at the database.
There are a number of tools specialized to help the auditor run audits on a database. These tools include:
AppDetective by Application Security, Inc.
NGSSquirrel by NGS Software, Ltd.
Database Scanner by Internet Security Systems, Inc.
There are also tools designed to assist you with database activity monitoring. As an auditor, you have influence over how these tools are used to record and detect unauthorized or malicious access to sensitive data. You will need to determine which regulations apply to the database and translate their requirements into terms that can be implemented as native database auditing or as more in-depth activity monitoring.
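The translation step above ends with rules that can be evaluated against what the database's native audit trail actually records. The following is an added example for this section, not code from the page or from any of the products named below: four constructed control requirements (need-to-know access to sensitive tables, access only from the application tier, schema and privilege changes only in the change window, and visibility of any grant on sensitive data) are expressed as rules and run over a handful of constructed audit records laid out in a pgaudit-like shape. The table names, accounts, network ranges, change window and log lines are all invented for illustration.

```python
"""Database activity monitoring rules run over constructed audit records (added example)."""
import csv
import io
import ipaddress
from datetime import datetime
from typing import Dict, List

# Constructed policy, the kind of thing a control matrix hands the auditor.
SENSITIVE_TABLES = {"customer_pii", "card_data"}
ALLOWED_READERS = {"app_billing", "app_reporting"}      # need-to-know accounts
APP_NETWORK = ipaddress.ip_network("10.20.0.0/24")       # application tier
CHANGE_WINDOW_HOURS = range(1, 4)                        # 01:00-03:59
DDL_TYPES = {"CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}

RULES = {
    "R1": "sensitive table accessed by an account outside the need-to-know list",
    "R2": "sensitive table accessed from outside the application network",
    "R3": "schema or privilege change outside the change window",
    "R4": "privilege granted on a sensitive table",
}

FIELDS = ["time", "user", "client", "type", "object", "statement"]

# Constructed audit records: time, user, client address, statement class,
# object touched, statement text. Not taken from any real system.
SAMPLE_AUDIT = """\
2024-05-03T09:15:02,app_billing,10.20.0.15,SELECT,customer_pii,SELECT name FROM customer_pii WHERE id=$1
2024-05-03T09:16:40,jsmith,10.30.4.7,SELECT,customer_pii,SELECT * FROM customer_pii
2024-05-03T09:17:05,app_reporting,10.20.0.22,SELECT,orders,SELECT count(*) FROM orders
2024-05-03T14:02:11,dba_ops,10.20.0.9,GRANT,card_data,GRANT SELECT ON card_data TO jsmith
2024-05-03T02:30:00,dba_ops,10.20.0.9,ALTER,orders,ALTER TABLE orders ADD COLUMN note text
2024-05-03T23:41:19,app_billing,192.168.1.50,SELECT,card_data,SELECT pan FROM card_data
"""


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return the IDs of every rule the audit record violates."""
    ts = datetime.fromisoformat(rec["time"])
    addr = ipaddress.ip_address(rec["client"])
    stmt_type = rec["type"].upper()
    obj = rec["object"]
    sensitive = obj in SENSITIVE_TABLES
    hits = []
    # R1 applies to data access; DDL on sensitive tables is handled by R3/R4.
    if sensitive and stmt_type not in DDL_TYPES and rec["user"] not in ALLOWED_READERS:
        hits.append("R1")
    if sensitive and addr not in APP_NETWORK:
        hits.append("R2")
    if stmt_type in DDL_TYPES and ts.hour not in CHANGE_WINDOW_HOURS:
        hits.append("R3")
    if stmt_type == "GRANT" and sensitive:
        hits.append("R4")
    return hits


def review(audit_text: str) -> List[Dict[str, object]]:
    """Parse the audit trail and return one alert per record that broke a rule."""
    reader = csv.DictReader(io.StringIO(audit_text), fieldnames=FIELDS)
    alerts = []
    for rec in reader:
        hits = check_record(rec)
        if hits:
            alerts.append({"time": rec["time"], "user": rec["user"],
                           "rules": hits, "statement": rec["statement"]})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_AUDIT):
        reasons = "; ".join(f"{r}: {RULES[r]}" for r in alert["rules"])
        print(f"{alert['time']} {alert['user']:13} {alert['statement']}\n    {reasons}")
```

Two things in this shape matter for the audit. The rules are written against fields the database itself records (account, client address, statement class, object), which is why a native audit configuration that captures those fields is the prerequisite for any monitoring product. And a GRANT on a sensitive table is flagged even when the DBA makes it inside the change window, because the requirement being enforced is that every widening of access to that data is reviewed, not merely that it was scheduled.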
Several tools are listed below that provide the needed technology for monitoring activity in the database:
AppRadar from Application Security, Inc.
Database Security & Compliance Platform from IPLocks
SQL Guard from Guardium
AuditDB from Lumigent
Auditors also need to understand the tools available to meet database encryption requirements. These tools include:
DbEncrypt from Application Security, Inc.
Secure.Data from Protegrity
Encryptionizer from NetLib
DataSecure from Ingrian