The set of knowledge around database security is not nearly as vast as the knowledge around network or operating system security. There is, however, enough detail to effectively get the job done.
Below is a list of books written to assist in securing databases and in understanding database security. If you do need to run an audit, it is recommended that you review the books that apply to your specific database platform.
Oracle Security Handbook, by Marlene L. Theriault and Aaron C. Newman
Oracle Security Step-by-Step, by Pete Finnigan
The Database Hacker's Handbook, by David Litchfield, Chris Anley, Bill Grindlay, and John Heasman
Implementing Database Security and Auditing, by Ron Ben Natan
SQL Server Security, by Chip Andrews, David Litchfield, Chris Anley, and Bill Grindlay
SQL Server Security Distilled, by Morris Lewis
SQL Server Security: What DBAs Need to Know, by K. Brian Kelley
Oracle Privacy Security Auditing, by Arup Nanda and Donald Burleson
Effective Oracle Database 10g Security by Design, by David Knox
Special Ops, by Erik Birkholz et al.
MySQL Security Handbook, by Wrox Author Team
Cryptography in the Database: The Last Line of Defense, by Kevin Keenan
Database Security, by Maria Grazia Fugini, Silvana Castano, and Giancarlo Martella
Database Security and Auditing: Protecting Data Integrity and Accessibility, by Sam Afyouni
There are many online technical guides as well. The advantages of these guides are that they are often free, more up to date, and can be accessed from anywhere. Of course, they are also typically incomplete and not nearly as comprehensive as the books just listed.
Oracle Database Security Checklist, by Oracle Corporation; available at http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
A Security Check List for Oracle9i, by Oracle Corporation; available at http://www.otn.oracle.com/deploy/security/oracle9i/index.html
SANS Oracle Security Checklist; available at http://www.sans.org/score/checklists/Oracle_Database_Checklist.doc
Ten Steps to Securing SQL Server 2000; available at http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
SQLSecurity.com Checklist; available at http://www.sqlsecurity.com
NIST Security Checklists; available at http://www.checklists.nist.gov/repository/category.html
ISACA Auditing Guidelines; available at http://www.isaca.org/
You also can gain practical, hands-on experience by attending a training course on database security. Below is a list of the more popular training courses:
The majority of database vulnerabilities discovered and fixed can be credited to a relatively small subset of security researchers. While some groups, including many of the database vendors, view this work as "malicious," security researchers have done the database security market a huge service, and to top it all off, they have done it free of charge. The database vendors themselves have gone as far as to threaten lawsuits and revoke partnership agreements, and they have been particularly vocal in telling customers how "evil" security researchers are. The silver lining is that these security researchers are real watchdogs in the community. A good number of the really simple security vulnerabilities have been eliminated, or at least reduced, because of the work of these security researchers. Of course, the vendors have been dragged into securing and fixing their databases kicking and screaming the whole way.
The most prominent database security research teams include
Argeniss Information Security at http://www.argeniss.com
Red-Database-Security at http://www.red-database-security.com
Application Security, Inc., Team SHATTER at http://www.appsecinc.com/aboutus/teamshatter/index.html
NGS Research at http://www.ngssoftware.com
Pentest Limited at http://www.pentest.co.uk
Pete Finnigan at http://www.petefinnigan.com
Integrigy at http://www.integrigy.com
Chip Andrews at http://www.sqlsecurity.com
These websites serve as the most definitive source of vulnerability information on databases. If you have a question about a particular vulnerability, search these locations, and you're likely to find an answer.
As always, never forget the most up-to-date source of database security information: Google. Simply search on any term of interest, such as "Oracle Exploits" or "Auditing MySQL." Google provides a great list of resources to explore to help you do your job.