SQLServerCentral Article

Review: AppDetective Helps You Be a Nosy DBA


I recently had the opportunity to look at the Application Security Inc. core

product called AppDetective 3.1. Since I’ve evaluated it a month ago, it’s

become a vital part of my day to day security auditing and I’m not really sure

how I survived without it now. This review will focus mostly on how the

application works with SQL Server but it also can handle other data sources and

applications like IIS.

The Problem

If you’re a DBA, you may remember the calls you received when the SQL Slammer

virus first came out. I received a page at 7:30AM that Saturday morning from a

corporate security employee asking me if I had deployed service pack 2 for SQL

Server in our environment. We had just deployed it 3 weeks prior but there how

could we be sure we caught all the servers? Luckily, we didn’t get harmed by

the virus because of strong firewall rules and patch deploy. How could we be

sure we got all the servers though? We first downloaded AppDetective then to

make sure we patched all the servers. We had though we had 75 or so servers in

our environment and what we found was terrifying.

How AppDetective Solved It

As you know, the problem and advantage with SQL Server is that it’s so easy to

install. It asks you a few simple questions and whalla, you’ve got an unpatched

copy of SQL Server installed that’s vulnerable to all sorts of viruses. Rarely

do people remember to install the latest service pack. As AppDetective scanned

our network, it found an additional 200 SQL Servers or MSDE instances that we

didn’t know about and where developers had installed their MSDN copy of SQL

Server or were using MSDE to develop against. We scurried to finish the patch

work, as most of them didn’t have the proper service pack installed on them


The nice thing we found about AppDetective was that it outputted all the

instances it found to an Access or SQL Server table for easy trend analysis. We

imported their host table into an Excel spreadsheet to monitor our server list

as we kicked of a server consolidation project. You can also schedule these

types of network scans on a periodic basis so if a developer stands up a SQL

Server in our environment, they receive a call shortly thereafter.

The true power in the application is the ability to audit an individual

server’s security policies. We pointed AppDetective at our development server

and it found lots of vulnerabilities that I wasn’t aware of. It also shows you

how to fix the problem with easy to read instructions. As you can imagine, the

type of vulnerabilities out there are constantly changing and you can update

your security profile with ASAP Update, which downloads the latest

vulnerability lists from the Application Security’s website. I’ve been doing

this once every few weeks since I installed the program.

The product can also perform brute force attacks or denial of service (DoS)

attacks on your server to test your security measures. It will try to crack

your passwords that are installed and will find easy to guess passwords. It

then creates an easy to read report that even a manager can read. Each scan is

kept historically so you can see if things are improving or getting worse.

Overall, the program was very simple to install, configure and use. There is

only a client to install on your workstation and no component on the servers to

install. There was no learning curve at all and I was using the program in a

panic within minutes. I can’t recommend AppDetective enough as an enterprise

tool to scan your network for SQL Server and then find vulnerabilities. It can

be costly to deploy AppDetective to too many servers in an enterprise

environment however. You need one license to scan the network and then one per

server to scan for vulnerabilities or security policies. So if you wanted to

scan 2 servers in your environment but only wanted to test your policies

against one, you would only need one license. As with most vendors, enterprise

licensing is available.

The Big Picture

AppDetective helped us in a struggle to find newly installed SQL Servers and

helped us be a nosy DBA. Users can no longer install SQL Server on their

computers without getting a call from us shortly thereafter. AppDetective has

saved us countless days of work in locating the servers and then really tests

our security policies before their tested in the real world.



on Investment













4.0 - Expensive product at $1295 an instance but well worth it.














5.0 – All the features were very easy to use.














5.0 - Everything you need to secure your SQL Server in a nice
















5.0 – Wizards made it easy to configure your environment in 5
















5.0 -

Saves tons of time in auditing your

system and finding SQL Servers you didn't know existed.


of Bugs













5.0 - None found during this review.














5.0 -

Support provided phone number to call back in less than 10 mins when

anonymously e-mailed















– Easy product to use and

find SQL Servers that you didn't know existed. Auditing a snap.


Vendor Information

Application Security, Inc.

117 East 24th Street

Suite 2A

New York, NY 10010


Tel: +1 212-420-9270

Fax: +1 212-420-9680




Price : Lists at $1,295 per instance but enterprise-wide pricing to

cover an entire organization available

30 day full demos are available of all ASI products


You rated this post out of 5. Change rating




You rated this post out of 5. Change rating