Database security testing terms: Setting the record straight

Much of the confusion stems from how people look at IT and information security as a whole. Some see it as purely a technical drill, while others look at things from an IT governance perspective. So, to set the record straight, here are the differences between security audits, penetration tests, and vulnerability assessments:

Security audits
A security audit determines what you say you're doing (via policy) or must be doing (via regulatory requirements) versus what's actually being done. Here are some characteristics of a typical security audit:

Penetration tests
A penetration test looks through the eyes of a malicious attacker to determine which vulnerabilities – typically in externally-facing systems – can be exploited and what level of access can be gained. Here are some characteristics of a typical penetration test:

Vulnerability assessments
A vulnerability assessment roots out security vulnerabilities in both external and internal systems. Here are some charact

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks SQL Server Management A first look at Microsoft SQL Server 2008 R2 Maintaining high availability of SQL Server virtual machines Creating fault-tolerant SQL Server installations Using Microsoft Hyper-V for SQL Server consolidation Scaling up vs. scaling out with SQL Server 2008 Migrating to SQL Server 2008 and leveraging new features Testing a SQL Server environment before an upgrade Does upgrading to SQL Server 2008 fit your business? Meeting business needs with SQL Server full-text search Using dynamic management views to improve SQL Server index effectiveness

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

eristics of a typical vulnerability assessment:

So, what about the often used term ethical hacking? Well, it sort of encompasses both penetration tests and vulnerability assessments. To me, it's the best of both worlds. For fear of sounding too goofy, I usually just refer to my ethical hacking work as "security testing" in general.

There's no wrong way of analyzing database security – just wrong ways of classifying how you're doing it. That said, using the tools and techniques of a malicious attacker via ethical hacking will undoubtedly uncover many more flaws in your database environment than a high-level security audit ever will. It's the only true way to see where you're security is weak.

Everyone has an opinion about defining the different types of database security analysis, in the same way everyone has differing views on information risk. In the end, all three types have essentially the same goal: to enhance information security within the business. It all depends on how you look at it and what you want to get out of it. The technicalities could be argued all day long. That's okay. We can all get along as long as our systems are secure, right? Just know the differences among the terms for database security testing because technically they do exist. Doing so will help you talk the talk and ensure you're getting what you really want and what your business needs.

[TABLE]