Tuesday, April 22, 2008

Scuba

Database security compliance is a real problem: we in the security profession are frequently kept at arm's length from the mysterious world of the DBA and their schemas.

Last year I began using a cool tool from Imperva called Scuba. It lets the auditor or security analyst do a hit-and-run security analysis of the base database product against security best practice. Like most of these tools, it does nothing to analyse the information flow or inter-relationships inside the application schema, but it does examine the vendor system tables and stored procedures for obvious security misconfigurations. It works with DB2, Sybase, Oracle and Microsoft SQL Server.

The tool will require the auditor to have a temporary "sa"-level read privilege on the entire database system and access to the network port the database runs on.

The tool runs on Windows platforms and requires a Java run time engine to be installed.

The reports are pretty HTML tables (good for cutting and pasting).
