AppRadar
AppRadar is a real-time database monitoring platform that is used to identify potential security-related misuses of the DB and/or provide an audit trail of database activity for compliance reporting or forensic purposes. The vendor bills the product as complementary to existing intrusion detection or anti-malware security detection infrastructure; AppRadar focuses specifically on the identification of database attacks or misuse.
Product submission by DatabaseJournal Staff

AppRadar is deployed as a two-component system: AppRadar Sensors examine database-related traffic, and the AppSecInc Console is a centralized console that provides management tools for multiple sensors as well as a collection repository and alerting mechanism for event data that is captured and forwarded to it from the sensors.

The sensors are available in network- or host-based flavors. The network sensors run on Windows machines (2000 Server/Server 2003) and receive data from a SPAN port on a switch. The sensor filters this data to focus only on database-related transmissions, with selected events forwarded to the AppSecInc Console for further examination. Network sensors are available for the examination of Oracle (7.x/8/8i/9i/10g), Sybase (11.x-15), and IBM DB2 UDB (8) DBs.

The host-based sensors run on the database servers themselves and provide functionality similar to that of the network sensors, but at the local DB level. Host-based sensors are available for MS SQL Server (2000/2005) on Windows (2000 Server/Server 2003) machines, and now for Oracle (9i/10g) on Solaris (8/9/10) or Linux (Red Hat Enterprise Linux 3/4). In addition to reporting selected events to the AppSecInc Console, the AppRadar Sensors support SNMP reporting to third-party systems.

The AppSecInc Console is a Web-based application (Windows 2000 Server/Server 2003) that provides the ability to configure and monitor the sensors; receive and store sensor alert data; generate reports down to a specific user, machine, application, or event type; and create or modify alerting policies. Such policies include predefined compliance-related policies such as FISMA, HIPAA, Payment Card Industry Data Security Standard (PCI), and Sarbanes-Oxley (SOX), and the administrator can also create new policies from scratch via a policy editor.
Exceptions can also be created for existing policies, allowing the administrator to filter out alerts based on specific parameters (such as the user) of the alert information.

The AppSecInc Console supports role-based access: administrators can access all facilities of the console, while others can receive read-only access to collected information and defined policies. Alerts from the console can be sent via SNMP, via e-mail, or to a file.

Among the types of threats watched for by the platform are attacks targeting specific database vulnerabilities such as buffer overflows in stored procedures, brute-force password attacks (a notification can be sent when a large number of failed logins is detected within a specified time frame), privilege escalation, SQL injection, and attempts to access the underlying operating system. Additionally, an "Audit Events" category contains rules to capture all DB activity regardless of threat level, for complete auditing of which activities were carried out by which users at what time.

AppRadar is available now. Visit the Application Security Web site for further information.