{"product_id":10256,"v_id":10256,"product_name":"DbProtect AppDetective 2009.1 R2","certification_status":"Not Certified","certification_date":"2012-06-04T00:06:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"Application Security, Inc.","website":"http://www.appsecinc.com"},"vendor_poc":"Anirban Chowdhuri","vendor_phone":"212-912-4126","vendor_email":"anirban@appsecinc.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p class=\"Body\">The Target of Evaluation (TOE) is DbProtect AppDetective 2009.1 R2, hereinafter referred to as DbProtect AppDetective, as configured in accordance with the supplied guidance documentation.</p>\r\n<p class=\"Body\">DbProtect AppDetective consists of the DbProtect Console (a web-based graphical user interface that provides the management capabilities) and one or more database scanning engines (the Scan Engine). Each of these components is an application designed to run in the context of a commercial operating system. Supported operating systems are: Microsoft Windows Server 2003 and 2008 Enterprise Edition, and Microsoft Windows Server 2003 and 2008 Enterprise x64, each with the latest patches. DbProtect AppDetective utilizes a library of known vulnerabilities and misconfiguration signatures. 
DbProtect AppDetective includes modules for the following database applications:</p>\r\n<ul>\r\n<li>Oracle 11g, Oracle 10g, Oracle9i, and Oracle8i (note that while Oracle 8 and Oracle 7 are also supported, Audit-type tests do not work for those versions)</li>\r\n<li>Oracle Application Server 9i and 9i Release 2</li>\r\n<li>Microsoft SQL Server Versions 6.x, 7.0, 2000, 2005, 2005 Express Edition, 2008 and MSDE versions 1.0 and 2000 SP4</li>\r\n<li>Lotus Domino v4.5 through 7.0</li>\r\n<li>Sybase ASE 11.0, 11.5, 11.9.2, 12.0, 12.5, 15</li>\r\n<li>IBM DB2 Versions 6.1, 7.1, 8.1 and 8.2</li>\r\n<li>IBM DB2 zSeries Versions 7 and 8</li>\r\n<li>MySQL 3.20, 3.21, 3.22, 3.23, 4.0, 4.1, and 5.0.</li>\r\n</ul>\r\n<p class=\"Body\">Note, in order to perform audit-type tests on some database applications, the administrator needs to ensure the following components are installed and accessible in the operational environment:</p>\r\n<ul>\r\n<li>IBM DB2 Server audits require the IBM DB2 runtime client</li>\r\n<li>IBM DB2 for Mainframe audits require IBM DB2 Connect</li>\r\n<li>Lotus Domino audits require the Lotus Notes client driver</li>\r\n<li>Sybase ASE audits require the Sybase ASE ODBC driver.</li>\r\n</ul>\r\n<p>DbProtect AppDetective performs the following operations:</p>\r\n<ul>\r\n<li>Discovery&mdash;Systematically searches the network, inventorying applications and relevant application components by vendor and release.</li>\r\n<li>Penetration Test (Pen Test)&mdash;Applies a series of detailed security tests. DbProtect AppDetective Pen Tests identify how an intruder or unauthorized user might gain access to application components. 
Pen Tests use various mechanisms to simulate how an intruder could exploit vulnerabilities to break into applications from the outside without possessing any authentication credentials.</li>\r\n<li>Audit-type Test&mdash;Connects to the target database application and its underlying operating system to perform an assessment of its configuration, determining susceptibility to internal misuse. DbProtect AppDetective Audit-type tests require a valid user account on the target application in order to verify internal configuration settings.</li>\r\n<li>Reporting&mdash;provides a reporting capability that enables the administrator to generate and view various types of report that document the results of a Pen Test or Audit-type Test, identifying potential vulnerabilities, an assessment of the risk associated with a vulnerability, and recommending actions to address a vulnerability.</li>\r\n</ul>\r\n<p>DbProtect AppDetective includes a number of built-in Audit-type Test and Pen Test Policies that represent useful collections of checks to be performed against targeted database applications. It should be noted the evaluation has not assessed the efficacy of any specific built-in policy or its compliance with any regulatory requirements implied by the policy. Rather, the evaluation has assessed the ability of DbProtect AppDetective to perform specific types of checks that can detect particular types of vulnerability to which a targeted database may be susceptible. However, the evaluation did not analyze the signatures, templates, and other mechanisms used in the Penetration Test and Audit operations for suitability to task or completeness.</p>\r\n<p>The product includes a number of tools that are executed directly from the underlying operating system rather than from the Console, including Configuration Manager, DbProtect Migration, ASAP Updater, and Policy Editor. 
Access to these tools from the host cannot be controlled or monitored by the TOE and as such they are excluded from the scope of evaluation (and hence are not part of the TOE). Configuration Manager provides a means for modifying various configuration parameters on the Console&rsquo;s host machine. DbProtect Migration provides a means to migrate data from AppDetective Pro (a separately evaluated product from Application Security, Inc.) to DbProtect AppDetective. ASAP Updater upgrades product components to the most current version, and as such cannot be used with the evaluated version of the TOE. Policy Editor provides an interface for managing policies that define the checks to be performed by Audit-type Test and Pen Test jobs.</p>\r\n<p>It should be noted the evaluated TOE is not the current version of this product and must be specially ordered from the vendor.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p class=\"Body\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. 
The criteria against which the DbProtect AppDetective 2009.1 R2 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3.&nbsp; The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 3.&nbsp; Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.2 (Flaw reporting procedures).&nbsp; The product satisfies all of the security functional requirements stated in the DbProtect AppDetective 2009.1 R2 Security Target, when configured as specified in the supplied guidance documentation.</p>\r\n<p class=\"Body\">A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.&nbsp; The evaluation was completed in April 2012.&nbsp; Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10256-2012), prepared by CCEVS.</p>","environmental_strengths":"<p class=\"Body\">DbProtect AppDetective 2009.1 R2 provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.</p>\r\n<p class=\"Body\">DbProtect AppDetective 2009.1 R2 supports the following security functions:</p>\r\n<ul>\r\n<li><strong>Database Discovery and Scanning</strong></li>\r\n</ul>\r\n<p class=\"Body\">DbProtect AppDetective can discover database applications within the network infrastructure and assess them for potential vulnerabilities. 
Without requiring any agents on the target systems, DbProtect AppDetective can perform audit-type tests and simulate attacks against discovered and targeted applications to uncover security vulnerabilities and misconfiguration, and report the results to the authorized administrator.</p>\r\n<ul>\r\n<li><strong>Security Audit</strong></li>\r\n</ul>\r\n<p class=\"Body\">DbProtect AppDetective has the ability to generate audit records for the TOE security-relevant events, including management of security policies and launching of Discovery, Audit-type Test and Pen Test scans. The TOE records within each audit record at least the following information: Date, Time, Event Type, Success or Failure, User ID of the user. The TOE relies on the IT environment to protect and store the audit records, provide the ability to review the audit records, and to provide a reliable timestamp.</p>\r\n<ul>\r\n<li><strong>Identification and Authentication</strong></li>\r\n</ul>\r\n<p class=\"Body\">The Console component maintains four different roles (super user, admin user, basic user and view user). The Console requires each user to provide a username and password before accessing any Console security functions. The Console will pass the provided username and password to the underlying operating system and will deny the user session if the operating system does not indicate successful authentication of the username.</p>\r\n<ul>\r\n<li><strong>Security Management</strong></li>\r\n</ul>\r\n<p class=\"Body\">The Console implements role-based security management to control user access to the management functions. The Console partitions access in two ways: by Organization and by role. Organizations are created by super users. The admin user defines the users, policy access rights, and data partitioning within each Organization. The main principle is to restrict data stored, collected, and associated with an Organization to users in that Organization. 
This applies to all jobs, reports, and discovery results. Organizations are hierarchically organized, which affects the visibility of one Organization to another. The admin users can create new Organizations or delete Organizations within the Organization to which they have access. However, they are restricted from creating or deleting Organizations above the Organization to which they have access.</p>","features":[]}