Overview of the Oracle Database Security Assessment Tool

Security has not always been as big an issue as it is now. In the past, DBAs were more focused on performance, high availability, or scalability. Today, security is an issue at the forefront of every IT project. Security should come by design and by default, so developers need the right tools to help make that happen.

Recently, François Pons, senior principal product manager at Oracle, provided a video overview of the Oracle Database Security Assessment Tool (DBSAT), which helps identify areas where a database configuration, operation, or implementation introduces risks and also recommends changes and controls to mitigate those risks.

Even if security is addressed through a multi-layered approach, the database is an obvious target where sensitive data resides and is neatly organized in lines and columns, said Pons. So, no matter what, you still need to put a focus on database security. The first thing you need to know is the current level of security that your database has—and this, said Pons, is where the DBSAT can help.

What Is DBSAT?

DBSAT is relatively recent, but there have been a series of releases. The most recent version, Release 2.2.0, came out in September 2019. It is a free tool that you can download from My Oracle Support (Doc ID 2138254.1). You can run DBSAT from Oracle 10 to Oracle 19, and the database can be on-premise or in the cloud. DBSAT can address a multitude of configurations.

Essentially, DBSAT quickly scans an Oracle database and gives you a profile in different formats that you can use to understand the current status of your security. It will also provide you with recommendations and the rationale behind them. The tool identifies security risks and recommends relevant products and features to help with those risks.

Oracle designed this tool with the intent of it having a low barrier to entry, meaning it is free, quick, and easy to understand. The tool can produce information in multiple formats, including HTML, XLS, TEXT, or JSON.

Why Do You Need DBSAT?

The battle between DBAs and hackers who want to steal your data is unfair. It’s asymmetric because, so far, DBAs are more preoccupied with the performance capability or high availability of a system. In some cases, DBAs may lack the time, resources, or even expertise in terms of security that hackers have. Not only do hackers have expertise in breaching security protections, but they also have a lot of tools available to them. This means that if DBAs are not also given the proper tools, they won’t stand a chance. There is the potential for an organization to end up with a DBA who knows less about their database than a hacker does.

Without a tool that can process a checklist of actual or potential security gaps, it can be extremely difficult to be sure that you aren’t missing something when it comes to the security of your database.

It’s important to ask yourself some questions. A database has a portfolio of security features, but have you been using them? Have you encrypted your data or network? Do you use auditing? Do you have default or non-expiring passwords? Do you have open ports in your database? Who are your privileged users? Who are your over-privileged users, and what can they do? How do you apply security fixes to your database?

DBAs need to know the answers to these questions and have the right tools to help them understand their databases inside and out. This will help your organization fight against data breaches, whether they come from inside or outside of your business. Note that most data breaches come from insiders, which is another good reason to have multiple security solutions built into the big picture of your database.

What Does DBSAT Do?

There are three core items that DBSAT assists with:

  1. The general security configuration of your database
  2. Users and their entitlements
  3. Identifying sensitive data in your database

DBSAT will look at whether or not you are following security best practices, are utilizing encryption auditing, and are applying the latest security patches, etc. It also focuses on who your users are, particularly those who are privileged users, and what they are able to access. DBSAT identifies sensitive data within your database and whether it is a good candidate to be audited, pseudonymized, redacted, anonymized, masked, etc. Regulations such as the EU’s GDPR attach particular importance to identifying and protecting sensitive data.

DBSAT Use Cases

Let’s look at two of the main use cases for DBSAT:

  1. Identifying misconfigurations and policies
  2. Identifying sensitive data

Identifying Misconfigurations and Policies

The first use case takes a general look at the database and its users. Call the DBSAT with a reference to the Collector on the command line. This Collector should be installed on the target database, which requires a very basic installation—unzip it and connect it to the database. Do not select anything inside the database apart from metadata.

The Collector doesn’t read your tables, per se; it only accesses dictionary tables and runs its analysis, which produces a JSON file output. This JSON file should be protected because it contains all of your security holes. This is the source for the DBSAT Reporter to turn this raw information into readable outputs in different formats (i.e., HTML, XLS, TEXT, JSON) that all have the same information. The Reporter can be run on a different computer if desired. You simply need to have the protected JSON file on the server where you want to run the Reporter. The output will show you what security features you are or are not currently using, where your database is at low/medium/high risk, and provide you with recommendations for how to best address security risks.

Identifying Sensitive Data

The second use case is sensitive data discovery analysis. For this, use the same DBSAT tool with a different command line. Instead of running the Collector and Reporter, you are going to use the Discoverer.

Sensitive data can be a number of things, including personally identifiable information, financial information, political affiliation, gender, race, etc. This sensitive data should be protected to abide by regulations such as HIPAA, GDPR, and others.

The first step is to identify this sensitive information. DBSAT is one of three Oracle tools that can help you do that. You could also use the Oracle Data Masking and Subsetting Pack and the Lifecycle Management Pack. DBSAT is the easiest of the three to use, but it has some limitations. It only looks at metadata, so it doesn’t read anything inside the data, which is both good and bad. This tool is good for a first level of analysis. For deeper analysis, you may consider one of the other two.

When you run the DBSAT Discoverer, it will produce an output in two different formats—HTML and XLS. You will need to edit and review a number of parameters in configuration files before running the Discoverer. You will also need to review and edit patterns for sensitive data types. After running Discoverer, you will have information about the sensitive categories within your database, the number of sensitive tables/columns/rows within each category, and what type of sensitive data each one contains.

Protecting Data Is Mission-Critical

With data breaches growing every day along with the evolving set of data protection and privacy regulations, protecting business-sensitive and regulated data is mission-critical. However, knowing whether the database is securely configured, who can access it, and where sensitive personal data resides is a challenge for most organizations. DBSAT can help address that problem and identify ways to improve security.

To learn more, check out the Oracle YouTube video, which includes a demonstration of the Oracle Database Security Assessment Tool, at, or visit