Welcome! I’m Thomas…

SQL Vulnerability Assessment


Last month there were a plethora of announcements coming out of Microsoft Ignite. So many announcements that it was hard to keep up with everything. James Serra (blog | @JamesSerra) did a good job detailing the data platform announcements here. However, that list is only data platform announcements. Ignite had many more, creating a lot of noise. It was easy to lose track of everything in all that noise.

One of the announcements that got overlooked (IMO) was the release of SQL Vulnerability Assessment (VA). For those of us working with Azure SQL Database we were already familiar with the Audit and Threat Detection features. Data is the most critical asset that any company owns and Microsoft is making every effort to help protect your data in every possible way.

To start, navigate to your SQL database. Then find ‘Vulnerability Assessment’ in the Settings:


Click, then make sure you have configured a storage account for gathering the data. Once complete, click ‘Scan’, wait a few seconds and see the results:


That’s it. You don’t need to be a security expert to perform a vulnerability assessment. The scan runs quickly. It checks the database against a baseline of common issues and lists what it finds. You can then click through to review the findings. You can see above that I have a database that would benefit from some column security:


If this were the Earthed version of SQL Server I would now spend time reviewing these columns. I want to determine what security feature to use (Always Encrypted, Dynamic Data Masking, or Row Level Security). Then I would spend time configuring that feature inside of SQL Server Management Studio (SSMS). But with Azure SQL Database I am only a few clicks away from remediation:
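The two steps just described, reviewing the flagged columns and then applying a column-security feature, as an added T-SQL example that is not code from the original post. It builds a constructed dbo.Customers table, runs a catalog query that flags unprotected columns with sensitive-looking names (a rough stand-in for the finding shown above, not the assessment's own rule), and then applies two of the remediations the post names, Dynamic Data Masking and Row-Level Security. The table, the EastSupport user and the Security schema are assumptions for the example; the syntax is the same on Azure SQL Database and SQL Server 2016 or later.

```sql
-- Added example (not from the original post). Table, column, user and
-- schema names below are constructed for illustration.

-- 1. Constructed sample data
CREATE TABLE dbo.Customers (
    CustomerId   int           NOT NULL PRIMARY KEY,
    Email        nvarchar(256) NOT NULL,
    Phone        varchar(20)   NULL,
    CreditCardNo char(16)      NULL,
    Region       varchar(10)   NOT NULL
);
INSERT INTO dbo.Customers VALUES
    (1, 'alice@example.com', '5551230001', '4111111111111111', 'EAST'),
    (2, 'bob@example.com',   '5551230002', '5500000000000004', 'WEST');
GO

-- 2. Review: list columns that carry neither masking nor Always Encrypted
--    and whose names look sensitive (approximates the finding, not the real rule)
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name,
       c.is_masked, c.encryption_type_desc
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE c.is_masked = 0
  AND c.encryption_type IS NULL
  AND (c.name LIKE '%email%' OR c.name LIKE '%phone%'
       OR c.name LIKE '%card%'  OR c.name LIKE '%ssn%');
GO

-- 3. Remediation A: Dynamic Data Masking on the flagged columns
ALTER TABLE dbo.Customers ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers ALTER COLUMN Phone
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');
ALTER TABLE dbo.Customers ALTER COLUMN CreditCardNo
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)');
GO

-- 4. Remediation B: Row-Level Security so a regional support user
--    only sees rows for its own region (dbo keeps full visibility)
CREATE USER EastSupport WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO EastSupport;
GO
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@Region AS varchar(10))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE (@Region = 'EAST' AND USER_NAME() = 'EastSupport')
              OR USER_NAME() = 'dbo';
GO
CREATE SECURITY POLICY Security.CustomerRegionFilter
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Customers
    WITH (STATE = ON);
GO

-- 5. Verify as the low-privileged user: one EAST row comes back,
--    with Email, Phone and CreditCardNo masked because the user lacks UNMASK
EXECUTE AS USER = 'EastSupport';
SELECT CustomerId, Email, Phone, CreditCardNo, Region FROM dbo.Customers;
REVERT;
GO

-- 6. Confirm the catalog now records both controls
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;
SELECT name, is_enabled FROM sys.security_policies;
```

Step 5 should return only CustomerId 1, showing values such as aXXX@XXXX.com and XXX-XXX-0001; re-running the step 2 query afterwards returns no rows for the three masked columns, which is the check a scan would make. Masking hides data from query results but is not encryption, so a principal granted UNMASK, or a user who can run arbitrary predicates against the column, still reaches the underlying values; Always Encrypted is the stronger control where the database engine itself must not see plaintext.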


Microsoft is making great strides in automating away operational DBA tasks. If you ever need proof, just have a look at all the great stuff they are doing with data security. And here is the best news: this will be coming to your Earthed servers at some point.

[The SSMS build is still in private release. I will post an update once I have access.]

Microsoft continues to blur the lines between Earthed and Cloud. I will call this “foggy” until I think of something better.

  • Hugo Shebbeare

    Nice post Thomas! Glad they finally released a product to rival IBM Security’s VA tool – hope that in the next versions they continue to not only build a great security tool for within the MSFT feature space, but also incorporate NIST/STIG, CIS, standards (known well in the CISSP space) that are matched for the passes settings, as well as include what CVEs are satisfied, correlated to the patching level.