Precursor Security
CREST-Accredited | SQL & NoSQL Hardening

Database Security Review

Your ISO 27001 auditor, PCI QSA, or NHS DSPT assessor will ask for independent evidence of database security controls. We provide a CREST-accredited database security review: read-only scripts, industry standard benchmark mapping, and a remediation report your auditor will accept.

SQL Server, PostgreSQL, MySQL, Oracle & MongoDB
Industry standard benchmark hardening per platform version
Read-only review, zero production impact
CREST-accredited assessors
Compliance-ready report for ISO 27001, PCI DSS & NHS DSPT
DBA Self-Review vs Expert Audit

Not Another Checkbox Exercise

DBA Self-Assessment

Internal Review

  • Spot-checks rather than systematic verification
  • No adversarial privilege escalation testing
  • Not accepted as independent audit evidence
  • No stored procedure SQL injection analysis
  • No compliance framework mapping
Expert Assessment

CREST-Accredited Review

  • 100-300+ security controls verified per platform
  • Privilege escalation path analysis
  • Stored procedure SQL injection testing
  • ISO 27001 / PCI DSS / NHS DSPT evidence
  • Remediation SQL scripts per finding
When to Commission

When to Commission a Database Review

Most database security reviews are triggered by a specific compliance deadline, audit finding, or change in ownership. If any of these scenarios describes your situation, this review provides the evidence you need.

ISO 27001 Surveillance Audit

Your Annex A controls require independent evidence of database security configuration: Annex A.12 (Operations security) under the 2013 edition, and the A.8 technological controls (notably 8.8 technical vulnerability management, 8.9 configuration management, 8.15 logging and 8.24 use of cryptography) under ISO 27001:2022. Our report maps directly to the auditor's evidence checklist for whichever edition you are certified against.

PCI DSS Requirement 2 & 3

PCI DSS Requirement 2 (secure configurations) and Requirement 3 (protect stored cardholder data) require evidence of database hardening and encryption controls. Our industry benchmark-mapped report provides the evidence your QSA needs.

Pen Test Finding Follow-Up

A penetration test flagged "insufficient database hardening" without specifying which of the 200+ controls to prioritise. Our review provides the structured remediation path mapped to industry standard benchmarks.

NHS DSPT Submission

Your NHS Data Security and Protection Toolkit submission requires evidence of appropriate technical measures for databases holding patient data. Our report provides the independent assessment evidence.

Inherited Database Estate

You have inherited a database environment from a predecessor team, an acquisition, or an outsourced provider and need to understand the security posture before assuming responsibility for the data it holds.

UK GDPR Article 32 Evidence

Your DPO needs to demonstrate "appropriate technical measures" including encryption of personal data at rest. Your DBA says TDE is on. You need independent proof the ICO would accept.

Risk Intelligence

The Data Breach Risk

Critical
280 days

AVERAGE BREACH DETECTION

Widely cited industry average for the time between a breach and its detection. An attacker who has found a misconfigured database rarely needs to move anywhere else, so the question is not whether data was exfiltrated, but how much.

High
0 auth

DEFAULT MONGODB STATE

MongoDB ships with authorization disabled; it must be switched on explicitly (security.authorization: enabled in mongod.conf, or --auth). Since 3.6 it also binds to localhost only by default, so the exposure arises when a deployment sets bindIp to 0.0.0.0 for the application tier without also enabling authentication: the database is then readable without credentials by anyone who can reach port 27017.

Delivery
£2.5k

STARTING FROM

Single instance database security review including industry standard benchmark assessment, access control audit, encryption validation, and stored procedure analysis. Fixed-price quote after scoping.

Mapped
Controls
ISO 27001 | Annex A.12 (2013) / Annex A.8 (2022)
PCI DSS | Requirements 2 & 3
UK GDPR | Article 32
NHS DSPT | Data Security
Common Findings

What We Typically Find

Across every database estate we review, certain misconfiguration patterns appear repeatedly. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.

Critical
Access Control

SA account enabled with default or weak password

The SQL Server SA account is enabled and the instance is in Mixed Mode authentication, so SA can log in directly with a password and bypass Windows domain controls (lockout, MFA, conditional access). Credential spraying or brute force against this one account grants sysadmin over every database on the instance, and because SA has a fixed SID (0x01) renaming it only hides the name, not the account.

CVSS 9.8 | NIST SP 800-53 AC-6
Business Impact: Full database instance takeover via single credential compromise
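As an added example, not part of the original page, here is how this finding is verified and remediated on SQL Server 2016 or later. The first three statements are read-only; the ALTER statements are the remediation and need sysadmin. The replacement name for the SA login is an assumption.

```sql
-- Added example (not Precursor's own script): verify and fix the SA finding.

-- 1. Authentication mode. 1 = Windows Authentication only,
--    0 = Mixed Mode (SQL logins such as sa can authenticate with a password).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. State of the built-in sa login. It is identified by its fixed SID 0x01,
--    so the check still finds it after a rename.
SELECT name,
       is_disabled,
       is_policy_checked,      -- 0: Windows password policy not enforced
       is_expiration_checked,  -- 0: password never expires
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. Blank or default password still in place? PWDCOMPARE returns 1 when the
--    candidate matches the stored hash. Run only against your own instance.
SELECT name
FROM sys.sql_logins
WHERE sid = 0x01
  AND (PWDCOMPARE('', password_hash) = 1
       OR PWDCOMPARE('sa', password_hash) = 1);

-- 4. Any other SQL login that escapes the password policy.
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Remediation (sysadmin): disable sa and rename it so credential sprays hit a
-- name that no longer exists. Switching the instance to Windows-only
-- authentication is a Configuration Manager setting that needs a service
-- restart, so it goes in the report as a scheduled follow-up.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_disabled_sa];   -- assumed replacement name
```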
Critical
Encryption

TDE not enabled on databases containing PII

Production databases holding personal data lack Transparent Data Encryption, so physical disk theft, backup tape loss or an exposed storage snapshot reveals plaintext data. UK GDPR Article 32 names encryption of personal data first among the appropriate technical measures, and an ICO investigation will ask why it was not applied. Note what TDE does not do: it is transparent to anyone who can already query the database, so it offers nothing against a compromised login or SQL injection; those are covered by the access control and code findings.

CVSS 9.1 | NIST SP 800-53 SC-28
Business Impact: Plaintext PII exposure on physical media or stolen backups
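The evidence query behind this finding, added here as an example and not taken from the page, for SQL Server 2016 or later. It reads catalog views and DMVs only (VIEW SERVER STATE and VIEW ANY DEFINITION are enough) and covers the three things a DPO or QSA will ask about: which databases are encrypted, whether the certificate protecting them has ever been backed up, and whether recent backups were themselves encrypted.

```sql
-- Added example (not Precursor's own script): TDE evidence for the report.

-- 1. Every user database with its TDE state.
--    encryption_state: 0/NULL = no database encryption key, 1 = unencrypted,
--    2 = encryption in progress, 3 = encrypted, 4 = key change in progress,
--    5 = decryption in progress. tempdb is encrypted automatically as soon as
--    any user database is, so system databases are skipped here.
SELECT d.name,
       d.is_encrypted,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       k.encryptor_type,              -- CERTIFICATE, or ASYMMETRIC KEY when an HSM/EKM is used
       k.key_algorithm,
       k.key_length,
       k.set_date                     AS dek_created,
       k.regenerate_date              AS dek_last_rotated
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.database_id > 4
ORDER BY encryption_state, d.name;

-- 2. The certificate(s) in master that protect those keys. A NULL
--    pvt_key_last_backup_date means a lost master database makes every
--    encrypted backup unrestorable; an expiry_date in the past is a finding too.
SELECT c.name, c.expiry_date, c.pvt_key_last_backup_date
FROM master.sys.certificates c
WHERE c.thumbprint IN (SELECT encryptor_thumbprint
                       FROM sys.dm_database_encryption_keys);

-- 3. Were last month's backups encrypted? key_algorithm / encryptor_type are
--    NULL for a plaintext .bak, which is exactly the "stolen backup" scenario.
SELECT TOP (50) bs.database_name, bs.backup_finish_date, bs.type,
       bs.key_algorithm, bs.encryptor_type
FROM msdb.dbo.backupset bs
WHERE bs.backup_finish_date > DATEADD(day, -30, SYSDATETIME())
ORDER BY bs.backup_finish_date DESC;
```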
Critical
Network

Database listener exposed to 0.0.0.0/0

The database management port (1433, 3306, 5432, 1521 or 27017) is reachable from the internet or from untrusted network segments, so brute-force and engine-level exploit attempts hit the database directly with no perimeter control in front of it. "Exposed to 0.0.0.0/0" is usually a cloud security group or bind address opened for convenience during deployment and never tightened.

CVSS 8.6 | NIST SP 800-53 SC-7
Business Impact: Direct attack surface on the database management interface from the internet
Critical
Code Security

SQL injection in stored procedures via dynamic SQL

Stored procedures concatenate user-supplied parameters into dynamic SQL strings instead of passing them to sp_executesql (or the platform equivalent) as typed parameters. Because the procedure is trusted code, application-layer input validation has already been passed. The injected statement runs in the procedure's security context: the caller's own permissions by default, since dynamic SQL breaks ownership chaining, but the owner's (frequently dbo) wherever EXECUTE AS OWNER has been added to make the procedure work.

CVSS 9.0 | NIST SP 800-53 SI-10
Business Impact: Arbitrary query execution in the procedure's security context, often elevated
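The pattern behind this finding and its fix, written as an added example rather than code from the page or from any client engagement. Table, schema and procedure names are assumed; it runs on SQL Server 2016 SP1 or later (CREATE OR ALTER).

```sql
-- Added example (not Precursor's own code): dynamic SQL, vulnerable and fixed.

-- Vulnerable: the parameter is spliced into the statement text.
-- EXEC dbo.FindCustomer_Vulnerable N'x'' OR 1=1 --'  returns every row;
-- a stacked statement after a semicolon runs whatever the security context
-- allows, and the web tier's validation never saw it.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_Vulnerable
    @Surname nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Surname, Email FROM dbo.Customers '
      + N'WHERE Surname = ''' + @Surname + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the value travels as a typed parameter through sp_executesql, so
-- it can only ever be compared, never parsed. Where an identifier really must
-- be dynamic (a per-tenant schema here, as an example), validate it against
-- the catalog first and wrap it in QUOTENAME().
CREATE OR ALTER PROCEDURE dbo.FindCustomer
    @Surname nvarchar(100),
    @Schema  sysname = N'dbo'
AS
BEGIN
    SET NOCOUNT ON;

    IF NOT EXISTS (SELECT 1 FROM sys.schemas WHERE name = @Schema)
        THROW 50001, N'Unknown schema.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Surname, Email FROM '
      + QUOTENAME(@Schema) + N'.Customers WHERE Surname = @p_surname;';

    EXEC sys.sp_executesql
        @sql,
        N'@p_surname nvarchar(100)',
        @p_surname = @Surname;
END;
GO

-- For the report: the same payload is now a literal search and returns 0 rows.
-- EXEC dbo.FindCustomer @Surname = N'x'' OR 1=1 --';
```

Rewriting the procedure is only half the remediation: if it carries EXECUTE AS OWNER, ask whether that is still needed once the dynamic SQL is parameterised, because the clause is what turns a caller-level injection into a dbo-level one.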
High
Patch Status

EOL database version with known CVEs

The database engine version has reached end-of-life and no longer receives security updates, so every vulnerability disclosed after that date, including remote code execution flaws with public exploit code, stays open indefinitely. Upgrade or migration is the only remediation path; there is no patch to apply.

CVSS 7.8 | NIST SP 800-53 SI-2
Business Impact: Exploitable vulnerabilities with no vendor patches available
High
Observability

Audit logging disabled or not forwarded to SIEM

SQL Server Audit (or the platform equivalent) is either not configured or writes only to local files. An attacker with sufficient database access can delete local audit files or stop the audit, removing the forensic record of data access, privilege escalation and exfiltration. Writing to the Windows Security log or forwarding directly to the SIEM keeps a copy the attacker cannot reach from inside the database.

CVSS 7.2 | NIST SP 800-53 AU-9
Business Impact: No forensic evidence available following a data breach

Most production databases we review have at least two Critical and five or more High findings on first independent assessment.

Platform Coverage

Databases We Assess

Each platform is assessed against the applicable industry standard hardening benchmark. We check the controls that matter for your version, not a generic template.

SQL Server: 2016, 2019, 2022, Azure SQL
PostgreSQL: 13, 14, 15, 16
MySQL: 8.0, 8.4
Oracle: 19c, 21c, 23ai
MongoDB: 6.0, 7.0, 8.0

Each platform is assessed against the industry standard database hardening benchmark edition published for that version.

Database Hardening Checklist

What We Assess

Default database configurations are insecure. Our database hardening checklist aligns your SQL and NoSQL instances with industry standard security benchmarks, covering SQL Server, PostgreSQL, MySQL, Oracle, and MongoDB across six critical control domains.

Access Control

Authentication & Roles

We audit the SA account status, sysadmin role membership, Windows vs Mixed Mode authentication, EXECUTE AS permission chains and database-level grants against the principle of least privilege. For SQL Server we validate Windows Authentication enforcement and look for orphaned database users (users whose login no longer exists on the instance, typically left behind by restores and migrations, which keep their object permissions). The SQL Server security checklist covers every named administrative account and cross-database ownership chaining.
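The read-only checks behind this section, as an added example that is not part of the original page. It runs on SQL Server 2016 or later with VIEW SERVER STATE and VIEW ANY DEFINITION; the orphaned-user query uses the undocumented but ubiquitous sp_MSforeachdb to walk every database.

```sql
-- Added example (not Precursor's own script): privilege and orphan checks.

-- 1. Membership of the roles that are, or can become, sysadmin. Anything beyond
--    a few named DBA accounts is a finding; service accounts and Windows groups
--    mapped years ago are the usual surprises.
SELECT r.name AS server_role,
       m.name AS member,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 2. Server permissions that are sysadmin in all but name.
SELECT p.name, sp.permission_name, sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'CONTROL SERVER', N'IMPERSONATE ANY LOGIN',
                             N'ALTER ANY LOGIN')
  AND sp.state IN ('G', 'W');

-- 3. Orphaned database users: a SQL or Windows user whose SID matches no login
--    on this instance. They retain their grants and are silently re-attached if
--    a login with the same SID is ever created again. Contained users
--    (authentication_type 2) are excluded because they never have a login.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS database_name, dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN (''S'', ''U'', ''G'')
  AND dp.authentication_type IN (1, 3)          -- INSTANCE or WINDOWS
  AND sp.sid IS NULL
  AND dp.name NOT IN (N''dbo'', N''guest'', N''sys'', N''INFORMATION_SCHEMA'');';

-- 4. Cross-database ownership chaining. With it on for two databases that share
--    an owner, a user with rights in one reaches objects in the other through a
--    view or procedure without ever being granted access to them.
SELECT name, is_db_chaining_on, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_db_chaining_on = 1;

SELECT name, value_in_use                        -- 1 = enabled instance-wide
FROM sys.configurations
WHERE name = N'cross db ownership chaining';
```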

Encryption

Data At Rest Encryption

We validate whether TDE is active on every database that holds sensitive data, not just the ones the DBA team knows about, and check the TDE certificate (including whether its private key has ever been backed up), key rotation status and backup encryption. Encryption at rest is the first technical measure UK GDPR Article 32 names and is expected under PCI DSS Requirement 3; we produce the evidence your DPO or QSA needs to close the control. One caveat we flag for cardholder data: TDE protects files and backups, but Requirement 3 also expects PAN to be rendered unreadable wherever it is stored, so TDE on its own is rarely the whole answer.

Network

Network Exposure

We check whether the database listener (1433, 1521, 3306, 5432, 27017) is exposed to the internet or untrusted internal segments, whether client connections are encrypted in transit with TLS 1.2 or later, and whether the instance forces encryption rather than leaving the decision to each client driver.
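What the network checks look like from inside SQL Server 2016 or later, added here as an example and not taken from the page. These read DMVs only; the external port scan that proves reachability from an untrusted segment is a separate step. The registry read at the end needs EXECUTE on xp_instance_regread, which the audit login may not hold, in which case the Force Encryption flag is read from SQL Server Configuration Manager instead.

```sql
-- Added example (not Precursor's own script): listener and in-transit checks.

-- 1. Addresses and ports the engine is actually bound to. ip_address '0.0.0.0'
--    or '::' means every interface on the host, so a firewall or cloud
--    security group is the only thing between 1433 and the wider network.
SELECT ip_address, port, type_desc, state_desc, start_time
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';

-- 2. Current remote sessions and whether each one negotiated encryption.
--    encrypt_option = 'FALSE' means that session's credentials (for SQL logins)
--    and result sets cross the wire in clear text. protocol_version is the TDS
--    version, not the TLS version; the TLS version is not exposed here.
SELECT c.session_id,
       s.login_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.encrypt_option,
       c.protocol_version
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE c.net_transport <> N'Shared memory'      -- local console sessions skew the picture
ORDER BY c.encrypt_option, s.login_name;

-- 3. The figure that goes in the report: share of remote sessions encrypted.
SELECT encrypt_option, COUNT(*) AS sessions
FROM sys.dm_exec_connections
WHERE net_transport <> N'Shared memory'
GROUP BY encrypt_option;

-- 4. Is encryption forced server-side (1), or left to each driver (0)?
--    Without this, a client that omits Encrypt=True simply connects in clear.
DECLARE @force_encryption int;
EXEC master.sys.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
    N'ForceEncryption',
    @force_encryption OUTPUT;
SELECT @force_encryption AS force_encryption;
```

Disabling TLS 1.0 and 1.1 is an operating-system SCHANNEL setting rather than a SQL Server one, so it is verified on the host, not through these queries.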

Observability

Auditing & Logging

We check whether the SQL Server Audit feature (or platform equivalent) is capturing failed logins, privilege escalations, schema changes, and bulk data reads from sensitive tables, and whether those events are forwarded to your SIEM rather than written only to local logs that can be cleared by an attacker.
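The audit configuration this check (and the "audit logging disabled" finding above) is looking for, written as an added example rather than code from the page. It targets the Windows Security log so the existing SIEM agent ships events off the box; audit, specification, database and table names are assumed. Creating the audit needs ALTER ANY SERVER AUDIT, and the SQL Server service account needs the "Generate security audits" user right for the SECURITY_LOG target.

```sql
-- Added example (not Precursor's own script): SQL Server Audit to the
-- Windows Security log, plus the evidence query run first.

-- Evidence: what exists, where it writes, and whether it is actually running.
SELECT a.name, a.is_state_enabled, a.type_desc,
       a.on_failure_desc,                       -- CONTINUE silently drops events on failure
       s.name AS specification,
       s.is_state_enabled AS spec_enabled
FROM sys.server_audits a
LEFT JOIN sys.server_audit_specifications s ON s.audit_guid = a.audit_guid;

-- Target: the Security log, not a local .sqlaudit file a sysadmin-level
-- attacker can delete. FAIL_OPERATION blocks the audited action when the
-- event cannot be written, instead of letting it through unrecorded.
CREATE SERVER AUDIT [Audit_Security]
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO

-- Server-level events: logins, role and permission changes, and any change to
-- the audit itself (switching it off is logged before it stops).
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Server]
FOR SERVER AUDIT [Audit_Security]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Database-level events in the sensitive database (assumed name): schema and
-- permission changes, plus every SELECT against the PII table so bulk reads
-- leave a record with the login, host and statement.
USE [CustomerDB];
GO
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_CustomerDB]
FOR SERVER AUDIT [Audit_Security]
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [Audit_Security] WITH (STATE = ON);
GO
```

Auditing every SELECT on a hot table has a cost; the usual compromise is to audit reads on the handful of tables that hold PII or cardholder data and rely on the SIEM to alert on volume, which is the "bulk data reads" detection the text describes.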

Patch Status

Patch Management

We identify End-of-Life (EOL) versions and missing security patches, including those that allow remote code execution. We check SQL Server 2016/2019/2022 and Azure SQL, PostgreSQL 13-16, MySQL 8.0/8.4, Oracle 19c/21c/23ai and MongoDB 6.0/7.0/8.0 against current release baselines and known CVE databases.

Code Review

Stored Procedure Security

We review stored procedures, user-defined functions, triggers and dynamic SQL for injection vulnerabilities and for use of dangerous extended procedures such as xp_cmdshell. SQL injection within stored procedures bypasses application-level input validation entirely and executes in the procedure's security context, which is frequently elevated with EXECUTE AS OWNER.
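The discovery queries that feed this review, as an added example that is not the page's own script. They are read-only and deliberately noisy: they rank module text for manual review rather than prove an injection, so the LIKE patterns err towards false positives. SQL Server 2016 or later; VIEW ANY DEFINITION is required to see module definitions.

```sql
-- Added example (not Precursor's own script): find dynamic SQL and
-- out-of-engine reach in stored code, then check xp_cmdshell.

-- 1. Modules that execute strings at runtime. Concatenation of a variable next
--    to EXEC(...) is the injection signature; sp_executesql with a parameter
--    definition is usually, though not always, the parameterised form.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + N'.' + OBJECT_NAME(m.object_id) AS module_name,
       o.type_desc,
       CASE WHEN m.definition LIKE N'%EXEC%(%' OR m.definition LIKE N'%EXECUTE%(%'
            THEN 'EXEC(@string)' END                         AS exec_string,
       CASE WHEN m.definition LIKE N'%sp_executesql%'
            THEN 'sp_executesql' END                         AS exec_sql,
       CASE WHEN m.definition LIKE N'%+ @%' OR m.definition LIKE N'%+@%'
            THEN 'concatenates a variable' END               AS concat_hint,
       CASE WHEN m.definition LIKE N'%xp_cmdshell%'
              OR m.definition LIKE N'%OPENROWSET%'
              OR m.definition LIKE N'%sp_OACreate%'
            THEN 'OS / out-of-engine reach' END              AS dangerous_calls,
       m.execute_as_principal_id                             -- non-NULL: EXECUTE AS in use
FROM sys.sql_modules m
JOIN sys.objects o ON o.object_id = m.object_id
WHERE o.type IN ('P', 'FN', 'TF', 'IF', 'TR')                -- procs, functions, triggers
  AND (m.definition LIKE N'%EXEC%(%' OR m.definition LIKE N'%EXECUTE%(%'
       OR m.definition LIKE N'%sp_executesql%' OR m.definition LIKE N'%xp_cmdshell%')
ORDER BY dangerous_calls DESC, concat_hint DESC, module_name;

-- 2. Instance-level switches that let SQL reach the operating system or
--    other servers. All three should be 0 unless a documented job needs them.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries');

-- 3. Who has been granted xp_cmdshell directly. Remember that anyone holding
--    CONTROL SERVER can re-enable it with sp_configure regardless.
SELECT p.name, dp.permission_name, dp.state_desc
FROM master.sys.database_permissions dp
JOIN master.sys.database_principals p ON p.principal_id = dp.grantee_principal_id
WHERE dp.major_id = OBJECT_ID(N'master.sys.xp_cmdshell');

-- Remediation (sysadmin), if nothing legitimate depends on it:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```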

Engagement Pipeline

Database Security Audit Workflow

From read-only access to a compliance-ready report. A safe, non-intrusive assessment lifecycle with zero production impact.

Step 01

Discovery & Scoping

We scan the network to identify all running database instances, including shadow IT development databases that often lack security controls. You provide a read-only audit login: on SQL Server, VIEW SERVER STATE plus VIEW ANY DEFINITION (and CONNECT ANY DATABASE) so we can read configuration, permissions and module text without any access to row data; on other platforms a monitoring role such as pg_monitor on PostgreSQL or clusterMonitor on MongoDB. We never require DBA or sysadmin credentials.

Step 02

Config Dump & Analysis

We run read-only SQL scripts to export the full configuration, user rights map, and stored procedure logic for offline analysis. Zero production impact. No heavy JOIN operations or stress testing.

Step 03

Industry Benchmark Assessment

We compare every assessed control against the industry standard hardening benchmark for your platform version, covering SQL Server, PostgreSQL, MySQL, Oracle and MongoDB. We distinguish between Level 1 (scored, broadly applicable) and Level 2 (defence-in-depth, higher operational impact) controls, and flag where Level 2 hardening may break application dependencies before you remediate.

Step 04

Report & Remediation

The delivered report includes a prioritised list of findings mapped to industry standard benchmark controls, CVSS-equivalent severity ratings, and a remediation checklist formatted for auditor review under ISO 27001, PCI DSS, or NHS DSPT requirements. Remediation SQL scripts included per finding.
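The least-privilege login Steps 01 and 02 ask for, shown as an added example rather than Precursor's own provisioning script, for SQL Server 2016 or later. Login name, password and the table used in the self-test are assumptions; in a domain environment create it FROM WINDOWS against a group instead of as a SQL login. The final section proves, before the credentials are handed over, that the login can read metadata but not data.

```sql
-- Added example (not Precursor's own script): read-only audit login.

-- Preferred in a domain:  CREATE LOGIN [CORP\svc_dbaudit] FROM WINDOWS;
CREATE LOGIN [svc_dbaudit]
    WITH PASSWORD = N'<long random value from the password manager>',  -- assumed
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- DMVs: sys.dm_exec_*, sys.dm_database_encryption_keys, listener states.
GRANT VIEW SERVER STATE    TO [svc_dbaudit];
-- Object definitions and permission catalogs in every database.
GRANT VIEW ANY DEFINITION  TO [svc_dbaudit];
-- Lets the login USE each database for database-level catalog views. It does
-- not grant access to any table.
GRANT CONNECT ANY DATABASE TO [svc_dbaudit];
-- SQL Server 2022 only: narrower than VIEW SERVER STATE for security DMVs.
-- GRANT VIEW SERVER SECURITY STATE TO [svc_dbaudit];

-- Self-test: impersonate the new login and confirm it is what it claims to be.
EXECUTE AS LOGIN = N'svc_dbaudit';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS can_view_state,   -- 1
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')    AS can_control_server,  -- must be 0
       IS_SRVROLEMEMBER('sysadmin')                       AS is_sysadmin;         -- must be 0

-- A row read must fail. Error 229 is "The SELECT permission was denied".
BEGIN TRY
    EXEC (N'SELECT TOP (1) * FROM [CustomerDB].dbo.Customers;');   -- assumed table
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS expected_denial, ERROR_MESSAGE() AS detail;
END CATCH;
REVERT;

-- When the engagement ends:
-- DROP LOGIN [svc_dbaudit];
```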

Deliverables

What You Receive

Every database security review includes the following deliverables, formatted for both technical remediation teams and non-technical stakeholders.

Executive summary written for board, CISO, and audit committee presentation
Full findings list with each issue rated Critical, High, Medium, or Low
Industry standard benchmark control mapped to every non-compliant setting
Remediation SQL scripts and configuration changes per finding
Stored procedure SQL injection analysis with affected code identified
Compliance framework mapping (ISO 27001 A.12 under the 2013 edition or A.8 under 2022, PCI DSS Req. 2 & 3, UK GDPR Art. 32, NHS DSPT)
Platform coverage report detailing the security benchmark edition assessed per database version
Retesting within the assessment window to confirm remediated findings at no additional cost

Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats.

After Testing

Detect Data Exfiltration in Real Time.

A security review identifies the configuration gaps. MDR closes the monitoring gap that follows. Feed assessment findings directly into detection rules that watch for anomalous database query volumes, privilege escalation attempts, and bulk data reads.

Discuss Your Requirements
Service Catalogue

Full Penetration Testing Catalogue

Comprehensive penetration testing services tailored to your environment.

Ready to Secure

The best time to test your defences is now.

Join the high-growth companies relying on Precursor for continuous offensive and defensive security.

CREST Triple Accredited | Fixed Price Quotes | Free Scoping Call | UK Based Team

Frequently Asked Questions

Common questions about this service, methodologies, and deliverables.

Database security review pricing typically starts from £2,500, with the range depending on database type and environment complexity. Single instance reviews average £2,500-£4,000 including industry standard benchmark assessment, access control audit, and encryption validation. Multiple database reviews (3-5 instances, mixed platforms) typically cost £4,000-£6,000. Enterprise environments (5+ instances, NoSQL clusters, complex replication) typically cost £6,000-£8,000+. All pricing includes stored procedure review for SQL injection vulnerabilities. We provide fixed quotes after understanding your database inventory and platform requirements.

Database hardening is the process of reducing a database's attack surface by systematically disabling insecure default features, enforcing least-privilege access, enabling encryption for data at rest and in transit, and configuring audit logging. Industry standard security benchmarks for SQL Server, PostgreSQL, Oracle, MySQL, and MongoDB each contain 100-300+ controls. Hardening is not a one-time exercise: database software updates, new application deployments, and schema changes can reintroduce insecure configurations, which is why periodic independent review is necessary.

A database security audit checklist covers: (1) Authentication configuration: default accounts, password policies, authentication mode selection, MFA enforcement; (2) Privilege assignment: SysAdmin/DBA role membership, EXECUTE AS chains, cross-database ownership; (3) Encryption status: TDE configuration, certificate health, key rotation, column-level encryption; (4) Network exposure: listener port exposure, encrypted client connections, service account network permissions; (5) Audit logging: which events are captured, log retention, SIEM forwarding; (6) Patch status: database engine version against current release, known CVE exposure; (7) Stored procedure review: SQL injection vulnerabilities, use of dangerous extended stored procedures such as xp_cmdshell.

A database security review directly addresses UK GDPR Article 32, which requires appropriate technical and organisational measures and names the pseudonymisation and encryption of personal data as its first example. The review validates whether Transparent Data Encryption (TDE) is correctly configured, whether encryption covers all databases holding personal data, whether encryption keys are properly managed and backed up, and whether data-at-rest encryption extends to database backups. The deliverable is a written report documenting the encryption controls reviewed, findings, and remediation actions, providing the evidence record an ICO investigation or internal DPO audit would require. PCI DSS Requirement 3 (protecting stored cardholder data) is similarly addressed, with the caveat that TDE alone does not render PAN unreadable to anyone who can query the database.

Yes, but the scope is distinct from web application SQL injection testing. During a database security review, we examine stored procedures, user-defined functions, and dynamic SQL within the database engine itself, code that executes with elevated database privileges and bypasses web-layer input validation entirely. Web application SQL injection testing (where an attacker injects through a form field or API endpoint) is covered under our web application penetration testing service. Many clients run both: the database review catches server-side injection risks, while the web application test covers the client-facing attack surface.

DBA teams focus on availability and performance, not adversarial security: (1) DBAs configure access controls for functionality but rarely test privilege escalation paths; (2) Default configurations persist because they work. Security hardening requires deliberate effort DBAs may lack time for; (3) Industry standard security benchmarks contain hundreds of controls that require systematic verification, not spot-checking; (4) SQL injection inside stored procedures and dynamic SQL requires security-specific code review; (5) Auditors and assessors generally expect independent evidence rather than self-assessment; and (6) DBAs do not regularly test the data exfiltration scenarios attackers would use. External review provides the adversarial perspective and compliance-ready evidence that internal teams are not positioned to deliver.

Yes. We regularly audit MongoDB 6.0/7.0/8.0, Redis, Cassandra, and Elasticsearch clusters, which often suffer from default unauthenticated access misconfigurations. MongoDB ships with authorization disabled and requires it to be enabled explicitly; it binds to localhost by default, so the exposure typically comes from a deployment that set bindIp to 0.0.0.0 for the application tier without turning authentication on, leaving the database readable without credentials to anything that can reach it.

No. Our audit scripts are lightweight and read-only. We do not perform stress testing or execute heavy JOIN operations during a configuration review. We typically require a temporary login with VIEW SERVER STATE and VIEW ANY DEFINITION (or the platform equivalent, such as pg_monitor on PostgreSQL or clusterMonitor on MongoDB) to export the configuration data; no permission to read row data is needed, and the login is dropped when the engagement ends.

Yes. A major part of our SQL Server audit involves reviewing stored procedures for SQL injection vulnerabilities and dangerous extended procedures such as xp_cmdshell, which can allow operating system command execution from within the database engine.