Database security: At rest, but not at risk

30.07.2012

A common complaint with scanners is that they return an unmanageable number of results. Shaul suggests starting with the easiest parameters to manage, such as blank passwords, and then moving to another issue, such as default passwords. "Every time you run through the scanning process, you should bite off manageable chunks so you get 12 results, not 10,000."

Hortobagyi would like vulnerability scanners to give results with business context, such as which databases are critical or high-risk. "I need to collate these databases to lines of business, applications and business owners so I can take appropriate actions and know which people to notify."

Another challenge is managing the output of scanner reports, especially when a vulnerability, such as a missing patch, cannot be addressed right away, he says. Most systems allow you to add comments and suppress notification of known vulnerabilities so you're not seeing repetitive alerts. But Hortobagyi would like to record progress on vulnerabilities over time. "It's not enough to get a point-in-time view; we need an actual process for vulnerability management and a way to oversee it," he says.
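The three wishes above (bite-sized chunks worked easiest-first, business context on every finding, and a record of progress and suppressions across scans rather than a point-in-time view) amount to a small triage workflow. The script below is an added illustration of that workflow, not code from the article, from Shaul or Hortobagyi, or from any scanner vendor: the finding records, the asset inventory and the field names are constructed, and real scanners export their own schema.

```python
"""Triage for database vulnerability-scanner output: bite-sized chunks,
business context, suppression with an expiry, and progress across scans.
Added illustration; not any vendor's scanner, report format or tool."""
from datetime import date, timedelta

# Constructed scanner findings (field names are an assumption; real scanners
# use their own schema). One record per database, check and affected item.
DAY1, DAY2 = date(2012, 7, 1), date(2012, 7, 8)
SCAN_DAY1 = [
    {"db": "orders-prod", "check": "blank_password", "item": "report"},
    {"db": "orders-prod", "check": "default_password", "item": "sa"},
    {"db": "orders-prod", "check": "missing_patch", "item": "quarterly update"},
    {"db": "hr-dev", "check": "blank_password", "item": "test"},
    {"db": "hr-dev", "check": "missing_patch", "item": "quarterly update"},
    {"db": "crm-prod", "check": "default_password", "item": "admin"},
]
# Second scan a week later: the blank password on orders-prod has been fixed.
SCAN_DAY2 = [f for f in SCAN_DAY1
             if not (f["db"] == "orders-prod" and f["check"] == "blank_password")]

# Constructed asset inventory: the line-of-business / owner / criticality
# context that lets a finding be routed to the right people.
INVENTORY = {
    "orders-prod": {"lob": "Retail", "owner": "dba-retail@example.com", "criticality": "high"},
    "hr-dev":      {"lob": "HR",     "owner": "dba-hr@example.com",     "criticality": "low"},
    "crm-prod":    {"lob": "Sales",  "owner": "dba-sales@example.com",  "criticality": "high"},
}
UNMAPPED = {"lob": "unmapped", "owner": "", "criticality": "high"}  # nobody owns it: escalate

# Work the cheapest class of finding first (blank, then default passwords,
# then patching), so each pass yields a manageable chunk.
CHECK_ORDER = ["blank_password", "default_password", "missing_patch"]
RANK = {"high": 0, "medium": 1, "low": 2}


def finding_key(f):
    return (f["db"], f["check"], f["item"])


def ingest(tracker, findings, scan_date):
    """Merge one scan into the tracker. New keys get first_seen; keys seen again
    get last_seen refreshed (and are reopened if previously resolved); open keys
    missing from this scan are marked resolved on this scan's date."""
    seen = set()
    for f in findings:
        k = finding_key(f)
        seen.add(k)
        rec = tracker.setdefault(k, {"first_seen": scan_date, "last_seen": scan_date,
                                     "resolved_on": None, "suppressed_until": None,
                                     "reason": None})
        rec["last_seen"] = scan_date
        rec["resolved_on"] = None            # present again, so not resolved
    for k, rec in tracker.items():
        if k not in seen and rec["resolved_on"] is None:
            rec["resolved_on"] = scan_date
    return tracker


def suppress(tracker, key, reason, until):
    """Mute a known finding until a date, recording why, instead of deleting it."""
    tracker[key]["suppressed_until"] = until
    tracker[key]["reason"] = reason


def status(rec, today):
    if rec["resolved_on"] is not None:
        return "resolved"
    if rec["suppressed_until"] is not None and rec["suppressed_until"] >= today:
        return "suppressed"
    return "open"                            # includes expired suppressions


def next_chunk(tracker, inventory, today):
    """The next manageable chunk: every open finding of the first check class
    in CHECK_ORDER that still has any, highest business criticality first,
    annotated with line of business and the owner to notify."""
    for check in CHECK_ORDER:
        chunk = []
        for (db, chk, item), rec in tracker.items():
            if chk != check or status(rec, today) != "open":
                continue
            ctx = inventory.get(db, UNMAPPED)
            chunk.append({"db": db, "check": chk, "item": item, "lob": ctx["lob"],
                          "owner": ctx["owner"], "criticality": ctx["criticality"],
                          "open_since": rec["first_seen"]})
        if chunk:
            return sorted(chunk, key=lambda c: (RANK[c["criticality"]], c["db"]))
    return []


def progress(tracker, today):
    """Counts over the whole finding history, not just the latest scan."""
    counts = {"open": 0, "suppressed": 0, "resolved": 0}
    for rec in tracker.values():
        counts[status(rec, today)] += 1
    return counts


def demo():
    tracker = {}
    ingest(tracker, SCAN_DAY1, DAY1)
    ingest(tracker, SCAN_DAY2, DAY2)
    suppress(tracker, ("hr-dev", "missing_patch", "quarterly update"),
             "waiting for change window", DAY2 + timedelta(days=30))
    return next_chunk(tracker, INVENTORY, DAY2), progress(tracker, DAY2)


if __name__ == "__main__":
    chunk, counts = demo()
    for c in chunk:
        print(f"{c['criticality']:<5} {c['db']:<12} {c['check']:<17} notify {c['owner']}")
    print(counts)
```

Two design points matter more than the code: a suppression carries a reason and an expiry, so a deferred patch resurfaces instead of silently vanishing, and a finding's identity is the (database, check, item) triple, so the same issue keeps one record across scans and a fix that regresses is reopened rather than counted as new. Databases missing from the inventory are ranked as high criticality on purpose: an asset nobody claims is the one least likely to be fixed.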


One promising development is the compensating controls that some vendors offer, which protect the database while vulnerabilities are being fixed. Application Security's virtual patching, for instance, monitors unpatched databases for attempts to use known exploits, Hortobagyi says.