The work presented in [2] describes a set of use-cases
and generic scenarios for the application of best practices to
develop security appraisals. The approach proposed in [2]
was used to define the concrete appraisal as described in [1].
The tool is composed of the security practices and a set of tests
to verify their correct implementation in a given installation.
The problem is that these works focus on the assessment of
the final configuration of a database engine (i.e., the
mechanism and parameters implemented in a concrete
installation) and target only the DBMS, disregarding the
other software components needed to run a database server.
Additionally, they ignore the initial phase of selecting the set
of software products that best fit the installation
requirements, and the method clearly cannot be used to
address this problem, which calls for a different approach.