Database Security Best Practices and Common Vulnerabilities

This presentation covers database security for developers, with a PostgreSQL focus: best practices, the common database vulnerability lists as ranked in 2010 and in 2018, and concrete countermeasures. It covers overly broad user privileges, SQL injection, audit logging, backup storage, authentication and configuration hardening, data encryption, password policy and denial of service.

  • Security
  • Database
  • Best Practices
  • Common Vulnerabilities
  • Solutions

Uploaded on Mar 05, 2025



Presentation Transcript


  1. Database Security for Developers (Ilya Verbitskiy, WebStoating s.r.o.)

  2. About me: 15 years of experience in the finance and e-commerce fields; co-founder of WebStoating s.r.o.; solutions architecture, system integration and e-commerce.

  3. The cost of bug fixing (bar chart: relative cost on a 0 to 160 scale, rising through the phases Requirements, Design, Code, Test and Production; the final, tallest bar is labelled "We are hacked!")

  4. Common Vulnerabilities (2010)
     • Default, blank, and weak username/password
     • SQL injections
     • Extensive user and group privileges
     • Unnecessarily enabled database features
     • Broken configuration management
     • Buffer overflows
     • Privilege escalation
     • Denial-of-service attacks
     • Unpatched databases
     • Unencrypted sensitive data at rest and in motion

  5. Common Vulnerabilities (2018)
     • Broad user privileges
     • SQL injections
     • Missing audit
     • Insecure backup storage
     • RDBMS vulnerabilities and configuration issues
     • Insecure data processing
     • Weak passwords
     • Denial-of-service attacks

  6. Broad user privileges
     • Principle of least privilege
     • Grant limited permissions to monitoring users
     • Start with read-only access; log database errors within your app; grant CRUD permissions only once they are needed
     • Grant permissions explicitly in your SQL scripts
     • pgTAP (PostgreSQL unit-testing framework)
     • Static code analyzers for ORM code (Roslyn, typescript-parser, Esprima, Acorn, etc.)
     • Row level security
     • sepgsql: label-based mandatory access control built on SELinux
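An added worked example for slide 6 (this is not code from the slides): the grants are spelled out in the SQL script rather than left to defaults, the application role starts read only, monitoring gets only the predefined `pg_monitor` role, and a row-level security policy keeps tenants apart. The database objects, role names, the `app.tenant_id` setting and the passwords are assumptions made for the demo.

```sql
-- Added example, not from the presentation: explicit least-privilege grants
-- plus a row-level security policy. Table, role and setting names are assumed.
CREATE TABLE orders (
    id        serial  PRIMARY KEY,
    tenant_id int     NOT NULL,
    total     numeric NOT NULL
);

-- Roles with no implicit rights; the app starts read only and is promoted later.
CREATE ROLE app_readonly NOLOGIN;
CREATE ROLE app_writer   NOLOGIN;
CREATE ROLE web_app      LOGIN PASSWORD 'replace-me';   -- constructed value
CREATE ROLE monitoring   LOGIN PASSWORD 'replace-me';   -- constructed value

-- Close the default CREATE-on-public hole, then grant explicitly.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_readonly, app_writer;
GRANT SELECT ON orders TO app_readonly;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_writer;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_writer;  -- INSERT needs the serial
GRANT app_readonly TO web_app;       -- later, once needed: GRANT app_writer TO web_app;
GRANT pg_monitor   TO monitoring;    -- stats views only, no table data (PostgreSQL 10+)

-- Row level security: each tenant sees only its own rows, the policy also binds
-- the table owner (FORCE), and an unset tenant setting yields no rows, not all rows.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE  ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON orders
    USING (tenant_id = current_setting('app.tenant_id', true)::int);
-- The application runs, per transaction: SET LOCAL app.tenant_id = '42';

-- Check: who holds write privileges on orders?
SELECT grantee, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_name = 'orders'
AND    privilege_type IN ('INSERT', 'UPDATE', 'DELETE');
```

Two caveats worth knowing: superusers and roles with `BYPASSRLS` are never filtered by the policy, so the application must not connect as either; and the `information_schema` check only lists direct grants, so membership chains such as `web_app` inheriting from `app_writer` have to be followed through `pg_auth_members` as well.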

  7. SQL injections
     • Injections in client code
     • Injections in dynamic SQL statements inside stored procedures
     • Injections in a connection string
     • Injections in ORM queries
     • Tools: sqlmap
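The second bullet of slide 7 is the one developers most often miss: parameterising the client query does nothing if the stored procedure then concatenates the parameter into dynamic SQL. The added example below (not from the slides; table, function and column names are assumptions) shows that function vulnerable, the payload that widens its result, and the fix with `EXECUTE ... USING`, plus `format('%I')` for the case where an identifier rather than a value must be dynamic.

```sql
-- Added example, not from the presentation: injection through dynamic SQL in a
-- PL/pgSQL function, then the bound-parameter fix. Objects are constructed for the demo.
CREATE TABLE accounts (
    id       serial  PRIMARY KEY,
    username text    NOT NULL,
    balance  numeric NOT NULL
);
INSERT INTO accounts (username, balance) VALUES ('alice', 100), ('bob', 50);

-- VULNERABLE: the caller's string becomes part of the statement text.
CREATE OR REPLACE FUNCTION get_balance_unsafe(p_user text)
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = ''' || p_user || '''';
END $$;

-- The payload closes the literal and appends a tautology; every row comes back,
-- even though the client bound p_user as a proper parameter.
SELECT * FROM get_balance_unsafe('x'' OR ''1''=''1');
-- Statement actually run: SELECT * FROM accounts WHERE username = 'x' OR '1'='1'

-- FIXED: the value travels as a bound parameter; the statement text is constant.
CREATE OR REPLACE FUNCTION get_balance(p_user text)
RETURNS SETOF accounts LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM accounts WHERE username = $1' USING p_user;
END $$;

-- Same payload now matches no row.
SELECT * FROM get_balance('x'' OR ''1''=''1');

-- Values can be bound, identifiers cannot: when a table name must be dynamic,
-- let format('%I') quote it instead of concatenating.
CREATE OR REPLACE FUNCTION count_rows(p_table text)
RETURNS bigint LANGUAGE plpgsql AS $$
DECLARE n bigint;
BEGIN
    EXECUTE format('SELECT count(*) FROM %I', p_table) INTO n;
    RETURN n;
END $$;
```

The same rule applies to the other three bullets: client code and ORM escape hatches (raw SQL, `WHERE` fragments built from strings) need bound parameters, and a libpq or JDBC connection string must never be assembled from user-controlled fields, since a stray `dbname=` or `options=` token there rewrites where and how the client connects.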

  8. Missing audit
     • PostgreSQL error reporting and logging
     • Windows Event Log
     • pgAudit (statement classes: READ, WRITE, FUNCTION, ROLE, DDL, MISC)
     • pgAudit Analyze
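An added configuration example for slide 8 (not from the slides): pgAudit's two modes, session logging by statement class for everyone and object logging of reads on one sensitive table through a dedicated audit role. It assumes pgAudit is installed and preloaded; the `accounts` table and the `auditor` role name are assumptions.

```sql
-- Added example, not from the presentation. Prerequisite in postgresql.conf,
-- followed by a restart:  shared_preload_libraries = 'pgaudit'
CREATE EXTENSION IF NOT EXISTS pgaudit;

-- Session audit logging: every WRITE, DDL and ROLE statement from every session.
-- READ is left out here because logging every SELECT is usually too noisy.
ALTER SYSTEM SET pgaudit.log = 'write, ddl, role';
ALTER SYSTEM SET pgaudit.log_relation  = on;   -- one entry per relation touched
ALTER SYSTEM SET pgaudit.log_parameter = off;  -- keep bound values (passwords, keys) out of the log
SELECT pg_reload_conf();

-- Object audit logging: reads of specific tables only. pgAudit logs a statement
-- when the audit role holds the matching privilege on the object, so grants on
-- this role define exactly what is audited.
CREATE ROLE auditor NOLOGIN;
ALTER SYSTEM SET pgaudit.role = 'auditor';
SELECT pg_reload_conf();
GRANT SELECT ON accounts TO auditor;           -- from now on, SELECTs on accounts are logged

-- Check the effective settings.
SELECT name, setting FROM pg_settings WHERE name LIKE 'pgaudit.%';
```

Entries land in the normal server log prefixed with `AUDIT: SESSION,...` or `AUDIT: OBJECT,...` followed by the class, command, object type, object name and statement text, which is what pgAudit Analyze parses. Ship that log off the database host: an attacker who reaches the server can otherwise edit the only record of what they did.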

  9. Insecure backup storage
     • Backup and recovery procedures are periodically tested.
     • Backup retention intervals are documented and sufficient to meet the business needs.
     • Make sure that backups are encrypted and that decryption keys are not stored together with the backups.
     • Make sure you remove sensitive data from development and staging databases.

  10. Insecure backup storage: encrypt the dump to a public key, so that only the recipient certificate has to be present on the backup host and the private key can be kept elsewhere.

      pg_dump DATABASE | bzip2 | openssl smime -encrypt -aes256 -binary \
          -outform DER -out DATABASE.sql.bz2.enc PUBLIC_KEY.pem.pub

      openssl smime -decrypt -in DATABASE.sql.bz2.enc -binary -inform DER \
          -inkey PRIVATE_KEY.pem | bzcat > DATABASE.sql

      Note that `openssl smime -encrypt` expects its recipient argument to be an X.509 certificate (for example one produced with `openssl req -x509`), not a bare public key file, and that the restore command must be exercised regularly: an encrypted backup whose private key has been lost is not a backup.

  11. Vulnerabilities and configuration issues
     • Apply all new security patches as soon as possible, and never later than a month after release
     • Firewall
     • pg_hba.conf: disable all trust connections; use strong authentication (scram-sha-256 from PostgreSQL 10 on, gss, ldap, radius, cert); accept connections only from allowed IP ranges
     • Use SSL/TLS connections
     • Anti-virus
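Two checks a practitioner would run against the slide 11 items, added here as an example that is not part of the presentation. The first reads the server's own view of pg_hba.conf and flags rules that accept any address, trust the client, or still use md5; the second lists live remote sessions that are not using TLS. Both need a superuser (or, from PostgreSQL 15, a grant on `pg_hba_file_rules`); the addresses in the comments are constructed.

```sql
-- Added example, not from the presentation. The pg_hba.conf lines the first
-- query is meant to catch, and the shape they should take instead (constructed):
--   host    all all 0.0.0.0/0    trust            -- anyone, no password at all
--   host    all all 0.0.0.0/0    md5              -- any address, weak hash, TLS optional
--   hostssl all all 10.0.1.0/24  scram-sha-256    -- TLS required, source subnet limited
--   hostssl all all 10.0.1.0/24  cert             -- client certificate authentication

-- Rules that are too permissive, plus lines the parser rejected (a rejected
-- file is not loaded, so the previously loaded rules silently stay in force).
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM   pg_hba_file_rules
WHERE  auth_method IN ('trust', 'md5', 'password')
   OR  type = 'host'                          -- TLS optional; should be hostssl
   OR  address IN ('0.0.0.0', '::', 'all')    -- any source address
   OR  error IS NOT NULL;

-- Is TLS enabled at all, and which remote sessions are still in cleartext?
SHOW ssl;
SELECT a.pid, a.usename, a.client_addr, s.ssl, s.version, s.cipher
FROM   pg_stat_activity a
JOIN   pg_stat_ssl      s USING (pid)
WHERE  a.client_addr IS NOT NULL        -- Unix-socket sessions have no address
AND    NOT s.ssl;
```

A `hostssl` rule only forces encryption; it does not make the client verify the server. Clients should additionally set `sslmode=verify-full` (libpq) so a connection cannot be redirected to an impostor that presents any certificate.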

  12. Insecure data processing
     • Password authentication with SCRAM or MD5: the client hashes the password before it is sent across the network, so the cleartext never travels (unlike the plain `password` method)
     • Encryption for specific columns: pgcrypto
     • Data partition encryption: eCryptfs, EncFS (Linux), EFS (Windows), etc.

  13. Insecure data processing
     • Encrypting data across the network: in pg_hba.conf, `host` accepts both plain and SSL connections, `hostssl` requires SSL
     • Certificate authentication
     • Client-side encryption: the server only ever sees ciphertext, at the price of no indexing, no searches and no calculations on the encrypted values
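An added example for the pgcrypto bullet of slide 12 and the trade-off listed on slide 13 (not code from the presentation): a column encrypted with `pgp_sym_encrypt`, the key supplied per session by the application rather than stored in the database, and the query that shows why the encrypted column cannot be indexed or searched. The table, the `app.data_key` setting and the sample values are constructed.

```sql
-- Added example, not from the presentation: column encryption with pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customers (
    id    serial PRIMARY KEY,
    email text   NOT NULL,      -- searchable, left in clear
    ssn   bytea  NOT NULL       -- pgp_sym_encrypt output
);

-- The key comes from the application as a session setting, so it is never
-- persisted in the database. Constructed key and data for the demo:
SET app.data_key = 'correct horse battery staple';   -- in practice fetched from a KMS
INSERT INTO customers (email, ssn) VALUES
    ('alice@example.com', pgp_sym_encrypt('123-45-6789', current_setting('app.data_key'))),
    ('bob@example.com',   pgp_sym_encrypt('987-65-4321', current_setting('app.data_key')));

-- Reading back needs the key; without it the column is opaque bytes.
SELECT email, pgp_sym_decrypt(ssn, current_setting('app.data_key')) AS ssn
FROM   customers
WHERE  email = 'alice@example.com';

-- The cost named on slide 13: no index, no search, no arithmetic on ciphertext.
-- This has to decrypt every row, and an equality test on the bytea itself would
-- never match because each pgp_sym_encrypt call uses a fresh random session key.
SELECT count(*)
FROM   customers
WHERE  pgp_sym_decrypt(ssn, current_setting('app.data_key')) LIKE '123-%';
```

Because the key is passed as a literal, it is exposed to `log_statement`, `log_min_duration_statement` and pgAudit with `log_parameter` on. Pass it as a bound parameter (`SELECT set_config('app.data_key', $1, true)`) and keep parameter logging off for that connection, or move the encryption fully to the client as slide 13 describes, which keeps the key off the database host entirely.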

  14. Weak passwords
     • Password expiry: `ALTER ROLE name VALID UNTIL 'timestamp';`
     • passwordcheck module; CrackLib integration requires editing the module's Makefile and recompiling it
     • External authentication: Kerberos, LDAP, RADIUS, PAM
     • auth_delay module (slows down brute-force login attempts)
     • Tools: Metasploit, MDCrack
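An added example that ties the slide 14 items together with the SCRAM point from slide 12 (not code from the presentation): the server is switched to SCRAM-SHA-256 hashing, a role is given an expiry, passwordcheck rejects a weak password, and a final query finds login roles with no expiry, an expired one, or a hash still in MD5. The role name and passwords are constructed; the two contrib modules are set in postgresql.conf, not in SQL.

```sql
-- Added example, not from the presentation. In postgresql.conf (restart required):
--   shared_preload_libraries = 'passwordcheck, auth_delay'
--   auth_delay.milliseconds  = 2000      -- pause after every failed login attempt

-- Store new passwords as SCRAM-SHA-256 rather than MD5 (PostgreSQL 10+).
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Expiry: the role cannot log in after this instant (constructed role and date).
ALTER ROLE web_app VALID UNTIL '2025-12-31 23:59:59+00';

-- With passwordcheck loaded this is rejected: shorter than 8 characters and letters only.
ALTER ROLE web_app PASSWORD 'abc';
-- Accepted: 8+ characters, both letters and non-letters, does not contain the role name.
ALTER ROLE web_app PASSWORD 'n0t-the-r0le-n4me!';

-- Check (superuser, pg_authid holds the hashes): login roles that never expire,
-- have already expired, or still carry an MD5 hash and need a password reset.
SELECT rolname, rolvaliduntil,
       CASE WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram'
            ELSE 'none' END AS hash
FROM   pg_authid
WHERE  rolcanlogin
AND   (rolvaliduntil IS NULL OR rolvaliduntil < now() OR rolpassword LIKE 'md5%');
```

Changing `password_encryption` does not rehash existing passwords; each role must have its password set again for the MD5 entries to disappear, which is why the query lists them. passwordcheck can only judge a password it sees in clear: a client that sends an already hashed value (psql's `\password`, for instance) bypasses the check, so the policy still needs enforcement on the provisioning side.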

  15. Denial-of-service attacks
     • Install the latest patches
     • Firewall
     • Anti-DDoS solutions

  16. Summary
     • Install all security updates
     • Principle of least privilege
     • Firewall and pg_hba.conf
     • Implement a password policy
     • SQL injections are not just about SQL
     • pgAudit
     • Encrypt backups; test backup and recovery procedures
     • Encrypt your data

  17. Thank you! https://verbitskiy.co/ Twitter: @ilich_x86 GitHub: https://github.com/ilich
