SQL injection
Based on: http://www.darkreading.com/security/encryption/211201064/index.html
Top Six Database Attacks [2]
Cracking username/password
Not changing the default password is a disaster
It is also better to change passwords periodically
Privilege Escalation
Give the right person the right privilege
Avoid giving a low-level user access to the whole database (even read-only access)
SQL Injection
Old but still widely used attack
Usually exploits weaknesses in the web application
Result of poor practice in application development
Use statement binding (bound parameters) to keep user input from being interpreted as SQL
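As an added illustration of the last two points (not code from the slides or from the cited article), here is a deliberately vulnerable login query beside its bound form, run against an in-memory SQLite table constructed for the demo. The table, the accounts, the payload and the function names are assumptions; SQLite is used only so the example runs offline, the binding idea is the same for MySQL or Oracle drivers.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database.
    Passwords are stored in clear only to keep the demo short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable: input is concatenated into the SQL text,
    so quotes in the input change the statement itself."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_bound(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Statement binding: the SQL text is fixed and the values travel separately,
    so the driver never parses user input as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run both versions with a normal login and with the textbook tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1' when concatenated
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "legit_bound": login_bound(conn, "bob", "hunter2"),
        "attack_vulnerable": login_vulnerable(conn, "x", payload),
        "attack_bound": login_bound(conn, "x", payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every row for the payload because `AND` binds tighter than `OR`, so the clause becomes `(username = 'x' AND password = '') OR '1'='1'`; the bound version compares the password column against the literal string and returns nothing.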
Case Study
Security Checklists [1]
Accounts
Lock and Expire Unused Accounts
Define a user account naming standard
Define and Enforce a Good Password Policy
Roles
Be careful when creating a new role, and give it a meaningful name
All user accounts should be assigned to a specific role with minimal privileges
Revoke any unnecessary permissions
Security Checklists [3]
DBA Role
Enable data protection to prevent users from accessing sensitive tables
Use a secure PL/SQL coding standard, to ensure developers write secure PL/SQL programs
Perform security audits regularly
Before installing the database, use a checklist of what is needed and what is not
Install patches as soon as possible
Case Study
Security Checklists [1]
Background
Since MySQL is open source, there are many resources on the Internet for finding bugs and patches
Stay tuned to MySQL security issues and MySQL updates
Routine Audit
Check logs for common SQL injection patterns
Audit the users and check the granted privileges
Check the users' password hashes to double-check password patterns
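An added example (not from the slides) of the two audit routines above, which also covers the earlier Oracle checklist items on roles with minimal privileges and revoking unnecessary permissions. It scans a few constructed lines in the style of the MySQL general query log for common injection shapes, then compares a constructed snapshot of accounts (as one would collect from SHOW GRANTS, plus last login) against the privilege set each role is meant to have. The log lines, accounts, role policy, regexes and function names are assumptions; the patterns are a triage aid, not a complete injection detector.

```python
import re
from datetime import date

# Constructed sample, in the style of a MySQL general query log. Three of the
# five lines carry common injection shapes; the other two are ordinary queries.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z   12 Query   SELECT * FROM users WHERE id = 42
2024-03-01T10:00:02Z   12 Query   SELECT * FROM users WHERE name = 'x' OR '1'='1'
2024-03-01T10:00:03Z   13 Query   SELECT id FROM orders WHERE id = 7 UNION SELECT password FROM users
2024-03-01T10:00:04Z   13 Query   UPDATE users SET email = 'a@example.com' WHERE id = 5
2024-03-01T10:00:05Z   14 Query   SELECT 1; DROP TABLE audit
"""

# Shapes worth a second look: a tautology after OR, a UNION that pulls in another
# table, and a second statement stacked after a semicolon.
INJECTION_PATTERNS = [
    ("tautology", re.compile(r"\bOR\b\s*'?(\w+)'?\s*=\s*'?\1'?", re.I)),
    ("union_select", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("stacked_statement", re.compile(r";\s*(?:DROP|DELETE|INSERT|UPDATE|ALTER)\b", re.I)),
]


def scan_log(text: str) -> list:
    """Return (line_number, pattern_name, line) for each line matching a pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in INJECTION_PATTERNS:
            if pat.search(line):
                hits.append((n, name, line.strip()))
                break  # one finding per line is enough for triage
    return hits


# Constructed snapshot of accounts and the privilege set each role should have.
ROLE_POLICY = {
    "app_reader": {"SELECT"},
    "app_writer": {"SELECT", "INSERT", "UPDATE", "DELETE"},
}
ACCOUNTS = [
    {"user": "report@10.0.0.5", "role": "app_reader", "grants": {"SELECT"},
     "last_login": date(2024, 2, 20)},
    {"user": "web@10.0.0.7", "role": "app_writer",
     "grants": {"SELECT", "INSERT", "UPDATE", "DELETE", "FILE"},
     "last_login": date(2024, 2, 28)},
    {"user": "olduser@%", "role": "app_reader", "grants": {"SELECT"},
     "last_login": date(2023, 6, 1)},
]
AUDIT_DATE = date(2024, 3, 1)  # constructed "today" for the idle-account check


def audit_accounts(accounts: list, policy: dict, today: date, max_idle_days: int = 90) -> list:
    """Flag grants beyond the role's policy (candidates for REVOKE), accounts idle
    long enough to lock, and accounts not restricted to a specific host."""
    findings = []
    for a in accounts:
        extra = a["grants"] - policy[a["role"]]
        if extra:
            findings.append((a["user"], "excess_privileges", sorted(extra)))
        idle = (today - a["last_login"]).days
        if idle > max_idle_days:
            findings.append((a["user"], "idle_account", idle))
        if a["user"].endswith("@%"):
            findings.append((a["user"], "unrestricted_host", "%"))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("log:", hit)
    for finding in audit_accounts(ACCOUNTS, ROLE_POLICY, AUDIT_DATE):
        print("account:", finding)
```

Every hit from the log scan still needs a human look, since a legitimate query can contain a UNION or an OR; the value of the routine is that it narrows a large log to a handful of lines.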
Security Checklists [2]
MySQL Users
Use strong passwords
Rename the root MySQL user to something obscure
Restrict MySQL users by IP address and password
Never give anyone access to the mysql.user table
MySQL Configuration
Enable logging via the --log option
Disallow the use of symbolic links
Remove the default test database
Ensure MySQL traffic is encrypted
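An added example (not from the slides) that audits a my.cnf file for the three items on this slide that are visible in the configuration: logging, symbolic links and encrypted traffic (removing the test database is a change in the server, not in the file). The two configurations are constructed; the option names are real MySQL options, with the caveat that the slide's `--log` is the older spelling of the general query log, which later releases configure as `general_log`, so the audit accepts either. The function names are assumptions.

```python
import configparser

# Constructed sample configurations: one as installed, one after the checklist.
WEAK_CNF = """\
[mysqld]
datadir=/var/lib/mysql
symbolic-links=1
"""

HARDENED_CNF = """\
[mysqld]
datadir=/var/lib/mysql
general_log=1
general_log_file=/var/log/mysql/query.log
skip-symbolic-links
require_secure_transport=ON
"""


def load_cnf(text: str) -> configparser.SectionProxy:
    """Parse my.cnf text; bare flags such as skip-symbolic-links carry no value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        cp.add_section("mysqld")
    return cp["mysqld"]


def enabled(section: configparser.SectionProxy, key: str) -> bool:
    """A bare flag (value None) or a value of 1/ON/TRUE counts as enabled."""
    if key not in section:
        return False
    value = section[key]
    return value is None or value.strip().upper() in ("1", "ON", "TRUE")


def audit_cnf(text: str) -> list:
    """Return the names of the checklist items the configuration fails."""
    m = load_cnf(text)
    findings = []
    # logging: the legacy "log" option or the current "general_log"
    if not (enabled(m, "log") or enabled(m, "general_log")):
        findings.append("logging_disabled")
    # symbolic links: either the skip flag, or symbolic-links explicitly set to 0
    symlinks_off = enabled(m, "skip-symbolic-links") or (
        "symbolic-links" in m and (m["symbolic-links"] or "").strip() == "0"
    )
    if not symlinks_off:
        findings.append("symbolic_links_allowed")
    # encrypted traffic: refuse plaintext client connections
    if not enabled(m, "require_secure_transport"):
        findings.append("unencrypted_traffic_allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit_cnf(WEAK_CNF))
    print("hardened:", audit_cnf(HARDENED_CNF))
```

`require_secure_transport` only refuses unencrypted connections; the server still needs a certificate and key configured for TLS to be offered at all, which this file-level check does not verify.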
Security Checklists [3]
Operating System
Turn off unnecessary services or daemons
Ensure MySQL data files cannot be read by users other than the root or Administrator account
Use a low-privileged MySQL account to run the MySQL daemon
Ensure MySQL users cannot access files outside of a limited set of directories
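An added example (not from the slides) for the first item on this slide: walk a data directory and report files that are readable by group or others, or owned by an account outside an allowed set. The directory and its files are constructed in a temporary location so the check runs offline; on a real server the allowed set would hold the uid of the account the daemon runs as. Function names are assumptions.

```python
import os
import stat
import tempfile


def permission_findings(path: str, allowed_uids: set) -> list:
    """Problems for one file: mode bits that let group/others read it,
    or an owner outside the allowed set."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable_by_others")
    if st.st_uid not in allowed_uids:
        problems.append("unexpected_owner")
    return problems


def audit_datadir(datadir: str, allowed_uids: set) -> list:
    """Return (relative_path, problem) for every file under datadir that fails."""
    findings = []
    for root, _dirs, files in os.walk(datadir):
        for name in files:
            path = os.path.join(root, name)
            for problem in permission_findings(path, allowed_uids):
                findings.append((os.path.relpath(path, datadir), problem))
    return sorted(findings)


def demo() -> list:
    """Constructed data directory: one correctly protected table file and one
    left readable by everyone, as a default umask often leaves it."""
    with tempfile.TemporaryDirectory() as datadir:
        dbdir = os.path.join(datadir, "appdb")
        os.mkdir(dbdir)
        good = os.path.join(dbdir, "users.ibd")
        bad = os.path.join(dbdir, "orders.ibd")
        for path in (good, bad):
            with open(path, "wb") as f:
                f.write(b"\x00" * 16)
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        owner = os.stat(datadir).st_uid  # the account that created the sample tree
        return audit_datadir(datadir, {owner})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check looks at mode bits and ownership only; directories with permissive modes, ACLs, and the parent directory chain are left to the reader, and the result depends on a POSIX filesystem.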