Database & Application Security
Presented by
Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
Objective
● Concept of database security
● Security risks to database systems
● Example of enforcing security in the DB layer
● Web application architecture
● Web server / application server security
● Application security
● Reverse proxy as a security tool
Database Security
● Database security is concerned with protecting databases against compromises of their confidentiality, integrity and availability (CIA).
● The scope potentially includes:
– the data
– the database applications or stored functions
– the database systems
– the database servers
– the associated network links
Security risks to database systems
● Unauthorized or unintended activity or misuse by authorized database users
● Malware infections causing incidents
● SQL injection
● Overloads, performance constraints and capacity issues
● Physical damage to database servers
● Design flaws, programming bugs and backdoors
● Data corruption and/or loss
Access Issue
● DBAs hold every kind of privilege – the control here is trust and ethics
● Excessive privileges granted to the application user
● DBA role granted to the application user
● Default profile left in place
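The two access issues on this slide, a DBA role or broad "ANY" privileges held by an application account, can be found in the Oracle data dictionary and corrected with a least-privilege role. The following is an added example, not from the original slides; the account APP_USER, the schema APP_SCHEMA, its tables and the role name are assumed placeholders.

```sql
-- Added example (not from the original slides): find application accounts
-- that hold the DBA role or broad system privileges, then trim them back.
-- app_user, app_schema, orders and products are assumed placeholders.

-- 1. Who holds the DBA role directly? (grantee names are upper case in the dictionary)
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- 2. Which non-default accounts hold "ANY" system privileges?
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, privilege;

-- 3. Remediation: a role that grants only what the application executes,
--    granted in place of DBA
CREATE ROLE app_runtime_role;
GRANT CREATE SESSION TO app_runtime_role;
GRANT SELECT, INSERT, UPDATE ON app_schema.orders   TO app_runtime_role;
GRANT SELECT                 ON app_schema.products TO app_runtime_role;

REVOKE DBA FROM app_user;
GRANT app_runtime_role TO app_user;

-- 4. Verify: the application account should now list app_runtime_role only
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';
```

Run the two SELECTs on a schedule as a detection control; any application account appearing in the first result, or any new "ANY" privilege appearing in the second, is a privilege change that should be traceable to a change ticket.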
Database under Firewall
● The DBA defines who can access the database
● The security domain (profile and privileges) defines the settings applied to each user
User Administration
● Create a user
– Apply a password
– Enforce a password reset after first login
– Apply a quota
– Apply a profile
● Restrict a user
– Expire the password
– Lock the account
– Set the quota to zero
– Drop with the CASCADE clause
User Administration
● Default users
– Delete default users / schemas
– Perform password management of the admin account
– Restrict remote login of the admin user
User Administration : Example
create profile developer_profile limit
  sessions_per_user 2
  cpu_per_session 10000
  idle_time 60
  connect_time 480
  failed_login_attempts 3
  password_life_time 30
  password_reuse_time 30
  password_grace_time 5;
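The create/restrict steps from the User Administration slides, applied to one account that uses the developer_profile defined above. This is an added example, not from the original slides; the account name dev_user, the tablespace users, the quota and the initial password are assumed values.

```sql
-- Added example (not from the original slides): one account taken through
-- the user-administration steps. dev_user, the tablespace users, the quota
-- and the initial password are assumed values; developer_profile is the
-- profile created on the previous slide.

-- Create: password, forced reset at first login, quota and profile
CREATE USER dev_user IDENTIFIED BY "Initial#Pass-2024"
  DEFAULT TABLESPACE users
  QUOTA 100M ON users
  PROFILE developer_profile
  PASSWORD EXPIRE;                      -- first login must set a new password

GRANT CREATE SESSION TO dev_user;       -- nothing beyond logging in until needed

-- Restrict: each step is independent and can be applied on its own
ALTER USER dev_user PASSWORD EXPIRE;    -- force a password change
ALTER USER dev_user ACCOUNT LOCK;       -- block all logins
ALTER USER dev_user QUOTA 0 ON users;   -- no new storage

-- Check the resulting state before removing anything
SELECT username, account_status, profile, expiry_date
  FROM dba_users
 WHERE username = 'DEV_USER';

-- Remove the account together with every object it owns
DROP USER dev_user CASCADE;
```

One caveat on the profile itself: Oracle only enforces PASSWORD_REUSE_TIME when PASSWORD_REUSE_MAX is also set to a number; with PASSWORD_REUSE_MAX left at UNLIMITED the old password can be reused immediately, so a profile like developer_profile should set both.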
Monitoring of Database : DB audit
alter system set audit_sys_operations=TRUE scope=SPFILE;
alter system set audit_trail=db_extended scope=SPFILE;
shutdown immediate;
startup;
show parameter audit;
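Setting audit_trail only enables the mechanism; the database still has to be told which actions to record, and the trail has to be read. The following is an added example, not from the original slides, showing statement auditing and two queries over DBA_AUDIT_TRAIL; the thresholds and the 24-hour window are assumed values.

```sql
-- Added example (not from the original slides): choose what to audit once
-- audit_trail=db_extended is active, then read the trail. The 3-failure
-- threshold and the 1-day window are assumed values.

-- Record logons/logoffs, account administration and role/privilege grants
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT SYSTEM GRANT;
AUDIT ROLE;
AUDIT ALTER SYSTEM;

-- Failed logins in the last day, grouped by account and origin host.
-- returncode 1017 is ORA-01017 "invalid username/password".
SELECT username, userhost,
       COUNT(*)       AS failures,
       MAX(timestamp) AS last_failure
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 3
 ORDER BY failures DESC;

-- Account administration with the statement that was run
-- (sql_text is only populated when audit_trail is db_extended)
SELECT timestamp, username, userhost, action_name, obj_name, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER')
 ORDER BY timestamp DESC;
```

Note that records produced by audit_sys_operations (actions performed as SYSDBA/SYSOPER) are written to the operating-system audit directory rather than to DBA_AUDIT_TRAIL, so those files need their own collection and permission review.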
Network Security of Database
● Listener configuration
– Disable the remote listener
– Change the default listener name
– Change the default port
– Use the IP address rather than the hostname
– Remove write permission for other users from the listener files
Network Security of Database
● Multiple services on the same server
● Internet connectivity
● Firewall placement
Web Application
Web Server / Application Server
● Apache
– Apache HTTPD
– Apache Tomcat
● Oracle
– Oracle Application Server
– WebLogic
● IBM
– IBM WebSphere
– IBM HTTP Server
● JBoss
Server Security
● Apache – httpd.conf
ServerSignature Off
ServerTokens Prod
Options -Indexes
# Comment out the LoadModule lines of modules that are not needed:
# mod_imap
# mod_include
# mod_info
# mod_userdir
# mod_autoindex
User and Group set to a dedicated non-root account
Options -FollowSymLinks
Options -ExecCGI
Secure SSL certificate
Server Security
● manager.xml
<!-- allow only LAN IPs to connect to the manager webapp -->
<!-- contrary to the current Tomcat 5.5 documentation the value for allow is not a regular expression -->
<!-- future versions may have to be specified as 192\.168\.1\.* -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="192.168.1.*" />
Application Security
● 37% Cross-site scripting
● 16% SQL injection
● 5% Path disclosure
● 5% Denial-of-service attack
● 4% Arbitrary code execution
● 4% Memory corruption
● 4% Cross-site request forgery
● 3% Data breach (information disclosure)
● 3% Arbitrary file inclusion
● 2% Local file inclusion
● 1% Remote file inclusion
● 1% Buffer overflow
● 15% Other, including code injection (PHP/JavaScript), etc.
Application Security
● Integrate security testing in developers' workflows
– Secure code reviews
– Defect management
● Integrate security testing in testers' workflows
– Test security in integrated application builds
– Validate application security requirements
– Fuzz testing, reverse engineering
– Remediate all high-risk vulnerabilities before release
Reverse Proxy
● Authentication
– Single sign-on
● SSL termination
– Single point of certificate management
– Takes the processing load of encrypting/decrypting HTTPS off the application servers
● URL rewriting
– Hides internal URLs and parameters such as "id=1234"
● Caching
– DDoS prevention
Feedback