Securing Databases | Database Security

Course Code: 1318

Securing Databases | Database Security

Learn how to identify common vulnerabilities in databases and how to implement defenses against them

Course Code : 1318

Overview
Schedule classes
What you'll learn
Outline
Prerequisites
Who should attend

Overview

This course equips participants with the skills they need to recognize actual and potential database vulnerabilities, implement defenses against them, and also test if those defenses are sufficient. During the course, participants are introduced to common security vulnerabilities faced by databases, and each of these vulnerabilities is examined from a database perspective. The course discusses the threat and attack mechanisms, how to recognize associated vulnerabilities and how to design, implement and test effective defenses. The course encompasses practical demonstrations and exercises to ensure that participants get a thorough understanding of the concepts discusses in the course.

Schedule Classes

Looking for more sessions of this class?

Course Delivery

This course is available in the following formats:

Live Classroom
Duration: 5 days

Live Virtual Classroom
Duration: 5 days

What You'll learn

Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
Test databases with various attack techniques to determine the existence of and effectiveness of layered defenses
Prevent and defend the many potential vulnerabilities associated with untrusted data
Understand the concepts and terminology behind supporting, designing, and deploying secure databases
Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
Understand the currently accepted best practices for supporting the many security needs of databases.
Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
Detect, attack, and implement defenses for authentication and authorization functionality
Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
Detect, attack, and implement defenses against XSS and Injection attacks
Understand the concepts and terminology behind defensive, secure, coding
Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
Perform both static reviews and dynamic database testing to uncover vulnerabilities
Design and develop strong, robust authentication and authorization implementations
Understand the fundamentals of Digital Signatures as well as how it can be used as part of the defensive infrastructure for data
Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data

Outline

Module 1: Foundation

Who is safe?
- The assumptions we make
- Security: The complete picture
- Anthem, Sony, Target, Heartland and TJX Debriefs
- Verizon’s 2017 data breach report
- Attack patterns and recommendations
Security concepts
- Motivations: Costs and standards
- Open web application security project
- Web application security consortium
- CERT secure coding standards
- Microsoft SDL
- Assets and trust boundaries
- Threat modelling
Principles of information security
- Security is a lifecycle issue
- Minimize attack surface area
- Layers of defense: Tenacious D
- Compartmentalize
- Consider all application states
- Do not trust the Untrusted

Module 2: Database security vulnerabilities

Database security concerns
- Data at rest and in motion
- Privilege management
- Boundary defenses
- Continuity of service
- Trusted recovery
Vulnerabilities
- Unvalidated input
- Broken authentication
- Cross site scripting (XSS/CSRF)
- Injection flaws
- Error handling, logging and information leakage
- Insecure storage
- Direct object access
- XML vulnerabilities
- Web services vulnerabilities
- Ajax vulnerabilities
Cryptography overview
- Strong encryption
- Message directs
- Keys and key management
- Certificate management
- Encryption/Decryption
Database security
- Design and configuration
- Identification and authentication
- Computing environment
- Database auditing
- Boundary defenses
- Continuity of service
- Vulnerability and incident management
Understanding what’s important
- Common vulnerabilities and exposures
- OWASP 2017 top 10
- CWE/SANS Top 25 most dangerous SW errors
- Monster mitigations
- Strength training: Project teams/developers
- Strength training: IT organizations

Module 3: Secure Development Lifecycle (SDL)

SDL process overview
- Types of security controls
- Phases of typical data-oriented attack
- Phases: Offensive actions and defensive controls
- Security lifecycle activities
Applying processes and practices
- Threat modeling process
- Modeling assets and trust boundaries
- Modeling data flows
Risk analysis
- Identifying threats
- Relating threats to models
- Mitigating threats
- Reviewing the application

Module 4: Security testing

Testing tools and processes
- Security testing principles
- Dynamic analyzers
- Static code analyzers
- Criteria for selecting static analyzers
Testing practices
- OWASP web app penetration testing
- Authentication testing
- Session management testing
- Data validation testing
- Denial of service testing
- Web service testing
- Ajax testing

Prerequisites

Participants need to be familiar with databases, and have some experience working with them.

Who Should Attend

This is an intermediate-level database course, designed for participants who seek to get up and running on developing well defended database applications.

The course is highly recommended for –