Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Web Database Security
Traditionally, databases have been largely secured through hosting server measures and network security measures such as firewalls and network-based intrusion detection systems. As networks are increasingly opened to wider Internet access, databases need more application-level security controls.
Attack Surfaces
Stored data
Web applications using the data
Stored functions
DBMS (database server)
Associated network links
Security Risks
Unauthorized or unintended activity or misuse
Malware infections
Overloads
Physical damage
Design flaws and programming bugs
Data corruption and/or loss
Impacts on Data
Confidentiality
Integrity
Availability
Defense Measures
Separation: between the database and Web servers
Access control: at the network layer, the application layer, and the data layer
Auditing: monitoring and logging files and database transactions for traceability, auditability, and non-repudiation
Data validation: whitelisting, blacklisting, sanitization
Encryption: data, files, backups
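The following is an added example, not code from the course page, showing two of the measures above at the data layer: whitelisting of a user-supplied sort column (an identifier cannot be bound as a query parameter, so it must be validated against a fixed set) and auditing of every data-layer operation. It uses Python's sqlite3 with a constructed in-memory schema; the table and column names are assumptions.

```python
import json
import sqlite3
import time

# Whitelist: the only column names a caller may sort by.
ALLOWED_SORT_COLUMNS = {"name", "price"}


def open_db():
    # Constructed in-memory database standing in for a Web application's data store.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE audit_log(ts REAL, actor TEXT, action TEXT, detail TEXT);
        INSERT INTO product(name, price) VALUES ('pen', 1.5), ('book', 12.0), ('lamp', 30.0);
    """)
    return conn


def audit(conn, actor, action, detail):
    # Auditing: record who did what, with which parameters, for traceability.
    conn.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?)",
                 (time.time(), actor, action, json.dumps(detail)))


def is_allowed_sort_column(column):
    # Whitelist check: exact membership in a fixed set, not a blacklist of bad characters.
    return column in ALLOWED_SORT_COLUMNS


def search_products(conn, actor, name_fragment, sort_by="name"):
    if not is_allowed_sort_column(sort_by):
        audit(conn, actor, "rejected", {"sort_by": sort_by})
        raise ValueError("invalid sort column")
    # Values are bound as parameters, so user input never becomes part of the SQL text;
    # the identifier is interpolated only after passing the whitelist above.
    rows = conn.execute(
        f"SELECT name, price FROM product WHERE name LIKE ? ORDER BY {sort_by}",
        ("%" + name_fragment + "%",),
    ).fetchall()
    audit(conn, actor, "search", {"name": name_fragment, "sort_by": sort_by})
    return rows


def audit_entries(conn):
    return conn.execute("SELECT actor, action, detail FROM audit_log ORDER BY ts").fetchall()
```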
Resources
Wikipedia: database security
Database Security Best Practices
Security issues for online databases