Database security resources


General database security resources

‘The Sony database hack’ is rapidly morphing into ‘Sony’s information security breaches’ after yet another disclosure.  Nearly 25 million accounts of the Sony Online Entertainment network have also been exposed.  For news of the Sony database hacks, just search your favorite news media or try the Daily Mail’s coverage for example.  If you’re curious about how much this will cost Sony, here are some pointers.  Remember the database hacking incident at TJX?  It must have cost them millions of dollars.  Privacy exposure incidents are mostly the result of unauthorized disclosure from databases.

Implementing Database Security and Auditing by Ron Ben-Natan (~US$60 from Amazon) covers Oracle, SQL Server, DB2 UDB and Sybase.

MatriXay is a database vulnerability/penetration testing tool.

Red Database Security is a German consultancy specializing in Oracle security and auditing with white papers on Oracle rootkits, SQL injection etc.

Security Focus, best known perhaps for hosting the Bugtraq mailing list, is a useful source of news on database security breaches, as are Data Loss DB and the Privacy Rights Clearing House.

Secure database design & development

Securosis published a report laying out the process they recommend to secure databases.  Their suggested process has 6 main processes, 21 sub-processes and a stack of metrics.

An Oracle security quick reference card from Integrigy is nice and succinct.

Recommended resource: Applied Oracle Security: Developing Secure Database and Middleware Environments by David Knox et al. (~US$36 from Amazon) is highly recommended by readers for system and database administrators as well as database security architects, application developers and auditors.


Recommended resource: Effective Oracle Database 10g Security by Design - Design and administer a rock-solid security plan for your Oracle database by Oracle’s David Knox extends Oracle’s own installation/security guides with plenty of practical advice (~US$33 from Amazon).


Many Oracle security tools and papers have been collected and annotated by an Oracle security consultant, Pete Finnigan.  His book Oracle Security Step-by-Step (~US$100 from Amazon) is well worth considering.

Recommended resource: The CIS Oracle benchmark has dual utility: the benchmark tool helps assess an Oracle database system against the security requirements identified by CIS, while the requirements themselves can be used to generate Oracle security standards and guidelines.

Pete Finnigan has a fascinating set of papers concerning Oracle insecurity on his website.  Here’s a blog on Oracle security.  If you run Oracle databases, you are well advised to take advice directly from Oracle on securing their databases.

Database designers and programmers who are either unaware of, or complacent about, the threat of SQL injection would do well to study a technical whitepaper by Application Security Inc.  It explains hacker tricks such as using SQL injection to connect a compromised SQL Server system to a remote one directly controlled by the hacker, outbound over port 80 (which will traverse most corporate firewalls without missing a beat).

“sqlmap is an automatic blind SQL injection tool, developed in Python, capable of performing an active database fingerprint, enumerating an entire remote database and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantage of web application programming security flaws which lead to SQL injection vulnerabilities.”  Best let your SQL programmers know about this before your adversaries find out ...

“Scuba by Imperva is a free, lightweight Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk level. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management.”

The SQL Security site is dedicated to security aspects of Microsoft’s SQL Server database.

The Open Web Application Security Project covers security for online applications in general, including web-based database applications.  OWASP is an open project whose wiki website is overflowing with useful information.


Related NoticeBored links collections

Bugs!, systems development, privacy, confidentiality and integrity.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.



Copyright © 2012  IsecT Ltd.