NoticeBored.com, the information security awareness service
Database security resources


General database security resources

Recommended resource: Database and Applications Security by Bhavani Thuraisingham (~US$66 from Amazon) is a heavyweight text covering database security issues such as ‘inference’.

A database hacking incident at TJX exposed bank/credit card and drivers’ license details of millions of customers at its American, Canadian and Puerto Rican TK Maxx and other stores. The systems appear to have been hacked some 18 months before the incident was discovered. This incident has cost TJX $millions already and it’s not over yet.

Privacy exposure incidents are mostly the result of unauthorized disclosure from databases.

MatriXay is a database vulnerability/penetration testing tool.

Red Database Security is a German consultancy specializing in Oracle security and auditing with white papers on Oracle rootkits, SQL injection etc.

Security Focus, best known perhaps for hosting the Bugtraq mailing list, is a useful source of news on database security breaches.

Secure database design & development

Recommended resource: Effective Oracle Database 10g Security by Design - Design and administer a rock-solid security plan for your Oracle database by Oracle’s David Knox extends Oracle’s own installation/security guides with plenty of practical advice (~US$33 from Amazon).

Many Oracle security tools and papers have been collected and annotated by an Oracle security consultant, Pete Finnigan. His book Oracle Security Step-by-Step (~US$100 from Amazon) is well worth considering.

Recommended resource: The CIS Oracle benchmark has dual utility: the benchmark tool helps assess an Oracle database system against the security requirements identified by CIS, while the requirements themselves can be used to generate Oracle security standards and guidelines.

Database designers and programmers who are either unaware of, or complacent about, the threat of SQL injection would do well to study a technical whitepaper by Application Security Inc. It explains hacker tricks such as using SQL injection to connect a compromised SQL Server system to a remote one directly controlled by the hacker, outbound over port 80 (which will traverse most corporate firewalls without missing a beat).

“sqlmap is an automatic blind SQL injection tool, developed in Python, capable of performing an active database fingerprint, enumerating an entire remote database and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantage of web application programming security flaws which lead to SQL injection vulnerabilities.” Best let your SQL programmers know about this before your adversaries find out ...

“Scuba by Imperva is a free, lightweight Java utility that scans Oracle, DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk level. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management.”

A database application error (presumably) led to a customer of HBOS (Halifax Bank of Scotland) being sent 75,000 statements for other customers when she requested hers. “Ms McLaughlan, of Netherkirkgate, Aberdeen, said: ‘I sent away for my bank statements to get a refund on some bank charges. A couple of days later these five packages turned up at my door and they were filled with people’s names, credit numbers, what they had paid in, and had taken out every day. The details started from April 2003 and there was also the total of the bank’s overdraft.’” This is exactly the kind of gross error that output validation is meant to detect and stop.

The SQL Security site is dedicated to security aspects of Microsoft’s SQL Server database.

Next Generation Security Software sells tools for application security testing.

The Open Web Application Security Project covers security for online applications in general, including web-based database applications. OWASP is an open project whose wiki website is overflowing with useful information.

Here’s a blog on Oracle security. If you run Oracle databases, you are well advised to take advice directly from Oracle on securing their databases.

Database security review & audit

Oracle Privacy Security Auditing by Arup Nanda (~US$40 from Amazon) explains how to review database security systematically.


Sarbanes-Oxley auditors frequently have to audit database systems.


Related NoticeBored links collections

Bugs!, systems development, privacy, confidentiality and integrity.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors