Slide Set #24: Database security SY306 Web and Databases for Cyber Operations.

2 DBMS Security
DBMS products provide security facilities: they limit certain actions on certain objects to certain users or groups (also called roles).
Privilege: the right to perform a particular action on a particular object, associated with a particular user.
Principle of least privilege. Example? MIDS Database

3 GRANT and REVOKE Command
GRANT: grants privileges
REVOKE: removes privileges
Privileges:
–SELECT
–INSERT, DELETE, UPDATE
–CREATE, ALTER, DROP

4 GRANT Syntax
GRANT privileges ON object TO user [IDENTIFIED BY 'password'] [WITH GRANT OPTION]
Example:
GRANT ALL ON le.* TO user IDENTIFIED BY 'userpword'
GRANT SELECT ON le.products TO user IDENTIFIED BY 'userpword'

5 REVOKE Syntax
REVOKE priv_type ON object FROM user [, user]
Example:
REVOKE ALL ON le.* FROM user1
REVOKE INSERT ON le.products FROM user1, user2

ICE: DB User Security
Use MySQL Workbench to connect to your database on mope. With a partner:
1. Try to select all shipments from your partner's SHIPMENT table (from Lab10):
   1. SELECT * FROM mYYYYYY.SHIPMENT
   2. Did it work?
2. Ask your partner to grant you SELECT privileges on his SHIPMENT table.
   1. Try the select statement again. Did it work?
3. Ask your partner to revoke your privileges on their table.
4. Switch roles with your partner, so you can grant/revoke privileges for him/her.

7 Changing the Password
SET PASSWORD [FOR user] = PASSWORD('newpass');
Example, while logged into the DB:
SET PASSWORD = PASSWORD('newpword');

8 Application Security
If DBMS security features are inadequate, additional security code could be written in the application program.
Use the DBMS security features first:
–Native DBMS security features are faster, cheaper, and probably result in higher quality results than developing your own

Application Users Passwords
–Enforce strong password policies
–Never store passwords in plain text!
–Hash passwords and store the hash

10 Making your MySQL Database Secure - Server
Do not run MySQL (mysqld) as the system's root!
–Set up a user just for running the server
–Make directories accessible just to this user
Run the MySQL server behind a firewall

11 Making your MySQL Database Secure - Passwords
Make sure all users have strong passwords.
Connecting from Python:
–Have the user and password stored in a file and include this file when needed
–Store config.py outside the web tree
–Store passwords only in .py files (not .inc, .txt, etc.)
Do not store application passwords in plain text. Use hashing, use a salt, iterate.
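The "hash, salt, iterate" advice on this slide, worked through as an added Python example (not part of the slide set): PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt and a stored iteration count, plus a login routine that upgrades old records when the work factor is raised. The record format, the iteration count of 600,000, and the in-memory users table are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; raise it as hardware gets faster).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return a self-describing record.

    Record format (constructed for this example): algo$iterations$salt_b64$digest_b64.
    Storing the salt and iteration count next to the digest lets verification
    recompute exactly the same derivation later, and lets the work factor be
    raised per user without a flag day.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        # Malformed record (e.g. a legacy plaintext value): never treat it as a match.
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than the current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < iterations


def login(users: dict, username: str, password: str) -> bool:
    """Check a login against an in-memory users table (constructed stand-in for the DB).

    On success, transparently upgrade records hashed under an older, weaker policy.
    """
    stored = users.get(username)
    if stored is None:
        # Hash anyway so unknown users and wrong passwords take about the same time.
        hash_password(password)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))  # False
```

The stored record never contains the password, two users with the same password get different records because the salt is random, and the comparison uses `hmac.compare_digest` so timing does not leak how many digest bytes matched.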

12 Making your MySQL Database Secure – User Privileges
Use the principle of least privilege:
–Grant only the privileges actually needed to each user
–Grant access only from the host(s) that they will be connecting from

13 Making your MySQL Database Secure – Web Issues
Check all data coming from the user (SQL injection attacks!!)
Use parameterized queries
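Both points on this slide, shown side by side as an added Python example (not part of the slide set): a lookup that pastes user input into the SQL text next to the parameterized version, and a listing function that allow-lists a column name, since an ORDER BY target cannot be bound as a parameter. It uses the standard-library `sqlite3` module with an in-memory table as a stand-in for the course's MySQL database; the products data is constructed for the example, and sqlite3's `?` placeholder corresponds to the `%s` placeholder used by the MySQL connectors for Python.

```python
import sqlite3

# Columns a caller may sort by. ORDER BY targets cannot be bound as parameters,
# so they are validated against this allow-list instead.
SORTABLE_COLUMNS = {"id", "name", "price"}


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for a MySQL products table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 19.99), ("Gizmo", 4.50)],
    )
    return conn


def find_product_unsafe(conn, name):
    """VULNERABLE (the pattern the slide warns against): user input is pasted into the
    SQL text, so a quote character in `name` changes the meaning of the statement."""
    sql = "SELECT id, name FROM products WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_product(conn, name):
    """Parameterized: the driver sends `name` as a value, never as SQL text.
    sqlite3 uses '?' placeholders; MySQL connectors for Python use '%s', but the
    call shape (sql, params) and the guarantee are the same."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_products(conn, order_by="id", max_price=None):
    """Combine both checks: allow-list the column name, bind the numeric filter."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"cannot sort by {order_by!r}")
    sql = "SELECT id, name, price FROM products"
    params = ()
    if max_price is not None:
        sql += " WHERE price <= ?"
        params = (float(max_price),)
    sql += f" ORDER BY {order_by}"  # safe only because order_by was allow-listed above
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tampered = "Widget' OR 'a'='a"  # constructed input containing a quote
    print(find_product_unsafe(conn, tampered))  # all three rows: the WHERE clause was rewritten
    print(find_product(conn, tampered))         # []: no product has that literal name
    print(list_products(conn, "price", 10))     # Gizmo then Widget
```

The unsafe variant returns every row for the tampered input because the quote ends the string literal early; the parameterized variant compares the whole input, quote and all, against the name column and finds nothing.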