Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server and Application Security for Developers Mladen Prajdić SQL Server

Published byDaisy Walker Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL Server and Application Security for Developers Mladen Prajdić SQL Server"— Presentation transcript:

1 SQL Server and Application Security for Developers Mladen Prajdić SQL Server MVP mladenp@gmail.com @MladenPrajdic

2 Sponsors

3 Feedback http://speakerscore.com/sqlsaturday376

4 About me Welcome to Slovenia The sunny side of alps!

5 Security Usability Price Pick two

6 Company Attack Vectors Website SQL Injection XSS, CSRF DDOS Other Social Engineering People impersonation Direct person interaction Others that I haven’t thought of GCHQ, NSA, CIA, etc

7 SQL Injection http://xkcd.com/327

8 SQL Injection 2005 + 83% of hacks Stats by FireHost.com

9 SQL Injection

10 Website attack with malicious SQL Error based Union based Blind Data destruction Data stealing Spam Redirects

11 SQL Injection - Prevention Tries Stored procedures Because they have parameters, right? CREATE PROC spIAmVerySafe @TableName varchar(256) AS EXEC('SELECT * FROM ' + @TableName); GO; CREATE PROC spNowIAmSafe @ID int AS SELECT ID, FirstName, LastName FROM Person WHERE ID = @ID GO;

12 SQL Injection - Prevention Tries Input validation Usually server and client keywords blacklists Replace all single quotes to 2 single quotes ‘ ->’’ They are all USELESS! SELECT * FROM sys.tables DECLARE @s VARCHAR(MAX) = CONVERT(VARCHAR(MAX), 0x53454C454354202A2046524F4D207379732E7461626C6573); EXEC(@s);

13 SQL Injection - The Only Protection SQL Parameters Use them properly! SqlCommand cmd = new SqlCommand(sqlText, sqlConnection); cmd.Parameters.Add("@IntParam", System.Data.SqlDbType.Int); cmd.Parameters["@IntParam"].Value = 6; SqlDataReader reader = cmd.ExecuteReader();

14 Cross-Site Scripting (XSS) Exploits the trust a user has for a particular site Perfect attack vector to use with SQL Injection Since 2007 about 84% of all client attacks About 70% of all websites are likely open to it Inject javascript into Web pages viewed by other users Various JS client libraries bugs HTML, JS, Attribute encode/decode everything

15 Cross-Site Request Forgery (CSRF) Exploits the trust that a site has in a user's browser Attacks extremely under-reported Involve sites that rely on a user's identity Bank Exploit the site's trust in that identity Stored Cookie of the person you’re attacking Trick browser to send HTTP request to a target site Cookie authenticates and goes to the bank Involve HTTP requests that have side effects Withdraw money

16 DEMO

17 Distributed Denial Of Service (DDOS) Exploits the resources of your computer On average at least 1 person in your extended family is unknowingly working for the Russian mafia Extortion, Political agenda Feedly, Evernote Code Spaces Out of business

18 Amateurs hack systems, professionals hack people

19 Exploits a person’s kindness and willingness to help Investment in security awareness in non-IT employees: Minimal It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system (Kevin Mitnick) Social Engineering

20 Social Engineering - Profiling

21 Calling employees Call centers, pretending to be support or customer, … Getting various system information OS, Broswer, VPN client, WiFi, Anti-virus,… Phishing with XSS and CSRF included Giving away information not perceived to be important Smart small talk Advanced target level Hot women in bars “Forgotten” or free USB sticks Social Engineering – Contact

22 Stanley Mark Rifkin defrauded the Security Pacific National bank in Los Angeles managed to steal $10,200,000 in a single social engineering attack In 1978! Social Engineering - Prevention Educate people Use two-factor authentication

23 Social Engineering Success rate? 100%

24 Social Engineering Clean up cost for company between $25,000 and $100,000 per incident

25 Securing SQL Server for Developers So how can we as developers protect our Applications and SQL Servers?

26 Security Mechanisms Overview Run the SQL Server under a special domain account Create a new “SqlRunner” user in AD Give it minimal permission to the domain and computer Use it to run SQL Server DBA realm Transparent DB encryption SQL Server Audit Reducing the possible surface attack vector

27 Security Mechanisms Overview Securables Objects that can be secured with permissions Principals People/Processes that access securables GRANT, DENY, REVOKE DENY always has priority Various Cryptographic functions EncryptBy*, DecryptBy*, SignBy*, HASHBYTES, …

28 Permissions Hierarchy - Principals Windows Windows Group Windows Domain Login Windows Local Login Server SQL Server Login Fixed Server Role User-defined Fixed Server Role Database Database User Fixed Database Role User-defined Database Role

29 Server SQL Server Login Endpoint Database Permissions Hierarchy - Securables Database Schema User, Certificate, Role, … Table, View, Function, Stored Procedure, Type, …

30 Permissions Hierarchy - Example SQL Server Login Windows Domain Login Database User User Permissions Object Access Certificates Schema OR Maps 1:1 Depending on permissions from Return data from Treat the database access objects as an interface User Roles

31 DEMO

32 SET TRUSTWORTHY ON “hole” If DB is trustworthy If DB owner login is a sysadmin If YourAppLogin’s user is member of db_owner role YourAppLogin can elevate himself to sysadmin Let’s secure it properly: YourAppLogin with no default permissions DB owner’s login in public role only No users in database in db_owner role

33 DEMO

34 .Net Connection Encryption SSL Install CA cert on the server or server self-signed cert If required by Server (encrypt all connections) ForceEncryption=Yes in SQL Server Configuration Manager No client change required If required by Client (encrypt just one connection) On the server encryption is an option Encrypt=true in connection string (TrustServerCertificate) sys.dm_exec_connections.encrypt_option IPsec both client and server OS must support it

35 Things to Remember - SQL Use login/user with least privileges Run SQL Server service with a custom account Use SQL parameters No SysAdmin (SA) or SET TRUSTWORTHY ON No sysadmin database owners Treat the database access objects as secure interface

36 Things to Remember -.Net Machine.config Web.config Redirect to custom error pages HTML encode/decode all traffic from/to DB Microsoft Web Protection Library (AntiXSS) Nuget Also part of the Microsoft SDL tools

37 Things to Remember - Social Watch out for hot blondes in the bar Split your security budget 80%: sysadmin education 20%: people education Metasploit Social-Engineer Toolkit (SET)

38 The less data you store the safer you are

Download ppt "SQL Server and Application Security for Developers Mladen Prajdić SQL Server"

Similar presentations

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
SQL Server and Application Security for Developers

SQL Server and Application Security for Developers
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Similar presentations

Ads by Google