Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide Set #24: Database security SY306 Web and Databases for Cyber Operations.

Published byRegina Lucas Modified over 8 years ago

Similar presentations

Presentation on theme: "Slide Set #24: Database security SY306 Web and Databases for Cyber Operations."— Presentation transcript:

1 Slide Set #24: Database security SY306 Web and Databases for Cyber Operations

2 2 DBMS Security DBMS products provide security facilities They limit certain actions on certain objects to certain users or groups (also called roles) Privilege: Right to perform a particular action on a particular object and is associated with a particular user Principle of least privilege Example? MIDS Database

3 3 GRANT and REVOKE Command GRANT: grants privileges REVOKE: removes priviledges Privileges: –SELECT –INSERT, DELETE, UPDATE –CREATE, ALTER, DROP

4 4 GRANT Syntax GRANT privileges ON object TO user [IDENTIFIED BY 'password'] [WITH GRANT OPTION] Example: GRANT ALL ON le.* TO user IDENTIFIED BY ‘userpword’ GRANT Select ON le.products TO user IDENTIFIED BY ‘userpword’

5 5 REVOKE Syntax REVOKE priv_type ON object FROM user [, user] Example: REVOKE ALL ON le.* FROM user1 REVOKE Insert ON le.products FROM user1, user2

6 ICE: DB User Security Use MySQL workbench to connect to your database on mope With a partner: 1.Try to select all shipments from your partner’s SHIPMENT table (from Lab10) 1.Select * from mYYYYYY.SHIPMENT 2.Did it work? 2.Ask partner to grant you select privileges on his SHIPMENT table 1.Try again the select statement. Did it work? 3.Ask partner to revoke your privileges on their table 4.Switch roles with your partner, so you can grant/revoke privileges for him/her

7 7 Changing the Password SET PASSWORD [FOR ‘username’@’host’] = PASSWORD('newpass'); Example: SET PASSWORD=PASSWORD(‘newpword’) While logged into DB:

8 8 Application Security If DBMS security features are inadequate, additional security code could be written in application program Use the DBMS security features first –Native DBMS security features are faster, cheaper, and probably result in higher quality results than developing your own

9 Application Users Passwords –Enforce Strong password policies –Never store passwords in plain text! –Hash passwords and store it

10 10 Making your MySQL Database Secure - Server Do not run MySQL (mysqld) as system’s root! –Set up a user just for running the server –Make directories accessible just to this user Run MySQL server behind a firewall

11 11 Making your MySQL Database Secure - Passwords Make sure all users have strong passwords Connecting from Python: –Have the user and password stored in a file and include this file when needed –Store config.py outside web tree –Store passwords only in.py files (not.inc,.txt, etc.) Do not store application passwords in plain text. Use hashing. Use salt Iterate

12 12 Making your MySQL Database Secure – User Privileges Use principle of least privilege: –Grant only the privileges actually needed to each user –Grant access only from the host(s) that they will be connecting from

13 13 Making your MySQL Database Secure – Web Issues Check all data coming from user (SQL Injection Attacks!!) Use parametrized queries

Download ppt "Slide Set #24: Database security SY306 Web and Databases for Cyber Operations."

Similar presentations

PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
MySQL Access Privilege System

MySQL Access Privilege System
Basic SQL Introduction Presented by: Madhuri Bhogadi.

Basic SQL Introduction Presented by: Madhuri Bhogadi.
Understand Database Security Concepts

Understand Database Security Concepts
What is MySQL? MySQL is a relational database management system (A relational database stores data in separate tables rather than putting all the data.

What is MySQL? MySQL is a relational database management system (A relational database stores data in separate tables rather than putting all the data.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Concepts of Database Management Sixth Edition

Concepts of Database Management Sixth Edition
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Security and Integrity

Security and Integrity
PHP Security.

PHP Security.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
SQL HW1 Turn in as a hardcopy at the start of next class period. You may work this assignment in groups.

SQL HW1 Turn in as a hardcopy at the start of next class period. You may work this assignment in groups.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
Mass user creation On our servers is used the convention, that each of user has only one database, which has the same name, as the user itself. This method.

Mass user creation On our servers is used the convention, that each of user has only one database, which has the same name, as the user itself. This method.
Chapter 4 The Relational Model 3: Advanced Topics Concepts of Database Management Seventh Edition.

Chapter 4 The Relational Model 3: Advanced Topics Concepts of Database Management Seventh Edition.
Database Programming Sections 13–Creating, revoking objects privileges.

Database Programming Sections 13–Creating, revoking objects privileges.

Similar presentations

Ads by Google