Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server and Application Security for Developers

Published byShonda Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "SQL Server and Application Security for Developers"— Presentation transcript:

1 SQL Server and Application Security for Developers
Mladen Prajdić SQL Server MVP @MladenPrajdic

2 About me Welcome to Slovenia The sunny side of alps!

3 Security Usability Price
Pick two

4 Company Attack Vectors
Website SQL Injection XSS, CSRF DDOS Other Social Engineering People impersonation Direct person interaction Others that I haven’t thought of GCHQ, NSA, CIA, etc 

5 SQL Injection

6 SQL Injection 83% of hacks 2005+ Stats by FireHost.com

7 SQL Injection

8 SQL Injection Website attack with malicious SQL Error based
Union based Blind Data destruction Data stealing Spam Redirects

9 SQL Injection - Prevention Tries
Stored procedures Because they have parameters, right? CREATE PROC spIAmVerySafe @TableName varchar(256) AS EXEC('SELECT * FROM ' GO; CREATE PROC spNowIAmSafe @ID int AS SELECT ID, FirstName, LastName FROM Person WHERE ID GO;

10 SQL Injection - Prevention Tries
Input validation Usually server and client keywords blacklists Replace all single quotes to 2 single quotes ‘ ->’’ They are all USELESS! VARCHAR(MAX) = CONVERT(VARCHAR(MAX), 0x53454C A F4D E C6573); SELECT * FROM sys.tables

11 SQL Injection - The Only Protection
SQL Parameters Use them properly! SqlCommand cmd = new SqlCommand(sqlText, sqlConnection); System.Data.SqlDbType.Int); = 6; SqlDataReader reader = cmd.ExecuteReader();

12 Cross-Site Scripting (XSS)
Exploits the trust a user has for a particular site Perfect attack vector to use with SQL Injection Since 2007 about 84% of all client attacks About 70% of all websites are likely open to it Inject javascript into Web pages viewed by other users Various JS client libraries bugs HTML, JS, Attribute encode/decode everything

13 Cross-Site Request Forgery (CSRF)
Exploits the trust that a site has in a user's browser Attacks extremely under-reported Involve sites that rely on a user's identity Bank Exploit the site's trust in that identity Stored Cookie of the person you’re attacking Trick browser to send HTTP request to a target site Cookie authenticates and goes to the bank Involve HTTP requests that have side effects Withdraw money

14 DEMO

15 Distributed Denial Of Service (DDOS)
Exploits the resources of your computer On average at least 1 person in your extended family is unknowingly working for the Russian mafia Extortion, Political agenda Feedly, Evernote Code Spaces Out of business

16 Amateurs hack systems, professionals hack people

17 Social Engineering Exploits a person’s kindness and willingness to help Investment in security awareness in non-IT employees: Minimal It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system (Kevin Mitnick)

18 Social Engineering - Profiling

19 Social Engineering – Contact
Calling employees Call centers, pretending to be support or customer, … Getting various system information OS, Broswer, VPN client, WiFi, Anti-virus,… Phishing with XSS and CSRF included Giving away information not perceived to be important Smart small talk Advanced target level Hot women in bars “Forgotten” or free USB sticks

20 Social Engineering - Prevention
Stanley Mark Rifkin defrauded the Security Pacific National bank in Los Angeles managed to steal $10,200,000 in a single social engineering attack In 1978! Educate people Use two-factor authentication

21 Social Engineering Success rate? 100%

22 Clean up cost for company between $25,000 and $100,000 per incident
Social Engineering Clean up cost for company between $25,000 and $100,000 per incident

23 Securing SQL Server for Developers
So how can we as developers protect our Applications and SQL Servers?

24 Security Mechanisms Overview
Run the SQL Server under a special domain account Create a new “SqlRunner” user in AD Give it minimal permission to the domain and computer Use it to run SQL Server DBA realm Transparent DB encryption SQL Server Audit Reducing the possible surface attack vector

25 Security Mechanisms Overview
Securables Objects that can be secured with permissions Principals People/Processes that access securables GRANT, DENY, REVOKE DENY always has priority Various Cryptographic functions EncryptBy*, DecryptBy*, SignBy*, HASHBYTES, …

26 Permissions Hierarchy - Principals
Windows Server Database Windows Group SQL Server Login Database User Windows Domain Login Fixed Server Role Fixed Database Role Windows Local Login User-defined Fixed Server Role User-defined Database Role

27 Permissions Hierarchy - Securables
Server Database SQL Server Login Schema Endpoint User, Certificate, Role, … Database Table, View, Function, Stored Procedure, Type, …

28 Permissions Hierarchy - Example
Windows Domain Login Database User User Permissions Maps 1:1 OR Depending on permissions from User Roles SQL Server Login Treat the database access objects as an interface Certificates Return data from Object Access Schema

29 DEMO

30 SET TRUSTWORTHY ON “hole”
If DB is trustworthy If DB owner login is a sysadmin If YourAppLogin’s user is member of db_owner role YourAppLogin can elevate himself to sysadmin Let’s secure it properly: YourAppLogin with no default permissions DB owner’s login in public role only No users in database in db_owner role

31 DEMO

32 Things to Remember - SQL
Use login/user with least privileges Run SQL Server service with a custom account Use SQL parameters No SysAdmin (SA) or SET TRUSTWORTHY ON No sysadmin database owners Treat the database access objects as secure interface

33 Things to Remember - .Net
Machine.config Web.config Redirect to custom error pages HTML encode/decode all traffic from/to DB Microsoft Web Protection Library (AntiXSS) Nuget Also part of the Microsoft SDL tools <system.web> <deployment retail="true" /> </system.web> <customErrors mode="On" defaultRedirect="defaultURL" > <error statusCode="404" redirect="url" /> </customErrors>

34 Things to Remember - Social
Watch out for hot blondes in the bar Split your security budget 80%: sysadmin education 20%: people education Metasploit Social-Engineer Toolkit (SET)

35 The less data you store the safer you are

Download ppt "SQL Server and Application Security for Developers"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Similar presentations

Ads by Google