Chapter 5: Database Security
|
|
- Maude Walters
- 6 years ago
- Views:
Transcription
1 i Chapter 5: Comp Sci 3600
2 Outline i 1 2 i 3 4 5
3 Outline i 1 2 i 3 4 5
4 What is a i Structured collection of data stored for use by one or more applications Contains the relationships between data items and groups of data items Can sometimes contain sensitive data that needs to be secured Query language provides a uniform interface to the database management system () Suite of programs for constructing and maintaining the database Offers ad hoc query facilities to multiple users and applications
5 Management System i utilities DDL processor description tables Authorization tables User applications DDL = data definition language DML = data manipulation language User queries DML and query language processor Transaction File manager manager Physical database Concurrent access tables Figure 5.1 Architecture
6 Outline i 1 2 i 3 4 5
7 Relational s i Table of data consisting of rows and columns Each column holds a particular type of data Each row contains a specific value for each column Ideally has one column where all values are unique, forming an identifier/key for that row Enables the creation of multiple tables linked together by a unique identifier that is present in all tables Use a relational query language to access the database Allows the user to request data that fit a given set of criteria
8 Multi-table with Unifying Primary Key i CALLER ID TABLE PhoneNumber Has service? (Y/N) BILLING HISTORY TABLE PhoneNumber Date Transaction type Transaction amount PRIMARY TABLE PhoneNumber Last name First name address ADDITIONAL SUBSCRIBER TABLE PhoneNumber List of subscribers CURRENT BILL TABLE PhoneNumber Current date Previous balance Current charges Date of last payment Amount of last payment Figure 5.2 Example Relational Model. A relational database uses multiple tables related to one another by a designated key; in this case the key is the PhoneNumber field.
9 Relational Elements i Primary key Uniquely identifies a row Consists of one or more column names Foreign key Links one table to attributes in another View/virtual table Result of a query that returns selected rows and columns from one or more tables
10 Relational i Records Attributes A 1 A j A M 1 x 11 x 1j x 1M i x i1 x ij x im N x N1 x Nj x NM Figure 5.3 Abstract Model of a Relational
11 View on a i Did Dname Dacctno Ename Did Salarycode Eid Ephone 4 human resources Robin education Neil accounts Jasmine public relations Cody services Holly primary key Department Table Robin Smith foreign key (a) Two tables in a relational database Dname Ename Eid Ephone human resources Jasmine education Holly education Robin accounts Smith public relations Neil services Robin services Cody (b) A view derived from the database Employee Table primary key Figure 5.4 Relational Example
12 Outline i 1 2 i 3 4 5
13 Structured Query Language () i Standardized language to define schema, manipulate, and query data in a relational database Several similar versions of ANSI/ISO standard All follow the same basic syntax and semantics statements can be used to: Create tables Insert and delete data in tables Create views Retrieve data with query statements
14 Table Creation i CREATE TABLE department ( Did INTEGER PRIMARY KEY, Dname CHAR ( 3 0 ), Dacctno CHAR ( 6 ) )
15 Table Creation i CREATE TABLE employee ( Ename CHAR ( 3 0 ), Did INTEGER, S a l a r y C o d e INTEGER, E i d INTEGER PRIMARY KEY, Ephone CHAR ( 1 0 ), FOREIGN KEY ( Did ) REFERENCES department ( Did ) )
16 Retrieving Information i The basic command for retrieving information is the SELECT statement SELECT Ename, Eid, Ephone FROM Employee WHERE Did = 15 This query returns the Ename, Eid, and Ephone fields from the Employee table for all employees assigned to department 15
17 View Creation i The view in Figure 5.4(b) is created using the following statement: CREATE VIEW n e w t a b l e (Dname, Ename, Eid, Ephone ) AS SELECT D. Dname E. Ename, E. Eid, E. Ephone FROM Department D Employee E WHERE E. Did = D. Did
18 (i) i One of the most prevalent and dangerous network-based security threats Designed to exploit the nature of Web application pages Sends malicious commands to the database server Most common attack goal is bulk extraction of data Depending on the environment, injection can also be exploited to: Modify or delete data Execute arbitrary operating system commands Launch denial-of-service (DoS) attacks
19 i overview i Internet Legend:. Data exchanged between hacker and servers Two-way traffic between hacker and Web server Credit card data is retrieved from database Router Firewall Web servers servers Switch Wireless access point Web application server Figure 5.5 Typical Attack
20 Outline i 1 2 i 3 4 5
21 Technique i The i attack typically works by prematurely terminating a text string and appending a new command Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark - - Subsequent text is ignored at execution time
22 Example i As a simple example, consider a script that build an query by combining predefined strings with text entered by a user: var Shipcity; ShipCity = Request.form ( ShipCity ); var sql = select * from OrdersTable where ShipCity = + ShipCity + ; The intention of the script s designer is that a user will enter the name of a city
23 Example i When the script is executed, the user is prompted to enter a city, and if the user enters Redmond, then the following query is generated: SELECT * FROM OrdersTable WHERE ShipCity = Redmond Suppose, however, the user enters the following: Redmond ; DROP table OrdersTable- - This results in the following query: SELECT * FROM OrdersTable WHERE ShipCity = Redmond ; DROP table OrdersTable- - The semicolon is an indicator that separates two commands, and the double dash is an indicator that the remaining text of the current line is a comment and not to be executed
24 i Attack Avenues i User input: Attackers inject commands by providing suitable crafted user input Server variables: Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers Second-order injection: A malicious user could rely on data already present in the system or database to trigger an injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself Cookies: An attacker could alter cookies such that when the application server builds an query based on the cookie s content, the structure and function of the query is modified Physical user input: Applying user input that constructs an attack outside the realm of web requests
25 Outline i 1 2 i 3 4 5
26 i Inband Inferential Out-of-band
27 Inband i Uses the same communication channel for injecting code and retrieving results The retrieved data are presented directly in application Web page Include: Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true End-of-line comment: After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request
28 Tautology Example i Consider the following script, whose intent is to require the user to enter a valid name and password: $query = SELECT info FROM user WHERE name = $ GET [ name ] AND pwd = $ GET [ pwd ] ; Suppose the attacker submits OR 1 = 1 for the name field. The resulting query would look like this: SELECT info FROM users WHERE name = OR 1 = 1 AND pwpd = The injected code disables the password check (due to the comment indicator - -) and turns the entire WHERE clause into a tautology The database uses the conditional as the basis for evaluating each row and deciding which ones to return The conditional is a tautology, the query evaluates to true for each row in the table and returns all
29 Inferential Attack i There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server Illegal/logically incorrect queries This attack lets an attacker gather important information about the type and structure of the backend database of a Web application The attack is considered a preliminary, information-gathering step for other attacks Blind injection Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker
30 Out-of-Band Attack i Data are retrieved using a different channel This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax
31 Outline i 1 2 i 3 4 5
32 i i Defensive coding Run-time prevention
33 Defensive Coding i Manual defensive coding practices: a common vulnerability exploited by i attacks is insufficient input validation One solution is to apply defensive coding practices Input type checking: e.g., to check that inputs that match the expected types and formats Performs pattern matching to try to distinguish normal input from abnormal input Parameterized query insertion: Allowing developers to more accurately specify the structure of an query Passing the parameters separately such that any unsanitary user input is not allowed to modify the query structure DOM: A set of classes that enables automated data type validation and escaping This approach uses encapsulation of database queries to provide a safe and reliable way to access databases
34 i Signature based This attempts to match specific attack patterns Must be constantly updated and may not work against self- modifying attacks Anomaly based Define normal behavior and then detect behavior patterns outside the normal range There is a training phase, in which the system learns the range of normal behavior, followed by the actual detection Code analysis Using a test suite to detect i vulnerabilities The test suite is designed to generate a wide range of i attacks and assess the response of the system
35 Run-time Prevention i Check queries at runtime to see if they conform to a model of expected queries Various automated tools are available for this purpose
36 i access control system determines: If the user has access to the entire database or just portions of it What access rights the user has (create, insert, delete, update, read, write) Can support a range of administrative policies Centralized administration: Small number of privileged users may grant and revoke access rights Ownership-based administration: The creator of a table may grant and revoke access rights to the table Decentralized administration: The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table
37 Outline i 1 2 i 3 4 5
38 i Two commands for managing access rights: 1 Grant: Used to grant one or more access rights or can be used to assign a user to a role 2 Revoke: Revokes the access rights Typical access rights are: Select Insert Update Delete References
39 The Grant Command i GRANT [ON TO [IDENTIFIED BY [WITH {privileges role} table] {user role PUBLIC} password] GRANT OPTION] Example GRANT SELECT ON ANY TABLE TO ricflair
40 The Revoke Command i REVOKE [ON FROM {privileges role} table] {user role PUBLIC} Example REVOKE SELECT ON ANY TABLE FROM ricflair
41 Cascading Authorizations i The grant option enables an access right to cascade through a number of users The revocation of privileges also cascaded
42 Privilege Revocation i t = 10 Ann David t = 60 Frank t = 20 Bob Chris t = 30 t = 50 t = 40 Ellen t = 70 Jim t = 10 Bob Ann David t = 60 Frank t = 20 Chris t = 50 Figure 5.6 Bob Revokes Privilege from David
43 Outline i 1 2 i 3 4 5
44 Role-Based (RBAC) i access control eases administrative burden and improves security A database RBAC needs to provide the following capabilities: Create and delete roles Define permissions for a role Assign and cancel assignment of users to roles
45 Categories of Users i Application owner: An end user who owns database objects as part of an application End user: An end user who operates on database objects via a particular application but does not own any of the database objects Administrator: User who has administrative responsibility for part or all of the database
46 Microsoft Server Roles i
47 Outline i 1 2 i 3 4 5
48 What is an Attack? i The process of performing authorized queries and deducing unauthorized information from the legitimate responses received The inference problem arises when the combination of a number of data items is more sensitive than the individual items, or when a combination of data items can be used to infer data of a higher sensitivity
49 i Nonsensitive data Sensitive data Metadata Authorized access Unauthorized access Figure 5.7 Indirect Information Via Channel
50 Example of an Attack on (Salary-Name) i Name Position Salary ($) Department Dept. Manager Andy senior 43,000 strip Cathy Calvin junior 35,000 strip Cathy Cathy senior 48,000 strip Cathy Dennis junior 38,000 panel Herman Herman senior 55,000 panel Herman Ziggy senior 67,000 panel Herman (a) Employee table Position Salary ($) Name Department senior 43, 000 Andy strip junior 35,000 Calvin strip senior 48,000 Cathy strip (b) Two views Name Position Salary ($) Department Andy senior 43,000 strip Calvin junior 35,000 strip Cathy senior 48,000 strip (c) Table derived from combining query answers Figure 5.8 Example
51 Outline i 1 2 i 3 4 5
52 i detection during database design Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference Techniques in this category often result in unnecessarily stricter access controls that reduce availability detection at query time Approach seeks to eliminate an inference channel violation during a query or series of queries If an inference channel is detected, the query is denied or altered Some inference detection algorithm is needed for either of these approaches Progress has been made in devising specific inference detection s for multilevel secure databases and statistical databases
53 Outline i 1 2 i 3 4 5
54 i The database is typically the most valuable information resource for any organization Protected by multiple layers of security Firewalls, authentication, general access control systems, DB access control systems, database encryption becomes the last line of defense in database security Can be applied to the entire database, at the record level, the attribute level, or level of the individual field Disadvantages to encryption: Key management: Authorized users must have access to the decryption key for the data for which they have access Inflexibility: When part or all of the database is encrypted it becomes more difficult to perform record searching
55 How to Process Encrypted Query i 1 The user issues an query for fields from one or more records with a specific value of the primary key 2 The query processor at the client encrypts the primary key, modifies the query accordingly, and transmits the query to the server 3 The server processes the query using the encrypted value of the primary key and returns the appropriate record or records 4 The query processor decrypts the data and returns the results
56 : Decrypt only Locally i User Client Meta Data 4. Plaintext result 1. Original query Query Processor Encrypt/ Decrypt metadata 2. Transformed query 3. Encrypted result Data owner Query Executor Server Meta Data Encrypted database Figure 5.9 A Scheme
57 Encrypted Query i SELECT Ename, Eid, Ephone FROM Employee WHERE Did = 15 SELECT Ename, Eid, Ephone FROM Employee WHERE Did =
58 Outline i 1 2 i 3 4 5
59 on Encrypted Data i can Improve Usability for However, it can provide information for inference attacks E(k, B 1 ) I 11 I 1j I 1M E(k, B i ) I i1 I ij I im E(k, B N ) I N1 I Nj I NM B i = (x i1 x i2 x im ) Figure 5.10 Scheme for of Figure 5.3
COMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (5 th Week) 5. Database and Cloud Security 5.Outline The Need for Database Security Database Management Systems Relational Databases SQL Injection
More informationACS-3921/ Computer Security And Privacy. Chapter 5 Database and Data Centre Security
ACS-3921/4921-001 Computer Security And Privacy Chapter 5 Database and Data Centre Security ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted
More informationCS419 Spring Computer Security. Vinod Ganapathy Lecture 15. Chapter 5: Database security
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 15 Chapter 5: Database security Database Security Relational Databases constructed from tables of data each column holds a particular type of
More informationIntroduction To Security and Privacy Einführung in die IT-Sicherheit I
Introduction To Security and Privacy Einführung in die IT-Sicherheit I Prof. Dr. rer. nat. Doğan Kesdoğan Institut für Wirtschaftsinformatik kesdogan@fb5.uni-siegen.de http://www.uni-siegen.de/fb5/itsec/
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 5 Database Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Database Security 2 Relational Databases constructed
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 12: Database Security Department of Computer Science and Engineering University at Buffalo 1 Review of Access Control Types We previously studied four types
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationChapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao
Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database
More informationI n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:
This time Continuing with Software Security Getting insane with I n p u t sanitization ); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web
More informationAccess Control. Protects against accidental and malicious threats by
Access Control 1 Access Control Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects: system resources for which protection
More informationSecure Programming Lecture 8++: SQL Injection
Secure Programming Lecture 8++: SQL Injection David Aspinall, Informatics @ Edinburgh 9th February 2016 Outline Overview Other past attacks More examples Classification Injection route and motive Forms
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationAccess Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions
Access Control 1 Access Control Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects: system resources for which protection
More informationIntegrity and Security
C H A P T E R 6 Integrity and Security This chapter presents several types of integrity constraints, including domain constraints, referential integrity constraints, assertions and triggers, as well as
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationCSCE 548 Building Secure Software SQL Injection Attack
CSCE 548 Building Secure Software SQL Injection Attack Professor Lisa Luo Spring 2018 Previous class DirtyCOW is a special type of race condition problem It is related to memory mapping We learned how
More informationIntroduction The SELECT statement: basics Nested queries Set operators Update commands Table management
Databases Unit 3 DB M B G Introduction The SELECT statement: basics Nested queries Set operators Update commands Table management D B M G 2 2013 Politecnico di Torino 1 Introduction DB M B G Introduction
More informationSample Question Paper
Sample Question Paper Marks : 70 Time:3 Hour Q.1) Attempt any FIVE of the following. a) List any four applications of DBMS. b) State the four database users. c) Define normalization. Enlist its type. d)
More informationWEB SECURITY: SQL INJECTION
WEB SECURITY: SQL INJECTION CMSC 414 FEB 15 2018 A very basic web architecture Client Server A very basic web architecture Client Server A very basic web architecture Client Server A very basic web architecture
More informationDetecting Insider Attacks on Databases using Blockchains
Detecting Insider Attacks on Databases using Blockchains Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K. Shukla Department of Computer Science and Engineering Indian Institute of Technology,
More informationApplication and Data Security with F5 BIG-IP ASM and Oracle Database Firewall
F5 White Paper Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall Organizations need an end-to-end web application and database security solution to protect data, customers,
More informationNetworks and security Data bases
Networks and security Data bases Networks Concepts Threats Controls Firewalls Protocols A protocol abstracts the communication to a higher level. A layered architecture, a so called protocol stack is used:
More informationCHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationDatabase Systems Concepts *
OpenStax-CNX module: m28156 1 Database Systems Concepts * Nguyen Kim Anh This work is produced by OpenStax-CNX and licensed under the Creative Commons Attribution License 3.0 Abstract This module introduces
More informationData about data is database Select correct option: True False Partially True None of the Above
Within a table, each primary key value. is a minimal super key is always the first field in each table must be numeric must be unique Foreign Key is A field in a table that matches a key field in another
More informationDetecting SQLIA using execution plans
Graduate Theses and Dissertations Graduate College 2016 Detecting SQLIA using execution plans Sriram Nagarajan Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/etd Part
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationSQL Injection Attack & Its Prevention
e-issn 2455 1392 Volume 2 Issue 6, June 2016 pp. 349 354 Scientific Journal Impact Factor : 3.468 http://www.ijcter.com SQL Injection Attack & Its Prevention Amey Anil Patil L.B.H.S.S.T s Institute Of
More informationCourse Outline and Objectives: Database Programming with SQL
Introduction to Computer Science and Business Course Outline and Objectives: Database Programming with SQL This is the second portion of the Database Design and Programming with SQL course. In this portion,
More informationAutomated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation
Automated SQL Ownage Techniques October 30 th, 2009 Sebastian Cufre Developer Core Security Technologies sebastian.cufre@coresecurity.com Copyright The Foundation Permission is granted to copy, distribute
More informationWeb Gate Keeper: Detecting Encroachment in Multi-tier Web Application
Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application Sanaz Jafari Prof.Dr.Suhas H. Patil (GUIDE) ABSTRACT The Internet services and different applications become vital part of every person
More informationDenial of Service (DoS)
Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:
More informationSQL Injection Attack: Detection in a Web Application Environment
SQL Injection Attack: Detection in a Web Application Environment Table of Contents 1 Foreword... 1 2 Background... 2 2.1 Web Application Environment... 2 2.2 SQL Attack Overview... 2 2.3 Applications Open
More informationANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA
ANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA By Ashish Kumar, Dr. Swapnesh Taterh 1st AIIT, Amity University, Rajasthan. 2nd Asst Prof, AIIT, Amity University, Rajasthan.
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationEssay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM).
Question 1 Essay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM). By specifying participation conditions By specifying the degree of relationship
More informationPreventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE)
IBM Zurich Research Laboratory Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE) Tadeusz Pietraszek Chris Vanden Berghe RAID
More informationQuestion No: 2 Which identifier is used to describe the application or process that submitted a log message?
Volume: 65 Questions Question No: 1 Which definition of a fork in Linux is true? A. daemon to execute scheduled commands B. parent directory name of a file pathname C. macros for manipulating CPU sets
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationSQL Injection Attacks and Defense
SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco
More informationLAB 3 Notes. Codd proposed the relational model in 70 Main advantage of Relational Model : Simple representation (relationstables(row,
LAB 3 Notes The Relational Model Chapter 3 In the previous lab we discussed the Conceptual Database Design Phase and the ER Diagram. Today we will mainly discuss how to convert an ER model into the Relational
More informationConfiguring User Defined Patterns
The allows you to create customized data patterns which can be detected and handled according to the configured security settings. The uses regular expressions (regex) to define data type patterns. Custom
More informationChapter 6: Integrity and Security.! Domain Constraints! Referential Integrity! Assertions! Triggers! Security! Authorization! Authorization in SQL
Chapter 6: Integrity and Security! Domain Constraints! Referential Integrity! Assertions! Triggers! Security! Authorization! Authorization in SQL 6.1 Domain Constraints! Integrity constraints guard against
More informationSECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER
SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER 1 AGENDA 1. Introduction: What is security? How much
More informationInjection attacks use specially crafted inputs to subvert the intended operation of applications.
Secure Programming Lecture 8: SQL Injection David Aspinall, Informatics @ Edinburgh 8th February 2018 Recap Injection attacks use specially crafted inputs to subvert the intended operation of applications.
More informationSecurity Philosophy. Humans have difficulty understanding risk
Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy
More informationD B M G. SQL language: basics. Managing tables. Creating a table Modifying table structure Deleting a table The data dictionary Data integrity
SQL language: basics Creating a table Modifying table structure Deleting a table The data dictionary Data integrity 2013 Politecnico di Torino 1 Creating a table Creating a table (1/3) The following SQL
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationChapter 4. Basic SQL. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley
Chapter 4 Basic SQL Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 4 Outline SQL Data Definition and Data Types Specifying Constraints in SQL Basic Retrieval Queries
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationSlides by: Ms. Shree Jaswal
Slides by: Ms. Shree Jaswal A trigger is a statement that is executed automatically by the system as a side effect of a modification to the database. To design a trigger mechanism, we must: Specify the
More informationCS352 Lecture: Integrity and Security Constraints revised 9/8/06
CS352 Lecture: Integrity and Security Constraints revised 9/8/06 Materials: 1. Handout of SQL statements for creating example library database, showing entity and referential integrity constraints. (Students
More informationWebapps Vulnerability Report
Webapps Vulnerability Report Tuesday, January 12, 2010 Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE IMPACT during this
More informationMULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE
MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE CHAPTER 8 Addressing security demands under fixed budgets and deadline constraints are becoming extremely challenging, time consuming and resource
More informationRelational Data Structure and Concepts. Structured Query Language (Part 1) The Entity Integrity Rules. Relational Data Structure and Concepts
Relational Data Structure and Concepts Structured Query Language (Part 1) Two-dimensional tables whose attributes values are atomic. At every row-and-column position within the table, there always exists
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationDB Creation with SQL DDL
DB Creation with SQL DDL Outline SQL Concepts Data Types Schema/Table/View Creation Transactions and Access Control Objectives of SQL Ideally, database language should allow user to: create the database
More informationSQL Injection. EECS Introduction to Database Management Systems
SQL Injection EECS3421 - Introduction to Database Management Systems Credit "Foundations of Security: What Every Programmer Needs To Know" (Chapter 8) by Neil Daswani, Christoph Kern, and Anita Kesavan
More informationDefine information security Define security as process, not point product.
CSA 223 Network and Web Security Chapter One What is information security. Look at: Define information security Define security as process, not point product. Define information security Information is
More informationDatabase Security Overview. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Database Security Overview Murat Kantarcioglu Topics The access control model of System R Extensions to the System R model Views and content-based
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationPost-Class Quiz: Access Control Domain
1. In order to perform data classification process, what must be present? A. A data classification policy. B. A data classification standard. C. A data classification procedure. D. All of the above. 2.
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More informationTautology based Advanced SQL Injection Technique A Peril to Web Application
IJIRST National Conference on Latest Trends in Networking and Cyber Security March 2017 Tautology based Advanced SQL Injection Technique A Peril to Web Application Kritarth Jhala 1 Shukla Umang D 2 2 Department
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationReal Application Security Administration
Oracle Database Real Application Security Administration Console (RASADM) User s Guide 12c Release 2 (12.2) E85615-01 June 2017 Real Application Security Administration Oracle Database Real Application
More informationMastering Transact-SQL An Overview of SQL Server 2000 p. 3 SQL Server's Networked Architecture p. 4 SQL Server's Basic Components p.
Acknowledgments p. xxiii Introduction p. xxv Mastering Transact-SQL An Overview of SQL Server 2000 p. 3 SQL Server's Networked Architecture p. 4 SQL Server's Basic Components p. 8 Transact-SQL p. 9 SQL
More informationToday Learning outcomes LO2
2015 2016 Phil Smith Today Learning outcomes LO2 On successful completion of this unit you will: 1. Be able to design and implement relational database systems. 2. Requirements. 3. User Interface. I am
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationNetDefend Firewall UTM Services
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content
More informationCT13 DATABASE MANAGEMENT SYSTEMS DEC 2015
Q.1 a. Explain the role of concurrency control software in DBMS with an example. Answer: Concurrency control software in DBMS ensures that several users trying to update the same data do so in a controlled
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationAn Oracle White Paper September Security and the Oracle Database Cloud Service
An Oracle White Paper September 2012 Security and the Oracle Database Cloud Service 1 Table of Contents Overview... 3 Security architecture... 4 User areas... 4 Accounts... 4 Identity Domains... 4 Database
More informationINNOV-09 How to Keep Hackers Out of your Web Application
INNOV-09 How to Keep Hackers Out of your Web Application Michael Solomon, CISSP PMP CISM Solomon Consulting Inc. www.solomonconsulting.com What is a Web Application? Any access to your data via the Internet
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationCOSC 304 Introduction to Database Systems. Views and Security. Dr. Ramon Lawrence University of British Columbia Okanagan
COSC 304 Introduction to Database Systems Views and Security Dr. Ramon Lawrence University of British Columbia Okanagan ramon.lawrence@ubc.ca Views A view is a named query that is defined in the database.
More informationERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016
Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds
More informationOverview of Information Security
Overview of Information Security Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org Original Slides by Elisa Bertino CERIAS and CS &ECE Departments, Pag. 1 and UGBS Outline Information
More informationDatabase Security Lecture 10
Database Security Lecture 10 Database security Grant-Revoke Model Elisa Bertino bertino@cs.purdue.edu Access Control in Commercial DBMSs Most commercial systems adopt DAC Current discretionary authorization
More informationVisualizing Access Control Policies in Databases. Jared Chandler. Comp 116 Fall 2015
Visualizing Access Control Policies in Databases Jared Chandler Comp 116 Fall 2015 To the Community I chose this topic because it is something I have an interest in improving. SQL databases are widespread
More informationSQL Injection Attacks: Detection in a Web Application Environment
SQL Injection Attacks: Detection in a Web Application Environment Table of Contents 1 Foreword... 1 2 Background... 2 2.1 Web Application Environment... 2 2.2 SQL Attack Overview... 2 2.3 Applications
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationISO/IEC Common Criteria. Threat Categories
ISO/IEC 15408 Common Criteria Threat Categories 2005 Bar Biszick-Lockwood / QualityIT Redmond, WA 2003 Purpose This presentation introduces you to the threat categories contained in ISO/IEC 15408, used
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationSOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management
SOLUTION BRIEF CA API MANAGEMENT Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management 2 SOLUTION BRIEF ENABLE AND PROTECT YOUR WEB APPLICATIONS WITH CA API MANAGEMENT ca.com
More informationInstructor: Jinze Liu. Fall 2008
Instructor: Jinze Liu Fall 2008 http://www.securityfocus.com/news/11455 Jinze Liu @ University of Kentucky 9/22/2008 2 Source: http://www.gocsi.com/ Database Security - Farkas 3 Almost all corporate/organizational
More informationEbook : Overview of application development. All code from the application series books listed at:
Ebook : Overview of application development. All code from the application series books listed at: http://www.vkinfotek.com with permission. Publishers: VK Publishers Established: 2001 Type of books: Develop
More informationThe Relational Model. Outline. Why Study the Relational Model? Faloutsos SCS object-relational model
The Relational Model CMU SCS 15-415 C. Faloutsos Lecture #3 R & G, Chap. 3 Outline Introduction Integrity constraints (IC) Enforcing IC Querying Relational Data ER to tables Intro to Views Destroying/altering
More informationTechnology White Paper of SQL Injection Attacks and Prevention
Technology White Paper of SQL Injection Attacks and Prevention Keywords: SQL injection, SQL statement, feature identification Abstract: SQL injection attacks are common attacks that exploit database vulnerabilities.
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationOracle Database 10g: Introduction to SQL
ORACLE UNIVERSITY CONTACT US: 00 9714 390 9000 Oracle Database 10g: Introduction to SQL Duration: 5 Days What you will learn This course offers students an introduction to Oracle Database 10g database
More information