Garage4hackers Forum - Blogs - Anant Shrivastava http://www.garage4hackers.com/blogs/598/ This is a discussion forum releated to Hacking, Security, network and system security http://www.garage4hackers.com en Wed, 19 Jun 2013 21:19:10 GMT vBulletin 60 http://www.garage4hackers.com/images/misc/rss.jpg Garage4hackers Forum - Blogs - Anant Shrivastava http://www.garage4hackers.com/blogs/598/ Database protection Techniques : a different prespective http://www.garage4hackers.com/blogs/598/database-protection-techniques-different-prespective-141/ Tue, 28 Jun 2011 12:29:22 GMT Tips for Db Security Disclaimer : This post keeps in mind the web frontends and web applications based attacks on DB Servers in mind. 1. ...
Tips for Db Security

Disclaimer : This post keeps in mind the web frontends and web applications based attacks on DB Servers in mind.
  1. Any Userid used for web application connectivity should be clipped to specific ip addresses that could be localhost in case of same server usage for Db and App server. If two separate servers are used then clip the user id (s) with the application server ip address / hostname. Keep a strick log of who access the id and when.
  2. 1st entry in user /password data base should be a dummy entry with zero privilege and could be used to act as honeypot too.
  3. Default accounts to be removed / blocked.
  4. User Input validation should be a 3 step process.
    1. Web Page / Client Side validation : Jscript.
    2. Server (Application) : OWASP ESAPI or custom functions ocould be used.
    3. DB: use PL/SQL functions to strip input data.
  5. Another good utility to keep in mind is DBA_USERS_WITH_DEFPWD : contains list of users with default passwords, and with 11g all default accounts are locked.
  6. Web application developers should be provided with 3 different user level access to be used inside web application.
    1. Read Access : user with access to select query only.
    2. Write access: User with select update and delete access
    3. App_mod : access to write access plus drop and trunk.
    Developers need to make sure the proper user access is used as and when required.
  7. Note : I know a large number of developers might start crying on this that this will increase their headache but then in long run this could turn out to be a life saver.
Please post comments and suggestions on my main blog here
http://blog.anantshri.info/database-...t-prespective/ ]]> Anant Shrivastava http://www.garage4hackers.com/blogs/598/database-protection-techniques-different-prespective-141/