Overview
This course equips participants with the skills they need to recognize actual and potential database vulnerabilities, implement defenses against them, and test whether those defenses are sufficient. During the course, participants are introduced to common security vulnerabilities faced by databases, and each of these vulnerabilities is examined from a database perspective. The course discusses the threat and attack mechanisms, how to recognize associated vulnerabilities, and how to design, implement and test effective defenses. The course includes practical demonstrations and exercises to ensure that participants get a thorough understanding of the concepts discussed in the course.
What You'll Learn
- Understand the consequences of not properly handling untrusted data, such as denial of service, cross-site scripting, and injections
- Test databases with various attack techniques to determine the existence and effectiveness of layered defenses
- Prevent and defend against the many potential vulnerabilities associated with untrusted data
- Understand the concepts and terminology behind supporting, designing, and deploying secure databases
- Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
- Understand the currently accepted best practices for supporting the many security needs of databases
- Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
- Detect, attack, and implement defenses for authentication and authorization functionality
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Detect, attack, and implement defenses against XSS and Injection attacks
- Understand the concepts and terminology behind defensive, secure coding
- Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Perform both static reviews and dynamic database testing to uncover vulnerabilities
- Design and develop strong, robust authentication and authorization implementations
- Understand the fundamentals of Digital Signatures as well as how they can be used as part of the defensive infrastructure for data
- Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data
Curriculum
- Who is safe?
- The assumptions we make
- Security: The complete picture
- Anthem, Sony, Target, Heartland and TJX Debriefs
- Verizon’s 2017 data breach report
- Attack patterns and recommendations
- Security concepts
- Motivations: Costs and standards
- Open web application security project
- Web application security consortium
- CERT secure coding standards
- Microsoft SDL
- Assets and trust boundaries
- Threat modelling
- Principles of information security
- Security is a lifecycle issue
- Minimize attack surface area
- Layers of defense: Tenacious D
- Compartmentalize
- Consider all application states
- Do not trust the Untrusted
- Database security concerns
- Data at rest and in motion
- Privilege management
- Boundary defenses
- Continuity of service
- Trusted recovery
- Vulnerabilities
- Unvalidated input
- Broken authentication
- Cross site scripting (XSS/CSRF)
- Injection flaws
- Error handling, logging and information leakage
- Insecure storage
- Direct object access
- XML vulnerabilities
- Web services vulnerabilities
- Ajax vulnerabilities
- Cryptography overview
- Strong encryption
- Message digests
- Keys and key management
- Certificate management
- Encryption/Decryption
- Database security
- Design and configuration
- Identification and authentication
- Computing environment
- Database auditing
- Boundary defenses
- Continuity of service
- Vulnerability and incident management
- Understanding what’s important
- Common vulnerabilities and exposures
- OWASP 2017 top 10
- CWE/SANS Top 25 most dangerous SW errors
- Monster mitigations
- Strength training: Project teams/developers
- Strength training: IT organizations
- SDL process overview
- Types of security controls
- Phases of typical data-oriented attack
- Phases: Offensive actions and defensive controls
- Security lifecycle activities
- Applying processes and practices
- Threat modeling process
- Modeling assets and trust boundaries
- Modeling data flows
- Risk analysis
- Identifying threats
- Relating threats to models
- Mitigating threats
- Reviewing the application
- Testing tools and processes
- Security testing principles
- Dynamic analyzers
- Static code analyzers
- Criteria for selecting static analyzers
- Testing practices
- OWASP web app penetration testing
- Authentication testing
- Session management testing
- Data validation testing
- Denial of service testing
- Web service testing
- Ajax testing
Who should attend
- Database technical support engineers
- Database administrators
- Security consultants
- Database developers
- Database engineers
- Security analysts
- Software engineers