What are different methods and techniques used for security testing at the data base level?

Many of the traditional methods and techniques for security testing at the database level are still in use, but their effectiveness has declined somewhat. This is probably due to the increasing sophistication of attack methods and techniques, and also because the traditional methods focus on the architecture of the computer network, port scanning, firewalls and so on. These methods are built around the idea of protecting software and networking systems from attacks that exploit vulnerabilities; they pursue that goal by identifying bugs and defending a recognized perimeter.
There is no doubt that the database of an application is a critical part of it, and it is also the most vulnerable part. For proper safety, the web application should be subjected to rigorous security testing as well as risk analysis. There are two typical approaches to security testing at the database level:
1. Inside-out approach
2. Outside-in approach
The latter is more common and relies on a firewall. The firewall is deployed to protect the LAN and keep external attacks out (attacks that could hijack the network or individual machines on it). It does so by blocking the various types of traffic directed at that particular web application. This approach probes the local area network with a port scanner to determine which ports are open and which services are exposed on them. However, the approach also has a drawback, or rather a security risk: the services that were once protected by the firewall now have to be implemented in software that itself has poor security. No security testing technique at the database level is 100 percent effective; even reasonable security has many pitfalls.
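As an added illustration of the outside-in check described above (example code written for this page, not part of the original post): the script parses a constructed `ss -tln`-style listing of listening sockets and flags database services bound beyond the loopback interface, rating those the firewall allowlist admits as the highest risk. The port-to-service table and the allowlist are assumptions.

```python
"""Outside-in audit of database listeners (added example, not from the post).
Input is a constructed `ss -tln`-style listing; the port table and the
firewall allowlist below are assumptions made for this example."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Assumed mapping of well-known database ports to service names.
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql",
            1521: "oracle", 27017: "mongodb", 6379: "redis"}
LOOPBACK = {"127.0.0.1", "::1"}

class Finding(NamedTuple):
    service: str
    bind_addr: str
    port: int
    severity: str  # "high": firewall admits the port; "medium": LAN-reachable only

# Constructed sample in the shape of `ss -tln` output.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:27017          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

# Local address column: optional [brackets] around IPv6, then :port.
_LOCAL_RE = re.compile(r"^\[?([0-9a-fA-F.:*]+?)\]?:(\d+)$")

def parse_listeners(text: str) -> Iterator[Tuple[str, int]]:
    """Yield (bind_addr, port) for every LISTEN row; the header is skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            m = _LOCAL_RE.match(fields[3])
            if m:
                yield m.group(1), int(m.group(2))

def exposed_database_listeners(text: str, firewall_allowed_ports=frozenset()) -> List[Finding]:
    """Report database listeners bound beyond loopback. "high" means the firewall
    admits the port from outside, so it protects nothing; "medium" means the
    firewall is the only thing between the database and the outside."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in DB_PORTS and addr not in LOOPBACK:
            sev = "high" if port in firewall_allowed_ports else "medium"
            findings.append(Finding(DB_PORTS[port], addr, port, sev))
    return findings
```

Run `exposed_database_listeners(SAMPLE_SS_OUTPUT, {22, 3306})` to see the MySQL listener reported as high and the MongoDB listener as medium, while the loopback-only PostgreSQL instance is not reported.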
Of all the techniques, risk-based security testing continues to top the list. Before choosing any approach to security testing at the database level, you should first understand how the following aspects of the application's database relate to the stated security objectives:
1. Database architecture
2. Application technologies used to build the software application
3. Configurations of the different components of the software system or application
4. Critical assets
5. Storage of sensitive data
6. Business-critical interconnections
Security testing at the database level involves the following activities:
1. Estimating the potential attack vectors and using the available documentation so that audit activities can be focused on the critical elements of the database.
2. Consulting with the other team members about the business goals, security requirements and other aspects related to data confidentiality, availability, provability and integrity.
3. Gaining knowledge of the following:
(a) Intra-database data flow
(b) Key database components
(c) Database architecture
(d) Integral core technologies implemented in the software system or application
(e) Integral core operational processes
4. Preparing the formal reporting objectives. The formal test report covers the results of the gap analysis, the mitigation roadmap and other relevant findings such as peer-group benchmarking, executive summaries, root cause analysis, technical summaries and good-practice benchmarking.
5. Deciding on the formal objectives.
Security testing at the database level is essential, since no application can operate without access to its database.
