<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Learn Software Development &#187; Security</title>
	<atom:link href="http://learnsoftwareprocesses.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://learnsoftwareprocesses.com</link>
	<description>All about the processes involved in software development</description>
	<lastBuildDate>Sun, 20 May 2012 19:17:40 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What are different methods and techniques used for security testing at the data base level?</title>
		<link>http://learnsoftwareprocesses.com/2012/04/03/what-are-different-methods-and-techniques-used-for-security-testing-at-the-data-base-level/</link>
		<comments>http://learnsoftwareprocesses.com/2012/04/03/what-are-different-methods-and-techniques-used-for-security-testing-at-the-data-base-level/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 17:10:39 +0000</pubDate>
		<dc:creator>ashish</dc:creator>
				<category><![CDATA[Databases]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Application defense]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[Database security]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security techniques]]></category>
		<category><![CDATA[Software processes]]></category>
		<category><![CDATA[Software testing]]></category>

		<guid isPermaLink="false">http://learnsoftwareprocesses.com/?p=1046</guid>
		<description><![CDATA[<p>Many of the traditional methods and techniques for security testing at the database level are still in use, but their efficiency has reduced somewhat. This is probably due to the increased sophistication of attacking methods and techniques, and also because of the focus of the traditional methods and techniques being reliant on the architecture of [...]]]></description>
			<content:encoded><![CDATA[<p>Many of the traditional methods and techniques for security testing at the database level are still in use, but their efficiency has reduced somewhat. This is probably due to the increased sophistication of attack methods and techniques, and also because the traditional methods and techniques focus on the architecture of the computer network, port scanning, firewalls and so on. These methods and techniques are governed by the notion of protecting software and networking systems from vulnerabilities and attacks. They do so by identifying bugs and defending a recognized perimeter.<br />
Without any doubt, the database of an application is a critical part of it, and it is also the most vulnerable part of the application. For proper safety, the web application should be subjected to rigorous security testing as well as risk analysis. There are 2 typical approaches for carrying out security testing at the database level:<br />
1. Inside out approach and<br />
2. Outside in approach.<br />
The latter is more prominent and makes use of a firewall. The firewall is implemented to protect the LAN and keep out external attacks (which have the potential to hijack the network or individual machines in the network). It does so by blocking the different types of traffic coming to that particular web application. This approach probes the local area network using a port scanner in order to determine which of its ports are open and what services are being offered through those ports. However, this approach has a drawback, or rather a security risk: the traditional services that were protected by the firewall now have to be implemented in software systems with poor security. No security testing technique at the database level is 100 percent efficient. Even reasonable security has many pitfalls.<br />
From all the techniques, the risk based security testing technique continues to top the list. Before choosing any approach for the security testing at the database level you should first know how the following aspects of the database of that application work in accordance with the stated security objectives:<br />
1. Database architecture<br />
2. Application technologies that have been used in making the software application.<br />
3. Configurations of the different components of the software system or application.<br />
4. Critical assets<br />
5. Storage of sensitive data and<br />
6. Business critical inter connections<br />
Security testing at the database level involves the following activities:<br />
1. Estimating the potential attack vectors and making use of the available documentation so that the audit activities can be focused upon the critical elements of the database.<br />
2. Consultation with the other team members about the business goals, security requirements and other aspects related to data confidentiality, availability, provability and integrity etc.<br />
3. Knowledge about the following:<br />
(a) Intra database data flow<br />
(b) Key database components<br />
(c) Database architecture<br />
(d) Integral core technologies implemented in the software system or application<br />
(e) Integral core operational processes<br />
4. Preparation of the formal reporting objectives. The formal report of the testing covers the results of the gap analysis, mitigation road map and other relevant findings like peer group benchmarking, executive summaries, root cause analysis, technical summaries and good practice benchmarking etc.<br />
5. Deciding on the formal objectives<br />
Database level security testing is essential since no application can operate without having access to its database.</p>
]]></content:encoded>
			<wfw:commentRss>http://learnsoftwareprocesses.com/2012/04/03/what-are-different-methods-and-techniques-used-for-security-testing-at-the-data-base-level/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What are different methods and techniques used for security testing at black box level?</title>
		<link>http://learnsoftwareprocesses.com/2012/03/26/what-are-different-methods-and-techniques-used-for-security-testing-at-black-box-level/</link>
		<comments>http://learnsoftwareprocesses.com/2012/03/26/what-are-different-methods-and-techniques-used-for-security-testing-at-black-box-level/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 18:27:57 +0000</pubDate>
		<dc:creator>ashish</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[Amazon Book]]></category>
		<category><![CDATA[Black box testing]]></category>
		<category><![CDATA[Help]]></category>
		<category><![CDATA[Learn]]></category>
		<category><![CDATA[Penetration testing]]></category>
		<category><![CDATA[Security testing]]></category>
		<category><![CDATA[Testing]]></category>

		<guid isPermaLink="false">http://learnsoftwareprocesses.com/?p=1036</guid>
		<description><![CDATA[<p>As we all know, security testing is concerned with the security issues and processes that ensure a high level of security of a software system or application. But nowadays security testing means much more than just a normal security check-up. We mean to say that security is something much more than just being a [...]]]></description>
			<content:encoded><![CDATA[<p>As we all know, security testing is concerned with the security issues and processes that ensure a high level of security of a software system or application. But nowadays security testing means much more than just a normal security check-up. We mean to say that security is something much more than just a methodology for scanning network ports. Security is now being recognized as one of the most critical aspects of any system or software program.<br />
In fact, one of the factors that brings down the standard of security testing is that it is often misunderstood by the testers. Security testing performed through the different methods and techniques at black box level can be far more effective than is generally understood. Security testing at the black box level is quite simple compared to testing at the other levels. It is mainly performed using specialized tools for the purpose, called application security tools. This type of security testing is more effective than the functional testing that is carried out on the security structure. To make security testing at the black box level a success, the testers need to follow an approach entirely based on risk assessment.<br />
This approach should extend from the actual architecture of the system to the mindset of the attacker. This strategy proves to be quite useful when it comes to adequately gauging the security of the whole software system or application. Once the risks related to the software system or application have been identified, test cases can be created based on those risks. Following this strategy, it becomes easy for the tester to focus properly on the parts of the software system which are more vulnerable to the identified risks. This approach gives better results than classical black box testing since it provides greater assurance of the software's security.<br />
Though software security deals with the behavior of the software when it encounters a security threat, software failures occur more frequently, and without any intentional harm or mischief. Normal security testing is all about what will happen when the software fails, such as whether the failure is smooth, or whether the failure occurs in such a way that it can pose problems for the user. This technique does not focus upon the intention.<br />
Security checking should cover the services offered by the system, information, skills of the adversaries, assurance remedies and the resources. Before carrying out security testing at the black box level following any technique or method, you need to run a risk analysis of the design of the software system in order to identify all the risks and security problems associated with the system. The vulnerabilities of a software system are what attackers exploit. The errors and bugs causing these vulnerabilities pose the major issue for the security of the software system. The steps to be followed as part of the process of black box security testing are:<br />
1. Creating cases about the security issues and security abuse.<br />
2. List software security requirements.<br />
3. Perform risk analysis for the architecture of the program.<br />
4. Build test plans for security testing based on the identified risks.<br />
5. Wield static tools for testing<br />
6. Perform security tests.<br />
7. Perform penetration test for a final check<br />
8. Clean up after the security breach.<br />
The following 2 distinct approaches must be followed for security testing at black box level:<br />
1. The security mechanisms should be tested thoroughly so as to ensure that their functionality is working properly and<br />
2. The risk based security test must be performed in a way that it is a simulation of the approach followed by the attacker.</p>
]]></content:encoded>
			<wfw:commentRss>http://learnsoftwareprocesses.com/2012/03/26/what-are-different-methods-and-techniques-used-for-security-testing-at-black-box-level/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Introduction to Database Encryption</title>
		<link>http://learnsoftwareprocesses.com/2009/09/12/introduction-to-database-encryption/</link>
		<comments>http://learnsoftwareprocesses.com/2009/09/12/introduction-to-database-encryption/#comments</comments>
		<pubDate>Sat, 12 Sep 2009 06:42:34 +0000</pubDate>
		<dc:creator>ashish</dc:creator>
				<category><![CDATA[Data]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Database Encryption]]></category>

		<guid isPermaLink="false">http://learnsoftwareprocesses.com/?p=347</guid>
		<description><![CDATA[<p>Encryption can provide strong security for data, but is that enough? Data in a database can be accessed by many systems, but developing a database encryption strategy must take many factors into consideration. Where should the encryption be performed, for example — in the database, or in the application where the data originates? Who [...]]]></description>
			<content:encoded><![CDATA[<p>Encryption can provide strong security for data, but is that enough? Data in a database can be accessed by many systems, but developing a database encryption strategy must take many factors into consideration. Where should the encryption be performed, for example — in the database, or in the application where the data originates? Who should have access to the encryption keys? How much data must be encrypted to provide security? What’s an acceptable trade-off between data security and application performance?<br />
Data encryption is the process of converting stored or transmitted data to a coded form in order to prevent it from being read by an unauthorized person. It is the application of a specific algorithm to alter the appearance of data, making it incomprehensible to those who are not authorized to see the information.<br />
There are 2 types of encryption algorithm:<br />
- Secret key or symmetric key algorithm: In this encryption algorithm, a single secret or private key is shared between the sender and receiver. The sender encrypts the data using this key and the receiver decrypts it using the same key. It is assumed that no one else knows the key.<br />
- Public key or asymmetric key algorithm: In this algorithm, every sender and receiver has a pair of keys. One is made public to the network and is called the public key; the other is kept private to that node and is called the private key. The pair is constructed such that data encrypted with one of the keys in the pair can only be decrypted with the other key in the pair. When a sender has to send data, it encrypts the data with the receiver’s public key and the receiver decrypts it with its private key.</p>
<p>Advice on how to overcome some of the challenges in database encryption:<br />
- Regulatory drivers: Advanced security through database encryption is required across many different sectors, and increasingly to comply with regulatory mandates.<br />
One approach that can help companies address the encryption challenges associated with regulation is the defense-in-depth principle which advocates many layers to strong security – ranging from physical security and access controls to rights assignment and network security, including firewalls and, crucially, encryption of both data at rest and in transit.<br />
- Overcoming key management issues<br />
It is important that database encryption be accompanied by key management; however, statistics show that this is also the main barrier to database encryption. It is well recognized that key use should be restricted and that key backup is extremely important. An additional best practice rule of encryption is that the encryption key should never be stored alongside the data it was used to encrypt. Placing encryption keys within a hardware security module (HSM) enforces this policy.<br />
- Separation of duties and dual control<br />
Many organizations pay close attention to separation of duties and dual control, which is required to pass audits to show that there are internal controls protecting against rogue administrators or unauthorized employees and is often required by the various regulatory requirements discussed above. </p>
]]></content:encoded>
			<wfw:commentRss>http://learnsoftwareprocesses.com/2009/09/12/introduction-to-database-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Database Integrity</title>
		<link>http://learnsoftwareprocesses.com/2009/09/11/database-integrity/</link>
		<comments>http://learnsoftwareprocesses.com/2009/09/11/database-integrity/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 09:31:17 +0000</pubDate>
		<dc:creator>ashish</dc:creator>
				<category><![CDATA[Data]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Database Integrity]]></category>
		<category><![CDATA[Integrity constraints]]></category>
		<category><![CDATA[Threats]]></category>

		<guid isPermaLink="false">http://learnsoftwareprocesses.com/?p=343</guid>
		<description><![CDATA[<p>Database integrity is the correct preservation of data and implies the process of protecting the database from accidental deletion or alteration. There are the following types of integrity constraints: • Entity integrity constraints • Referential integrity constraints • Domain integrity constraints</p> <p>DATABASE SECURITY: Database security is a measurement of confidence that the integrity of [...]]]></description>
			<content:encoded><![CDATA[<p>Database integrity is the correct preservation of data and implies the process of protecting the database from accidental deletion or alteration.<br />
There are the following types of integrity constraints:<br />
• Entity integrity constraints<br />
• Referential integrity constraints<br />
• Domain integrity constraints</p>
<p>DATABASE SECURITY: Database security is a measurement of confidence that the integrity of a system and its data will be preserved.<br />
Database security is meant to address the following issues:<br />
• Privacy of data elements<br />
• Preserving policies of organization<br />
• System related security level<br />
• Maintaining integrity of the database</p>
<p>Data integrity can be compromised in a number of ways:<br />
- Human errors when data is entered.<br />
- Errors that occur when data is transmitted from one computer to another.<br />
- Software bugs or viruses.<br />
- Hardware malfunctions, such as disk crashes.<br />
- Natural disasters, such as fires and floods.</p>
<p>There are many ways to minimize these threats to data integrity. These include:<br />
- Backing up data regularly.<br />
- Controlling access to data via security mechanisms.<br />
- Designing user interfaces that prevent the input of invalid data.<br />
- Using error detection and correction software when transmitting data. </p>
<p>* Declarative Ease<br />
Define integrity constraints using SQL statements. For these reasons, declarative integrity constraints are preferable to application code and database triggers. The declarative approach is also better than using stored procedures, because the stored procedure solution to data integrity controls data access, but integrity constraints do not eliminate the flexibility of ad hoc data access.<br />
* Centralized Rules<br />
Integrity constraints are defined for tables (not an application) and are stored in the data dictionary. Any data entered by any application must adhere to the same integrity constraints associated with the table.<br />
* Maximum Application Development Productivity<br />
If a business rule enforced by an integrity constraint changes, then the administrator need only change that integrity constraint and all applications automatically adhere to the modified constraint.<br />
* Superior Performance<br />
The semantics of integrity constraint declarations are clearly defined, and performance optimizations are implemented for each specific declarative rule.<br />
* Flexibility for Data Loads and Identification of Integrity Violations<br />
You can disable integrity constraints temporarily so that large amounts of data can be loaded without the overhead of constraint checking.<br />
* The Performance Cost of Integrity Constraints<br />
The advantages of enforcing data integrity rules come with some loss in performance. </p>
]]></content:encoded>
			<wfw:commentRss>http://learnsoftwareprocesses.com/2009/09/11/database-integrity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Overview of Database Security</title>
		<link>http://learnsoftwareprocesses.com/2009/09/11/overview-of-database-security/</link>
		<comments>http://learnsoftwareprocesses.com/2009/09/11/overview-of-database-security/#comments</comments>
		<pubDate>Fri, 11 Sep 2009 09:17:44 +0000</pubDate>
		<dc:creator>ashish</dc:creator>
				<category><![CDATA[Databases]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Database security]]></category>
		<category><![CDATA[SQL]]></category>
		<category><![CDATA[Structured Query language]]></category>

		<guid isPermaLink="false">http://learnsoftwareprocesses.com/?p=341</guid>
		<description><![CDATA[<p>Database security is the set of systems, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. The database is the entity where [...]]]></description>
			<content:encoded><![CDATA[<p>Database security is the set of systems, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. The database is the entity where all the data is stored, so protecting it from unauthorized access and change is extremely critical.<br />
Traditionally, databases have been protected from external connections by firewalls or routers on the network perimeter, with the database environment existing on the internal network as opposed to being located within a demilitarized zone.<br />
Database security can begin with the creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms; a set of best practices that cross over the platforms; and linkages of the standards to higher level policies and governmental regulations.<br />
One of the easiest steps to take is regarding passwords. Default or weak passwords are still often used by enterprises to protect an online asset as important as a database, but it&#8217;s a problem that&#8217;s easy to fix. The remedy is enforcing a strong password policy; that is, passwords must be changed regularly and be at least 10 digits long and contain both alphanumeric characters and symbols.<br />
SQL injection attacks pose tremendous risks to web applications that depend upon a database back-end to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued to the database. To prevent this type of attack, it is essential to ensure that all user-supplied data is validated before letting it anywhere near your scripts, data access routines and SQL queries, and preferably to use parameterized queries. Another reason to validate and clean data received from users is to prevent cross-site scripting (XSS) attacks, which can be used to compromise a database connected to a Web server.<br />
A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage such as sufficient encryption and access controls to reduce the risk of compromise.<br />
The software used for the database, for the middle layers and for all other layers should be updated regularly with patches, updates and fixes. Falling behind in this task is pretty painful if you end up exposing holes in the software to attackers (and attackers know that a number of companies do not upgrade their systems on an immediate basis).</p>
]]></content:encoded>
			<wfw:commentRss>http://learnsoftwareprocesses.com/2009/09/11/overview-of-database-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

