Securing Databases | Database Security

Description

From ransomware and constant data breaches to state-sponsored attacks, we are under constant and increasing pressure. Retailers, financial institutions, government agencies, high-tech companies, and many others are paying the price for poor application security - financial losses and eroding trust. The developer community must take ownership of these problems and change our perspective of defensive measures and how we design, development, and maintain software applications.

Securing Databases is an essential training course for DBAs and developers who need to produce secure database applications and manage secure databases. Data, databases, and related resources are at the heart of most IT infrastructures.  These assets can have high value from a business, regulatory, and liability perspective, and must be protected accordingly.  This course showcases demonstrations on how to repeatedly attack and then defend various assets associated with a fully functional database.  This approach illustrates the mechanics of how to secure databases in the most practical of terms.

This course introduces the most common security vulnerabilities faced by databases today. Throughout the course, you’ll examine each vulnerability from a database perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and then designing, implementing, and testing effective defenses.  Multiple practical demonstrations reinforce these concepts with real vulnerabilities and attacks.  You’ll also learn how to design and implement the layered defenses needed to defend your own databases. You’ll exit this course with the skills required to recognize actual and potential database vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency.

 Objectives

• Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
• Establish the first axiom in securirty analysis of ALL web applications for this course and beyond
• Establish the first axiom in addressing ALL security concerns for this course and beyond
• Test databases with various attack techniques to determine the existence of and effectiveness of layered defenses
• Prevent and defend the many potential vulnerabilities associated with untrusted data
• Understand the concepts and terminology behind supporting, designing, and deploying secure databases
• Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
• Understand the currently accepted best practices for supporting the many security needs of databases.
• Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
• Detect, attack, and implement defenses for authentication and authorization functionality
• Understand the dangers and mechanisms behind Injection attacks
• Understand the concepts and terminology behind defensive, secure database configuration and operation
• Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
• Perform both static reviews and dynamic database testing to uncover vulnerabilities
• Design and develop strong, robust authentication and authorization implementations
• Understand the fundamentals of Digital Signatures as well as how it can be used as part of the defensive infrastructure for data
• Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data
• Identify resources to use for ongoing threat intelligence
• Plan next steps after completion of this training

This is an introduction to database security course for intermediate skilled team members.  Attendees might include DBAs, system administrators, developers and other enterprise team members.  Ideally, students should have approximately 6 months to a year of database working knowledge.