SlideShare a Scribd company logo

Open Source Databases Security

Serge Frezefond
Serge Frezefond

Open Source Databases Security. at 2013 "Linux and Free/Open Source Solution" Paris Conference by Serge Frezefond

TechnologyEducation
1 of 27
Download to read offline
Open Sources Databases Security Serge Frezefond @sfrezefond http://Serge.frezefond.com 29 / 05 / 2013 Serge Frezefond - Databases Security
Companies are under permanent attacks •  Stealing  valuable  data     -  Customer  base   •  Deny  Of  Service   -  Make  your  database  unresponsive   •  Corrup;on  of  data   -  Totally  or  par;ally   •  Doing  transac;ons  /  money  transfers  on  behalf  of  X       Cost  of  a@acks  is  in  millions  of  $     May 28th 2013 2 Serge Frezefond - Databases Security
Recent attacks are not sophisticated SQL injection On  March  27,  2011,  mysql.com,  the  official  homepage  for  MySQL,   was  compromised  by  a  hacker  using  SQL  blind  injec;on   On  June  1,  2011,  "hack;vists"  of  the  group  LulzSec  were  accused  of   using  SQLI  to  steal  coupons,  download  keys,  and  passwords  that   were  stored  in  plaintext  on  Sony's  website,  accessing  the   personal  informa;on  of  a  million  users.   In  July  2012  a  hacker  group  was  reported  to  have  stolen  450,000   login  creden;als  from  Yahoo!.  The  logins  were  stored  in  plain  text   and  were  allegedly  taken  from  a  Yahoo  subdomain,  Yahoo!   Voices.  The  group  breached  Yahoo's  security  by  using  a  "union-­‐ based  SQL  injec;on  technique".   May 28th 2013 3 Serge Frezefond - Databases Security
Many companies have major lacks in security •  Most  use  basic  authen;ca;on  :  User  /  Password   •  Database  open  to  IP  with  no  origin  check  (  Firewall  )     •  No  strong  authen;fica;on   •  No  data  encryp;on   •  No  traffic  encryp;on  SSL   •  No  true  audi;ng   -  Rarely  database  ac;vity  audit  (too  costly)   •  IDS  rarely  used     •  Many  of  them  lack  a  security  officer  understanding  the   cri;city  of  databases   May 28th 2013 4 Serge Frezefond - Databases Security
Some companies need to fullfill extra security obligations •  PCI  DSS   •  SOX   •  HIPAA  /    HITECH   •  EU  Data    Protec;on  Direc;ve  (  Right  to  Privacy  )   •  -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐   •  Fullfilling  these  rules  is  not  enough  to  be  secure   May 28th 2013 5 Serge Frezefond - Databases Security
Inside vs Outside is not a meaningful differenciation •  Many  subcrontactors   •  Not  always  happy  /  honest  employees   •  Network  open  to  third  par;es  to  ease  processes  :   -  Partners,  Customers,  Suppliers   •  Most  internal  databases  are  very  cri;cal  /  valuable   assets  (  even  if  not  part  of  a  web  exposed  applica;on)   •  BYOD  policy  introduces  risk.   May 28th 2013 6 Serge Frezefond - Databases Security
Open source is a building block of Secure Architectures •  Open  SSL  /  YASSL   •  Open  SSH   •  Open  radius   •  Open  LDAP   •  PAM   •  PKI  (EJBCA,  OPENCA)   •  Key  management  (StrongAuth)   •  2  factors  authen;ca;on  /  OTP   •  IDS  (Suricata)   May 28th 2013 7 Serge Frezefond - Databases Security
Database is a key part of an architecture   •  When  Data  is  destroyed  or  corrupted  it  is  very  difficult   or  impossible  to  restore.   •  The  impact  on  image  is  important   -  Many  companies  prefer  silence   •  Data  need  anyway  to  be  exposed  :  to  be  manipulated  /   shared  /  saved  /  tested  /  audited    Financial  impact  of  this  kind  of  a;ack  is  huge   May 28th 2013 8 Serge Frezefond - Databases Security
All Open Source Databases are vulnerable •  PostgreSQL  :     -  Has  suffered  major  issues  recently  (April  2013)   •  MySQL  :   -  Has  suffered  major  issues  recently   •  SQLite  :  no  real  security  model  as  target  is  embeded   -  Cipher  solu;ons  availables   •  NoSQL  database  Big  Data  :  very  weak  security  models   May 28th 2013 9 Serge Frezefond - Databases Security
MySQL Vulnerabilities •  CVE  2012  5613    (  a  0day  Exploit  )   •  MySQL  5.5.19  and  …,  when  configured  to  assign  the   FILE  privilege  to  users  who  should  not  have   administra;ve  privileges,  allows  remote  authen;cated   users  to  gain  privileges  by  leveraging  the  FILE  privilege   to  create  files  as  the  MySQL  administrator.     create  a  user  with  FULL  ACCESS  to  database     May 28th 2013 10 Serge Frezefond - Databases Security
MySQL Vulnerabilities •  CVE  2012  5611     •  Stack-­‐based  buffer  overflow  in  the  acl_get  func;on  in   Oracle  MySQL  5.5.19  and  other  versions    ...  allows   remote  authen;cated  users  to  execute  arbitrary  code   via  a  long  argument  to  the  GRANT  FILE  command.   Execute  any  arbitrary  code   May 28th 2013 11 Serge Frezefond - Databases Security
MySQL Vulnerabilities •  CVE  2012  2122  a  simple  loop  give  root  access  :   •  $  for  i  in  `seq  1  1000`;  do  mysql  -­‐u  root  -­‐-­‐password=bad   -­‐h  127.0.0.1  2>/dev/null;  done   •  mysql>     •  assump;on  that  the  memcmp()  func;on  would  always   return  a  value  within  the  range  -­‐128  to  127   Able  to  login  root  to  the  database   May 28th 2013 12 Serge Frezefond - Databases Security
PostgreSQL Major Vulnerability “Any  system  that  allows  unrestricted  access  to  the   PostgreSQL  network  port,  such  as  users  running   PostgreSQL  on  a  public  cloud,  is  especially  vulnerable”   •  PostgreSQL  team  Locked  down  the  Repository     -  Fear  that  code  work  lead  to  0day  exploit   •  All  linux  distribu;ons  need  to  released  patch   simultaneously   •  Plavorm  As  a  ServiceS  HEROKU  was  exposed  and   received  patch  before  other  :   -  Controversy  regarding  open  source  principles   May 28th 2013 13 Serge Frezefond - Databases Security
MySQL Vulnerabilities : What to do ? •  Follow  them  systema;cally  in  a  ;mely  manner   •  Patch  your  system  /  upgrade  version   •  0Days  exploit  should  trigger  major  alert   •  Apply  best  prac;ce   •  Most  vulnerabili;es  do  not  apply  in  all  cases   -   database  not  open  to  network  ,   -  -­‐-­‐secure-­‐file-­‐priv  op;on     May 28th 2013 14 Serge Frezefond - Databases Security
Authentication •  Standard  authen;ca;on  :  user/password   •  Authen;ca;on  plugin     -  SHA256  (5.6)   -  PAM   -  Windows   -  Mul;  factor  authen;ca;on  /  use  hardware  token   •  Do  not  expose  passwords  on  command  line  or  in  conf   files  (5.6)   May 28th 2013 15 Serge Frezefond - Databases Security
Data traffic encryption •  SSL  based     •  keys  &  cer;ficates  for  both  server  and  client     •  OpenSSL  or  yaSSL  as  SSL  library   May 28th 2013 16 Serge Frezefond - Databases Security
Stored Data Encryption •  Encrypt  Column  through  func;on  call   •  Encrypt  at  the  File  system  level   -  zNcrypt   •  Specialized  storage  Engine  can  do  encryp;on   -  MyDiamo   •  No  Transparent  Data  Encryp;on  in  MySQL     -  No  declara;ve  way  to  say  that  a  column  is  encrypted   •  Data  Masking  :  keep  your  data  secure  for  tests   May 28th 2013 17 Serge Frezefond - Databases Security
MySQL backup secured ? •  Backups  are  a  vulnerable  point   -  Very  easy  to  reuse   •  They  should  be  crypted   •  Xtrabackup  can  encrypt  backup  with  AES256   -  Key  in  keyfile   •  Symetric  key  ?  Stored  where  ?  Pvk  /  PbK   May 28th 2013 18 Serge Frezefond - Databases Security
Security model for developpers •  No  grant  to  access  the  data  through  select   •  Restrict  Access  to  :     -  Stored  proc   -  Triggers   -  Views   May 28th 2013 19 Serge Frezefond - Databases Security
Database Proxy / Firewall •  Used  to  audit  or  implement  policies  at  the  client/server   protocol  level  by  being  true  proxy  or  sniffing  the   protocol   -  MySQL  proxy   -  GreenSQL  /  closed  source   -  Oracle  Database  firewall   •  Usefull  to  filter  traffic   •  They  can  be  bypassed  ;-­‐)   May 28th 2013 20 Serge Frezefond - Databases Security
Database auditing •  A  mandatory  requirement  for  compliance   •  MySQL  audit  API  available  (improved  by  MariaDB)   •  Used  by  :   -  MacFee  audit  plugin   -  Oracle  Audit  plugin   -  MariaDB  Audit  Plugin  (  work  in  progress  )   •  Associated  with  Database  Ac;vity  Monitoring  Solu;ons   May 28th 2013 21 Serge Frezefond - Databases Security
Do not neglect SQL injections •  The  applica;on  is  the  weak  point  by  allowing   unpredicted  queries  to  be  run   •  F5  router  hacking  through  embeded  MySQL  (now   solved)   •  To  avoid  it  :   -  Sane;zing  the  input   -  Use  Prepared  statements   May 28th 2013 22 Serge Frezefond - Databases Security
MySQL & PHP : SQL injection $query  =  "SELECT  *  FROM  customers  WHERE  username  =   '$name'";     $name_bad  =  "'  OR  1'";   $name_evil  =  "';  DELETE  FROM  customers  WHERE  1  or   username  =  '";         Normal:  SELECT  *  FROM  customers  WHERE  username  =   ';mmy'   Injec;on:  SELECT  *  FROM  customers  WHERE  username  =  ''   OR  1''   May 28th 2013 23 Serge Frezefond - Databases Security
Best practice •  Have  you  architecture  audited  by  third  party   -  Do  not  believe  in  self  evalua;on   -  Do  regular  internal  pen  test   •  Keep  informed  about  vulnerabili;es  of  all  your   components.   •  Train  people  that  remain  the  weakest  point   •  Keep  up  to  date  with  best  pra;ces  (BYOD,    …)     May 28th 2013 24 Serge Frezefond - Databases Security
Is you database more secure in the cloud ? •  AWS  /  HP  CLOUD  /  AZURE  /  …   •  The  same  principle  applies  except  :   -  You  have  no  clear  idea  of  how  it  is  internally   architectured  and  operated   -  Quality  of  isola;on    is  not  clear   •  You  have  to  have  confidence  in  your  cloud  provider   and/or  be  more  carefull  :     -  Full  encryp;on  of  filesystem  and  backup  files   -  Key  management  outside  the  cloud     May 28th 2013 25 Serge Frezefond - Databases Security
If you detect a security breach •  Take  a  snapshot  of  the  whole  system   -  Including  key  elements  of  the  architecture   •  Be  sure  your  logs  are  safe   •  When  did  it  first  started   •  Who  did  it  :  do  not  loose  evidences   May 28th 2013 26 Serge Frezefond - Databases Security
May 28th 2013 27 Serge Frezefond - Databases Security Thanks Q&A Serge.Frezefond@skysql.com @sfrezefond http://Serge.frezefond.com

Recommended

ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionDeploy360 Programme (Internet Society)
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOMEXavier Mertens
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
Automated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleAutomated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleMajor Hayden
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 

Recommended

ION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionION Krakow - DNSSEC Panel Introduction
ION Krakow - DNSSEC Panel IntroductionDeploy360 Programme (Internet Society)
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOMEXavier Mertens
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
Automated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleAutomated Security Hardening with OpenStack-Ansible
Automated Security Hardening with OpenStack-AnsibleMajor Hayden
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinMySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinOlivier DASINI
 
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0Olivier DASINI
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_securityWisecube AI
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
Michael Jones-Resume-OCT2015
Michael Jones-Resume-OCT2015Michael Jones-Resume-OCT2015
Michael Jones-Resume-OCT2015Michael Jones, CCIE, CISSP, PMP
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...Olivier DASINI
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
 
MySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features SummaryMySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features SummaryOlivier DASINI
 
ION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsDeploy360 Programme (Internet Society)
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?Olivier DASINI
 
Five years of Persistent Threats
Five years of Persistent ThreatsFive years of Persistent Threats
Five years of Persistent ThreatsMaarten Van Horenbeeck
 
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamMySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamOlivier DASINI
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016Teri Radichel
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 

More Related Content

What's hot

Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinMySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinOlivier DASINI
 
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0Olivier DASINI
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_securityWisecube AI
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...Olivier DASINI
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
 
MySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features SummaryMySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features SummaryOlivier DASINI
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?Olivier DASINI
 
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamMySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamOlivier DASINI
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016Teri Radichel
 

What's hot (19)

Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack Clouds
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinMySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
 
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
MySQL Day Paris 2018 - Upgrade from MySQL 5.7 to MySQL 8.0
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_security
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
Michael Jones-Resume-OCT2015
Michael Jones-Resume-OCT2015Michael Jones-Resume-OCT2015
Michael Jones-Resume-OCT2015
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
MySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features SummaryMySQL 8.0.16 New Features Summary
MySQL 8.0.16 New Features Summary
 
ION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network Operators
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
MySQL Day Paris 2018 - What’s New in MySQL 8.0 ?
 
Five years of Persistent Threats
Five years of Persistent ThreatsFive years of Persistent Threats
Five years of Persistent Threats
 
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL TeamMySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
MySQL Database Service - 100% Developed, Managed and Supported by the MySQL Team
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016
 

Similar to Open Source Databases Security

Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishMarkus Eisele
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Presentation (6).pptx
Presentation (6).pptxPresentation (6).pptx
Presentation (6).pptxMSMuthu5
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudTobias Koprowski
 
MobileDBSecurity.pptx
MobileDBSecurity.pptxMobileDBSecurity.pptx
MobileDBSecurity.pptxmissionsk81
 
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMark Swarbrick
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
Database Security Presentation Why database Security is important
Database Security Presentation Why database Security is importantDatabase Security Presentation Why database Security is important
Database Security Presentation Why database Security is importantKamruzzamansohel2
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...M Mehdi Ahmadian
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!MarketingArrowECS_CZ
 

Similar to Open Source Databases Security (20)

Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
Presentation (6).pptx
Presentation (6).pptxPresentation (6).pptx
Presentation (6).pptx
 
Encrypted Databases for Untrusted Cloud
Encrypted Databases for Untrusted CloudEncrypted Databases for Untrusted Cloud
Encrypted Databases for Untrusted Cloud
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloudKoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
 
MobileDBSecurity.pptx
MobileDBSecurity.pptxMobileDBSecurity.pptx
MobileDBSecurity.pptx
 
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Let's Discuss Security with SFWelly
Let's Discuss Security with SFWellyLet's Discuss Security with SFWelly
Let's Discuss Security with SFWelly
 
Data security
Data securityData security
Data security
 
Database Security Presentation Why database Security is important
Database Security Presentation Why database Security is importantDatabase Security Presentation Why database Security is important
Database Security Presentation Why database Security is important
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme... هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
 
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Encryption in the Cloud
Encryption in the CloudEncryption in the Cloud
Encryption in the Cloud
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Open Source Databases Security

  • 1. Open Sources Databases Security Serge Frezefond @sfrezefond http://Serge.frezefond.com 29 / 05 / 2013 Serge Frezefond - Databases Security
  • 2. Companies are under permanent attacks •  Stealing  valuable  data     -  Customer  base   •  Deny  Of  Service   -  Make  your  database  unresponsive   •  Corrup;on  of  data   -  Totally  or  par;ally   •  Doing  transac;ons  /  money  transfers  on  behalf  of  X       Cost  of  a@acks  is  in  millions  of  $     May 28th 2013 2 Serge Frezefond - Databases Security
  • 3. Recent attacks are not sophisticated SQL injection On  March  27,  2011,  mysql.com,  the  official  homepage  for  MySQL,   was  compromised  by  a  hacker  using  SQL  blind  injec;on   On  June  1,  2011,  "hack;vists"  of  the  group  LulzSec  were  accused  of   using  SQLI  to  steal  coupons,  download  keys,  and  passwords  that   were  stored  in  plaintext  on  Sony's  website,  accessing  the   personal  informa;on  of  a  million  users.   In  July  2012  a  hacker  group  was  reported  to  have  stolen  450,000   login  creden;als  from  Yahoo!.  The  logins  were  stored  in  plain  text   and  were  allegedly  taken  from  a  Yahoo  subdomain,  Yahoo!   Voices.  The  group  breached  Yahoo's  security  by  using  a  "union-­‐ based  SQL  injec;on  technique".   May 28th 2013 3 Serge Frezefond - Databases Security
  • 4. Many companies have major lacks in security •  Most  use  basic  authen;ca;on  :  User  /  Password   •  Database  open  to  IP  with  no  origin  check  (  Firewall  )     •  No  strong  authen;fica;on   •  No  data  encryp;on   •  No  traffic  encryp;on  SSL   •  No  true  audi;ng   -  Rarely  database  ac;vity  audit  (too  costly)   •  IDS  rarely  used     •  Many  of  them  lack  a  security  officer  understanding  the   cri;city  of  databases   May 28th 2013 4 Serge Frezefond - Databases Security
  • 5. Some companies need to fullfill extra security obligations •  PCI  DSS   •  SOX   •  HIPAA  /    HITECH   •  EU  Data    Protec;on  Direc;ve  (  Right  to  Privacy  )   •  -­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐   •  Fullfilling  these  rules  is  not  enough  to  be  secure   May 28th 2013 5 Serge Frezefond - Databases Security
  • 6. Inside vs Outside is not a meaningful differenciation •  Many  subcrontactors   •  Not  always  happy  /  honest  employees   •  Network  open  to  third  par;es  to  ease  processes  :   -  Partners,  Customers,  Suppliers   •  Most  internal  databases  are  very  cri;cal  /  valuable   assets  (  even  if  not  part  of  a  web  exposed  applica;on)   •  BYOD  policy  introduces  risk.   May 28th 2013 6 Serge Frezefond - Databases Security
  • 7. Open source is a building block of Secure Architectures •  Open  SSL  /  YASSL   •  Open  SSH   •  Open  radius   •  Open  LDAP   •  PAM   •  PKI  (EJBCA,  OPENCA)   •  Key  management  (StrongAuth)   •  2  factors  authen;ca;on  /  OTP   •  IDS  (Suricata)   May 28th 2013 7 Serge Frezefond - Databases Security
  • 8. Database is a key part of an architecture   •  When  Data  is  destroyed  or  corrupted  it  is  very  difficult   or  impossible  to  restore.   •  The  impact  on  image  is  important   -  Many  companies  prefer  silence   •  Data  need  anyway  to  be  exposed  :  to  be  manipulated  /   shared  /  saved  /  tested  /  audited    Financial  impact  of  this  kind  of  a;ack  is  huge   May 28th 2013 8 Serge Frezefond - Databases Security
  • 9. All Open Source Databases are vulnerable •  PostgreSQL  :     -  Has  suffered  major  issues  recently  (April  2013)   •  MySQL  :   -  Has  suffered  major  issues  recently   •  SQLite  :  no  real  security  model  as  target  is  embeded   -  Cipher  solu;ons  availables   •  NoSQL  database  Big  Data  :  very  weak  security  models   May 28th 2013 9 Serge Frezefond - Databases Security
  • 10. MySQL Vulnerabilities •  CVE  2012  5613    (  a  0day  Exploit  )   •  MySQL  5.5.19  and  …,  when  configured  to  assign  the   FILE  privilege  to  users  who  should  not  have   administra;ve  privileges,  allows  remote  authen;cated   users  to  gain  privileges  by  leveraging  the  FILE  privilege   to  create  files  as  the  MySQL  administrator.     create  a  user  with  FULL  ACCESS  to  database     May 28th 2013 10 Serge Frezefond - Databases Security
  • 11. MySQL Vulnerabilities •  CVE  2012  5611     •  Stack-­‐based  buffer  overflow  in  the  acl_get  func;on  in   Oracle  MySQL  5.5.19  and  other  versions    ...  allows   remote  authen;cated  users  to  execute  arbitrary  code   via  a  long  argument  to  the  GRANT  FILE  command.   Execute  any  arbitrary  code   May 28th 2013 11 Serge Frezefond - Databases Security
  • 12. MySQL Vulnerabilities •  CVE  2012  2122  a  simple  loop  give  root  access  :   •  $  for  i  in  `seq  1  1000`;  do  mysql  -­‐u  root  -­‐-­‐password=bad   -­‐h  127.0.0.1  2>/dev/null;  done   •  mysql>     •  assump;on  that  the  memcmp()  func;on  would  always   return  a  value  within  the  range  -­‐128  to  127   Able  to  login  root  to  the  database   May 28th 2013 12 Serge Frezefond - Databases Security
  • 13. PostgreSQL Major Vulnerability “Any  system  that  allows  unrestricted  access  to  the   PostgreSQL  network  port,  such  as  users  running   PostgreSQL  on  a  public  cloud,  is  especially  vulnerable”   •  PostgreSQL  team  Locked  down  the  Repository     -  Fear  that  code  work  lead  to  0day  exploit   •  All  linux  distribu;ons  need  to  released  patch   simultaneously   •  Plavorm  As  a  ServiceS  HEROKU  was  exposed  and   received  patch  before  other  :   -  Controversy  regarding  open  source  principles   May 28th 2013 13 Serge Frezefond - Databases Security
  • 14. MySQL Vulnerabilities : What to do ? •  Follow  them  systema;cally  in  a  ;mely  manner   •  Patch  your  system  /  upgrade  version   •  0Days  exploit  should  trigger  major  alert   •  Apply  best  prac;ce   •  Most  vulnerabili;es  do  not  apply  in  all  cases   -   database  not  open  to  network  ,   -  -­‐-­‐secure-­‐file-­‐priv  op;on     May 28th 2013 14 Serge Frezefond - Databases Security
  • 15. Authentication •  Standard  authen;ca;on  :  user/password   •  Authen;ca;on  plugin     -  SHA256  (5.6)   -  PAM   -  Windows   -  Mul;  factor  authen;ca;on  /  use  hardware  token   •  Do  not  expose  passwords  on  command  line  or  in  conf   files  (5.6)   May 28th 2013 15 Serge Frezefond - Databases Security
  • 16. Data traffic encryption •  SSL  based     •  keys  &  cer;ficates  for  both  server  and  client     •  OpenSSL  or  yaSSL  as  SSL  library   May 28th 2013 16 Serge Frezefond - Databases Security
  • 17. Stored Data Encryption •  Encrypt  Column  through  func;on  call   •  Encrypt  at  the  File  system  level   -  zNcrypt   •  Specialized  storage  Engine  can  do  encryp;on   -  MyDiamo   •  No  Transparent  Data  Encryp;on  in  MySQL     -  No  declara;ve  way  to  say  that  a  column  is  encrypted   •  Data  Masking  :  keep  your  data  secure  for  tests   May 28th 2013 17 Serge Frezefond - Databases Security
  • 18. MySQL backup secured ? •  Backups  are  a  vulnerable  point   -  Very  easy  to  reuse   •  They  should  be  crypted   •  Xtrabackup  can  encrypt  backup  with  AES256   -  Key  in  keyfile   •  Symetric  key  ?  Stored  where  ?  Pvk  /  PbK   May 28th 2013 18 Serge Frezefond - Databases Security
  • 19. Security model for developpers •  No  grant  to  access  the  data  through  select   •  Restrict  Access  to  :     -  Stored  proc   -  Triggers   -  Views   May 28th 2013 19 Serge Frezefond - Databases Security
  • 20. Database Proxy / Firewall •  Used  to  audit  or  implement  policies  at  the  client/server   protocol  level  by  being  true  proxy  or  sniffing  the   protocol   -  MySQL  proxy   -  GreenSQL  /  closed  source   -  Oracle  Database  firewall   •  Usefull  to  filter  traffic   •  They  can  be  bypassed  ;-­‐)   May 28th 2013 20 Serge Frezefond - Databases Security
  • 21. Database auditing •  A  mandatory  requirement  for  compliance   •  MySQL  audit  API  available  (improved  by  MariaDB)   •  Used  by  :   -  MacFee  audit  plugin   -  Oracle  Audit  plugin   -  MariaDB  Audit  Plugin  (  work  in  progress  )   •  Associated  with  Database  Ac;vity  Monitoring  Solu;ons   May 28th 2013 21 Serge Frezefond - Databases Security
  • 22. Do not neglect SQL injections •  The  applica;on  is  the  weak  point  by  allowing   unpredicted  queries  to  be  run   •  F5  router  hacking  through  embeded  MySQL  (now   solved)   •  To  avoid  it  :   -  Sane;zing  the  input   -  Use  Prepared  statements   May 28th 2013 22 Serge Frezefond - Databases Security
  • 23. MySQL & PHP : SQL injection $query  =  "SELECT  *  FROM  customers  WHERE  username  =   '$name'";     $name_bad  =  "'  OR  1'";   $name_evil  =  "';  DELETE  FROM  customers  WHERE  1  or   username  =  '";         Normal:  SELECT  *  FROM  customers  WHERE  username  =   ';mmy'   Injec;on:  SELECT  *  FROM  customers  WHERE  username  =  ''   OR  1''   May 28th 2013 23 Serge Frezefond - Databases Security
  • 24. Best practice •  Have  you  architecture  audited  by  third  party   -  Do  not  believe  in  self  evalua;on   -  Do  regular  internal  pen  test   •  Keep  informed  about  vulnerabili;es  of  all  your   components.   •  Train  people  that  remain  the  weakest  point   •  Keep  up  to  date  with  best  pra;ces  (BYOD,    …)     May 28th 2013 24 Serge Frezefond - Databases Security
  • 25. Is you database more secure in the cloud ? •  AWS  /  HP  CLOUD  /  AZURE  /  …   •  The  same  principle  applies  except  :   -  You  have  no  clear  idea  of  how  it  is  internally   architectured  and  operated   -  Quality  of  isola;on    is  not  clear   •  You  have  to  have  confidence  in  your  cloud  provider   and/or  be  more  carefull  :     -  Full  encryp;on  of  filesystem  and  backup  files   -  Key  management  outside  the  cloud     May 28th 2013 25 Serge Frezefond - Databases Security
  • 26. If you detect a security breach •  Take  a  snapshot  of  the  whole  system   -  Including  key  elements  of  the  architecture   •  Be  sure  your  logs  are  safe   •  When  did  it  first  started   •  Who  did  it  :  do  not  loose  evidences   May 28th 2013 26 Serge Frezefond - Databases Security
  • 27. May 28th 2013 27 Serge Frezefond - Databases Security Thanks Q&A Serge.Frezefond@skysql.com @sfrezefond http://Serge.frezefond.com