This document discusses SQL Server security best practices. It begins by noting that data breaches are common and costly for businesses. The presenter then covers security principles of confidentiality, integrity and availability. Various attack methods are described, demonstrating how quickly an unsecured system can be compromised. The presentation recommends implementing security policies across physical, network, host, application and database layers. Specific issues like SQL injection and authentication/authorization approaches are discussed. New SQL Server 2016 security features such as Always Encrypted and row-level security are also mentioned. Resources for further information are provided.
SQL Server Security and Intrusion Prevention (Gabriel Villa)
Is your data secured? Are you a victim of a SQL injection hack?
In this session, you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa will explain aspects of physical security, passwords, privileges and roles, and preventative best practices. He will also demonstrate auditing and look at some .NET code samples to use in your applications. He will also show the new security features in SQL Server 2012.
The document describes why SQL Server security is needed and how to secure an instance.
Server Attack
Port Scanning
Instance Name Browsing
Exposing Database Names
Accessing administrative objects
Data threats
Data theft.
Business logic theft.
Database object change/drop
>>
Authentication
Authorization
Authentication is the process of verifying that a user is who they claim to be; authorization decides what an authenticated user is allowed to do.
SQL Server supports two authentication modes.
Windows authentication mode
Mixed mode.
>>
Do
Install only the required components.
Disable unnecessary features and services.
Install recent fixes and service packs from Microsoft.
Enforce a strong password policy.
Disable the sa account, or at least rename it.
Change the default port (1433); this only slows down scanners, it does not stop a targeted attacker.
Hide instances from the SQL Server Browser service (same caveat).
Validate every input.
Don't build queries by concatenating user input (dynamic SQL); use parameters.
>>
Don't
Don't install sample databases on a production server.
Never use the sa account for application-to-database connections.
Don't remove the system databases or system stored procedures.
Don't use dictionary passwords.
Don't treat any input as safe; validate all of it.
Don't disable automatic updates for SQL Server on production.
Don't rely on manual backups; schedule them with scripts or maintenance plans.
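The items in the two lists above that can be applied from T-SQL, as an added example (this is not Gabriel Villa's code and not from either presentation). The login, database and schema names are placeholders; the sa replacement name and the application password are assumptions you must supply. Changing the TCP port and hiding the instance are done in SQL Server Configuration Manager rather than in T-SQL, so they are not shown.

```sql
-- Added example: hardening steps from the Do/Don't lists, run as sysadmin.
-- Names in square brackets are placeholders; test on a non-production instance first.

-- 1. Reduce the attack surface: turn off features an application rarely needs.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                 -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;   -- sp_OACreate and friends
EXEC sp_configure 'remote access', 0;               -- remote stored-procedure execution
EXEC sp_configure 'clr enabled', 0;                 -- unless you deploy CLR assemblies
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 2. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Neutralise the well-known sa login: disable it and rename it so that
--    password guessing against "sa" has nothing to hit.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_builtin_admin];   -- placeholder name

-- 4. Application access: a dedicated SQL login with the Windows password
--    policy enforced, mapped to a user that may only EXECUTE the app's procedures.
CREATE LOGIN [app_orders]
    WITH PASSWORD = N'<strong generated password>',   -- placeholder, replace it
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
USE [OrdersDb];                                       -- placeholder database
CREATE USER [app_orders] FOR LOGIN [app_orders];
GRANT EXECUTE ON SCHEMA::dbo TO [app_orders];         -- no direct table access

-- 5. Verify that nothing unexpected still holds sysadmin.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = N'sysadmin';

-- 6. Sample databases do not belong on production: list the usual suspects.
SELECT name
FROM sys.databases
WHERE name LIKE N'AdventureWorks%' OR name LIKE N'Northwind%' OR name = N'pubs';
```

Steps 2, 5 and 6 are read-only checks you can run on any instance before deciding what to change; steps 1, 3 and 4 alter configuration and should be part of a reviewed build script, not typed ad hoc on a production server.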
Get up to speed on the new security features in "Denali", the next version of SQL Server (released as SQL Server 2012). Learn about the new permissions, roles and encryption added to Denali. You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and .NET code samples to use in your applications to prevent vulnerabilities.
Become aware of some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, restricting or disabling system stored procedures, and preventative best practices. And most importantly, discuss the most commonly used security threat: SQL
Hand-coding application security adds weeks or months to your project schedule - and must be repeated for every application. We have a better idea. Discover how to secure your .NET applications without programming.
IglooConf 2019 Secure your Azure applications like a pro (Karl Ots)
In this session, Karl will introduce Secure DevOps Kit for Azure (AzSK), a hidden gem in the Microsoft Security offering. Come and learn how you can use AzSK to improve the security of your Azure applications, regardless of how you currently use Azure.
As presented in IglooConf 2019
How to avoid top 10 security risks in Java EE applications and how to avoid them (Masoud Kalali)
If you want to learn which top ten security risks a software engineer needs to pay attention to, and how to address them in your Java EE software, this session is for you. The Open Web Application Security Project (OWASP) publishes its top 10 security risks and concerns of software development periodically; the latest list was published in 2013.
Developers can use the features Java EE provides to address or mitigate these risks. This presentation covers how to spot these risks in code, how to avoid them, and the best practices around each one. Where the application server or its configuration is involved, GlassFish is discussed as a Java EE 7 application server.
Presentation on - SQL Injection.
~ By The Avi Sharma
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Always Encrypted is a highly-touted new feature of SQL Server 2016 that promises to make encryption simple to use and transparent to applications while still protecting the data both at rest and in motion, even from high-privilege users such as developers and DBAs. Does that sound too good to be true? It isn’t – Always Encrypted is an incredible feature – but like any new technology, it does have some limitations. In this session, you’ll see how to configure Always Encrypted, and we’ll talk about when you should and shouldn’t use it in your environment.
Azure PaaS and SaaS platforms usage seem to be easy and straightforward, but it's your responsibility to keep them properly secured. I will talk about steps to secure your subscription, network, applications and storage and how Azure can help you with current challenges. Then we talk about security best practices in general, such as user isolation, encryption at rest, certificate and password management with KeyVault. The final topic will explain the basics of disaster recovery plans and why you actually need them.
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise (ITProceed)
During this session we will look into Windows 10 for the Enterprise.
Let’s explore the new management capabilities and choices.
Let’s understand the Windows 10 deployment infrastructure and mechanisms.
Let’s discover new Windows 10 features and improvements.
You are eager to learn about Windows 10 and want to gather early-stage info about this exciting Operating System… ?
Well you know what to do! See you there!
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database (WinWire Technologies Inc)
The webinar covered the layers of data protection, important security features, potential scenarios in which these features can be applied to limit exposure to security threats, and best practices for securing business applications and data. We covered the following topics on SQL Server 2016 and Azure SQL Database security features:
• Access Level Control
• Data Encryption
• Monitoring
How can you significantly improve your web-app security by addressing the most common problems and incorporating the educational approach into the development process
Is your data secured? Are you a victim of SQL injection? You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and we will take a quick look at some .NET code samples to use in your applications. Get up to speed on the new security features in "Denali", the next version of SQL Server. Take away the 20/20 vision to identify SQL injection and other database vulnerabilities and how to prevent them.
This presentation targets to guiding security expert and developer to protect PaaS deployment to eliminate security threats. This also introduces Threat Modeling.
For Business's Sake, Let's focus on AppSec (Lalit Kale)
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
Security engineering 101 when good design & security work together (Wendy Knox Everette)
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
In this presentation we will describe the techniques and tools to analyze SQL Server workloads and we will introduce baselining and benchmarking techniques
Let’s face it: Best Practices are too many to really know them all and choose which ones should be applied first. Does your telephone ring all the time? Do your users ask for that “quick report” that instead takes ages and keeps changing every time you think it’s done? Have you ever thought that in dire times avoiding Worst Practices could be a good starting point and you can leave fine tuning for a better future? If the answer is “yes”, then this session is for you: we will discover together how not to torture a SQL Server instance and we will see how to avoid making choices that in the long run could turn out to be not as smart as they looked initially.
How many times did we have to spend countless hours looking for a T-SQL solution for the fancy requests of our users, to later discover our code doesn’t perform acceptably?
What can we do to improve the performance of our code?
Is there a methodology to follow in order to deliver better performance?
What are the mistakes to avoid?
3. Gianluca Sartori
Independent SQL Server consultant
SQL Server MVP, MCTS, MCITP, MCT
Has worked with SQL Server since version 7
DBA @ Scuderia Ferrari
Blog: spaghettidba.com
Twitter: @spaghettidba
5. Data Breaches are Common
Data Breaches are Costly
$450.000 - $850.000 for large businesses
$35.000 - $65.000 for small businesses
+ Reputational damage
+ Legal risks
-- Source: UK Government
6. Security Matters
Security must be considered from the start
Securing afterwards is extremely costly
Poorly secured ecosystems cannot always be fixed afterwards
Security is a process, not a product
No single “magic” solution
Ongoing process
Attackers get smarter
Security must be stronger
8. Information Security Principles
Confidentiality
Information cannot be disclosed to unauthorized individuals
Integrity
Data cannot be modified in an unauthorized or undetected manner
Availability
Information must be available when needed
9. What happens to insecure systems?
Confidentiality
Data leaks
Integrity
Unauthorized data modifications
Frauds
Availability
Outages
11. DEMO
How fast can a [poorly configured] system be compromised?
… damn fast!
12. How can I prevent it?
Implement security policies at all levels
Physical Security
External Network
Internal Network
Host OS
Application
Database
13. Physical security
Disallow physical access to the infrastructure
Servers
Console
Ports
Disks
Clients
DBA workstation + L
What about the cloud?
Networking devices
Switches
Routers
Cables
14. Network Security
Exclude External network as far as possible
Implement proper network segmentation
VLANs separate servers into groups by
Role
Sensitivity
Reduce “implied trust” relationships between servers
A plain users / servers split is NOT proper segmentation
Encrypt communications
15. Host OS
Regular patching
Antivirus
Configuration security best practices
Shut down unneeded services
Reduce attack surface
Permissions: least privilege
Auditing
Logging
16. Application
The application is the most vulnerable component in the stack
Secure from the start
Thorough design and code security review
Input validation
Authentication
Authorization
Error handling
Auditing
Logging
19. SQL Injection
Has been known for years
…yet No. 1 in the OWASP Top 10 security risks
Easy to detect with automated tools (SQLmap)
…yet very common in the wild
Potentially destructive
22. SQL Injection – Fixes
Use bind parameters
Enforces parameter data type
Is not affected by regional settings
Allows complex input (aggressive input sanitization does not)
23. SQL Injection – False fixes
ORMs do not avoid it
Stored Procedures do not avoid it
Input validation is not enough
Obfuscated attacks
Headers / query strings can be manipulated
Not limited to web applications
NoSQL is vulnerable as well!
.NET’s String.Format is just plain concatenation!!!
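The two points of slides 22 and 23 side by side, as an added T-SQL example that is not part of the slides: a stored procedure that builds its text by concatenation is still injectable, and the fix is to bind the value as a parameter (here via sp_executesql, or by dropping dynamic SQL altogether). The table dbo.Customers and the procedure names are assumptions for illustration.

```sql
-- Added example (not from the slides). Assumed table with constructed sample rows.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Country    NVARCHAR(50)  NOT NULL
);
INSERT INTO dbo.Customers (Name, Country) VALUES
    (N'Rossi',   N'Italy'),
    (N'Schmidt', N'Germany');
GO

-- Slide 23: stored procedures do NOT avoid injection by themselves.
-- This one pastes @Country into the query text, so the value becomes part of
-- the statement's code instead of its data: a single quote inside the value
-- terminates the literal and the rest of the input is parsed as SQL.
CREATE PROCEDURE dbo.usp_CustomersByCountry_Unsafe
    @Country NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Country = '''
        + @Country + N''';';
    EXEC (@sql);
END;
GO

-- Slide 22: bind the value as a parameter. sp_executesql ships the text and the
-- value separately, so the value can never be interpreted as SQL, its declared
-- type is enforced, and quotes, dashes or regional number/date formats need no
-- sanitising.
CREATE PROCEDURE dbo.usp_CustomersByCountry
    @Country NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Country = @Country;';
    EXEC sys.sp_executesql @sql, N'@Country NVARCHAR(50)', @Country = @Country;
END;
GO

-- When no dynamic SQL is needed at all, a plain parameterised statement is the
-- simplest, and therefore safest, form.
CREATE PROCEDURE dbo.usp_CustomersByCountry_Static
    @Country NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name FROM dbo.Customers WHERE Country = @Country;
END;
GO

-- Constructed input containing a quote. Both parameterised procedures simply
-- return no rows; the concatenating one fails with a syntax error, which is the
-- tell-tale sign that the input reached the parser as code.
EXEC dbo.usp_CustomersByCountry        N'O''Brien Land';
EXEC dbo.usp_CustomersByCountry_Static N'O''Brien Land';
```

The same rule applies in the application tier: the .NET String.Format call the slide warns about is the C# equivalent of the first procedure, and SqlParameter on a SqlCommand is the equivalent of the second.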
25. What happened?
We damaged the database, the instance and the OS because we could
Apply least privilege
At the Database level
At the Instance level
At the OS level
… at every level!
26. Authenticate the user or the application?
Prefer Windows Authentication when possible
No need to provide password
No need to store passwords in config files
SQL Authentication is less secure
Clear text before SQL Server 2005
RC4 before SQL Server 2012
Password policies
27. SQL Server Security - Authentication
Passwords are problematic
Users tend to forget
Sticky Notes
Same password, multiple places
Have I Been Pwned?
Use passwords that you cannot remember
Use a Password Safe
KeePass Password Safe
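How the preferences of slides 26 and 27 translate into login definitions, as an added T-SQL example that is not part of the slides (the login names and the domain CONTOSO are placeholders): a Windows login stores no password at all, and where a SQL login cannot be avoided, the Windows password policy is made to apply to it. The closing query is the check a DBA would run to find logins that escape the policy.

```sql
-- Added example (not from the slides). Names are placeholders.
USE master;
GO

-- Preferred: Windows authentication. No password is stored in SQL Server,
-- in the application's config file, or anywhere a DBA has to manage.
CREATE LOGIN [CONTOSO\SalesAppSvc] FROM WINDOWS;
GO

-- When a SQL login is unavoidable: generate the password in a password safe
-- (the slide's advice: use passwords you cannot remember) and enforce the
-- Windows password policy and expiration on it. CHECK_EXPIRATION requires
-- CHECK_POLICY.
CREATE LOGIN sales_app
    WITH PASSWORD         = N'<generated-by-a-password-safe>',
         CHECK_POLICY     = ON,
         CHECK_EXPIRATION = ON;
GO

-- Check: every SQL login that slipped past the policy. An empty result set is
-- the goal; any row here is a login whose password can be weak or eternal.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
```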
28. SQL Server Security - Authorization
Principle of least privilege:
Users must be granted only the privileges essential for their work
Typical scenario:
users are granted sysadmin role
users are granted the db_owner role (very common!)
users are granted built-in database roles
Security must be taken into account from the start!!!
29. SQL Server Security
Best Practices:
1. Create application specific roles with no privileges
2. Grant minimum needed permissions to roles
3. Add users to roles
4. Don’t grant permissions to users
5. Use application roles to enhance security
Windows groups are not database roles
NEVER, EVER grant server roles to “regular” users
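The five best-practice steps of slides 28 and 29 carried through in T-SQL, as an added example that is not part of the slides. The database SalesDb, the Sales schema, the role names and the Windows group CONTOSO\SalesTeam (whose login is assumed to exist) are assumptions for illustration; the final query is the check that the roles received nothing beyond what was intended.

```sql
-- Added example (not from the slides). All names are placeholders.
USE SalesDb;
GO

-- 1. Application-specific roles that start with no privileges at all.
CREATE ROLE SalesApp_Reader AUTHORIZATION dbo;
CREATE ROLE SalesApp_Writer AUTHORIZATION dbo;
GO

-- 2. Grant only what each role needs, scoped to the schema, not the database.
--    Readers get SELECT. Writers get EXECUTE on the procedures that encapsulate
--    the writes, so they never need INSERT/UPDATE/DELETE on the tables themselves.
GRANT SELECT  ON SCHEMA::Sales TO SalesApp_Reader;
GRANT EXECUTE ON SCHEMA::Sales TO SalesApp_Writer;
GO

-- 3. Map a Windows group to a database user and make that user a role member.
--    Who is in the group is then managed in Active Directory; the database
--    never needs to know individual people. (A Windows group is not itself a
--    database role: the role still has to exist and be granted.)
CREATE USER [CONTOSO\SalesTeam] FOR LOGIN [CONTOSO\SalesTeam];
ALTER ROLE SalesApp_Reader ADD MEMBER [CONTOSO\SalesTeam];
GO

-- 4. Nothing is granted to users directly. A direct grant outlives the reason
--    it was made and is invisible when someone reviews the roles.

-- 5. An application role: the application activates it with sp_setapprole after
--    connecting, so the connecting user's own permissions are replaced by the
--    application's, and the same person querying from Excel or SSMS does not
--    get them. The password belongs in the application's secret store.
CREATE APPLICATION ROLE SalesApp
    WITH PASSWORD       = N'<store-this-in-the-app-secret-store>',
         DEFAULT_SCHEMA = Sales;
GRANT EXECUTE ON SCHEMA::Sales TO SalesApp;
GO

-- Check: what did the roles actually receive? Expect exactly the schema-level
-- grants above and nothing else.
SELECT pr.name                    AS principal_name,
       pe.permission_name,
       pe.state_desc,
       SCHEMA_NAME(pe.major_id)   AS schema_name
FROM sys.database_permissions  AS pe
JOIN sys.database_principals   AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = N'SCHEMA'
  AND pr.name IN (N'SalesApp_Reader', N'SalesApp_Writer', N'SalesApp')
ORDER BY pr.name, pe.permission_name;
```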
30. SQL Server Security
Additional features:
TDE: Transparent Data Encryption
Encrypts database files and backup files
SSL Network Encryption
Encrypts the communications channel between SQL Server and client computers
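Enabling TDE on a database, as an added T-SQL example that is not part of the slides (SalesDb, the certificate name, the file paths and the passwords are placeholders). The step a practitioner must not skip is backing up the certificate: once encryption is on, neither the database nor any later backup can be restored on another server without it.

```sql
-- Added example (not from the slides). Names, paths and passwords are placeholders.
USE master;
GO

-- 1. A database master key in master protects the certificate created next.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-placeholder-password>';
GO

-- 2. A server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = N'TDE certificate for SalesDb';
GO

-- 3. Back the certificate and its private key up immediately and move the files
--    off the server. Without them every encrypted backup is unrecoverable.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = N'D:\secure\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = N'D:\secure\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<another-strong-placeholder-password>');
GO

USE SalesDb;
GO

-- 4. The database encryption key, protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO

-- 5. Switch encryption on: data and log files are encrypted in the background,
--    and every backup taken from now on is encrypted as well.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- Check: encryption_state 3 means the database is fully encrypted
-- (2 = encryption in progress). tempdb is listed too once any database uses TDE.
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```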
31. SQL Server 2016 New Security Features
Always Encrypted
Column-Level encryption
Data is encrypted both at rest and in memory
Decryption happens on the client
Row-Level Security
Filters rows available to users
Dynamic Data Masking
Obfuscates sensitive information
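Row-Level Security and Dynamic Data Masking from slide 31 on one constructed table, as an added T-SQL example that is not part of the slides (SalesDb, the Sales and Security schemas, the table, the Sales_Managers role and the user alice are assumptions). Always Encrypted is not shown here because its keys and decryption live in the client driver, not in T-SQL.

```sql
-- Added example (not from the slides). All names are placeholders.
USE SalesDb;
GO
CREATE SCHEMA Sales;
GO
CREATE SCHEMA Security;
GO

-- Constructed sample table. Dynamic Data Masking is declared on the columns:
-- users without the UNMASK permission receive masked values from SELECT.
CREATE TABLE Sales.Orders (
    OrderId       INT IDENTITY PRIMARY KEY,
    SalesRep      SYSNAME NOT NULL,                                   -- database user that owns the row
    CustomerEmail NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NULL,
    CardNumber    VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    Amount        MONEY NOT NULL
);
INSERT INTO Sales.Orders (SalesRep, CustomerEmail, CardNumber, Amount) VALUES
    (N'alice', N'a.customer@example.com', '4111-1111-1111-1111', 120.00),
    (N'bob',   N'b.customer@example.com', '5500-0000-0000-0004',  80.50);
GO

-- Row-Level Security, part 1: an inline table-valued predicate function.
-- It returns one row when the caller may see the row and nothing otherwise.
-- SCHEMABINDING is mandatory. Members of Sales_Managers see every row.
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS SYSNAME)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @SalesRep = USER_NAME()
          OR IS_MEMBER(N'Sales_Managers') = 1;
GO

-- Part 2: the security policy binds the predicate to the table. FILTER hides
-- rows from SELECT/UPDATE/DELETE; BLOCK AFTER INSERT stops a user inserting a
-- row they would not be allowed to see (e.g. writing rows under a colleague's name).
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON Sales.Orders,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON Sales.Orders AFTER INSERT
    WITH (STATE = ON);
GO

-- Check as a low-privilege user: alice has SELECT but neither UNMASK nor
-- membership of Sales_Managers, so she sees only her own order, with the
-- e-mail and card number masked.
CREATE USER alice WITHOUT LOGIN;
GRANT SELECT ON Sales.Orders TO alice;
GO
EXECUTE AS USER = N'alice';
SELECT OrderId, SalesRep, CustomerEmail, CardNumber, Amount FROM Sales.Orders;
REVERT;
GO
```

Run the final SELECT again without the impersonation (as dbo, who bypasses masking and, being outside the predicate, still sees no rows unless dbo is a member of Sales_Managers) to see how the two features compose: RLS decides which rows come back, masking decides what the sensitive columns look like in the rows that do.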
32. Resources
OWASP
http://www.owasp.org
Security checklist for the Database Engine
http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx
Troy Hunt’s blog
http://www.troyhunt.com
Troy Hunt’s free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today
http://www.troyhunt.com/2015/06/free-recorded-webinar-on-pluralsight.html
34. Stick around for RAFFLE and the AFTER EVENT!
All our volunteers and organisers do not get paid for organizing this event. If you see them, please:
Give them a hug
Shake their hand
Say thank you
Spread the word
Get involved yourself
Don’t forget to thank the sponsors for their support
Thank the speakers for donating their time, energy and expenses
Don’t forget the feedback!