SQL Server Security in an Insecure World
Gianluca Sartori
@spaghettidba
sqlconsulting.it
Say thank you to our sponsors:
Gianluca Sartori
- Independent SQL Server consultant
- SQL Server MVP, MCTS, MCITP, MCT
- Has worked with SQL Server since version 7
- DBA @ Scuderia Ferrari
- Blog: spaghettidba.com
- Twitter: @spaghettidba
Agenda
- Security matters
- What should I protect?
- How can I prevent attacks?
- Data breaches are common
- Data breaches are costly
  - $450,000 to $850,000 for a large business
  - $35,000 to $65,000 for a small business
  - + reputational damage
  - + legal risks
Source: UK Government
Security Matters
- Security must be considered from the start
  - Securing a system afterwards is extremely costly
  - Poorly secured ecosystems cannot always be fixed
- Security is a process, not a product
  - No single "magic" solution
  - Ongoing process: attackers get smarter, so security must keep getting stronger
Information Security Principles
CIA triad
- Confidentiality: information cannot be disclosed to unauthorized individuals
- Integrity: data cannot be modified in an unauthorized or undetected manner
- Availability: information must be available when needed
What happens to insecure systems?
- Confidentiality → data leaks
- Integrity → unauthorized data modifications, fraud
- Availability → outages
Attack Methodology
1. Scan for Vulnerabilities / Access
2. Gain Access
3. Escalate Privileges
4. Maintain Access
5. Cover Tracks
Looks complicated? It’s not!
DEMO
How fast can a [poorly configured] system be compromised?
… damn fast!
How can I prevent it?
Implement security policies at all levels
- Physical security
- External network
- Internal network
- Host OS
- Application
- Database
Physical security
- Disallow physical access to the infrastructure
  - Servers: console, ports, disks
  - Clients: the DBA workstation (lock it when unattended, Win + L)
  - What about the cloud?
  - Networking devices: switches, routers, cables
Network Security
- Exclude the external network as far as possible
- Implement proper network segmentation
  - VLANs separate servers into groups by role and by sensitivity
  - Reduce "implied trust" relationships between servers
  - "Users / Servers" is NOT proper segmentation
- Encrypt communications
Host OS
- Regular patching
- Antivirus
- Configuration → security best practices
  - Shut down unneeded services
  - Reduce the attack surface
- Permissions → least privilege
- Auditing
- Logging
Application
The application is the most vulnerable component in the stack
- Secure from the start
- Thorough design and code security review
  - Input validation
  - Authentication
  - Authorization
  - Error handling
  - Auditing
  - Logging
SQL Injection
- Has been known for years
  - …yet #1 in the OWASP Top 10 security risks
- Easy to detect with automated tools (sqlmap)
  - …yet very common in the wild
- Potentially destructive
Injection techniques
- OR-based injection
- Stacked queries injection
- UNION-based injection
- Error-based injection
- Boolean-based blind injection
- Time-based blind injection
DEMO
Let’s sneak in!!
SQL Injection – Fixes
- Use bind parameters
  - Enforces the parameter data type
  - Not affected by regional settings
  - Allows complex input, which aggressive input sanitization does not
SQL Injection – False fixes
- ORMs do not avoid it
- Stored procedures do not avoid it
- Input validation is not enough
  - Obfuscated attacks
  - Headers / query strings can be manipulated
- Not limited to web applications
- NoSQL is vulnerable as well!
- .NET's String.Format is just plain concatenation!!!
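The "stored procedures do not avoid it" point and the bind-parameter fix, shown side by side as an added T-SQL example (not part of the slide deck or the demo). The table, procedure names and rows are constructed for illustration; the only thing that changes between the two procedures is how the parameter reaches the statement.

```sql
-- Added example, not from the slides: a stored procedure that concatenates its
-- input into dynamic SQL is still injectable; the same procedure with sp_executesql
-- and a bound parameter is not. Table, procedures and data are constructed.
CREATE TABLE dbo.Customers (
    CustomerId int           IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customers (Name, Email) VALUES
    (N'Alice', N'alice@example.com'),
    (N'Bob',   N'bob@example.com');
GO

-- FALSE FIX: "it's a stored procedure" means nothing when the body splices the
-- parameter into the statement text.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);   -- executes whatever @Name turned the string into
END
GO

-- REAL FIX: the value travels as a bound parameter; the statement text never changes,
-- so quotes, semicolons and comment markers in the input are just characters.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @Name;';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
    -- Caveat: parameters cannot stand in for identifiers (table or column names).
    -- Allow-list those and wrap them with QUOTENAME() if they must be dynamic.
END
GO

-- Stacked-queries payload. The T-SQL literal below holds the value
--   x'; DELETE FROM dbo.Customers; --
DECLARE @payload nvarchar(100) = N'x''; DELETE FROM dbo.Customers; --';

EXEC dbo.FindCustomer_Safe @Name = @payload;   -- 0 rows: the payload is just an odd name
SELECT COUNT(*) AS CustomersAfterSafeCall FROM dbo.Customers;   -- 2

EXEC dbo.FindCustomer_Vulnerable @Name = @payload;
-- The dynamic SQL became:  SELECT ... WHERE Name = 'x'; DELETE FROM dbo.Customers; --'
-- The DELETE runs with the caller's permissions, so it succeeds whenever the
-- application user is db_owner (the "very common" scenario later in the deck).
SELECT COUNT(*) AS CustomersAfterVulnerableCall FROM dbo.Customers;   -- 0
-- A UNION-based variant of the same payload, e.g.
--   x' UNION SELECT 0, name, CONVERT(nvarchar(200), password_hash, 1) FROM sys.sql_logins --
-- reads login hashes through the same hole if the caller is allowed to see sys.sql_logins.
```

Run the two COUNT(*) queries after each call: the safe procedure leaves both rows in place, the vulnerable one empties the table. Parameterizing fixes the injection; least privilege decides how much damage an injection that slips through can still do.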
DEMO
Let’s break things!!
What happened?
- We damaged the database, the instance and the OS because we could
- Apply least privilege
  - At the database level
  - At the instance level
  - At the OS level
  - … at every level!
SQL Server Security - Authentication
- Authenticate the user or the application?
- Prefer Windows Authentication when possible
  - No need to provide a password
  - No need to store passwords in config files
- SQL Authentication is less secure
  - Credentials passed effectively in clear text before SQL Server 2005
  - RC4-based protection before SQL Server 2012
  - Enforce password policies
SQL Server Security - Authentication
- Passwords are problematic
  - Users tend to forget them
  - Sticky notes
  - Same password in multiple places
  - Have I Been Pwned?
- Use passwords that you cannot remember
- Use a password safe
  - KeePass Password Safe
SQL Server Security - Authorization
Principle of least privilege:
- Users must be granted only the privileges essential for their work
- Typical scenario:
  - users are granted the sysadmin role
  - users are granted the db_owner role → very common!
  - users are granted built-in database roles
- Security must be taken into account from the start!!!
SQL Server Security
Best practices:
1. Create application-specific roles with no privileges
2. Grant the minimum needed permissions to the roles
3. Add users to the roles
4. Don't grant permissions directly to users
5. Use application roles to enhance security
- Windows groups are not a substitute for database roles
- NEVER, EVER grant server roles to "regular" users
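The five steps above, plus the authentication advice (Windows Authentication first, password policy enforced when a SQL login is unavoidable), applied end to end in T-SQL. This is an added example, not from the deck: the database name Sales, the login, the application name OrderApp, the dbo.Orders table and the dbo.PlaceOrder procedure are all assumptions, and the password placeholders must be replaced with values from a password safe.

```sql
-- Added example, not from the slides. Assumed: a database named Sales owned by dbo,
-- an application "OrderApp". Table and procedure are created here so the script runs.
USE master;
GO
-- Prefer Windows Authentication. If a SQL login is unavoidable, make the OS password
-- policy apply to it (complexity, lockout, expiration).
CREATE LOGIN OrderAppLogin
    WITH PASSWORD = N'<replace with a long random password from a password safe>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
USE Sales;
GO
CREATE TABLE dbo.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    Customer nvarchar(100) NOT NULL,
    Amount   money NOT NULL
);
GO
CREATE PROCEDURE dbo.PlaceOrder @Customer nvarchar(100), @Amount money
AS
    INSERT INTO dbo.Orders (Customer, Amount) VALUES (@Customer, @Amount);
GO
-- The application user: a plain user, not db_owner, not sysadmin.
CREATE USER OrderAppUser FOR LOGIN OrderAppLogin;

-- 1. Application-specific roles, born with no privileges.
CREATE ROLE OrderApp_Reader;
CREATE ROLE OrderApp_Writer;

-- 2. Minimum permissions, granted to the roles.
GRANT SELECT ON SCHEMA::dbo TO OrderApp_Reader;
GRANT EXECUTE ON OBJECT::dbo.PlaceOrder TO OrderApp_Writer;
-- Because dbo.PlaceOrder and dbo.Orders have the same owner, ownership chaining lets
-- the writer insert through the procedure without any INSERT permission on the table:
-- the procedure is the only write path. No DELETE, no ALTER, no CONTROL.

-- 3. Users (or Windows groups) go into roles. 4. Nothing is granted to the user directly.
ALTER ROLE OrderApp_Reader ADD MEMBER OrderAppUser;   -- SQL 2012+; older: sp_addrolemember
ALTER ROLE OrderApp_Writer ADD MEMBER OrderAppUser;

-- 5. Application role for the rare privileged operation. Its rights become active only
-- after the application calls sp_setapprole with the role password, so someone who
-- opens SSMS with the application's login does not get them.
CREATE APPLICATION ROLE OrderApp_Privileged
    WITH PASSWORD = N'<replace with the application role secret>', DEFAULT_SCHEMA = dbo;
GRANT DELETE ON OBJECT::dbo.Orders TO OrderApp_Privileged;
-- In the application, when needed:
--   EXEC sys.sp_setapprole 'OrderApp_Privileged', N'<application role secret>';

-- Check: what can the application user actually do?
EXECUTE AS USER = 'OrderAppUser';
SELECT entity_name, permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
-- Expected: only SELECT (and its column-level forms) on dbo.Orders; no INSERT, no DELETE.
EXEC dbo.PlaceOrder @Customer = N'Contoso', @Amount = 99.00;   -- works via ownership chaining
REVERT;
```

The last block is the test a DBA should run after every permission change: impersonate the application user and list what it can do. If the injection payload from the earlier example arrived through this user, the DELETE would fail for lack of permission.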
SQL Server Security
Additional features:
- TDE: Transparent Data Encryption
  Encrypts database files and backup files at rest
- SSL/TLS network encryption
  Encrypts the communications channel between SQL Server and client computers
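Enabling TDE on a database, as an added T-SQL example that is not part of the deck. The database name Sales, the certificate name and the backup paths are assumptions. The step practitioners most often skip is backing up the certificate: without it, no backup of the encrypted database can be restored on any other instance.

```sql
-- Added example, not from the slides. Assumed names: database Sales, certificate
-- TDE_Sales_Cert, an offline secure path for the certificate backup.
USE master;
GO
-- The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<replace with a strong DMK password>';
GO
CREATE CERTIFICATE TDE_Sales_Cert WITH SUBJECT = 'TDE certificate for Sales';
GO
-- Back the certificate and private key up NOW and store them away from the server
-- (and away from the database backups). Losing them means losing every backup.
BACKUP CERTIFICATE TDE_Sales_Cert
    TO FILE = 'D:\TDEKeyBackup\TDE_Sales_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDEKeyBackup\TDE_Sales_Cert.pvk',
        ENCRYPTION BY PASSWORD = N'<replace with a strong private key password>');
GO
USE Sales;
GO
-- The database encryption key is what actually encrypts the pages; the certificate
-- protects the DEK.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Sales_Cert;
GO
ALTER DATABASE Sales SET ENCRYPTION ON;
GO
-- Check progress and state: 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up here too: it is encrypted automatically once any user database is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects the data and log files and the backups against someone who walks off with the disks or the backup media. It does nothing against a user, or an injected query, that reads the data through a normal connection: that is what least privilege and the column-level features on the next slide are for.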
SQL Server 2016 New Security Features
- Always Encrypted
  Column-level encryption; data is encrypted both at rest and in memory, and decryption happens on the client
- Row-Level Security
  Filters the rows available to users
- Dynamic Data Masking
  Obfuscates sensitive information
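Row-Level Security and Dynamic Data Masking on one table, as an added T-SQL example that is not part of the deck (Always Encrypted is left out because it needs a client driver and a key store, not just T-SQL). The dbo.Invoices table, the SalesRep column that holds the database user name, the two users and the rows are constructed for illustration.

```sql
-- Added example, not from the slides: requires SQL Server 2016 or later.
-- Constructed table: SalesRep holds the database user name of the owning rep.
CREATE TABLE dbo.Invoices (
    InvoiceId  int IDENTITY PRIMARY KEY,
    SalesRep   sysname       NOT NULL,
    Customer   nvarchar(100) NOT NULL,
    CardNumber varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Email      nvarchar(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Amount     money         MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Invoices (SalesRep, Customer, CardNumber, Email, Amount) VALUES
    (N'rep_alice', N'Contoso',  '4111-1111-1111-1111', N'buyer@contoso.com', 1200.00),
    (N'rep_bob',   N'Fabrikam', '5555-5555-5555-4444', N'cfo@fabrikam.com',    80.00);
GO
CREATE USER rep_alice WITHOUT LOGIN;
CREATE USER rep_bob   WITHOUT LOGIN;
GRANT SELECT ON dbo.Invoices TO rep_alice, rep_bob;
GO
-- Row-Level Security: predicate function in its own schema, then the policy that
-- binds it to the table. Inline, schema-bound, returns a row only when access is allowed.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_InvoicePredicate(@SalesRep AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()        -- a rep sees only their own rows
              OR IS_MEMBER('db_owner') = 1;     -- owners see everything
GO
CREATE SECURITY POLICY Security.InvoicesPolicy
    ADD FILTER PREDICATE Security.fn_InvoicePredicate(SalesRep) ON dbo.Invoices,
    ADD BLOCK  PREDICATE Security.fn_InvoicePredicate(SalesRep) ON dbo.Invoices AFTER INSERT
    WITH (STATE = ON);
-- FILTER hides other reps' rows from SELECT/UPDATE/DELETE; BLOCK AFTER INSERT stops a rep
-- from inserting rows that claim to belong to someone else.
GO
-- Check as rep_alice: one row, and the card number, e-mail and amount come back masked
-- because rep_alice does not hold the UNMASK permission.
EXECUTE AS USER = 'rep_alice';
SELECT InvoiceId, SalesRep, Customer, CardNumber, Email, Amount FROM dbo.Invoices;
REVERT;
-- Masking is obfuscation, not encryption: a principal with UNMASK (GRANT UNMASK TO ...)
-- or db_owner sees the real values, and a user who can run ad hoc queries can still
-- probe a masked column with predicates such as WHERE CardNumber LIKE '4111%'.
```

RLS changes which rows a query can touch; masking changes how the permitted rows are displayed to users without UNMASK. Neither replaces the permission model from the authorization slides, they sit on top of it.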
Resources
- OWASP
  http://www.owasp.org
- Security checklist for the Database Engine
  http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx
- Troy Hunt's blog
  http://www.troyhunt.com
- Troy Hunt's free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today
  http://www.troyhunt.com/2015/06/free-recorded-webinar-on-pluralsight.html
Q&A
Questions?
Stick around for the RAFFLE and the AFTER EVENT!
- Our volunteers and organisers do not get paid for organizing this event. If you see them, please:
  - Give them a hug
  - Shake their hand
  - Say thank you
  - Spread the word
  - Get involved yourself
- Don't forget to thank the sponsors for their support
- Thank the speakers for donating their time, energy and expenses
- Don't forget the feedback!
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

Network Security
 Exclude the external network as far as possible
 Implement proper network segmentation
 VLANs separate servers into groups
 By role
 By sensitivity
 Reduce “implied trust” relationships between servers
 Separating users from servers alone is NOT proper segmentation
 Encrypt communications
Host OS
 Regular patching
 Antivirus
 Configuration
 Security best practices
 Shut down unneeded services
 Reduce the attack surface
 Permissions
 Least privilege
 Auditing
 Logging
Application
The application is the most vulnerable component in the stack
 Secure from the start
 Thorough design and code security review
 Input validation
 Authentication
 Authorization
 Error handling
 Auditing
 Logging
SQL Injection
 Has been known for years
 … yet No. 1 in the OWASP Top 10 security risks
 Easy to detect with automated tools (sqlmap)
 … yet very common in the wild
 Potentially destructive
Injection techniques
 OR-based injection
 Stacked queries injection
 UNION-based injection
 Error-based injection
 Boolean-based blind injection
 Time-based blind injection
SQL Injection – Fixes
 Use bind parameters
 Enforces the parameter data type
 Not affected by regional settings
 Allows complex input
 Aggressive input sanitization does not
SQL Injection – False fixes
 ORMs do not avoid it
 Stored procedures do not avoid it
 Input validation is not enough
 Obfuscated attacks
 Headers / query strings can be manipulated
 Not limited to web applications
 NoSQL is vulnerable as well!
 .NET’s String.Format is just plain concatenation!!!
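The two slides above in T-SQL, as an added example that is not part of the deck: a stored procedure that concatenates its input into dynamic SQL (which is why "stored procedures do not avoid it") beside the same procedure rewritten with bind parameters through sp_executesql, followed by a heuristic review query. The table dbo.Customers and its columns are assumed.

```sql
-- Added example, not from the deck. Assumes a table dbo.Customers(CustomerId, Name, City).

-- VULNERABLE: wrapping the query in a stored procedure does not help when the
-- statement is built by concatenation. @City becomes part of the SQL text, so
-- a crafted value can change the statement itself.
CREATE PROCEDURE dbo.GetCustomersByCity_Unsafe
    @City nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = ''' + @City + N'''';
    EXEC (@sql);
END;
GO

-- FIXED: bind parameters. The statement text is constant; the value travels
-- separately as a typed parameter, so it may contain quotes, semicolons or
-- regional-format dates without ever being parsed as SQL.
CREATE PROCEDURE dbo.GetCustomersByCity
    @City nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City';
    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(100)',   -- the declaration enforces the data type
        @City = @City;
END;
GO

-- If the query does not need to be dynamic at all, a static statement inside
-- the procedure is parameterised by definition:
--   SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City;

-- Review check (a heuristic constructed here, not an exact detector): list
-- modules that appear to execute dynamic SQL built with string concatenation,
-- so they can be reviewed by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC%(%+%'         -- EXEC (... + ...)
   OR m.definition LIKE '%sp_executesql%+%';  -- sp_executesql with concatenated text
```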
What happened?
 We damaged the database, the instance and the OS because we could
 Apply least privilege
 At the database level
 At the instance level
 At the OS level
 … at every level!
SQL Server Security - Authentication
 Authenticate the user or the application?
 Prefer Windows Authentication when possible
 No need to provide a password
 No need to store passwords in config files
 SQL Authentication is less secure
 Clear text (< SQL 2005)
 RC4 (< SQL 2012)
 Password policies
SQL Server Security - Authentication
 Passwords are problematic
 Users tend to forget them
 Sticky notes
 Same password, multiple places
 Have I Been Pwned?
 Use passwords that you cannot remember
 Use a password safe
 KeePass Password Safe
SQL Server Security - Authorization
Principle of least privilege:
 Users must be granted only the privileges essential for their work
 Typical scenario:
 Users are granted the sysadmin role
 Users are granted the db_owner role
 Very common!
 Users are granted built-in database roles
 Security must be taken into account from the start!!!
SQL Server Security
Best practices:
1. Create application-specific roles with no privileges
2. Grant the minimum needed permissions to roles
3. Add users to roles
4. Don’t grant permissions to users
5. Use application roles to enhance security
 Windows groups <> database roles
 NEVER, EVER grant server roles to “regular” users
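The five best-practice steps above carried through in T-SQL, as an added example that is not part of the deck, together with the two audit queries a DBA would run to find the "typical scenario" (sysadmin and db_owner handed to regular users). The database Sales, the schema Sales, the Windows group CONTOSO\SalesAppUsers and the role names are assumed; the password is a placeholder.

```sql
-- Added example, not from the deck. Database, schema, Windows group and role
-- names are assumed; the application role password is a placeholder.
USE Sales;
GO

-- 1. Application-specific role, created with no privileges
CREATE ROLE SalesAppReader AUTHORIZATION dbo;

-- 2. Grant only what the application needs, and grant it to the role
GRANT SELECT  ON SCHEMA::Sales TO SalesAppReader;
GRANT EXECUTE ON SCHEMA::Sales TO SalesAppReader;

-- 3. and 4. Map a Windows group to a database user and add it to the role.
--    Nothing is ever granted to the user directly. Windows groups are not
--    database roles: the group decides who can log in, the role decides what
--    they may do once inside.
CREATE LOGIN [CONTOSO\SalesAppUsers] FROM WINDOWS;
CREATE USER  [CONTOSO\SalesAppUsers] FOR LOGIN [CONTOSO\SalesAppUsers];
ALTER ROLE SalesAppReader ADD MEMBER [CONTOSO\SalesAppUsers];

-- 5. Application role: its permissions exist only after the application
--    activates it with sp_setapprole, so the same person connecting with
--    SSMS does not get them.
CREATE APPLICATION ROLE SalesAppWriter
    WITH PASSWORD = N'<placeholder: strong password kept in a password safe>',
         DEFAULT_SCHEMA = Sales;
GRANT INSERT, UPDATE ON SCHEMA::Sales TO SalesAppWriter;

-- Audit check: who holds sysadmin at instance level?
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- Audit check: who is db_owner in this database?
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

Any member returned by the two audit queries that is not the DBA team (or a service account that genuinely needs it) is a candidate for moving into a scoped role like the one created above.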
SQL Server Security
Additional features:
 TDE: Transparent Data Encryption
 Encrypts database files and backup files
 SSL network encryption
 Encrypts the communications channel between SQL Server and client computers
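Enabling TDE on a database, as an added example that is not part of the deck, including the certificate backup without which the encrypted backups cannot be restored elsewhere, and the DMV query that confirms the encryption state. The database name Sales, the certificate name and the file paths are assumed; passwords are placeholders.

```sql
-- Added example, not from the deck. Database, certificate and paths are
-- assumed names; passwords are placeholders.
USE master;
GO
-- Database master key in master, which protects the TDE certificate
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<placeholder: strong password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE certificate for Sales';
GO
-- Back the certificate up before encrypting anything: a TDE-encrypted backup
-- can only be restored on an instance that has this certificate. Keep the
-- two files (and the password) separate from the database backups.
BACKUP CERTIFICATE TdeCert TO FILE = N'<placeholder path>\TdeCert.cer'
    WITH PRIVATE KEY (FILE = N'<placeholder path>\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<placeholder: second strong password>');
GO
USE Sales;
GO
-- Database encryption key, protected by the server certificate
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE Sales SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here as well, since it is encrypted once any user database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

TDE protects the files and backups at rest only; a login that already has SELECT on the data still reads it in clear, so it complements, and does not replace, the least-privilege work on the previous slides.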
SQL Server 2016 New Security Features
 Always Encrypted
 Column-level encryption
 Data is encrypted both at rest and in memory
 Decryption happens on the client
 Row-Level Security
 Filters rows available to users
 Dynamic Data Masking
 Obfuscates sensitive information
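Row-Level Security and Dynamic Data Masking set up on two sample tables, as an added example that is not part of the deck, with the catalog queries that show what is in force. The tables dbo.Orders(OrderId, SalesRep, Amount) and dbo.Customers(CustomerId, Email, Phone) and the database roles SalesAppReader and SalesManagers are assumed to exist; SalesRep is assumed to hold the database user name of the owning rep.

```sql
-- Added example, not from the deck. Tables dbo.Orders(OrderId, SalesRep, Amount)
-- and dbo.Customers(CustomerId, Email, Phone) and the roles SalesAppReader
-- and SalesManagers are assumed to exist.

-- Row-Level Security: a predicate function plus a security policy. The engine
-- applies the filter to every query on the table, so the application cannot
-- forget to add the WHERE clause.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()           -- a rep sees only their own rows
              OR IS_MEMBER(N'SalesManagers') = 1;  -- managers see everything
GO
CREATE SECURITY POLICY Security.OrderFilter
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    -- the block predicate also stops a rep inserting rows under another name
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO

-- Dynamic Data Masking: obfuscates query output for principals without
-- UNMASK. It is a presentation control, not encryption: the real values are
-- still stored in clear, so it does not replace permissions or TDE.
ALTER TABLE dbo.Customers ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');
GRANT SELECT ON dbo.Customers TO SalesAppReader;   -- sees masked values
GRANT UNMASK TO SalesManagers;                     -- sees real values

-- Check: which policies and masked columns are in force in this database?
SELECT p.name AS policy_name,
       OBJECT_NAME(sp.target_object_id) AS table_name,
       sp.predicate_type_desc, p.is_enabled
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;

SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```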
Resources
 OWASP http://www.owasp.org
 Security checklist for the Database Engine http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx
 Troy Hunt’s blog http://www.troyhunt.com
 Troy Hunt’s free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today http://www.troyhunt.com/2015/06/free-recorded-webinar-on-pluralsight.html
Stick around for the RAFFLE and the AFTER EVENT!
 All our volunteers and organisers do not get paid for organising this event – if you see them, please:
 Give them a hug
 Shake their hand
 Say thank you
 Spread the word
 Get involved yourself
 Don’t forget to thank the sponsors for their support
 Thank the speakers for donating their time, energy and expenses
 Don’t forget the feedback!