Database and Application Security: A Practitioner's Guide, 1st edition
Published by Addison-Wesley Professional (March 12, 2024) © 2024
- R Sarma Danturthi
- A print text (hardcover or paperback)
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
An all-encompassing guide to securing your database and applications against costly cyberattacks!
In a time when the average cyberattack costs a company $9.48 million, organizations are desperate for qualified database administrators and software professionals. Hackers are more innovative than ever before. Increased cybercrime means front-end applications and back-end databases must be fine-tuned for a strong security posture. Database and Application Security: A Practitioner's Guide is the resource you need to better fight cybercrime and become more marketable in an IT environment that is short on skilled cybersecurity professionals.
In this extensive and accessible guide, Dr. R. Sarma Danturthi provides a solutions-based approach to help you master the tools, processes, and methodologies to establish security inside application and database environments. It discusses the STIG (Security Technical Implementation Guide) requirements for third-party applications and how to make sure these applications comply with an organization's security posture. From securing hosts and creating firewall rules to complying with increasingly tight regulatory requirements, this book will be your go-to resource for building an ironclad database security posture.
In this guide, you'll find:
- Tangible ways to protect your company from data breaches, financial loss, and reputational harm
- Engaging practice questions (and answers) after each chapter to solidify your understanding
- Key information to prepare for certifications such as Sec+, CISSP, and ITIL
- Sample scripts for both Oracle and SQL Server software and tips to secure your code
- Advantages of back-end database scripting over hard-coding database access in the front end
- Processes to create security policies, practice continuous monitoring, and maintain proactive security postures
Foreword    xvi
Introduction     xvii

Part I. Security Fundamentals

Chapter 1. Basics of Cybersecurity     1
Cybersecurity     1
CIA-DAD     2
I-A-A-A     4
Defense in Depth     6
Hardware and Software Security     7
Firewalls, Access Controls, and Access Control Lists     8
Physical Security     9
Practical Example of a Server Security in an Organization     10
Summary     16
Chapter 1 Questions     17
Answers to Chapter 1 Questions     18

Chapter 2. Security Details     19
The Four Attributes: Encrypt, Compress, Index, and Archive     19
Encryption, Algorithms     22
Public Key Infrastructure     22
Email Security Example     23
Nonrepudiation, Authentication Methods (K-H-A)     25
Current and New Algorithms     26
Summary     26
Chapter 2 Questions     28
Answers to Chapter 2 Questions     29

Chapter 3. Goals of Security     31
Goals of Security—SMART/OKR     31
Who’s Who in Security: RACI     33
Creating the RACI Matrix     35
Planning—Strategic, Tactical, and Operational     36
Events and Incidents     37
Risks, Breaches, Fixes     38
Security Logs—The More the Merrier     39
Re/Engineering a Project     41
Keeping Security Up to Date     42
Summary     43
Chapter 3 Questions     44
Answers to Chapter 3 Questions     45

Part II. Database Security—The Back End

Chapter 4. Database Security Introduction     47
ACID, BASE of DB, and CIA Compliance     47
ACID, BASE, and CIA     47
Data in Transit, Data at Rest     49
DDL and DML     52
Designing a Secure Database     54
Structural Security     57
Functional Security     60
Data Security     61
Procedural Security     63
Summary     64
Chapter 4 Questions     65
Answers to Chapter 4 Questions     66

Chapter 5. Access Control of Data     67
Access Control—Roles for Individuals and Applications     67
MAC, DAC, RBAC, RuBAC     69
Passwords, Logins, and Maintenance     74
Hashing and Checksum Methods     76
Locking, Unlocking, Resetting     80
Monitoring User Accounts, System Account     82
Data Protection—Views and Materialized Views     86
PII Security—Data, Metadata, and Surrogates     90
Summary     94
Chapter 5 Questions     96
Answers to Chapter 5 Questions     97

Chapter 6. Data Refresh, Backup, and Restore     99
Data Refresh—Manual, ETL, and Script     99
ETL Jobs     102
Security in Invoking ETL Job     104
Data Pump: Exporting and Importing     106
Backup and Restore     109
Keeping Track—Daily, Weekly, Monthly     117
Summary     119
Chapter 6 Questions     120
Answers to Chapter 6 Questions     121

Chapter 7. Host Security     123
Server Connections and Separation     123
IP Selection, Proxy, Invited Nodes     126
Access Control Lists     128
Connecting to a System/DB: Passwords, Smart Cards, Certificates     131
Cron Jobs or Task Scheduler     137
Regular Monitoring and Troubleshooting     141
Summary     144
Chapter 7 Questions     145
Answers to Chapter 7 Questions     146

Chapter 8. Proactive Monitoring     149
Logs, Logs, and More Logs     149
Data Manipulation Monitoring     150
Data Structure Monitoring     156
Third-Party or Internal Audits     159
LOG File Generation     165
Summary     172
Chapter 8 Questions     173
LAB Work     173
Answers to Chapter 8 Questions     174

Chapter 9. Risks, Monitoring, and Encryption     175
Security Terms     175
Risk, Mitigation, Transfer, Avoidance, and Ignoring     177
Organized Database Monitoring     181
Encrypting the DB: Algorithm Choices     183
Automated Alerts     185
Summary     186
Chapter 9 Questions     187
Answers to Chapter 9 Questions     188

Part III. Application Security—The Front End

Chapter 10. Application Security Fundamentals     189
Coding Standards     190
The Software Development Process     195
Models and Selection     199
Cohesion and Coupling     201
Development, Test, and Production     202
Client and Server     204
Side Effects of a Bad Security in Software     213
Fixing the SQL Injection Attacks     213
Evaluate User Input     214
Do Back-End Database Checks     215
Change Management—Speaking the Same Language     215
Secure Logging In to Applications, Access to Users     217
Summary     221
Chapter 10 Questions     223
Answer to Chapter 10 Questions     224

Chapter 11. The Unseen Back End     227
Back-End DB Connections in Java/Tomcat     238
Connection Strings and Passwords in Code     241
Stored Procedures and Functions     242
File Encryption, Types, and Association     247
Implementing Public Key Infrastructure and Smart Card     250
Examples of Key Pairs on Java and Linux     251
Symmetric Encryption     253
Asymmetric Encryption     254
Vulnerabilities, Threats, and Web Security     255
Attack Types and Mitigations     256
Summary     260
Chapter 11 Questions     261
Answers to Chapter 11 Questions     262

Chapter 12. Securing Software—In-House and Vendor     263
Internal Development Versus Vendors     263
Vendor or COTS Software     264
Action Plan     265
In-House Software Development     266
Initial Considerations for In-House Software     267
Code Security Check     269
Fixing the Final Product—SAST Tools     271
Fine-tuning the Product—Testing and Release     277
Patches and Updates     278
Product Retirement/Decommissioning     280
Summary     282
Chapter 12 Questions     283
Answers to Chapter 12 Questions     284

Part IV. Security Administration

Chapter 13. Security Administration     287
Least Privilege, Need to Know, and Separation of Duties     287
Who Is Who and Why     290
Scope or User Privilege Creep     292
Change Management     294
Documenting the Process     296
Legal Liabilities     308
Software Analysis     312
Network Analysis     312
Hardware or a Device Analysis     313
Be Proactive—Benefits and Measures     314
Summary     318
Chapter 13 Questions     319
Answers to Chapter 13 Questions     320

Chapter 14. Follow a Proven Path for Security     323
Advantages of Security Administration     323
Penetration Testing     325
Penetration Test Reports     334
Audits—Internal and External and STIG Checking     337
OPSEC—The Operational Security     344
Digital Forensics—Software Tools     346
Lessons Learned/Continuous Improvement     349
Summary     350
Chapter 14 Questions     352
Answers to Chapter 14 Questions     353

Chapter 15. Mobile Devices and Application Security     355
Authentication     356
Cryptography     359
Code Quality and Injection Attacks     360
User Privacy on the Device     360
Descriptive Claims     361
Secure Software Development Claims     361
Sandboxing     363
Mobile Applications Security Testing     364
NIST’s Directions for Mobile Device Security     366
Summary     370
Chapter 15 Questions     372
Answers to Chapter 15 Questions     373

Chapter 16. Corporate Security in Practice     375
Case # 1: A Person Is Joining an Organization as a New Employee     378
Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization     382
Case # 3: An Existing Employee Wants to Renew Their Credentials     383
Case # 4: An Existing Employee’s Privileges Are Increased/Decreased     383
Case # 5: A Visitor/Vendor to the Organizational Facility     384
Physical Security of DB and Applications     385
Business Continuity and Disaster Recovery     388
Attacks and Loss—Recognizing and Remediating     390
Recovery and Salvage     393
Getting Back to Work     394
Lessons Learned from a Ransomware Attack—Example from a ISC2 Webinar     399
Summary     403
Chapter 16 Questions     404
Answers to Chapter 16 Questions     405

References  407

Index   411
Dr. R. Sarma Danturthi holds a PhD in Engineering from the University of Memphis (Memphis, TN) and works for the US Department of Defense. He has several years of experience with IT security, coding, databases, and project management. He holds Sec+, CISSP, and PMP certifications and is the author of the book 70 Tips and Tricks for Mastering the CISSP Exam (Apress, 2020).