Database and Application Security
Addison Wesley (Publisher)
978-0-13-807373-2 (ISBN)
In a time when the average cyberattack costs a company $9.48 million, organizations are desperate for qualified database administrators and software professionals. Hackers are more innovative than ever before. Increased cybercrime means front-end applications and back-end databases must be fine-tuned for a strong security posture. Database and Application Security: A Practitioner's Guide is the resource you need to better fight cybercrime and become more marketable in an IT environment that is short on skilled cybersecurity professionals.
In this extensive and accessible guide, Dr. R. Sarma Danturthi provides a solutions-based approach to help you master the tools, processes, and methodologies to establish security inside application and database environments. It discusses the STIG requirements for third-party applications and how to make sure these applications comply with an organization's security posture. From securing hosts and creating firewall rules to complying with increasingly tight regulatory requirements, this book will be your go-to resource for creating an ironclad, secure database.
In this guide, you'll find:
Tangible ways to protect your company from data breaches, financial loss, and reputational harm
Engaging practice questions (and answers) after each chapter to solidify your understanding
Key information to prepare for certifications such as Sec+, CISSP, and ITIL
Sample scripts for both Oracle and SQL Server software and tips to secure your code
Advantages of back-end database scripting over hard-coding database access in the front end
Processes to create security policies, practice continuous monitoring, and maintain proactive security postures
Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside book for details.
Dr. R. Sarma Danturthi holds a PhD in Engineering from the University of Memphis (Memphis, TN) and works for the US Department of Defense. He has several years of experience with IT security, coding, databases, and project management. He holds Sec+, CISSP, and PMP certifications and is the author of the book 70 Tips and Tricks for Mastering the CISSP Exam (Apress, 2020).
Foreword xvi
Introduction xvii
Part I. Security Fundamentals
Chapter 1. Basics of Cybersecurity 1
Cybersecurity 1
CIA-DAD 2
I-A-A-A 4
Defense in Depth 6
Hardware and Software Security 7
Firewalls, Access Controls, and Access Control Lists 8
Physical Security 9
Practical Example of Server Security in an Organization 10
Summary 16
Chapter 1 Questions 17
Answers to Chapter 1 Questions 18
Chapter 2. Security Details 19
The Four Attributes: Encrypt, Compress, Index, and Archive 19
Encryption, Algorithms 22
Public Key Infrastructure 22
Email Security Example 23
Nonrepudiation, Authentication Methods (K-H-A) 25
Current and New Algorithms 26
Summary 26
Chapter 2 Questions 28
Answers to Chapter 2 Questions 29
Chapter 3. Goals of Security 31
Goals of Security—SMART/OKR 31
Who’s Who in Security: RACI 33
Creating the RACI Matrix 35
Planning—Strategic, Tactical, and Operational 36
Events and Incidents 37
Risks, Breaches, Fixes 38
Security Logs—The More the Merrier 39
Re/Engineering a Project 41
Keeping Security Up to Date 42
Summary 43
Chapter 3 Questions 44
Answers to Chapter 3 Questions 45
Part II. Database Security—The Back End
Chapter 4. Database Security Introduction 47
ACID, BASE of DB, and CIA Compliance 47
ACID, BASE, and CIA 47
Data in Transit, Data at Rest 49
DDL and DML 52
Designing a Secure Database 54
Structural Security 57
Functional Security 60
Data Security 61
Procedural Security 63
Summary 64
Chapter 4 Questions 65
Answers to Chapter 4 Questions 66
Chapter 5. Access Control of Data 67
Access Control—Roles for Individuals and Applications 67
MAC, DAC, RBAC, RuBAC 69
Passwords, Logins, and Maintenance 74
Hashing and Checksum Methods 76
Locking, Unlocking, Resetting 80
Monitoring User Accounts, System Account 82
Data Protection—Views and Materialized Views 86
PII Security—Data, Metadata, and Surrogates 90
Summary 94
Chapter 5 Questions 96
Answers to Chapter 5 Questions 97
Chapter 6. Data Refresh, Backup, and Restore 99
Data Refresh—Manual, ETL, and Script 99
ETL Jobs 102
Security in Invoking ETL Job 104
Data Pump: Exporting and Importing 106
Backup and Restore 109
Keeping Track—Daily, Weekly, Monthly 117
Summary 119
Chapter 6 Questions 120
Answers to Chapter 6 Questions 121
Chapter 7. Host Security 123
Server Connections and Separation 123
IP Selection, Proxy, Invited Nodes 126
Access Control Lists 128
Connecting to a System/DB: Passwords, Smart Cards, Certificates 131
Cron Jobs or Task Scheduler 137
Regular Monitoring and Troubleshooting 141
Summary 144
Chapter 7 Questions 145
Answers to Chapter 7 Questions 146
Chapter 8. Proactive Monitoring 149
Logs, Logs, and More Logs 149
Data Manipulation Monitoring 150
Data Structure Monitoring 156
Third-Party or Internal Audits 159
LOG File Generation 165
Summary 172
Chapter 8 Questions 173
LAB Work 173
Answers to Chapter 8 Questions 174
Chapter 9. Risks, Monitoring, and Encryption 175
Security Terms 175
Risk, Mitigation, Transfer, Avoidance, and Ignoring 177
Organized Database Monitoring 181
Encrypting the DB: Algorithm Choices 183
Automated Alerts 185
Summary 186
Chapter 9 Questions 187
Answers to Chapter 9 Questions 188
Part III. Application Security—The Front End
Chapter 10. Application Security Fundamentals 189
Coding Standards 190
The Software Development Process 195
Models and Selection 199
Cohesion and Coupling 201
Development, Test, and Production 202
Client and Server 204
Side Effects of Bad Security in Software 213
Fixing the SQL Injection Attacks 213
Evaluate User Input 214
Do Back-End Database Checks 215
Change Management—Speaking the Same Language 215
Secure Logging In to Applications, Access to Users 217
Summary 221
Chapter 10 Questions 223
Answers to Chapter 10 Questions 224
Chapter 11. The Unseen Back End 227
Back-End DB Connections in Java/Tomcat 238
Connection Strings and Passwords in Code 241
Stored Procedures and Functions 242
File Encryption, Types, and Association 247
Implementing Public Key Infrastructure and Smart Card 250
Examples of Key Pairs on Java and Linux 251
Symmetric Encryption 253
Asymmetric Encryption 254
Vulnerabilities, Threats, and Web Security 255
Attack Types and Mitigations 256
Summary 260
Chapter 11 Questions 261
Answers to Chapter 11 Questions 262
Chapter 12. Securing Software—In-House and Vendor 263
Internal Development Versus Vendors 263
Vendor or COTS Software 264
Action Plan 265
In-House Software Development 266
Initial Considerations for In-House Software 267
Code Security Check 269
Fixing the Final Product—SAST Tools 271
Fine-tuning the Product—Testing and Release 277
Patches and Updates 278
Product Retirement/Decommissioning 280
Summary 282
Chapter 12 Questions 283
Answers to Chapter 12 Questions 284
Part IV. Security Administration
Chapter 13. Security Administration 287
Least Privilege, Need to Know, and Separation of Duties 287
Who Is Who and Why 290
Scope or User Privilege Creep 292
Change Management 294
Documenting the Process 296
Legal Liabilities 308
Software Analysis 312
Network Analysis 312
Hardware or a Device Analysis 313
Be Proactive—Benefits and Measures 314
Summary 318
Chapter 13 Questions 319
Answers to Chapter 13 Questions 320
Chapter 14. Follow a Proven Path for Security 323
Advantages of Security Administration 323
Penetration Testing 325
Penetration Test Reports 334
Audits—Internal and External and STIG Checking 337
OPSEC—Operational Security 344
Digital Forensics—Software Tools 346
Lessons Learned/Continuous Improvement 349
Summary 350
Chapter 14 Questions 352
Answers to Chapter 14 Questions 353
Chapter 15. Mobile Devices and Application Security 355
Authentication 356
Cryptography 359
Code Quality and Injection Attacks 360
User Privacy on the Device 360
Descriptive Claims 361
Secure Software Development Claims 361
Sandboxing 363
Mobile Applications Security Testing 364
NIST’s Directions for Mobile Device Security 366
Summary 370
Chapter 15 Questions 372
Answers to Chapter 15 Questions 373
Chapter 16. Corporate Security in Practice 375
Case # 1: A Person Is Joining an Organization as a New Employee 378
Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization 382
Case # 3: An Existing Employee Wants to Renew Their Credentials 383
Case # 4: An Existing Employee’s Privileges Are Increased/Decreased 383
Case # 5: A Visitor/Vendor to the Organizational Facility 384
Physical Security of DB and Applications 385
Business Continuity and Disaster Recovery 388
Attacks and Loss—Recognizing and Remediating 390
Recovery and Salvage 393
Getting Back to Work 394
Lessons Learned from a Ransomware Attack—Example from an ISC2 Webinar 399
Summary 403
Chapter 16 Questions 404
Answers to Chapter 16 Questions 405
References 407
Index 411
| Publication date | 16 January 2024 |
|---|---|
| Place of publication | Boston |
| Language | English |
| Dimensions | 190 x 235 mm |
| Weight | 790 g |
| Subject area | Computer Science ► Networks ► Security / Firewall |
| ISBN-10 | 0-13-807373-2 / 0138073732 |
| ISBN-13 | 978-0-13-807373-2 / 9780138073732 |
| Condition | New |