Database and Application Security: A Practitioner’s Guide
9780138073725
An all-encompassing guide to securing your database and applications against costly cyberattacks!
In a time when the ave
English
Pages 448
Year 2024
Table of contents:
Cover Page
Title Page
Contents
Table of Contents
Preface
Introduction
Who Should Read This Book?
How This Book Is Organized
Part I: Security Fundamentals
Chapter 1. The Basics of Cybersecurity
Cybersecurity
CIA-DAD
I-A-A-A
Defense in Depth
Hardware and Software Security
Firewalls, Access Controls, and Access Control Lists
Physical Security
Practical Example of a Server Security in an Organization
Summary
Chapter 1 Questions
Answers to Chapter 1 Questions
Chapter 2. Security Details
The Four Attributes: Encrypt, Compress, Index, and Archive
Encryption, Algorithms
Public Key Infrastructure
Email Security Example
Non-Repudiation, Authentication Methods (K-H-A)
Current and New Algorithms
Summary
Chapter 2 Questions
Answers to Chapter 2 Questions
Chapter 3. Goals of Security
Goals of Security—SMART/OKR
Who’s Who in Security: RACI
Creating the RACI Matrix
Planning—Strategic, Tactical, and Operational
Events and Incidents
Risks, Breaches, Fixes
Security Logs—The More the Merrier
Re/Engineering a Project
Keeping Security Up to Date
Summary
Chapter 3 Questions
Answers to Chapter 3 Questions
Part II: Database Security—The Back End
Chapter 4. Database Security Introduction
ACID, BASE of DB, and CIA Compliance
ACID, BASE and CIA
Data in Transit, Data at Rest
DDL and DML
Designing a Secure Database
Structural Security
Functional Security
Data Security
Procedural Security
Summary
Chapter 4 Questions
Answers to Chapter 4 Questions
Chapter 5. Access Control of Data
Access Control—Roles for Individuals and Applications
MAC, DAC, RBAC, RuBAC
Passwords, Logins, and Maintenance
Hashing and Checksum Methods
Locking, Unlocking, Resetting
Monitoring User Accounts, System Account
Data Protection—Views and Materialized Views
PII Security—Data, Metadata, and Surrogates
Summary
Chapter 5 Questions
Answers to Chapter 5 Questions
Chapter 6. Data Refresh, Backup, and Restore
Data Refresh—Manual, ETL, and Script
ETL Jobs
Security in Invoking ETL Job
Data Pump: Exporting and Importing
Backup and Restore
Keeping Track—Daily, Weekly, Monthly
Summary
Chapter 6 Questions
Answers to Chapter 6 Questions
Chapter 7. Host Security
Server Connections and Separation
IP Selection, Proxy, Invited Nodes
Access Control Lists
Connecting to a System/DB: Passwords, Smart Cards, Certificates
Cron Jobs or Task Scheduler
Regular Monitoring and Troubleshooting
Summary
Chapter 7 Questions
Answers to Chapter 7 Questions
Chapter 8. Proactive Monitoring
Logs, Logs, and More Logs
Data Manipulation Monitoring
Data Structure Monitoring
Third-Party or Internal Audits
LOG File Generation
Summary
Chapter 8 Questions
LAB Work
Answers to Chapter 8 Questions
Chapter 9. Risk, Monitoring, and Encryption
Security Terms
Risk, Mitigation, Transfer, Avoidance, and Ignoring
Organized Database Monitoring
Encrypting the DB: Algorithm Choices
Automated Alerts
Summary
Chapter 9 Questions
Answers to Chapter 9 Questions
Part III: Application Security—The Front End
Chapter 10. Application Security Fundamentals
Coding Standards
The Software Development Process
Models and Selection
Cohesion and Coupling
Development, Test, and Production
Client and Server
Side Effects of a Bad Security in Software
Fixing the SQL Injection Attacks
Evaluate User Input
Do Back-End Database Checks
Change Management—Speaking the Same Language
Secure Logging In to Applications, Access to Users
Summary
Chapter 10 Questions
Answer to Chapter 10 Questions
Chapter 11. The Unseen Back End
Back-End DB Connections in Java/Tomcat
Connection Strings and Passwords in Code
Stored Procedures and Functions
File Encryption, Types, and Association
Implementing Public Key Infrastructure and Smart Card
Examples of Key Pairs on Java and Linux
Symmetric Encryption
Asymmetric Encryption
Vulnerabilities, Threats, and Web Security
Attack Types and Mitigations
Summary
Chapter 11 Questions
Answers to Chapter 11 Questions
Chapter 12. Securing Software—In-House and Vendor
Internal Development Versus Vendors
Vendor or COTS Software
Action Plan
In-House Software Development
Initial Considerations for In-House Software
Code Security Check
Fixing the Final Product—SAST Tools
Fine-tuning the Product—Testing and Release
Patches and Updates
Product Retirement/Decommissioning
Summary
Chapter 12 Questions
Answers to Chapter 12 Questions
Part IV: Security Administration
Chapter 13. Security Administration
Least Privilege, Need to Know, and Separation of Duties
Who Is Who and Why
Scope or User Privilege Creep
Change Management
Documenting the Process
Legal Liabilities
Software Analysis
Network Analysis
Hardware or a Device Analysis
Be Proactive—Benefits and Measures
Summary
Chapter 13 Questions
Answers to Chapter 13 Questions
Chapter 14. Follow a Proven Path for Security
Advantages of Security Administration
Penetration Testing
Penetration Test Reports
Audits—Internal and External and STIG Checking
OPSEC—The Operational Security
Digital Forensics—Software Tools
Lessons Learned/Continuous Improvement
Summary
Chapter 14 Questions
Answers to Chapter 14 Questions
Chapter 15. Mobile Devices and Application Security
Authentication
Cryptography
Code Quality and Injection Attacks
User Privacy on the Device
Sandboxing
Mobile Applications Security Testing
NIST’s Directions for Mobile Device Security
Summary
Chapter 15 Questions
Answers to Chapter 15 Questions
Chapter 16. Corporate Security in Practice
Case # 1: A Person Is Joining an Organization as a New Employee
Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization
Case # 3: An Existing Employee Wants to Renew His Credentials
Case # 4: An Existing Employee Privileges Are Increased/Decreased
Case # 5: A Visitor/Vendor to the Organizational Facility
Physical Security of DB and Applications
Business Continuity and Disaster Recovery
Attacks and Loss—Recognizing and Remediating
Recovery and Salvage
Getting Back to Work
Lessons Learned from a Ransomware Attack—Example from a ISC2 Webinar
Summary
Chapter 16 Questions
Answers to Chapter 16 Questions
Author Bio