Securing Databases is an essential training course for DBAs and developers who need to produce secure database applications and manage secure databases. Data, databases, and related resources are at the heart of most IT infrastructures. Data, databases, and related resources are at the heart of most IT infrastructures. These assets can have high value from a business, regulatory, and liability perspective. They must be protected accordingly. In this course, demonstrations repeatedly attack and then defend various assets associated with a fully-functional database. This approach illustrates the mechanics of how to secure databases in the most practical of terms.
Students who attend Securing Databases will leave the course armed with the skills required to recognize actual and potential database vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency.
This course introduces you to the most common security vulnerabilities faced by databases today. Each vulnerability is examined from a database perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. Multiple practical demonstrations reinforce these concepts with real vulnerabilities and attacks. You will learn how to design and implement the layered defenses you will need in defending your own databases.
Throughout the course, attendees will learn to:
- Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
- Test databases with various attack techniques to determine the existence of and effectiveness of layered defenses
- Prevent and defend the many potential vulnerabilities associated with untrusted data
- Understand the concepts and terminology behind supporting, designing, and deploying secure databases
- Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
- Understand the currently accepted best practices for supporting the many security needs of databases.
- Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
- Detect, attack, and implement defenses for authentication and authorization functionality
- Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
- Detect, attack, and implement defenses against XSS and Injection attacks
- Understand the concepts and terminology behind defensive, secure database configuration and operation
- Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
- Perform both static reviews and dynamic database testing to uncover vulnerabilities
- Design and develop strong, robust authentication and authorization implementations
- Understand the fundamentals of Digital Signatures as well as how it can be used as part of the defensive infrastructure for data
- Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data
Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional application development, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.
This is an intermediate -level database course, designed for those who wish to get up and running on developing well defended database applications. This course may be customized to suit your team’s unique objectives.
Familiarity with databases is required and real world experience is highly recommended. Ideally, you should have approximately 6 months to a year of database working knowledge.
Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.
Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience interests, skill-level and participation.
Session: Foundation for Securing Databases
Lesson: Why Hunt Bugs?
- Security and Insecurity
- Dangerous Assumptions
- Attack Vectors
Lesson: Fingerprinting Databases
- Fingerprinting Infrastructures and Databases
- Finding the Databases
- Scanning Databases for Vulnerabilities
- Scanning Applications and Operating Systems
Lesson: Principles of Information Security
- Security Is a Lifecycle Issue
- Minimize Attack Surface Area
- Layers of Defense: Tenacious D
- Consider All Application States
- Do NOT Trust the Untrusted
Session: Database Security Vulnerabilities
Lesson: Database Security Concerns
- Data at Rest and in Motion
- Privilege management
- Boundary Defenses
- Continuity of Service
- Trusted Recovery
Lesson: Vulnerabilities and Databases
- Unvalidated Input
- Broken Authentication
- Cross Site Scripting (XSS/CSRF)
- Injection Flaws
- Error Handling, Logging, and Information Leakage
- Insecure Storage
- Direct Object Access
- XML Vulnerabilities
Lesson: Database Security
- Design and Configuration
- Identification and Authentication
- Computing Environment
- Database Auditing
- Boundary Defenses
- Continuity of Service
- Vulnerability and Incident Management
Session: Moving Forward with Database Security
Lesson: Databases: What Next?
- Open Web Application Security Project (OWASP)
- OWASP Top Ten Overview
- Web Application Security Consortium
- CERT Secure Coding Standards
- Bug Hunting Mistakes to Avoid
- Tools and Resources
Session: Secure Development Lifecycle (SDL)
Lesson: SDL Overview
- Attack/Defense Basics
- Types of Security Controls
- Attack Phases: Offensive Actions and Defensive Controls
- Secure Software Development Processes
- Shifting Left
- Actionable Items Moving Forward
Lesson: SDL In Action
- Risk Escalators
- Risk Escalator Mitigation
- SDL Phases
- Actions for each SDL Phase
- SDL Best Practices
Session: Taking Action Now for Securing Databases
Lesson: Database Asset Analysis
- Targets: Data/Entity Assets
- Targets: Functional/Service Assets
- Classifying Based on Value and Risk Escalation
- Asset Inventory and Analysis
Lesson: Making Application Security Real
- Cost of Continually Reinventing
- Paralysis by Analysis
- Actional Application Security
- Additional Tools for the Toolbox
Additional Topics: Time Permitting
Lesson: Cryptography Overview
- Strong Encryption
- Message Digests
- Keys and Key Management
- NIST Recommendation
Hands-on Setup Made Simple! All course materials, data sets, course software (limited version, for course use only), course notes and related resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. In most cases, we can also offer local (non-cloud) set up as an alternative. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants.
Every-Course Extras = High-Value & Long-Term Learning Support! Most courses also include our unique EveryCourse Extras package (Post-Course Resource Site access, Review Labs, Live Instructor Follow-on Support, Free *Live* Course Refresh Re-Takes, early access to Special Offers, Free Courses & more). Please ask for details.