Securing Databases | Database Security

Learn to Attack and Defend Assets Critical Database Assets, and How to Build Secure Databases from the Ground Up

Course Code: TT8700

Skill Level: Intermediate

Duration: 2 Days

Course Overview

From ransomware and constant data breaches to state-sponsored attacks, we are under constant and increasing pressure. Retailers, financial institutions, government agencies, high-tech companies, and many others are paying the price for poor application security - financial losses and eroding trust. The developer community must take ownership of these problems and change our perspective of defensive measures and how we design, development, and maintain software applications.

Securing Databases is an essential training course for DBAs and developers who need to produce secure database applications and manage secure databases. Data, databases, and related resources are at the heart of most IT infrastructures. These assets can have high value from a business, regulatory, and liability perspective, and must be protected accordingly. This course showcases demonstrations on how to repeatedly attack and then defend various assets associated with a fully functional database. This approach illustrates the mechanics of how to secure databases in the most practical of terms.

This course introduces the most common security vulnerabilities faced by databases today. Throughout the course, you’ll examine each vulnerability from a database perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and then designing, implementing, and testing effective defenses. Multiple practical demonstrations reinforce these concepts with real vulnerabilities and attacks. You’ll also learn how to design and implement the layered defenses needed to defend your own databases. You’ll exit this course with the skills required to recognize actual and potential database vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency.

Course Objectives

Throughout the course, you will learn to:

Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
Establish the first axiom in security analysis of ALL web applications for this course and beyond
Establish the first axiom in addressing ALL security concerns for this course and beyond
Test databases with various attack techniques to determine the existence of and effectiveness of layered defenses
Prevent and defend the many potential vulnerabilities associated with untrusted data
Understand the concepts and terminology behind supporting, designing, and deploying secure databases
Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
Understand the currently accepted best practices for supporting the many security needs of databases.
Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
Detect, attack, and implement defenses for authentication and authorization functionality
Understand the dangers and mechanisms behind Injection attacks
Understand the concepts and terminology behind defensive, secure database configuration and operation
Understand the use of Threat Modeling as a tool in identifying software vulnerabilities based on realistic threats against meaningful assets
Perform both static reviews and dynamic database testing to uncover vulnerabilities
Design and develop strong, robust authentication and authorization implementations
Understand the fundamentals of Digital Signatures as well as how it can be used as part of the defensive infrastructure for data
Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data
Identify resources to use for ongoing threat intelligence
Plan next steps after completion of this training

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional application development, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an introduction to database security course for intermediate skilled team members. Attendees might include DBAs, system administrators, developers and other enterprise team members. Ideally, students should have approximately 6 months to a year of database working knowledge.

Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience interests, skill-level and participation.

Session: Foundation for Securing Databases

Lesson: Why Hunt Bugs?
The Language of Cybersecurity
The Changing Cybersecurity Landscape
AppSec Dissection of SolarWinds
The Human Perimeter
Interpreting the 2021 Verizon Data Breach Investigation Report
First Axiom in Web Application Security Analysis
First Axiom in Addressing ALL Security Concerns

Lesson: Fingerprinting Databases
Fingerprinting Infrastructures and Databases
Finding the Databases
Scanning Databases for Vulnerabilities
Scanning Applications and Operating Systems

Lesson: Principles of Information Security
Security Is a Lifecycle Issue
Minimize Attack Surface Area
Layers of Defense: Tenacious D
Compartmentalize
Consider All Application States
Do NOT Trust the Untrusted
AppSec Dissection of the Verkada Exploit

Session: Database Security Vulnerabilities

Lesson: Database Security Concerns
Data at Rest and in Motion
Privilege management
Boundary Defenses
Continuity of Service
Trusted Recovery

Lesson: Common Vulnerabilities and Databases
Unvalidated Input
Elevation of Privileges
Identifying Protection Needs
Evolving Privacy Considerations
Options for Protecting Data
Transport/Message Level Security
SQL Injection Flaws
Drill Down on Stored Procedures
Quality and Protection of Authentication Data
Proper hashing of passwords
Handling Passwords on Server Side
Managing Updates: Balancing Risk and Timeliness
Detecting Threats and Active Attacks
Best Practices for Determining What to Log
Safe Logging in Support of Forensics
System Hardening
Risks with Internet-Connected Resources (Servers to Cloud)
Segmentation with Containers and Cloud

Lesson: Database Security
Design and Configuration
Identification and Authentication
Computing Environment
Database Auditing
Boundary Defenses
Continuity of Service
Vulnerability and Incident Management

Session: Moving Forward with Database Security

Lesson: Databases: What Next?
Common Vulnerabilities and Exposures
Strength Training: Project Teams/Developers
Strength Training: IT Organizations

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Overview
Attack Phases: Offensive Actions and Defensive Controls
Secure Software Development Processes
Shifting Left
Actionable Items Moving Forward

Lesson: SDL In Action
Risk Escalators
Risk Escalator Mitigation
SDL Phases
Actions for each SDL Phase
SDL Best Practices

Session: Taking Action Now for Securing Databases

Lesson: Database Asset Analysis
Targets: Data/Entity Assets
Targets: Functional/Service Assets
Classifying Based on Value and Risk Escalation
Asset Inventory and Analysis

Lesson: Making Application Security Real
Cost of Continually Reinventing
Leveraging Common AppSec Practices and Control
Paralysis by Analysis
Actional Application Security
Additional Tools for the Toolbox

Bonus Topics: Time Permitting

Lesson: Cryptography Overview
Strong Encryption
Message Digests
Encryption/Decryption
Keys and Key Management
NIST Recommendations

Course Materials

All course materials, data sets, course software (limited version, for course use only), course notes and related resources (as applicable) are provided for attendees in our easy access, no installation required, remote lab environment for the duration of the course. In most cases, we can also offer local (non-cloud) set up as an alternative. Our tech team will help set up, test and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and successful hands-on course experience for all participants.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Mix, Match & Master!
2FOR1: Two Courses, One Price!
Enroll in *any* two public courses (for 2023 *OR* 2024 dates!) by December 31, for one price! Learn something new, or share the promo!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course

Gain the skills you need with less time in the classroom with our short course, live-online hands-on events

Trivera QuickSkills: Free Courses and Webinars

Training on us! Keep your skills current with free live events, courses & webinars

Trivera AfterCourse: Coaching and Support

Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

First time in my life I have attended remote class and I find it great. Personally I don't feel there is any area which require improvement!

Rishi M

A very good balance of teaching time to lab time. I've done other courses that I found to be much lighter on content and heavy on labs to waste time. This was a refreshing change of pace.

Adam G

Excellent training. Even though it was online, I did not have any issues understanding or getting the answers for the questions I had. The lab exercises are interesting to apply what was learnt. Overall very good training. Thank you!

Anitha

Instructor was beyond phenomenal. He had an in depth knowledge of the course material and always ensured that everyone understood what was being discussed. I really enjoyed the mix of theory and practical examples of each part of the course.

Cillian M

Best programming class I've ever been in, head and shoulders above any thing I took in college as part of a computer science degree. The instructor was thorough and very detailed, he was very good abut explaining all possible scenarios a situation would apply to. The way the albs were structured and the class was conducted was very good for interaction and hand on learning.

Danish J

Great job overall. Great communicator and explained complex concepts in a simple, easier to understand format.

Jeremy G

Both the instructor and the course material were very thorough - the course material has many helpful references - the labs were well laid out, making it easy to learn from and get done on time

Steve C.

The instructor was clearly knowledgeable about Java and programming in general. He was very attentive to every student's individual needs and constantly encouraged questions, concerns, student issues to be raised and addressed each one thoroughly.

Mark M

Excellent detail about the Spring framework which directly relates to my role as a senior engineer. I found the content and style to be very enjoyable, and would encourage me to ask questions where previously I might not have paid much attention, eg. pom version numbers / spring starters being imported. The focus on the different styles of unit testing was also excellent and I would plan to incorporate in day to day work.

Edward K

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More