STIG Security | Database Security (DISA STIG Training)

Learn to Attack and Defend Critical Database Assets and How to Build Secure Databases from the Ground Up (within STIGs)



3 Days

Course Overview

DISA’s Database STIG, in conjunction with both generic and product-specific checklists, provides a comprehensive listing of requirements and needs for improving and maintaining the security of Database Management Systems within the Department of Defense.   This course fills in the context, background, and best practices for fulfilling those requirements and needs.  As with all of our courses, we maintain tight synchronization between the latest DISA releases and our materials.   The close ties between this STIG and the Applications Security and Development STIG are reflected in the coverage of application issues within the context of this course. A key component to our coverage of DISA’s Security Technical Implementation Guides (STIGS), this course is a companion course with several developer-oriented courses and seminars

Database Security is an intense database security training course essential for DBAs, QA, Testing, and other personnel who need to deliver secure database applications and manage secure databases within the DoD.  In addition to teaching basic skills, this course digs deep into sound processes and practices that apply to the entire software development lifecycle.  Perhaps just as significantly, students learn about current, real examples that illustrate the potential consequences of not following these best practices.   

Data, databases, and related resources are at the heart of the DoD’s IT infrastructures, and must be protected accordingly.  In this course, students repeatedly attack and then defend various assets associated with a fully-functional database.  This approach illustrates the mechanics of how to secure databases in the most practical of terms.

Course Objectives

Students who attend Database Security (STIG) will leave the course armed with the skills required to recognize actual and potential database vulnerabilities, implement defenses for those vulnerabilities, and test those defenses for sufficiency. This course quickly introduces students to the most common security vulnerabilities faced by databases today. Each vulnerability is examined from a database perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing, implementing, and testing effective defenses. 

Working in a dynamic learning environment attendees will learn to:

  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Be able to review and test databases to determine the existence of and effectiveness of layered defenses and required checks
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the concepts and terminology behind supporting, designing, and deploying secure databases
  • Appreciate the magnitude of the problems associated with data security and the potential risks associated with those problems
  • Understand the currently accepted best practices for supporting the many security needs of databases.
  • Understand the vulnerabilities associated with authentication and authorization within the context of databases and database applications
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Perform both static reviews and dynamic database testing to uncover vulnerabilities
  • Design and develop strong, robust authentication and authorization implementations
  • Understand the fundamentals of Encryption as well as how it can be used as part of the defensive infrastructure for data

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer additional STIG, application security, secure coding, secure software development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an introduction to database security course for intermediate skilled team members.  Attendees might include DBAs, system administrators, developers and other enterprise team members.  Ideally, students should have approximately 6 months to a year of database working knowledge.

Course Agenda

Session: Securing Databases Foundation

Lesson: DISA’s Security Technical Implementation Guides (STIGS)

  • Purpose
  • Process
  • Areas Covered
  • Checklists
  • Scripts (SRRs)
  • Resources

Lesson: Fingerprinting Databases

  • Reconnaissance Goals
  • Data Collection Techniques
  • Fingerprinting the Environment
  • Enumerating Web Applications
  • Spidering, Dorks, and Other Tools

Lesson: Principles of Information Security

  • Security Is a Lifecycle Issue
  • Minimize Attack Surface Area
  • Layers of Defense: Tenacious D
  • Compartmentalize
  • Consider All Application States
  • Do NOT Trust the Untrusted

Session: Database Security Vulnerabilities

Lesson: Database Security Concerns

  • Data at Rest and in Motion
  • Privilege management
  • Boundary Defenses
  • Continuity of Service
  • Trusted Recovery

Lesson: Vulnerabilities

  • Unvalidated Input
  • Broken Authentication
  • Cross Site Scripting (XSS/CSRF)
  • Injection Flaws
  • Error Handling, Logging, and Information Leakage
  • Insecure Storage
  • Direct Object Access
  • XML Vulnerabilities
  • Web Services Vulnerabilities
  • Ajax Vulnerabilities

Lesson: Cryptography Overview

  • Strong Encryption
  • Message digests
  • Keys and key management
  • Certificate management
  • Encryption/Decryption

Lesson: Database Security

  • Design and Configuration
  • Identification and Authentication
  • Computing Environment
  • Database Auditing
  • Boundary Defenses
  • Continuity of Service
  • Vulnerability and Incident Management

Session: Moving Forward

Lesson: STIG Database Security Requirements

  • Identification and Authentication
  • Group and Individual
  • Key Management Practices
  • Token and Certificates Practices
  • Enclave/Computing Environment
  • Auditing Mechanics and Best Practices
  • Data Changes and Controls
  • Encryption
  • Privilege Management
  • Additional Controls and Practices
  • Enclave Boundary Defenses
  • Continuity of Service
  • Defending Backup/Restoration Assets
  • Data and Software Backups
  • Trusted Recovery
  • Vulnerability and Incident Management

Session: Secure Development Lifecycle (SDL)

Lesson: SDL Process Overview

  • Revisiting Attack/Defense Basics
  • Types of Security Controls
  • Attack Phases: Offensive Actions and Defensive Controls
  • Secure Software Development Processes
  • Shifting Left
  • Actionable Items Moving Forward

Session: Taking Action Now

Lesson: Database Checklists

  • Checklist Overview, Conventions, and Best Practices
  • Generic Database Checks and Procedures
  • SQL Server Checks and Procedures (Optional)
  • Installation Checks
  • Database Checks
  • Database Checks and Procedures (Optional)
  • Database Automated Checks
  • Database Interview Checks
  • Database Manual Checks
  • Database Verify Checks
  • Home Automated Checks
  • Home Interview Checks
  • Home Manual Checks
  • Home Verify Checks
  • Practical Application of the Checklists

Lesson: Design Review

  • Asset Inventory and Design
  • Assets, Dataflows, and Trust Boundaries
  • Risk Escalators in Designs
  • Risk Mitigation Options

Lesson: Making Application Security Real

  • Cost of Continually Reinventing
  • Paralysis by Analysis
  • Actional Application Security

Additional Tools for the Toolbox

Course Materials

Student Materials: Each student will receive a Student Guide with course notes, code samples, setp-by-step written lab instructions, software tutorials, diagrams and related reference materials and links (as applicable). Students will also receive related (as applicable) project files, code files, data sets and solutions required for any hands-on work.

Classroom Setup Made Simple:  Our dedicated tech team will work with you to ensure your classroom and lab environment is setup, tested and ready to go well in advance of the course delivery date, ensuring a smooth start to class and seamless hands-on experience for your students. We offer several flexible student machine setup options including guided manual set up for simple installation directly on student machines, or cloud based / remote hosted lab solutions where students can log in to a complete separate lab environment minus any installations, or we can supply complete turn-key, pre-loaded equipment to bring ready-to-go student machines to your facility.  Please inquire for details, options and pricing.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Mix, Match & Master!
2FOR1: Two Courses, One Price!

Enroll in *any* two public courses (for 2023 *OR* 2024 dates!) by December 31, for one price!  Learn something new, or share the promo!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course
Trivera MiniCamps
Gain the skills you need with less time in the classroom with our short course, live-online hands-on events
Trivera QuickSkills: Free Courses and Webinars
Training on us! Keep your skills current with free live events, courses & webinars
Trivera AfterCourse: Coaching and Support
Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More