Database and Application Security: A Practitioner's Guide

About the Book

An all-encompassing guide to securing your database and applications against costly cyberattacks! In a time when the average cyberattack costs a company $9.48 million, organizations are desperate for qualified database administrators and software professionals. Hackers are more innovative than ever before. Increased cybercrime means front-end applications and back-end databases must be fine-tuned for a strong security posture. Database and Application Security: A Practitioner's Guide is the resource you need to better fight cybercrime and become more marketable in an IT environment that is short on skilled cybersecurity professionals.

In this extensive and accessible guide, Dr. R. Sarma Danturthi provides a solutions-based approach to help you master the tools, processes, and methodologies to establish security inside application and database environments. It discusses the STIG requirements for third-party applications and how to make sure these applications comply with an organization's security posture. From securing hosts and creating firewall rules to complying with increasingly tight regulatory requirements, this book will be your go-to resource for creating an ironclad cybersecurity database.

In this guide, you'll find:
  • Tangible ways to protect your company from data breaches, financial loss, and reputational harm
  • Engaging practice questions (and answers) after each chapter to solidify your understanding
  • Key information to prepare for certifications such as Sec+, CISSP, and ITIL
  • Sample scripts for both Oracle and SQL Server software and tips to secure your code
  • Advantages of DB back-end scripting over front-end hard coding to access the DB
  • Processes to create security policies, practice continuous monitoring, and maintain proactive security postures

Register your book for convenient access to downloads, updates, and/or corrections as they become available. See inside the book for details.

Table of Contents:

Foreword    xvi
Introduction    xvii

Part I. Security Fundamentals

Chapter 1. Basics of Cybersecurity    1
  • Cybersecurity    1
  • CIA-DAD    2
  • I-A-A-A    4
  • Defense in Depth    6
  • Hardware and Software Security    7
  • Firewalls, Access Controls, and Access Control Lists    8
  • Physical Security    9
  • Practical Example of a Server Security in an Organization    10
  • Summary    16
  • Chapter 1 Questions    17
  • Answers to Chapter 1 Questions    18

Chapter 2. Security Details    19
  • The Four Attributes: Encrypt, Compress, Index, and Archive    19
  • Encryption, Algorithms    22
  • Public Key Infrastructure    22
  • Email Security Example    23
  • Nonrepudiation, Authentication Methods (K-H-A)    25
  • Current and New Algorithms    26
  • Summary    26
  • Chapter 2 Questions    28
  • Answers to Chapter 2 Questions    29

Chapter 3. Goals of Security    31
  • Goals of Security—SMART/OKR    31
  • Who's Who in Security: RACI    33
  • Creating the RACI Matrix    35
  • Planning—Strategic, Tactical, and Operational    36
  • Events and Incidents    37
  • Risks, Breaches, Fixes    38
  • Security Logs—The More the Merrier    39
  • Re/Engineering a Project    41
  • Keeping Security Up to Date    42
  • Summary    43
  • Chapter 3 Questions    44
  • Answers to Chapter 3 Questions    45

Part II. Database Security—The Back End

Chapter 4. Database Security Introduction    47
  • ACID, BASE of DB, and CIA Compliance    47
  • ACID, BASE, and CIA    47
  • Data in Transit, Data at Rest    49
  • DDL and DML    52
  • Designing a Secure Database    54
  • Structural Security    57
  • Functional Security    60
  • Data Security    61
  • Procedural Security    63
  • Summary    64
  • Chapter 4 Questions    65
  • Answers to Chapter 4 Questions    66

Chapter 5. Access Control of Data    67
  • Access Control—Roles for Individuals and Applications    67
  • MAC, DAC, RBAC, RuBAC    69
  • Passwords, Logins, and Maintenance    74
  • Hashing and Checksum Methods    76
  • Locking, Unlocking, Resetting    80
  • Monitoring User Accounts, System Account    82
  • Data Protection—Views and Materialized Views    86
  • PII Security—Data, Metadata, and Surrogates    90
  • Summary    94
  • Chapter 5 Questions    96
  • Answers to Chapter 5 Questions    97

Chapter 6. Data Refresh, Backup, and Restore    99
  • Data Refresh—Manual, ETL, and Script    99
  • ETL Jobs    102
  • Security in Invoking ETL Job    104
  • Data Pump: Exporting and Importing    106
  • Backup and Restore    109
  • Keeping Track—Daily, Weekly, Monthly    117
  • Summary    119
  • Chapter 6 Questions    120
  • Answers to Chapter 6 Questions    121

Chapter 7. Host Security    123
  • Server Connections and Separation    123
  • IP Selection, Proxy, Invited Nodes    126
  • Access Control Lists    128
  • Connecting to a System/DB: Passwords, Smart Cards, Certificates    131
  • Cron Jobs or Task Scheduler    137
  • Regular Monitoring and Troubleshooting    141
  • Summary    144
  • Chapter 7 Questions    145
  • Answers to Chapter 7 Questions    146

Chapter 8. Proactive Monitoring    149
  • Logs, Logs, and More Logs    149
  • Data Manipulation Monitoring    150
  • Data Structure Monitoring    156
  • Third-Party or Internal Audits    159
  • LOG File Generation    165
  • Summary    172
  • Chapter 8 Questions    173
  • LAB Work    173
  • Answers to Chapter 8 Questions    174

Chapter 9. Risks, Monitoring, and Encryption    175
  • Security Terms    175
  • Risk, Mitigation, Transfer, Avoidance, and Ignoring    177
  • Organized Database Monitoring    181
  • Encrypting the DB: Algorithm Choices    183
  • Automated Alerts    185
  • Summary    186
  • Chapter 9 Questions    187
  • Answers to Chapter 9 Questions    188

Part III. Application Security—The Front End

Chapter 10. Application Security Fundamentals    189
  • Coding Standards    190
  • The Software Development Process    195
  • Models and Selection    199
  • Cohesion and Coupling    201
  • Development, Test, and Production    202
  • Client and Server    204
  • Side Effects of a Bad Security in Software    213
  • Fixing the SQL Injection Attacks    213
  • Evaluate User Input    214
  • Do Back-End Database Checks    215
  • Change Management—Speaking the Same Language    215
  • Secure Logging In to Applications, Access to Users    217
  • Summary    221
  • Chapter 10 Questions    223
  • Answers to Chapter 10 Questions    224

Chapter 11. The Unseen Back End    227
  • Back-End DB Connections in Java/Tomcat    238
  • Connection Strings and Passwords in Code    241
  • Stored Procedures and Functions    242
  • File Encryption, Types, and Association    247
  • Implementing Public Key Infrastructure and Smart Card    250
  • Examples of Key Pairs on Java and Linux    251
  • Symmetric Encryption    253
  • Asymmetric Encryption    254
  • Vulnerabilities, Threats, and Web Security    255
  • Attack Types and Mitigations    256
  • Summary    260
  • Chapter 11 Questions    261
  • Answers to Chapter 11 Questions    262

Chapter 12. Securing Software—In-House and Vendor    263
  • Internal Development Versus Vendors    263
  • Vendor or COTS Software    264
  • Action Plan    265
  • In-House Software Development    266
  • Initial Considerations for In-House Software    267
  • Code Security Check    269
  • Fixing the Final Product—SAST Tools    271
  • Fine-tuning the Product—Testing and Release    277
  • Patches and Updates    278
  • Product Retirement/Decommissioning    280
  • Summary    282
  • Chapter 12 Questions    283
  • Answers to Chapter 12 Questions    284

Part IV. Security Administration

Chapter 13. Security Administration    287
  • Least Privilege, Need to Know, and Separation of Duties    287
  • Who Is Who and Why    290
  • Scope or User Privilege Creep    292
  • Change Management    294
  • Documenting the Process    296
  • Legal Liabilities    308
  • Software Analysis    312
  • Network Analysis    312
  • Hardware or a Device Analysis    313
  • Be Proactive—Benefits and Measures    314
  • Summary    318
  • Chapter 13 Questions    319
  • Answers to Chapter 13 Questions    320

Chapter 14. Follow a Proven Path for Security    323
  • Advantages of Security Administration    323
  • Penetration Testing    325
  • Penetration Test Reports    334
  • Audits—Internal and External and STIG Checking    337
  • OPSEC—The Operational Security    344
  • Digital Forensics—Software Tools    346
  • Lessons Learned/Continuous Improvement    349
  • Summary    350
  • Chapter 14 Questions    352
  • Answers to Chapter 14 Questions    353

Chapter 15. Mobile Devices and Application Security    355
  • Authentication    356
  • Cryptography    359
  • Code Quality and Injection Attacks    360
  • User Privacy on the Device    360
  • Descriptive Claims    361
  • Secure Software Development Claims    361
  • Sandboxing    363
  • Mobile Applications Security Testing    364
  • NIST's Directions for Mobile Device Security    366
  • Summary    370
  • Chapter 15 Questions    372
  • Answers to Chapter 15 Questions    373

Chapter 16. Corporate Security in Practice    375
  • Case # 1: A Person Is Joining an Organization as a New Employee    378
  • Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization    382
  • Case # 3: An Existing Employee Wants to Renew Their Credentials    383
  • Case # 4: An Existing Employee's Privileges Are Increased/Decreased    383
  • Case # 5: A Visitor/Vendor to the Organizational Facility    384
  • Physical Security of DB and Applications    385
  • Business Continuity and Disaster Recovery    388
  • Attacks and Loss—Recognizing and Remediating    390
  • Recovery and Salvage    393
  • Getting Back to Work    394
  • Lessons Learned from a Ransomware Attack—Example from a ISC2 Webinar    399
  • Summary    403
  • Chapter 16 Questions    404
  • Answers to Chapter 16 Questions    405

References    407
Index    411


Product Details
  • ISBN-13: 9780138073770
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Addison Wesley
  • Language: English
  • ISBN-10: 0138073775
  • Publisher Date: 12 Mar 2024
  • Binding: Digital download
  • Sub Title: A Practitioner's Guide

