SlideShare uma empresa Scribd logo

What Permissions Does Your Database User REALLY Need?

Denim Group
Denim Group

Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least privilege” database accounts a standard practice in web application deployment.

Tecnologia
1 de 41
Baixar para ler offline
What Permissions Does Your Database User REALLY Need? Dan Cornell CTO, Denim Group @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 1
Who has deployed a web application to production attached to its database as the “sa” or “root” user? © Copyright 2012 Denim Group - All Rights Reserved 2
LIARS! © Copyright 2012 Denim Group - All Rights Reserved 3
The Weakest Link © Copyright 2012 Denim Group - All Rights Reserved 4
Web Application Database User Permissions • Data = Value • Web Applications Are Front-Ends For Web Databases • Web Applications Are Full of SQL Injection Vulnerabilities • Therefore: Choosing You Web Database User Permissions Has a Large Potential Impact On Your Security Posture © Copyright 2012 Denim Group - All Rights Reserved 5
Problems With Web Database Access Security • Nearly all applications use a single database user to access the database – Masks the true identity of the caller to the database • Too often this user is hyper-privileged • Why? – Lazy configuration management for production environment – DBA attitude of “one app – one schema – one user” – “Too hard” to figure out what permissions are needed – Schema ownership required by 3rd party code © Copyright 2012 Denim Group - All Rights Reserved 6
Result • Any SQL injection vulnerability exploit owns the entire database – Schema: Map it out – Data: INSERT, UPDATE, SELECT, DELETE • Whole “Confidentiality, Integrity and Availability” thing: out the window • This can even be automated: – sqlmap: http://sqlmap.sourceforge.net/ • If that database user‟s privileges extend beyond the database supporting the vulnerable application… © Copyright 2012 Denim Group - All Rights Reserved 7
Test Environment • (Crappy) PHP Web Application: Crap-E-Commerce • Database Access With Full Permissions © Copyright 2012 Denim Group - All Rights Reserved 8
Environment Setup Tips • If you want to symlink to the commerce/ examples on OS X – http://tlrobinson.net/blog/2008/06/mac-os-x-web-sharing-apache-and-symlinks/ • Use „127.0.0.1‟ rather than „localhost‟ for the MySQL database host – http://stackoverflow.com/questions/3968013/cakephp-no-such-file-or-directory- trying-to-connect-via-unix-var-mysql-mysq © Copyright 2012 Denim Group - All Rights Reserved 9
What Is Wrong With Our Target Application? • Process: – Scan with OWASP ZAProxy to find vulnerabilities: http://code.google.com/p/zaproxy/ – Use sqlmap to see what we can find • Results: – Publicly-accessible SQL injections! © Copyright 2012 Denim Group - All Rights Reserved 10
Sqlmap Results • Command – ./sqlmap.py -u http://localhost/~dcornell/commerce/order.php?order_id=1 --dump-all • Data retrieved: – All of it… © Copyright 2012 Denim Group - All Rights Reserved 11
Actual Business Impact • From sqlmap: Lost all data in the database: – Usernames and passwords – Order history – Full credit card information • Additional possibilities: UPDATE, DELETE, INSERT © Copyright 2012 Denim Group - All Rights Reserved 12
We Need To Make Some Progress © Copyright 2012 Denim Group - All Rights Reserved 13
That Was With a Powerful Database User So what happens if we deploy the application with a less powerful user? To do this we need to know what access a legitimate user needs… © Copyright 2012 Denim Group - All Rights Reserved 14
What Privileges Does a Database User Need? • Ask the development team – Good luck with that – Do they even know given frameworks and abstraction layers like ORMs – Doesn‟t scale • Ask the DBA – Double good luck with that – Doesn‟t scale • Inspect the code – Ugh – Error prone – Doesn‟t scale © Copyright 2012 Denim Group - All Rights Reserved 15
Any Way To Automate This? • Interesting Article: – http://www.teamshatter.com/topics/general/team-shatter-exclusive/what-are-my- users%E2%80%99-effective-database-privileges/ – See http://www.petefinnigan.com/tools.htm for more along these lines • Less than ideal – What assets can this user access? versus – What assets does the user need to access? • Could be helpful determining possible impact of a breach © Copyright 2012 Denim Group - All Rights Reserved 16
Other Permission Calculation Tools • .NET Permission Calculator Tool (Permcalc.exe) – http://msdn.microsoft.com/en-us/library/ms165077(v=vs.90).aspx • Stowaway (Android Permissions Calculator) – http://www.android-permissions.org/ • Both of these tools appear to rely solely on static analysis – Makes sense from a coverage standpoint – Would be really hard for databases potentially accessed by multiple applications © Copyright 2012 Denim Group - All Rights Reserved 17
Alternate Approach • Dynamically analyze traffic to the database server • Use that traffic as a “representative sample” of required database access • Create user permissions based on this • Why? – Static analysis is really hard to get exactly right – this relies on observed behavior © Copyright 2012 Denim Group - All Rights Reserved 18
sqlpermcalc • Tool that calculates the least-privilege database permissions required to execute a given set of SQL queries – Written in Python – https://github.com/denimgroup/sqlpermcalc • Helper tools: – Start and stop MySQL logging – Capture query log from a MySQL database • Relies on python-sqlparse for basic SQL parsing support – https://code.google.com/p/python-sqlparse/ – Thanks Andi Albrecht! (http://andialbrecht.de/) © Copyright 2012 Denim Group - All Rights Reserved 19
An Aside: “Pythonic” • Definition of “pythonic” – “To be Pythonic is to use the Python constructs and data structures with clean, readable idioms” – http://faassen.n--tree.net/blog/view/weblog/2005/08/06/0 • At this point sqlpermcalc is more … “python-ish” – Enjoy  – Any Python gurus are more than welcome to help with cleanup… © Copyright 2012 Denim Group - All Rights Reserved 20
Support Tools • Turn on MySQL logging with mysql_start_logging.sh – Not recommended for use in production because of potential performance impact – Also we‟re logging to MySQL tables rather than a log file – even worse • Retrieve MySQL log data with mysql_get_logfile.sh – Pulls queries from a given user into a local .sql file • Turn off MySQL logging with mysql_stop_logging.sh – Stops logging © Copyright 2012 Denim Group - All Rights Reserved 21
Process • Stop webserver • Turn on MySQL logging • Start webserver • Exercise application • Retrieve logs • Turn off MySQL logging • Analyze logs for permission usage © Copyright 2012 Denim Group - All Rights Reserved 22
Calculating Permissions • SELECT • INSERT • UPDATE • DELETE © Copyright 2012 Denim Group - All Rights Reserved 23
SELECT Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • WHERE clause will require additional SELECT permissions • Scenarios: – SELECT * FROM MyTable – SELECT col1, col2, col3 FROM MyTable – SELECT * FROM MyTable WHERE col1 = 1 AND col2 = 2 OR col3 = „three‟ – SELECT col1, col2 FROM MyTable where col3 = „three‟ © Copyright 2012 Denim Group - All Rights Reserved 24
INSERT Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • Scenarios: – Full table: INSERT INTO MyTable VALUES (1, 2, „three‟) – Columns in table: INSERT INTO MyTable (col1, col2, col3) VALUES (1, 2, „three‟) © Copyright 2012 Denim Group - All Rights Reserved 25
UPDATE Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • WHERE clause will require SELECT permissions as well • Scenarios: – UPDATE MyTable SET col1 = 1 – UPDATE MyTable SET col2 = 2 WHERE col3 = „three‟ © Copyright 2012 Denim Group - All Rights Reserved 26
DELETE Permissions • Can only control on a table-wide basis • WHERE clause will require SELECT permissions as well • Scenarios: – DELETE FROM MyTable – DELETE FROM MyTable WHERE col1 = 1 © Copyright 2012 Denim Group - All Rights Reserved 27
A Note About Wildcards • DELETE always impacts all columns in a table – Hence it only has table-level permissions – not column-level • SELECT and INSERT sometimes impact all columns in a table – SELECT * FROM MyTable – INSERT INTO MyTable VALUES (1, 2, „three‟) • Currently we do not “know” the actual database schema – Therefore we do not know all of the actual column names – So instead we track „*‟ to represent “all columns” • This should not cause problems – What we see accessed in the queries should be what we need to access © Copyright 2012 Denim Group - All Rights Reserved 28
What Permissions Are Actually Needed? • INSERT – CommerceUser: email,first_name,last_name,password – CreditCard: CVV,expiration,number,type – OrderItem: order_id,price,product_id,product_name,quantity • SELECT – CommerceUser: * – Order: date,total,user_id – OrderItem: price,product_id,product_name,quantity – Product: * © Copyright 2012 Denim Group - All Rights Reserved 29
Given The Model We Can Generate GRANTs • For MySQL we need to know the user account name and host for access GRANT INSERT (email,first_name,last_name,password) ON sqlpermcalc_commerce.CommerceUser TO 'spc_publiclow'@'localhost'; GRANT INSERT (CVV,expiration,number,type) ON sqlpermcalc_commerce.CreditCard TO 'spc_publiclow'@'localhost'; GRANT INSERT (order_id,price,product_id,product_name,quantity) ON sqlpermcalc_commerce.OrderItem TO 'spc_publiclow'@'localhost'; GRANT SELECT ON sqlpermcalc_commerce.CommerceUser TO 'spc_publiclow'@'localhost'; GRANT SELECT (date,total,user_id) ON sqlpermcalc_commerce.Order TO 'spc_publiclow'@'localhost'; GRANT SELECT (order_id,price,product_id,product_name,quantity) ON sqlpermcalc_commerce.OrderItem TO 'spc_publiclow'@'localhost'; GRANT SELECT ON sqlpermcalc_commerce.Product TO 'spc_publiclow'@'localhost'; © Copyright 2012 Denim Group - All Rights Reserved 30
Impact of Slimmed-Down Permissions? © Copyright 2012 Denim Group - All Rights Reserved 31
Re-Run sqlmap • Can still recover a whole lot of data – But not the credit card data (or even the credit card primary key IDs) – So that is better. Kinda • But… – No UPDATE or DELETE access to any tables – Limited INSERT access • What Does That Get Us? – Can‟t INSERT into Products or modify Products – Automated SQL worms can‟t “infect” the site with malware via SQL injection – So that is definitely better © Copyright 2012 Denim Group - All Rights Reserved 32
Other Uses • Insight into database usage – Do you have any idea what database assets your web application touches? – Even if you don‟t generate new user permissions, you can still use this to explore • Forensic review over time – Gather usage logs from production servers at intervals? – Why did this app suddenly start using additional permissions? • Compare multiple user roles or applications – What does each need to do? – How are the access needs different? © Copyright 2012 Denim Group - All Rights Reserved 33
Calculating Permission for Multiple Scenarios • Hosting Multiple Applications Accessing the Same Database(s) – Two applications (public and admin) share several databases – Public site is read-only and heavily cached – Admin site is read/write – During series of attacks we had to manually calculate constrained permissions • Hosting Same Application In Different VMs – Cannot make code changes but need to harden infrastructure – Host different configuration files for database access – Example: Falling Rock Networks Armored Stack infrastructure • http://www.fallingrocknetworks.com/armored-stack.html © Copyright 2012 Denim Group - All Rights Reserved 34
Limits of This Approach • Assumes that assets touched during a test run are all that a legitimate user session will ever need – If we miss something we will see runtime errors – Likely needs re-calculation when code is changed – Comprehensive unit/regression test suite can help (Rugged DevOps!) • Many applications require a lot of access so the security benefit might not be as great as desired – In the example application: we still lost usernames/passwords © Copyright 2012 Denim Group - All Rights Reserved 35
Current sqlpermcalc Limitations • Only supports basic SQL functionality – SELECT, INSERT, UPDATE, DELETE • Parsing is still crudimentary – More advanced SELECT statements – JOINs, subqueries – are not yet supported – Precludes use for apps using common frameworks and tools • Only tested on MySQL – Every databases SQL dialect is a little different – Every database has different ways to grant/revoke privileges © Copyright 2012 Denim Group - All Rights Reserved 36
Next Steps • Improve the SQL supported by the parser – Support all SQL queries generated by Hibernate for a non-trivial application – Look into adding support for stored procedures • Clean up code – This is kind of “scripty” right now – Allow others to use the capabilities – Make it more Pythonic – http://kennethreitz.com/repository-structure-and-python.html • Support for other databases – Pull MS SQL Server queries from the Profiler © Copyright 2012 Denim Group - All Rights Reserved 37
Other Stuff To Look At • SE PostgreSQL: https://code.google.com/p/sepgsql/ © Copyright 2012 Denim Group - All Rights Reserved 38
Get The Code • sqlpermcalc on Github: https://github.com/denimgroup/sqlpermcalc – sqlpermcalc Python code – Example Crap-E-Commerce app – Support scripts for MySQL © Copyright 2012 Denim Group - All Rights Reserved 39
Conclusions and Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com github.com/denimgroup/sqlpermcalc (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 40

Recomendados

Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 

Recomendados

Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...Denim Group
 
Database security
Database securityDatabase security
Database securitySoftware Engineering
 
Mule access management - Managing Environments and Permissions
Mule access management - Managing Environments and PermissionsMule access management - Managing Environments and Permissions
Mule access management - Managing Environments and PermissionsShanky Gupta
 

Mais conteúdo relacionado

Mais procurados

Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...Denim Group
 

Mais procurados (20)

Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 

Destaque

Mule access management - Managing Environments and Permissions
Mule access management - Managing Environments and PermissionsMule access management - Managing Environments and Permissions
Mule access management - Managing Environments and PermissionsShanky Gupta
 
Anypoint access management - Roles
Anypoint access management - RolesAnypoint access management - Roles
Anypoint access management - RolesShanky Gupta
 
Presentation on Federated identity and Access Management
Presentation on Federated identity and Access ManagementPresentation on Federated identity and Access Management
Presentation on Federated identity and Access Managementokoliec
 
Présentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinIDPrésentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinIDMichel-Marie Maudet
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Kingsley Uyi Idehen
 
10 02 authentification PAM
10 02 authentification PAM10 02 authentification PAM
10 02 authentification PAMNoël
 
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen DeloitteIAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen DeloitteIBM Sverige
 
The Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity ModelThe Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity ModelSarah Moore
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 

Destaque (14)

Database security
Database securityDatabase security
Database security
 
Mule access management - Managing Environments and Permissions
Mule access management - Managing Environments and PermissionsMule access management - Managing Environments and Permissions
Mule access management - Managing Environments and Permissions
 
Anypoint access management - Roles
Anypoint access management - RolesAnypoint access management - Roles
Anypoint access management - Roles
 
Presentation on Federated identity and Access Management
Presentation on Federated identity and Access ManagementPresentation on Federated identity and Access Management
Presentation on Federated identity and Access Management
 
Présentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinIDPrésentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinID
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
 
IAM
IAM IAM
IAM
 
Les processus IAM
Les processus IAMLes processus IAM
Les processus IAM
 
10 02 authentification PAM
10 02 authentification PAM10 02 authentification PAM
10 02 authentification PAM
 
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen DeloitteIAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
 
Itil 2011 Mind Maps
Itil 2011 Mind MapsItil 2011 Mind Maps
Itil 2011 Mind Maps
 
Itil 2011 process map goldfish_fr_v1.0
Itil 2011 process map goldfish_fr_v1.0Itil 2011 process map goldfish_fr_v1.0
Itil 2011 process map goldfish_fr_v1.0
 
The Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity ModelThe Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity Model
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 

Semelhante a What Permissions Does Your Database User REALLY Need?

Ce hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversCe hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversVi Tính Hoàng Nam
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...Olivier DASINI
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You ThinkCIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You ThinkCloudIDSummit
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014Kelly Grizzle
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOsama Mustafa
 
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance TuningMySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance TuningMark Swarbrick
 
2019 odtug webinar-20190129
2019 odtug webinar-201901292019 odtug webinar-20190129
2019 odtug webinar-20190129Secure-24
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesBiju Thomas
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
Storage Systems For Scalable systems
Storage Systems For Scalable systemsStorage Systems For Scalable systems
Storage Systems For Scalable systemselliando dias
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAsBen Krug
 
MySQL Performance Tuning at COSCUP 2014
MySQL Performance Tuning at COSCUP 2014MySQL Performance Tuning at COSCUP 2014
MySQL Performance Tuning at COSCUP 2014Ryusuke Kajiyama
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLEDB
 
Hadoop Essentials -- The What, Why and How to Meet Agency Objectives
Hadoop Essentials -- The What, Why and How to Meet Agency ObjectivesHadoop Essentials -- The What, Why and How to Meet Agency Objectives
Hadoop Essentials -- The What, Why and How to Meet Agency ObjectivesCloudera, Inc.
 
Sysmech The Zen of Consolidated Network Performance Management
Sysmech The Zen of Consolidated Network Performance ManagementSysmech The Zen of Consolidated Network Performance Management
Sysmech The Zen of Consolidated Network Performance ManagementSystemsMechanics
 
Top10 list planningpostgresdeployment.2014
Top10 list planningpostgresdeployment.2014Top10 list planningpostgresdeployment.2014
Top10 list planningpostgresdeployment.2014EDB
 
Hadoop Application Architectures tutorial at Big DataService 2015
Hadoop Application Architectures tutorial at Big DataService 2015Hadoop Application Architectures tutorial at Big DataService 2015
Hadoop Application Architectures tutorial at Big DataService 2015hadooparchbook
 
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 Potsdam
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 PotsdamFrom Zero to Performance Hero in Minutes - Agile Testing Days 2014 Potsdam
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 PotsdamAndreas Grabner
 

Semelhante a What Permissions Does Your Database User REALLY Need? (20)

Ce hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversCe hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database servers
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You ThinkCIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance TuningMySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance Tuning
 
2019 odtug webinar-20190129
2019 odtug webinar-201901292019 odtug webinar-20190129
2019 odtug webinar-20190129
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Storage Systems For Scalable systems
Storage Systems For Scalable systemsStorage Systems For Scalable systems
Storage Systems For Scalable systems
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
 
MySQL Performance Tuning at COSCUP 2014
MySQL Performance Tuning at COSCUP 2014MySQL Performance Tuning at COSCUP 2014
MySQL Performance Tuning at COSCUP 2014
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
Hadoop Essentials -- The What, Why and How to Meet Agency Objectives
Hadoop Essentials -- The What, Why and How to Meet Agency ObjectivesHadoop Essentials -- The What, Why and How to Meet Agency Objectives
Hadoop Essentials -- The What, Why and How to Meet Agency Objectives
 
Sysmech The Zen of Consolidated Network Performance Management
Sysmech The Zen of Consolidated Network Performance ManagementSysmech The Zen of Consolidated Network Performance Management
Sysmech The Zen of Consolidated Network Performance Management
 
Top10 list planningpostgresdeployment.2014
Top10 list planningpostgresdeployment.2014Top10 list planningpostgresdeployment.2014
Top10 list planningpostgresdeployment.2014
 
Hadoop Application Architectures tutorial at Big DataService 2015
Hadoop Application Architectures tutorial at Big DataService 2015Hadoop Application Architectures tutorial at Big DataService 2015
Hadoop Application Architectures tutorial at Big DataService 2015
 
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 Potsdam
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 PotsdamFrom Zero to Performance Hero in Minutes - Agile Testing Days 2014 Potsdam
From Zero to Performance Hero in Minutes - Agile Testing Days 2014 Potsdam
 

Mais de Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

Mais de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

What Permissions Does Your Database User REALLY Need?

  • 1. What Permissions Does Your Database User REALLY Need? Dan Cornell CTO, Denim Group @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
  • 2. My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 1
  • 3. Who has deployed a web application to production attached to its database as the “sa” or “root” user? © Copyright 2012 Denim Group - All Rights Reserved 2
  • 4. LIARS! © Copyright 2012 Denim Group - All Rights Reserved 3
  • 5. The Weakest Link © Copyright 2012 Denim Group - All Rights Reserved 4
  • 6. Web Application Database User Permissions • Data = Value • Web Applications Are Front-Ends For Web Databases • Web Applications Are Full of SQL Injection Vulnerabilities • Therefore: Choosing You Web Database User Permissions Has a Large Potential Impact On Your Security Posture © Copyright 2012 Denim Group - All Rights Reserved 5
  • 7. Problems With Web Database Access Security • Nearly all applications use a single database user to access the database – Masks the true identity of the caller to the database • Too often this user is hyper-privileged • Why? – Lazy configuration management for production environment – DBA attitude of “one app – one schema – one user” – “Too hard” to figure out what permissions are needed – Schema ownership required by 3rd party code © Copyright 2012 Denim Group - All Rights Reserved 6
  • 8. Result • Any SQL injection vulnerability exploit owns the entire database – Schema: Map it out – Data: INSERT, UPDATE, SELECT, DELETE • Whole “Confidentiality, Integrity and Availability” thing: out the window • This can even be automated: – sqlmap: http://sqlmap.sourceforge.net/ • If that database user‟s privileges extend beyond the database supporting the vulnerable application… © Copyright 2012 Denim Group - All Rights Reserved 7
  • 9. Test Environment • (Crappy) PHP Web Application: Crap-E-Commerce • Database Access With Full Permissions © Copyright 2012 Denim Group - All Rights Reserved 8
  • 10. Environment Setup Tips • If you want to symlink to the commerce/ examples on OS X – http://tlrobinson.net/blog/2008/06/mac-os-x-web-sharing-apache-and-symlinks/ • Use „127.0.0.1‟ rather than „localhost‟ for the MySQL database host – http://stackoverflow.com/questions/3968013/cakephp-no-such-file-or-directory- trying-to-connect-via-unix-var-mysql-mysq © Copyright 2012 Denim Group - All Rights Reserved 9
  • 11. What Is Wrong With Our Target Application? • Process: – Scan with OWASP ZAProxy to find vulnerabilities: http://code.google.com/p/zaproxy/ – Use sqlmap to see what we can find • Results: – Publicly-accessible SQL injections! © Copyright 2012 Denim Group - All Rights Reserved 10
  • 12. Sqlmap Results • Command – ./sqlmap.py -u http://localhost/~dcornell/commerce/order.php?order_id=1 --dump-all • Data retrieved: – All of it… © Copyright 2012 Denim Group - All Rights Reserved 11
  • 13. Actual Business Impact • From sqlmap: Lost all data in the database: – Usernames and passwords – Order history – Full credit card information • Additional possibilities: UPDATE, DELETE, INSERT © Copyright 2012 Denim Group - All Rights Reserved 12
  • 14. We Need To Make Some Progress © Copyright 2012 Denim Group - All Rights Reserved 13
  • 15. That Was With a Powerful Database User So what happens if we deploy the application with a less powerful user? To do this we need to know what access a legitimate user needs… © Copyright 2012 Denim Group - All Rights Reserved 14
  • 16. What Privileges Does a Database User Need? • Ask the development team – Good luck with that – Do they even know given frameworks and abstraction layers like ORMs – Doesn‟t scale • Ask the DBA – Double good luck with that – Doesn‟t scale • Inspect the code – Ugh – Error prone – Doesn‟t scale © Copyright 2012 Denim Group - All Rights Reserved 15
  • 17. Any Way To Automate This? • Interesting Article: – http://www.teamshatter.com/topics/general/team-shatter-exclusive/what-are-my- users%E2%80%99-effective-database-privileges/ – See http://www.petefinnigan.com/tools.htm for more along these lines • Less than ideal – What assets can this user access? versus – What assets does the user need to access? • Could be helpful determining possible impact of a breach © Copyright 2012 Denim Group - All Rights Reserved 16
  • 18. Other Permission Calculation Tools • .NET Permission Calculator Tool (Permcalc.exe) – http://msdn.microsoft.com/en-us/library/ms165077(v=vs.90).aspx • Stowaway (Android Permissions Calculator) – http://www.android-permissions.org/ • Both of these tools appear to rely solely on static analysis – Makes sense from a coverage standpoint – Would be really hard for databases potentially accessed by multiple applications © Copyright 2012 Denim Group - All Rights Reserved 17
  • 19. Alternate Approach • Dynamically analyze traffic to the database server • Use that traffic as a “representative sample” of required database access • Create user permissions based on this • Why? – Static analysis is really hard to get exactly right – this relies on observed behavior © Copyright 2012 Denim Group - All Rights Reserved 18
  • 20. sqlpermcalc • Tool that calculates the least-privilege database permissions required to execute a given set of SQL queries – Written in Python – https://github.com/denimgroup/sqlpermcalc • Helper tools: – Start and stop MySQL logging – Capture query log from a MySQL database • Relies on python-sqlparse for basic SQL parsing support – https://code.google.com/p/python-sqlparse/ – Thanks Andi Albrecht! (http://andialbrecht.de/) © Copyright 2012 Denim Group - All Rights Reserved 19
  • 21. An Aside: “Pythonic” • Definition of “pythonic” – “To be Pythonic is to use the Python constructs and data structures with clean, readable idioms” – http://faassen.n--tree.net/blog/view/weblog/2005/08/06/0 • At this point sqlpermcalc is more … “python-ish” – Enjoy  – Any Python gurus are more than welcome to help with cleanup… © Copyright 2012 Denim Group - All Rights Reserved 20
  • 22. Support Tools • Turn on MySQL logging with mysql_start_logging.sh – Not recommended for use in production because of potential performance impact – Also we‟re logging to MySQL tables rather than a log file – even worse • Retrieve MySQL log data with mysql_get_logfile.sh – Pulls queries from a given user into a local .sql file • Turn off MySQL logging with mysql_stop_logging.sh – Stops logging © Copyright 2012 Denim Group - All Rights Reserved 21
  • 23. Process • Stop webserver • Turn on MySQL logging • Start webserver • Exercise application • Retrieve logs • Turn off MySQL logging • Analyze logs for permission usage © Copyright 2012 Denim Group - All Rights Reserved 22
  • 24. Calculating Permissions • SELECT • INSERT • UPDATE • DELETE © Copyright 2012 Denim Group - All Rights Reserved 23
  • 25. SELECT Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • WHERE clause will require additional SELECT permissions • Scenarios: – SELECT * FROM MyTable – SELECT col1, col2, col3 FROM MyTable – SELECT * FROM MyTable WHERE col1 = 1 AND col2 = 2 OR col3 = „three‟ – SELECT col1, col2 FROM MyTable where col3 = „three‟ © Copyright 2012 Denim Group - All Rights Reserved 24
  • 26. INSERT Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • Scenarios: – Full table: INSERT INTO MyTable VALUES (1, 2, „three‟) – Columns in table: INSERT INTO MyTable (col1, col2, col3) VALUES (1, 2, „three‟) © Copyright 2012 Denim Group - All Rights Reserved 25
  • 27. UPDATE Permissions • Can control on a table-wide basis • Can control on a per-column basis for a table • WHERE clause will require SELECT permissions as well • Scenarios: – UPDATE MyTable SET col1 = 1 – UPDATE MyTable SET col2 = 2 WHERE col3 = „three‟ © Copyright 2012 Denim Group - All Rights Reserved 26
  • 28. DELETE Permissions • Can only control on a table-wide basis • WHERE clause will require SELECT permissions as well • Scenarios: – DELETE FROM MyTable – DELETE FROM MyTable WHERE col1 = 1 © Copyright 2012 Denim Group - All Rights Reserved 27
  • 29. A Note About Wildcards • DELETE always impacts all columns in a table – Hence it only has table-level permissions – not column-level • SELECT and INSERT sometimes impact all columns in a table – SELECT * FROM MyTable – INSERT INTO MyTable VALUES (1, 2, „three‟) • Currently we do not “know” the actual database schema – Therefore we do not know all of the actual column names – So instead we track „*‟ to represent “all columns” • This should not cause problems – What we see accessed in the queries should be what we need to access © Copyright 2012 Denim Group - All Rights Reserved 28
  • 30. What Permissions Are Actually Needed? • INSERT – CommerceUser: email,first_name,last_name,password – CreditCard: CVV,expiration,number,type – OrderItem: order_id,price,product_id,product_name,quantity • SELECT – CommerceUser: * – Order: date,total,user_id – OrderItem: price,product_id,product_name,quantity – Product: * © Copyright 2012 Denim Group - All Rights Reserved 29
  • 31. Given The Model We Can Generate GRANTs • For MySQL we need to know the user account name and host for access GRANT INSERT (email,first_name,last_name,password) ON sqlpermcalc_commerce.CommerceUser TO 'spc_publiclow'@'localhost'; GRANT INSERT (CVV,expiration,number,type) ON sqlpermcalc_commerce.CreditCard TO 'spc_publiclow'@'localhost'; GRANT INSERT (order_id,price,product_id,product_name,quantity) ON sqlpermcalc_commerce.OrderItem TO 'spc_publiclow'@'localhost'; GRANT SELECT ON sqlpermcalc_commerce.CommerceUser TO 'spc_publiclow'@'localhost'; GRANT SELECT (date,total,user_id) ON sqlpermcalc_commerce.Order TO 'spc_publiclow'@'localhost'; GRANT SELECT (order_id,price,product_id,product_name,quantity) ON sqlpermcalc_commerce.OrderItem TO 'spc_publiclow'@'localhost'; GRANT SELECT ON sqlpermcalc_commerce.Product TO 'spc_publiclow'@'localhost'; © Copyright 2012 Denim Group - All Rights Reserved 30
  • 32. Impact of Slimmed-Down Permissions? © Copyright 2012 Denim Group - All Rights Reserved 31
  • 33. Re-Run sqlmap • Can still recover a whole lot of data – But not the credit card data (or even the credit card primary key IDs) – So that is better. Kinda • But… – No UPDATE or DELETE access to any tables – Limited INSERT access • What Does That Get Us? – Can‟t INSERT into Products or modify Products – Automated SQL worms can‟t “infect” the site with malware via SQL injection – So that is definitely better © Copyright 2012 Denim Group - All Rights Reserved 32
  • 34. Other Uses • Insight into database usage – Do you have any idea what database assets your web application touches? – Even if you don‟t generate new user permissions, you can still use this to explore • Forensic review over time – Gather usage logs from production servers at intervals? – Why did this app suddenly start using additional permissions? • Compare multiple user roles or applications – What does each need to do? – How are the access needs different? © Copyright 2012 Denim Group - All Rights Reserved 33
  • 35. Calculating Permission for Multiple Scenarios • Hosting Multiple Applications Accessing the Same Database(s) – Two applications (public and admin) share several databases – Public site is read-only and heavily cached – Admin site is read/write – During series of attacks we had to manually calculate constrained permissions • Hosting Same Application In Different VMs – Cannot make code changes but need to harden infrastructure – Host different configuration files for database access – Example: Falling Rock Networks Armored Stack infrastructure • http://www.fallingrocknetworks.com/armored-stack.html © Copyright 2012 Denim Group - All Rights Reserved 34
  • 36. Limits of This Approach • Assumes that assets touched during a test run are all that a legitimate user session will ever need – If we miss something we will see runtime errors – Likely needs re-calculation when code is changed – Comprehensive unit/regression test suite can help (Rugged DevOps!) • Many applications require a lot of access so the security benefit might not be as great as desired – In the example application: we still lost usernames/passwords © Copyright 2012 Denim Group - All Rights Reserved 35
  • 37. Current sqlpermcalc Limitations • Only supports basic SQL functionality – SELECT, INSERT, UPDATE, DELETE • Parsing is still crudimentary – More advanced SELECT statements – JOINs, subqueries – are not yet supported – Precludes use for apps using common frameworks and tools • Only tested on MySQL – Every databases SQL dialect is a little different – Every database has different ways to grant/revoke privileges © Copyright 2012 Denim Group - All Rights Reserved 36
  • 38. Next Steps • Improve the SQL supported by the parser – Support all SQL queries generated by Hibernate for a non-trivial application – Look into adding support for stored procedures • Clean up code – This is kind of “scripty” right now – Allow others to use the capabilities – Make it more Pythonic – http://kennethreitz.com/repository-structure-and-python.html • Support for other databases – Pull MS SQL Server queries from the Profiler © Copyright 2012 Denim Group - All Rights Reserved 37
  • 39. Other Stuff To Look At • SE PostgreSQL: https://code.google.com/p/sepgsql/ © Copyright 2012 Denim Group - All Rights Reserved 38
  • 40. Get The Code • sqlpermcalc on Github: https://github.com/denimgroup/sqlpermcalc – sqlpermcalc Python code – Example Crap-E-Commerce app – Support scripts for MySQL © Copyright 2012 Denim Group - All Rights Reserved 39
  • 41. Conclusions and Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com github.com/denimgroup/sqlpermcalc (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 40