SOURCE Boston 2012 Follow-Up: What Permissions Does Your Database User REALLY Need?

I had a great time at the SOURCE Boston 2012 conference. The speaker lineup was fantastic and the attendees were great as well. I had the opportunity to give a new presentation based on some work we’ve been doing in database security titled “What Permissions Does Your Database User REALLY Need?” Slides are online here:

The abstract for the talk is:

Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least-privilege” database accounts a standard practice in web application deployment.

Connecting web applications to databases with over-privileged users is a serious issue for a couple of reasons:

  • Web-attached databases have a lot of valuable data in them
  • SQL injection vulnerabilities are far too common
  • Discovery and exploitation of these vulnerabilities can often be automated

The end result is that lots of web databases have data stolen from them and lots of web databases get corrupted with bad data. We’re hoping that this presentation and the associated tool can help folks start moving in a safer direction.
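The methodology in the abstract, deriving a user's grants from what the application is actually observed to do rather than handing it `root`, can be sketched in a few dozen lines. The script below is an added example written for this post; it is not the sqlpermcalc tool's code and does not share its implementation. It takes a constructed list of statements of the kind one would harvest from the MySQL general query log, classifies each by its leading verb, and accumulates the per-table privileges MySQL needs: `SELECT` for tables read via `FROM`/`JOIN` (including the source side of `INSERT ... SELECT`), `INSERT`/`UPDATE`/`DELETE` for the target table, plus `SELECT` on a table whose columns are read in a `WHERE` clause of an `UPDATE` or `DELETE`. The database name `shop`, the account `shop_app@localhost`, the table list and the sample queries are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of statements observed from the application
# (the sort of thing harvested from the MySQL general query log).
OBSERVED_QUERIES = [
    "SELECT id, name, email FROM users WHERE id = 42",
    "SELECT o.id, o.total FROM orders o JOIN users u ON o.user_id = u.id WHERE u.id = 42",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
    "UPDATE users SET last_login = NOW() WHERE id = 42",
    "INSERT INTO audit_log (user_id, action) VALUES (42, 'login')",
    "DELETE FROM sessions WHERE expires_at < NOW()",
]

# Constructed schema: every table in the database, including ones the
# application never touches and therefore should never be granted.
SCHEMA_TABLES = ["users", "orders", "audit_log", "sessions",
                 "admin_notes", "payment_tokens"]

_TABLE = r"`?([A-Za-z_][A-Za-z0-9_]*)`?"
_READ_SOURCES = re.compile(r"\b(?:FROM|JOIN)\s+" + _TABLE, re.I)
_INSERT_TARGET = re.compile(r"\bINSERT\s+INTO\s+" + _TABLE, re.I)
_UPDATE_TARGET = re.compile(r"\bUPDATE\s+" + _TABLE, re.I)
_DELETE_TARGET = re.compile(r"\bDELETE\s+FROM\s+" + _TABLE, re.I)
_HAS_WHERE = re.compile(r"\bWHERE\b", re.I)
_HAS_SELECT = re.compile(r"\bSELECT\b", re.I)


def required_privileges(queries):
    """Map table name -> set of MySQL privileges the observed queries need.

    The regexes are deliberately simple (no handling of string literals that
    contain keywords, or of schema-qualified names); they are enough to show
    the calculation, not a full SQL parser.
    """
    privs = defaultdict(set)
    for q in queries:
        verb = q.strip().split(None, 1)[0].upper()
        if verb == "SELECT":
            for t in _READ_SOURCES.findall(q):
                privs[t].add("SELECT")
        elif verb == "INSERT":
            privs[_INSERT_TARGET.search(q).group(1)].add("INSERT")
            if _HAS_SELECT.search(q):            # INSERT ... SELECT reads other tables
                for t in _READ_SOURCES.findall(q):
                    privs[t].add("SELECT")
        elif verb == "UPDATE":
            t = _UPDATE_TARGET.search(q).group(1)
            privs[t].add("UPDATE")
            if _HAS_WHERE.search(q):             # columns read in WHERE need SELECT
                privs[t].add("SELECT")
        elif verb == "DELETE":
            t = _DELETE_TARGET.search(q).group(1)
            privs[t].add("DELETE")
            if _HAS_WHERE.search(q):
                privs[t].add("SELECT")
        else:
            # Anything else (DDL, GRANT, LOAD DATA, ...) is a red flag for an
            # application account; surface it instead of silently granting.
            raise ValueError(f"unhandled statement type in observed traffic: {verb}")
    return {t: set(p) for t, p in privs.items()}


def grant_statements(privs, user, host, database):
    """Render the least-privilege policy as per-table GRANT statements."""
    return [
        f"GRANT {', '.join(sorted(privs[t]))} ON `{database}`.`{t}` "
        f"TO '{user}'@'{host}';"
        for t in sorted(privs)
    ]


def untouched_tables(privs, schema_tables):
    """Tables the application never needs: under this policy an injected
    query running as the application account cannot reach them at all."""
    return sorted(set(schema_tables) - set(privs))


if __name__ == "__main__":
    needed = required_privileges(OBSERVED_QUERIES)
    for stmt in grant_statements(needed, "shop_app", "localhost", "shop"):
        print(stmt)
    print("-- never granted:", ", ".join(untouched_tables(needed, SCHEMA_TABLES)))
```

Run as-is it prints four `GRANT` lines (one per table the application uses) and reports `admin_notes` and `payment_tokens` as tables the account never gets, which is the practical payoff: a SQL injection through this account is confined to the application's own working set instead of the whole server. The `ValueError` branch is intentional; an application account that is observed issuing DDL or `GRANT` deserves a human look, not an automatic grant.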

Code for the sqlpermcalc tool used during the presentation to create the “least-privilege” database security model can be found at the Github site here. Still lots of work to do, but we’re excited about the direction.

Contact us for help securing your web-attached databases.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

