OWASP Minneapolis/St. Paul: What Permissions Does Your Database User REALLY Need?
I’ll be presenting at OWASP Minneapolis / St. Paul on Monday June 18th, 2012. The topic is “What Permissions Does Your Database User REALLY Need?” and the talk abstract is:
Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least privilege” database accounts a standard practice in web application deployment.
This is very similar to the talk I gave at SOURCE Boston this year with some updates to the permission-calculation tool. You can see a brief video with some background on the talk here:
Be sure to sign up at EventBrite to reserve your spot and contact us if you would like to meet up in Minneapolis.
dan _at_ denimgroup.com