Notes

Uploaded by

togrulaliyev1020

Database Security Best Practices

- Tables consist of columns and rows


Data & Users -> Assess, Detect, Prevent
Assess - Assess the current state of the database
Detect - Detect attempts to access data, especially attempts that violate policy
Prevent - Prevent inappropriate requests / attempts to compromise data in the database
Assess Security Risks:
- Quickly evaluate risks to your Oracle Databases
- Identify Sensitive data
Prevent Data Compromise:
- Block out-of-band access with encryption at rest and in motion
- Protect against compromised administrator login credentials
- Enforce trusted path access
- Prevent sensitive data proliferation
- Reduce your exposure
Activity Monitoring, Detect Anomalies, Support Data Protection Officers
- Audit user activities
- Detect abnormal attack patterns
- Alert and report on security incidents
It is essential to encrypt your database and backups!
---
Your dilemma
To do, or not to do
Your wish:
- Get actionable insights from your data to take smarter business decisions
- Use realistic data for development and analysis
- Quickly share data with developers, data scientists, and partners
Your concern:
- Avoid proliferation of sensitive data to non-production environments
- Comply with data privacy regulations such as GDPR
The solution:
- Data Masking and subsetting
If a value is masked, it is important to mask every related value (foreign keys, copies in other tables) in the same way, so the connections between records are not lost
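The "mask the relations too" point above, as an added example that is not part of the original notes: a constructed two-table dataset is subsetted to one region and masked with a keyed, deterministic function, so the orders' foreign key still joins to the masked customers (the key, rows and schema are all made up for the demo).

```python
import hashlib
import hmac
import sqlite3

MASK_KEY = b"constructed-demo-key"  # demo value; a real job takes it from a key store
# Constructed rows; orders.customer_email references customers.email, so the
# address must be masked identically in both tables.
CUSTOMERS = [("alice@corp.example", "Alice Adams", "eu"),
             ("bob@corp.example", "Bob Brown", "us"),
             ("carol@corp.example", "Carol Chen", "eu")]
ORDERS = [(1, "alice@corp.example", 120.0), (2, "alice@corp.example", 35.5),
          (3, "bob@corp.example", 80.0), (4, "carol@corp.example", 10.0)]
SCHEMA = """CREATE TABLE customers(email TEXT PRIMARY KEY, name TEXT, region TEXT);
CREATE TABLE orders(id INTEGER PRIMARY KEY, amount REAL,
  customer_email TEXT NOT NULL REFERENCES customers(email));"""

def mask_email(email: str) -> str:
    """Keyed, deterministic masking: the same real address always yields the
    same fake one (so joins survive), but the mapping cannot be reversed."""
    tag = hmac.new(MASK_KEY, email.lower().encode(), hashlib.sha256).hexdigest()
    return f"user_{tag[:12]}@masked.invalid"

def mask_name(name: str) -> str:
    tag = hmac.new(MASK_KEY, b"name:" + name.encode(), hashlib.sha256).hexdigest()
    return f"Person {tag[:8]}"

def mask_and_subset(region: str) -> sqlite3.Connection:
    """Subsetting: copy one region only. Masking: rewrite PII in customers and
    the foreign key in orders with the same function so no link is lost."""
    dst = sqlite3.connect(":memory:")
    dst.execute("PRAGMA foreign_keys = ON")  # an orphaned order would now fail
    dst.executescript(SCHEMA)
    kept = {e for e, _, r in CUSTOMERS if r == region}
    dst.executemany("INSERT INTO customers VALUES (?,?,?)",
        [(mask_email(e), mask_name(n), r) for e, n, r in CUSTOMERS if e in kept])
    dst.executemany("INSERT INTO orders VALUES (?,?,?)",
        [(i, a, mask_email(e)) for i, e, a in ORDERS if e in kept])
    dst.commit()
    return dst

def check_masked_db(conn: sqlite3.Connection) -> dict:
    """Verify no real address leaked and every order still joins to a customer."""
    emails = [e for (e,) in conn.execute("SELECT email FROM customers")]
    orphans = conn.execute("SELECT COUNT(*) FROM orders o LEFT JOIN customers c "
                           "ON c.email = o.customer_email WHERE c.email IS NULL").fetchone()[0]
    orders = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return {"customers": len(emails), "orders": orders, "orphans": orphans,
            "leaked": sum(e.endswith("@corp.example") for e in emails)}
```

Had the email been replaced with a random value per table, the `PRAGMA foreign_keys` insert would raise an IntegrityError, which is exactly the lost connection the note warns about.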
Separation of Duty
Reducing the risk from malicious users
Give users/workers the minimal privileges needed for their work, and do not over-privilege anyone
Arrangement policy - public - confidential - sensitive
----------------------------------------------------------------
Footprinting
- Collecting information
- Knowing the target's external security status
- Identify vulnerabilities
- Network mapping
What is collecting information
Network:
- IP addresses
- Domain names
System:
- OS information
- Software
Organization
- Company names
- Business subsidiaries, emails
- Network phone numbers
- Key employees
Footprinting types
Active:
- Gathering information by contacting the target system
Passive:
- Gathering information from publicly available sources such as search engines, social media, newspapers, websites, etc.
Passive footprinting
- Search engines (Google, Bing, etc.)
- [Link] (domain name)
- OSINT
- Command prompt (IP address)
- [Link] (hosting company)
- Website footprinting ([Link])
- Person search system (social network, special sites)
- Google Earth (determine physical location)
- Job sites
- Social media (Facebook, Twitter, etc.)
Search engines
- [Link], [Link] etc.
To search for an exact phrase, wrap it in double quotes (e.g. not John Doe but "John Doe")
Using search operators like these is called "Google Dorking"
PDF site:[Link]
[Link] - WP 4.0
"intitle: Wp 4.0" site.country_domain
Whois footprinting
- Domain name details
- Domain owner contact details
- Domain Name Servers
- NetRange
- When was domain created?
- Expire time
[Link]
[Link]
Collecting information from sites
[Link]
[Link]
[Link]
[Link]
SimilarWeb
[Link]
[Link]
OSINT
[Link]
[Link]
[Link]
GHDB - Google Hacking Database
---------------------
TryHackMe Passive Reconnaissance
whois to query WHOIS servers
nslookup to query DNS servers
dig to query DNS servers (simpler)
We use whois to query WHOIS records, while we use nslookup and dig to
query DNS database records. These are all publicly available records and
hence do not alert the target.
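The WHOIS fields listed above (owner contact, name servers, NetRange, creation and expiry dates), as an added example that is not from the notes or from TryHackMe: a small parser over a constructed WHOIS reply, plus a defender-side expiry check for one's own domain. The sample record, the field-name aliases and the `.test` domain are all constructed.

```python
import re
from datetime import date

# Constructed WHOIS reply in the common "Key: Value" layout; real registries
# differ in field names, so the parser accepts several spellings per field.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2025-03-02T10:15:00Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
NetRange: 203.0.113.0 - 203.0.113.255
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Assumed aliases (constructed list); extend per registry as needed.
FIELD_ALIASES = {
    "domain": ("domain name",),
    "registrar": ("registrar",),
    "created": ("creation date", "created", "registered on"),
    "expires": ("registry expiry date", "expiry date", "expiration date"),
    "owner": ("registrant organization", "registrant name"),
    "contact": ("registrant email", "admin email"),
    "netrange": ("netrange", "inetnum"),
}

def parse_whois(text: str) -> dict:
    """Pull the fields the notes list out of a WHOIS reply; repeated
    'Name Server' lines are collected, the first value wins elsewhere."""
    rec = {"name_servers": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue  # banners such as '>>> Last update ... <<<' are skipped
        key, val = m.group(1).strip().lower(), m.group(2)
        if key == "name server":
            rec["name_servers"].append(val.lower())
            continue
        for field, names in FIELD_ALIASES.items():
            if key in names:
                rec.setdefault(field, val)
    return rec

def days_until_expiry(rec: dict, today: date) -> int:
    """Defender-side use: alert before your own domain lapses and could be
    re-registered by someone else."""
    return (date.fromisoformat(rec["expires"][:10]) - today).days
```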
----------------------------------
Application Security
1) Software Development Lifecycle
2) Secure Software Development Lifecycle
3) Arsenal of Solutions
Software Development Lifecycle (SDLC)
1) Planning - Define architecture, define stack, understand customer requirements
2) Development - Implement features and develop the app
3) Testing -> QA, Security, Customers (Beta Test)
4) Deployment
5) Maintenance
6 Phases of the Software Development Life Cycle
ANALYSIS -> DESIGN -> DEVELOPMENT -> TESTING -> DEPLOYMENT -> MAINTENANCE
Three pillars of SDLC
Brooks' Law - Adding manpower to a late software project makes it later
Boehm's Law - Costs to find and fix bugs get higher as time goes by
Conway's Law - Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structures
Secure Software Development Life Cycle
Building blocks of SSDLC
1. Application and security team
2. SDLC and SSDLC processes and requirements
3. secure coding guidelines
4. secure coding checklist
5. tools
6. risk analysis strategy and risk matrix
What's DevSecOps?
- Secure culture
- Practices
- Tools
-----------------------------