7. “I don't need to know”
“Our network security will take care of it.”
“I applied all the web server and PHP patches.”
“Security belongs in the application layer.”
“Database security slows development.”
“Nobody will hack my website. We run Linux.”
19. The cost of unsafe data
Contacting 19,000 customers: $380,000
Paying for credit reports for 19,000 customers: $931,000
Shipping stolen merchandise: $4,600,000
Lost customer goodwill and reputation as an insecure & careless company: Priceless!
20. Why is LAMP special?
1. Agility: LAMP platforms are designed for rapid development and deployment
2. Constant Upgrades: LAMP components are rapidly advancing
3. Lightweight: LAMP stacks are simple and have few layers
21. Why is LAMP special?
1. Agility: rapidly deploy security holes
2. Constant Upgrades: new versions, new exploits
3. Lightweight: few layers, fast to hack
45. five: have a threat model
What is your vulnerable data? (assets)
Who wants this data? (threats)
How will they get it? (attack vectors)
What are the consequences of lost data? (costs)
47. your database engine can help
(diagram: database server, webserver and router; the database server is labelled with the protections it can provide itself: permissions, abstraction, audit, updates, tripwire, anti-DOS and firewall; the webserver and router are labelled restricted and secure)
48. attack vectors
Primary attack vectors for data theft in LAMP:
1. SQL injection
2. direct connection
3. application server compromise
4. staff malfeasance/mistake
5. physical access
51. access control
Goal: Use database access control lists to prevent connections from anywhere but specified networks.
(diagram: database server and webserver)
52. access control
Network Isolation:
isolated network segment
only appservers & admins can connect
use firewall tools to restrict ports & networks
53. access control
Database Access Control: restrict which users can connect to which databases from which networks
PostgreSQL: pg_hba.conf, listen_addresses, pgbouncer
MySQL: users table, MySQL Proxy
54. authentication
Goal: prevent privilege escalation through direct connections to the database.
psql -U postgres -h masterserver -c "update users set password = 'haxx0r' where login = 'administrator'"
55. authentication methods
ident: host OS responsible for security
good for: administrative tasks
bad for: external users
56. authentication methods
hashed user/password
good for: most things
bad for: application server / network compromise
57. authentication methods
krb5 / sspi / ldap: identity checked against authentication servers
good for: network/application server compromises
bad for: performance, troubleshooting, uptime
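The access-control and authentication slides above (53 and 55 to 57) put together as one configuration. This is an added example, not from the slides: it assumes a database named lampdb, a login role application_user and a group role admins, a database server address 10.0.1.5 on the isolated segment 10.0.1.0/24, an admin network 10.0.2.0/24, and an LDAP server ldap.example.internal; all of these are constructed.

```text
# Added example, not from the slides. Addresses and names are constructed (see lead-in).
# postgresql.conf: listen only on the private interface of the isolated segment, never 0.0.0.0
listen_addresses = '10.0.1.5'

# pg_hba.conf: the first matching line wins, so the specific rules go first and the catch-all last.
# TYPE    DATABASE  USER              ADDRESS        METHOD
# DBA work on the box itself: the OS account is the identity (slide 55, "ident")
local     all       postgres                         ident
# the application servers, by network, with the password hashed on the wire (slide 56)
hostssl   lampdb    application_user  10.0.1.0/24    md5
# staff from the admin network, members of the admins group role, checked against LDAP (slide 57)
hostssl   all       +admins           10.0.2.0/24    ldap ldapserver=ldap.example.internal
# everyone else is refused before any password is exchanged
host      all       all               0.0.0.0/0      reject
```

With this file the direct connection from slide 54 (psql -U postgres -h masterserver from outside the two networks) is refused by the last line before a password is even tried.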
58. driver tools
Goal: prevent SQL injection
prepared queries: the user value is sent as a bound parameter, never spliced into the SQL string and never escaped by hand (escaping a bound parameter only corrupts the data), e.g. with PHP PDO:
$q = $db->prepare("SELECT * FROM profile WHERE user = ?");
$q->execute(array($this_user));
60. database privileges
Goal: prevent authenticated low-level users from modifying or accessing restricted data.
SELECT FROM users;
UPDATE users;
61. database privileges
Privileges Rule #1: your app should not be connecting as the database owner or superuser
62. ROLEs
create some ROLEs (users and groups)
(diagram of the role tree: public at the root; the roles application_user, db_admin, application_admin and superuser; the groups users, admins, dataentry and readonly; and the individual accounts claudio, felipe, leo, wei-chen and guest)
63. privileges
best way to restrict access to specific data
SQL standard
Both MySQL & PostgreSQL support privileges at the database/schema, table and column level
64. privileges
PostgreSQL privileges:
tables: SELECT, INSERT, UPDATE, DELETE, ALTER
schema: USAGE, CREATE, ALTER
function: EXECUTE, ALTER
database: CONNECT, TEMP, CREATE, OWNER
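Slides 61 to 64 worked through as a PostgreSQL script. This is an added example, not from the slides: it assumes a database lampdb (constructed name), the roles named on slide 62, and PostgreSQL 8.4 or later for column-level privileges; the passwords are placeholders.

```sql
-- Added example (PostgreSQL 8.4+ for column privileges); not from the original slides.
-- Group roles (NOLOGIN) hold the privileges; people and the application are members of them.
CREATE ROLE readonly  NOLOGIN;
CREATE ROLE dataentry NOLOGIN;
CREATE ROLE admins    NOLOGIN;

-- Login roles. Passwords are placeholders; set real ones out of band.
CREATE ROLE application_user LOGIN PASSWORD 'CHANGE-ME' IN ROLE dataentry;
CREATE ROLE guest            LOGIN PASSWORD 'CHANGE-ME' IN ROLE readonly;
CREATE ROLE claudio          LOGIN IN ROLE admins;                 -- no password: ident/ldap in pg_hba.conf
CREATE ROLE db_admin         LOGIN CREATEDB CREATEROLE IN ROLE admins;  -- owns the data, still not SUPERUSER

-- Rule #1: the application owns nothing. Schema and table belong to db_admin.
CREATE SCHEMA member AUTHORIZATION db_admin;
CREATE TABLE member.profiles (
    member    text PRIMARY KEY,
    interests text,
    email     text,
    ssn       text                       -- sensitive: must never be readable from the web tier
);
ALTER TABLE member.profiles OWNER TO db_admin;

-- Strip the defaults: PUBLIC may otherwise CONNECT to any database and CREATE in schema public.
REVOKE CONNECT ON DATABASE lampdb FROM PUBLIC;           -- lampdb is an assumed database name
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE lampdb TO application_user, guest, admins;

-- Grant the least each group needs, at schema, table and column level.
GRANT USAGE ON SCHEMA member TO readonly, dataentry;
GRANT SELECT (member, interests)        ON member.profiles TO readonly;   -- column privilege: no email, no ssn
GRANT SELECT (member, interests, email) ON member.profiles TO dataentry;
GRANT INSERT (member, interests, email) ON member.profiles TO dataentry;
GRANT UPDATE (interests, email)         ON member.profiles TO dataentry;
-- No DELETE for anyone but the owner; no access to ssn at all except as db_admin.

-- Verify from SQL rather than trusting the script: the web tier must not be able to
-- read ssn or delete rows, so both of these must come back false.
SELECT has_column_privilege('application_user', 'member.profiles', 'ssn', 'SELECT');
SELECT has_table_privilege('application_user', 'member.profiles', 'DELETE');
```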
65. database abstraction
Goal: prevent theft of sensitive data by not allowing direct access to base tables
(diagram: schema admin holds the base tables rights, settings, messages and users; schema member holds members and profiles, the view user_names over users, and the functions login() and change_pw())
66. database abstraction
views
a VIEW is a “stored query” with its own permissions
limit access to specific rows or columns
stored procedures
SECURITY DEFINER procedures allow controlled privilege escalation
make sure to lock them down, though!
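The abstraction layer from slides 65 and 66 (view user_names, functions login() and change_pw()) as a concrete PostgreSQL script, including what "lock them down" means for a SECURITY DEFINER function. This is an added example, not from the slides: it assumes the pgcrypto contrib module is installed in schema public, that the script runs as the table owner db_admin, and that application_user is the web tier's role.

```sql
-- Added example (PostgreSQL with pgcrypto for crypt()/gen_salt()); not from the original slides.
-- Run as db_admin, the owner of the base tables; application_user is the web tier's role.
CREATE SCHEMA admin;
CREATE TABLE admin.users (
    login    text PRIMARY KEY,
    pw_hash  text NOT NULL,                 -- bcrypt hash, never the password itself
    email    text,
    disabled boolean NOT NULL DEFAULT false
);
REVOKE ALL ON SCHEMA admin FROM PUBLIC;     -- the app cannot even name objects in here

-- A VIEW is a stored query with its own permissions: only one column, only active rows.
CREATE SCHEMA member;
CREATE VIEW member.user_names AS
    SELECT login FROM admin.users WHERE NOT disabled;
GRANT USAGE  ON SCHEMA member     TO application_user;
GRANT SELECT ON member.user_names TO application_user;

-- SECURITY DEFINER runs with the owner's rights, so the app can check a password
-- without ever being able to SELECT pw_hash. Locking it down means: pin search_path
-- and schema-qualify every object so a caller cannot shadow crypt() with their own
-- function, and replace the default EXECUTE-for-PUBLIC with explicit grants.
CREATE FUNCTION member.login(p_login text, p_password text) RETURNS boolean
LANGUAGE plpgsql SECURITY DEFINER STABLE
SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    RETURN EXISTS (
        SELECT 1 FROM admin.users
         WHERE login = p_login AND NOT disabled
           AND pw_hash = public.crypt(p_password, pw_hash));
END;
$$;

CREATE FUNCTION member.change_pw(p_login text, p_old text, p_new text) RETURNS boolean
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    UPDATE admin.users
       SET pw_hash = public.crypt(p_new, public.gen_salt('bf'))
     WHERE login = p_login AND pw_hash = public.crypt(p_old, pw_hash);
    RETURN FOUND;                           -- false when the old password was wrong
END;
$$;

REVOKE ALL ON FUNCTION member.login(text, text)             FROM PUBLIC;
REVOKE ALL ON FUNCTION member.change_pw(text, text, text)   FROM PUBLIC;
GRANT EXECUTE ON FUNCTION member.login(text, text)           TO application_user;
GRANT EXECUTE ON FUNCTION member.change_pw(text, text, text) TO application_user;
```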
67. encryption
Goal: prevent misuse of sensitive data by anyone who has managed to capture it
the only protection against physical possession
encrypt your backups!
68. encryption
1. encrypted authentication
2. encrypted connections
3. encryption of specific data
4. whole database encryption
70. What do you do if they get in anyway?
sometimes your other measures fail: exploits, loopholes, misconfiguration
sometimes the bad guys have legitimate access: users, staff, sysadmins
71. database auditing
Goal: know what happened after it happened, and be able to restore your data without searching backup tapes.
72. auditing: logs
dozens of log options: users, connections, queries run, errors
the log can help you analyze a break-in
maybe even tell you what was stolen
73. secure your logs
best way to find “DBA corruption”
make sure that not even the admins can erase/alter all copies
make sure few people can change postgresql.conf
use a secured log server
“syslog” is good for this
make a plan for secure log archiving
74. data auditing
Goal: figure out exactly which data changed, when and how, and be able to reverse it.
Methods: Triggers, Replication, Snapshots
75. data auditing
table members.profiles
member | interests
-------+-----------------
josh   | pottery, cooking

table audit_members.profiles
member | interests | changed | change_by
-------+-----------+---------+----------
josh   | gaming    | 5/23/01 | claudio
josh   | pottery   | 3/24/08 | felipe
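The trigger method from slide 74 producing the audit table of slide 75, plus the reversal the goal asks for. This is an added example, not from the slides: it assumes it runs as the owner db_admin and that the group role dataentry from slide 62 exists; the sample rows are constructed.

```sql
-- Added example (PostgreSQL); not from the original slides. Run as db_admin, owner of both schemas.
CREATE SCHEMA members;
CREATE TABLE members.profiles (
    member    text PRIMARY KEY,
    interests text
);

-- One audit row per change, holding the OLD row that was overwritten or deleted, so the
-- audit trail alone is enough to put the data back without touching a backup tape.
CREATE SCHEMA audit_members;
CREATE TABLE audit_members.profiles (
    member    text        NOT NULL,
    interests text,
    changed   timestamptz NOT NULL DEFAULT now(),
    change_by text        NOT NULL DEFAULT session_user,
    operation text        NOT NULL
);
REVOKE ALL ON SCHEMA audit_members FROM PUBLIC;   -- only the trigger's owner can reach the trail

-- SECURITY DEFINER lets the trigger insert as its owner even though the user changing
-- the profile has no rights on audit_members. Record session_user, not current_user:
-- inside a SECURITY DEFINER function current_user is the owner, not the person logged in.
CREATE FUNCTION audit_members.log_profiles() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, pg_temp AS $$
BEGIN
    INSERT INTO audit_members.profiles (member, interests, changed, change_by, operation)
    VALUES (OLD.member, OLD.interests, now(), session_user, TG_OP);
    RETURN NULL;                                  -- AFTER trigger: return value is ignored
END;
$$;
CREATE TRIGGER profiles_audit
    AFTER UPDATE OR DELETE ON members.profiles
    FOR EACH ROW EXECUTE PROCEDURE audit_members.log_profiles();

-- The data-entry group (slide 62) may edit profiles but cannot see or alter the audit trail.
GRANT USAGE ON SCHEMA members TO dataentry;
GRANT SELECT, INSERT, UPDATE ON members.profiles TO dataentry;

-- Constructed sample change: the old value, the time and the session role land in the trail.
INSERT INTO members.profiles VALUES ('josh', 'gaming');
UPDATE members.profiles SET interests = 'pottery, cooking' WHERE member = 'josh';

-- Reverse the latest change to josh's row using nothing but the audit trail.
UPDATE members.profiles p
   SET interests = a.interests
  FROM (SELECT interests FROM audit_members.profiles
         WHERE member = 'josh' AND operation = 'UPDATE'
         ORDER BY changed DESC LIMIT 1) a
 WHERE p.member = 'josh';
```

The reversal is itself an UPDATE, so the trigger records it too and the trail stays complete.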
78. contact
Josh Berkus
josh.berkus@pgexperts.com
it.toolbox.com/blogs/database-soup
PostgreSQL
www.postgresql.org
SEPostgres:
http://code.google.com/p/sepgsql
PostgreSQL Experts, Inc.
www.pgexperts.com
Thanks to KaiGai Kohei for SEPostgres diagrams, and to Harrison Fisk for MySQL examples.
Thanks to Google Images for the various images, which belong to their original owners.
Copyright 2009 Josh Berkus, distributable under the creative commons attribution license