SQL Server and Application Security for Developers
Mladen Prajdić, SQL Server MVP, mladenp@gmail.com, @MladenPrajdic


Post on 26-Dec-2015


TRANSCRIPT

  • Slide 1
  • SQL Server and Application Security for Developers. Mladen Prajdić, SQL Server MVP, mladenp@gmail.com, @MladenPrajdic
  • Slide 2
  • About me: welcome to Slovenia, the sunny side of the Alps!
  • Slide 3
  • Security, Usability, Price: pick two.
  • Slide 4
  • Company Attack Vectors
    - Website: SQL Injection; XSS, CSRF; DDoS; other
    - Social Engineering: impersonating people; direct personal interaction
    - Others that I haven't thought of (GCHQ, NSA, CIA, etc.)
  • Slide 5
  • SQL Injection (http://xkcd.com/327)
  • Slide 6
  • SQL Injection: 2005 onwards, 83% of hacks (stats by FireHost.com)
  • Slide 7
  • SQL Injection
  • Slide 8
  • Website attack with malicious SQL
    - Techniques: error based, union based, blind
    - Goals: data destruction, data stealing, spam, redirects
  • Slide 9
  • SQL Injection - Prevention Tries: Stored procedures
    - "Because they have parameters, right?" A procedure parameter that is concatenated into dynamic SQL is not a parameter of the query that actually runs:

```sql
-- NOT safe: @TableName is spliced into the statement text, so the caller controls the SQL
CREATE PROC spIAmVerySafe @TableName varchar(256)
AS
    EXEC('SELECT * FROM ' + @TableName);
GO
```

    - The same kind of parameter used in a static statement is safe, because its value never becomes part of the SQL text:

```sql
CREATE PROC spNowIAmSafe @ID int
AS
    SELECT ID, FirstName, LastName FROM Person WHERE ID = @ID;
GO
```
  • Slide 10
  • SQL Injection - Prevention Tries: Input validation
    - Usually keyword blacklists on the server and the client, or replacing every single quote with two single quotes
    - They are all USELESS: the payload can be encoded so that it contains neither quotes nor keywords. The hex literal below is just the bytes of SELECT * FROM sys.tables, decoded and executed inside the server:

```sql
SELECT * FROM sys.tables
-- the same statement, with no quote and no keyword visible in the payload
DECLARE @s VARCHAR(MAX) = CONVERT(VARCHAR(MAX), 0x53454C454354202A2046524F4D207379732E7461626C6573);
EXEC(@s);
```
  • Slide 11
  • SQL Injection - The Only Protection: SQL Parameters. Use them properly: a typed parameter object, never string concatenation.

```csharp
using System.Data.SqlClient;

// The value is sent to the server separately from the statement text,
// so it can never change the statement.
string sqlText = "SELECT ID, FirstName, LastName FROM Person WHERE ID = @IntParam";
SqlCommand cmd = new SqlCommand(sqlText, sqlConnection);
cmd.Parameters.Add("@IntParam", System.Data.SqlDbType.Int);
cmd.Parameters["@IntParam"].Value = 6;
SqlDataReader reader = cmd.ExecuteReader();
```
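The following T-SQL script is an added example, not code from the slides: it puts slides 9 to 11 together by exploiting spIAmVerySafe with the hex-encoded payload of slide 10, and then shows the server-side counterpart of SqlCommand parameters, sp_executesql, plus QUOTENAME for the one thing a parameter cannot carry, an identifier. The Person table, its rows and the procedure spNowIAmSafeDynamic are made up for the example; run it in a scratch database.

```sql
-- Added example (not from the slides). Table, rows and spNowIAmSafeDynamic are
-- made up for the demo; spIAmVerySafe is the procedure from slide 9.
CREATE TABLE dbo.Person (ID int PRIMARY KEY, FirstName nvarchar(50), LastName nvarchar(50));
INSERT INTO dbo.Person (ID, FirstName, LastName) VALUES (1, N'Ada', N'Lovelace'), (2, N'Alan', N'Turing');
GO

-- Vulnerable: @TableName is a parameter of the procedure, but it is concatenated
-- into the statement text, so it is not a parameter of the query that runs.
CREATE PROC dbo.spIAmVerySafe @TableName varchar(256)
AS
    EXEC('SELECT * FROM ' + @TableName);
GO

-- 1. Intended use: one result set with two rows.
EXEC dbo.spIAmVerySafe 'dbo.Person';

-- 2. Injection: the caller finishes the statement and appends another one.
EXEC dbo.spIAmVerySafe 'dbo.Person; SELECT name FROM sys.tables';

-- 3. Doubling single quotes or blacklisting keywords (slide 10) changes nothing:
--    this payload has no quote and no SQL keyword. The hex literal is the bytes of
--    "SELECT * FROM sys.tables", decoded and executed inside the server.
EXEC dbo.spIAmVerySafe 'dbo.Person; DECLARE @s varchar(max) = CONVERT(varchar(max), 0x53454C454354202A2046524F4D207379732E7461626C6573); EXEC(@s)';
GO

-- Safe dynamic SQL, for the case where the table name really must vary:
--   * the identifier is resolved against the catalog and quoted with QUOTENAME,
--   * the value travels as a typed parameter of sp_executesql (the server-side
--     counterpart of SqlCommand.Parameters on slide 11), never as statement text.
CREATE PROC dbo.spNowIAmSafeDynamic @TableName sysname, @ID int
AS
    DECLARE @obj int = OBJECT_ID(@TableName, 'U');   -- NULL unless @TableName names an existing user table
    IF @obj IS NULL
    BEGIN
        RAISERROR('Unknown table', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT ID, FirstName, LastName FROM '
      + QUOTENAME(OBJECT_SCHEMA_NAME(@obj)) + N'.' + QUOTENAME(OBJECT_NAME(@obj))
      + N' WHERE ID = @ID;';

    EXEC sys.sp_executesql @sql, N'@ID int', @ID = @ID;
GO

EXEC dbo.spNowIAmSafeDynamic @TableName = 'dbo.Person', @ID = 1;                               -- Ada Lovelace
EXEC dbo.spNowIAmSafeDynamic @TableName = 'dbo.Person; SELECT name FROM sys.tables', @ID = 1;  -- error: Unknown table
-- @ID is declared int, so a string such as '1; DROP TABLE dbo.Person' is rejected by the
-- type system before any SQL is built: a conversion error, no second statement.
```

The third call to spIAmVerySafe is the one worth remembering: it is exactly what a quote-doubling "sanitizer" lets through. spNowIAmSafeDynamic needs dynamic SQL only because the table name varies; when it does not, the static statement of spNowIAmSafe on slide 9 is the better choice.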
  • Slide 12
  • Cross-Site Scripting (XSS)
    - Exploits the trust a user has in a particular site
    - Perfect attack vector to combine with SQL injection: the injected data is later rendered to other users
    - Since 2007 about 84% of all client-side attacks; about 70% of all websites are likely open to it
    - Injects JavaScript into web pages viewed by other users
    - Various bugs in JavaScript client libraries
    - HTML-encode, JavaScript-encode and attribute-encode everything on the way out, and decode on the way in
  • Slide 13
  • Cross-Site Request Forgery (CSRF)
    - Exploits the trust that a site has in a user's browser
    - Attacks are extremely under-reported
    - Involves sites that rely on a user's identity (a bank) and exploits the site's trust in that identity
    - Uses the stored cookie of the person you are attacking: trick the browser into sending an HTTP request to the target site; the cookie authenticates the request and it goes to the bank
    - Involves HTTP requests that have side effects (withdraw money)
  • Slide 14
  • DEMO
  • Slide 15
  • Distributed Denial Of Service (DDoS)
    - Exhausts the resources of your computer
    - On average at least one person in your extended family is unknowingly working for the Russian mafia: their machine is part of a botnet
    - Motives: extortion, political agenda
    - Victims: Feedly, Evernote; Code Spaces went out of business
  • Slide 16
  • Amateurs hack systems, professionals hack people
  • Slide 17
  • Social Engineering
    - Exploits a person's kindness and willingness to help
    - Investment in security awareness for non-IT employees: minimal
    - "It is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system" (Kevin Mitnick)
  • Slide 18
  • Social Engineering - Profiling
  • Slide 19
  • Social Engineering - Contact
    - Calling employees and call centers, pretending to be support or a customer
    - Getting various system information: OS, browser, VPN client, WiFi, anti-virus
    - Phishing, with XSS and CSRF included
    - Giving away information not perceived to be important; smart small talk
    - Advanced target level: hot women in bars, forgotten or "free" USB sticks
  • Slide 20
  • Social Engineering - Prevention
    - Stanley Mark Rifkin defrauded the Security Pacific National Bank in Los Angeles and managed to steal $10,200,000 in a single social engineering attack, in 1978!
    - Educate people
    - Use two-factor authentication
  • Slide 21
  • Social Engineering success rate? 100%
  • Slide 22
  • Social Engineering clean-up cost for the company: between $25,000 and $100,000 per incident
  • Slide 23
  • Securing SQL Server for Developers So how can we as developers protect our Applications and SQL Servers?
  • Slide 24
  • Security Mechanisms Overview
    - Run the SQL Server service under a special domain account: create a new SqlRunner user in AD, give it minimal permissions on the domain and the computer, and use it to run SQL Server
    - DBA realm: Transparent Data Encryption (TDE), SQL Server Audit, reducing the attack surface
  • Slide 25
  • Security Mechanisms Overview
    - Securables: objects that can be secured with permissions
    - Principals: people/processes that access securables
    - GRANT, DENY, REVOKE; DENY always has priority
    - Various cryptographic functions: EncryptBy*, DecryptBy*, SignBy*, HASHBYTES, ...
  • Slide 26
  • Permissions Hierarchy - Principals
    - Windows: Windows group, Windows domain login, Windows local login
    - Server: SQL Server login, fixed server role, user-defined server role
    - Database: database user, fixed database role, user-defined database role
  • Slide 27
  • Permissions Hierarchy - Securables
    - Server: SQL Server login, endpoint, database
    - Database: schema, user, certificate, role, ...
    - Schema: table, view, function, stored procedure, type, ...
  • Slide 28
  • Permissions Hierarchy - Example
    - A SQL Server login OR a Windows domain login maps 1:1 to a database user
    - The user, directly or through the roles it is a member of, holds permissions
    - Depending on those permissions it accesses objects (in a schema, certificates), which return data
    - Treat the database access objects as an interface
  • Slide 29
  • DEMO
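An added example, not code from the slides, that builds the hierarchy of slides 25 to 28 in T-SQL: one login mapped 1:1 to a database user, a user-defined role that gets EXECUTE on a schema of stored procedures and DENY SELECT on the schema holding the tables, and a check with EXECUTE AS that DENY beats a later GRANT. The database, schema, table, login, user and role names (AppDemo, api, data, Person, YourAppLogin, YourAppUser, AppReader) are made up; run it as sysadmin on a test instance.

```sql
-- Added example (not from the slides); all names are made up for the demo.
CREATE DATABASE AppDemo;
GO
USE AppDemo;
GO
CREATE SCHEMA data;   -- tables live here; the application never touches them directly
GO
CREATE SCHEMA api;    -- stored procedures: the only interface the application sees
GO
CREATE TABLE data.Person (ID int PRIMARY KEY, FirstName nvarchar(50), LastName nvarchar(50), Salary money);
INSERT INTO data.Person (ID, FirstName, LastName, Salary) VALUES (1, N'Ada', N'Lovelace', 100000);
GO
CREATE PROC api.GetPerson @ID int
AS
    SELECT ID, FirstName, LastName FROM data.Person WHERE ID = @ID;   -- Salary is deliberately not exposed
GO

-- Principals: server login -> database user (1:1) -> user-defined database role.
CREATE LOGIN YourAppLogin WITH PASSWORD = N'ChangeMe-Str0ng!';
CREATE USER YourAppUser FOR LOGIN YourAppLogin;
CREATE ROLE AppReader;
ALTER ROLE AppReader ADD MEMBER YourAppUser;

-- Securables: permission on the schema, so procedures added to api later are covered too.
GRANT EXECUTE ON SCHEMA::api TO AppReader;
-- DENY on the data schema: wins over any GRANT the user picks up later, from any role.
DENY SELECT ON SCHEMA::data TO AppReader;
-- Simulate a later, over-broad grant; the DENY above still applies.
ALTER ROLE db_datareader ADD MEMBER YourAppUser;
GO

-- Check the result from the application's point of view.
EXECUTE AS USER = 'YourAppUser';
    -- Works: api.GetPerson and data.Person share an owner (dbo), so ownership
    -- chaining skips the permission check on the table inside the procedure.
    EXEC api.GetPerson @ID = 1;
    BEGIN TRY
        SELECT * FROM data.Person;              -- fails: the DENY beats db_datareader
    END TRY
    BEGIN CATCH
        SELECT ERROR_MESSAGE() AS denied;       -- "The SELECT permission was denied on the object 'Person' ..."
    END CATCH;
    SELECT IS_MEMBER('db_owner') AS is_db_owner;   -- 0
REVERT;
GO
```

Two things to take from the run: the application only ever has EXECUTE, yet the procedure reads the table, because ownership chaining between objects of the same owner replaces the per-object check; and the DENY on the data schema keeps working even after the user was put into db_datareader, which is the "DENY always has priority" rule of slide 25.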
  • Slide 30
  • SET TRUSTWORTHY ON hole
    - If the DB is TRUSTWORTHY, and the DB owner's login is a sysadmin, and YourAppLogin's user is a member of the db_owner role, then YourAppLogin can elevate itself to sysadmin
    - Let's secure it properly: YourAppLogin with no default permissions; the DB owner's login in the public role only; no users in the database in the db_owner role
  • Slide 31
  • DEMO
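An added example, not code from the slides, that walks through the chain of slide 30 in T-SQL on a test instance: it sets up the three conditions, shows the escalation, then applies the three fixes and finishes with a query you can run against a real server to find databases that still meet the dangerous combination. Database, login and procedure names (TrustDemo, YourAppLogin, TrustDemoOwner, MakeMeSysadmin) are made up; the mechanism is the one Microsoft documents for TRUSTWORTHY, a module WITH EXECUTE AS OWNER whose owner maps to a sysadmin login.

```sql
-- Added example (not from the slides). All names are made up for the demo.
-- Run as sysadmin on a test instance; it sets up the conditions, proves the
-- escalation, then reverses it.
USE master;
GO
CREATE DATABASE TrustDemo;
ALTER AUTHORIZATION ON DATABASE::TrustDemo TO sa;      -- condition 2: DB owner's login is a sysadmin
ALTER DATABASE TrustDemo SET TRUSTWORTHY ON;           -- condition 1: DB is TRUSTWORTHY
CREATE LOGIN YourAppLogin WITH PASSWORD = N'ChangeMe-Str0ng!';
GO
USE TrustDemo;
GO
CREATE USER YourAppLogin FOR LOGIN YourAppLogin;
ALTER ROLE db_owner ADD MEMBER YourAppLogin;           -- condition 3: the app login's user is db_owner
GO

-- Now act as the application login. A db_owner may create a module that runs as the
-- owner (dbo); with TRUSTWORTHY ON that identity is honoured at server level too,
-- where dbo is the owning login, sa.
EXECUTE AS LOGIN = 'YourAppLogin';
GO
CREATE PROC dbo.MakeMeSysadmin
WITH EXECUTE AS OWNER
AS
    ALTER SERVER ROLE sysadmin ADD MEMBER YourAppLogin;
GO
EXEC dbo.MakeMeSysadmin;
REVERT;
GO
SELECT IS_SRVROLEMEMBER('sysadmin', 'YourAppLogin') AS app_login_is_sysadmin;   -- 1

-- Close the hole as slide 30 says. Each fix alone breaks the chain; apply all of them.
USE master;
GO
ALTER SERVER ROLE sysadmin DROP MEMBER YourAppLogin;
ALTER DATABASE TrustDemo SET TRUSTWORTHY OFF;                                   -- DB is not trustworthy
CREATE LOGIN TrustDemoOwner WITH PASSWORD = N'An0ther-Str0ng!';                 -- a login in public only ...
ALTER AUTHORIZATION ON DATABASE::TrustDemo TO TrustDemoOwner;                   -- ... owns the DB
GO
USE TrustDemo;
GO
ALTER ROLE db_owner DROP MEMBER YourAppLogin;                                   -- no db_owner for app logins
DROP PROC dbo.MakeMeSysadmin;
GO

-- Audit: which databases still combine TRUSTWORTHY ON with a sysadmin owner?
-- msdb is TRUSTWORTHY by design and is excluded.
USE master;
GO
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
  AND d.name <> N'msdb';
```

The audit query at the end is the part to keep: an empty result means no database on the instance offers this path, whatever the application logins are allowed to do inside their own databases.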
  • Slide 32
  • Things to Remember - SQL
    - Use a login/user with least privileges
    - Run the SQL Server service with a custom account
    - Use SQL parameters
    - No sysadmin (sa) for the application and no SET TRUSTWORTHY ON
    - No sysadmin database owners
    - Treat the database access objects as a secure interface
  • Slide 33
  • Things to Remember - .Net
    - Machine.config, Web.config: redirect to custom error pages
    - HTML encode/decode all traffic to/from the DB
    - Microsoft Web Protection Library (AntiXSS): on NuGet, also part of the Microsoft SDL tools
  • Slide 34
  • Things to Remember - Social
    - Watch out for hot blondes in the bar
    - Split your security budget: 80% sysadmin education, 20% people education
    - Tools: Metasploit, Social-Engineer Toolkit (SET)
  • Slide 35
  • The less data you store, the safer you are