By Dan Cornell
I had a great time at the SOURCE Boston 2012 conference. The speaker lineup was fantastic and the attendees were great as well. I had the opportunity to give a new presentation based on some work we've been doing in database security titled "What Permissions Does Your Database User REALLY Need?" Slides are online here:
The abstract for the talk is:
Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least-privilege” database accounts a standard practice in web application deployment.
Connecting web applications to databases with over-privileged users is a serious issue for a couple of reasons:
- Web-attached databases have a lot of valuable data in them
- SQL injection vulnerabilities are far too common
- Discovery and exploitation of these vulnerabilities can often be automated
The end result is that lots of web databases have data stolen from them and lots of web databases get corrupted with bad data. We're hoping that this presentation and the associated tool can help folks start moving in a safer direction.
Code for the sqlpermcalc tool used during the presentation to create the "least-privilege" database security model can be found at the GitHub site here. Still lots of work to do, but we're excited about the direction.
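To illustrate the "calculate what the application actually needs" idea from the talk, here is an added Python sketch (not the sqlpermcalc code and not Denim Group's work): given the SQL each security role of a hypothetical application issues (a constructed sample), it works out the per-table privileges each role needs and emits matching MySQL CREATE USER / GRANT statements, so a role that only reads never receives INSERT, UPDATE or DELETE. It assumes single-table DML without joins; anything else is rejected rather than guessed at.

```python
import re
from collections import defaultdict

# For the four DML keywords the hypothetical application uses, the MySQL
# privilege name is the keyword itself; these regexes pull out the one
# table each simple statement touches (single-table DML only, no joins).
TABLE_PATTERNS = {
    "SELECT": re.compile(r"^SELECT\s+.+?\s+FROM\s+`?(\w+)`?", re.I | re.S),
    "INSERT": re.compile(r"^INSERT\s+INTO\s+`?(\w+)`?", re.I),
    "UPDATE": re.compile(r"^UPDATE\s+`?(\w+)`?", re.I),
    "DELETE": re.compile(r"^DELETE\s+FROM\s+`?(\w+)`?", re.I),
}

def classify(sql):
    """Return (privilege, table) for one application query, or raise."""
    sql = sql.strip()
    keyword = sql.split(None, 1)[0].upper()
    match = TABLE_PATTERNS.get(keyword, None)
    match = match.match(sql) if match else None
    if match is None:
        raise ValueError("cannot classify statement: %s" % sql)
    return keyword, match.group(1).lower()

def calculate_grants(queries_by_role, database):
    """Aggregate the privileges each role needs per table and emit GRANTs."""
    needs = defaultdict(lambda: defaultdict(set))  # role -> table -> privs
    for role, queries in queries_by_role.items():
        for sql in queries:
            priv, table = classify(sql)
            needs[role][table].add(priv)
    grants = {}
    for role in sorted(needs):
        user = "'%s'@'localhost'" % role
        stmts = ["CREATE USER %s IDENTIFIED BY '<set-per-deployment>';" % user]
        for table in sorted(needs[role]):
            privs = ", ".join(sorted(needs[role][table]))
            stmts.append("GRANT %s ON `%s`.`%s` TO %s;" % (privs, database, table, user))
        grants[role] = stmts
    return grants

# Constructed sample: the SQL each security role of a hypothetical app issues.
SAMPLE_QUERIES = {
    "app_reader": ["SELECT id, title FROM posts WHERE id = ?",
                   "SELECT name FROM users WHERE id = ?"],
    "app_author": ["SELECT id, title FROM posts WHERE author_id = ?",
                   "INSERT INTO posts (title, body, author_id) VALUES (?, ?, ?)",
                   "UPDATE posts SET body = ? WHERE id = ?"],
}
```

Running `calculate_grants(SAMPLE_QUERIES, "blog")` yields a read-only account for `app_reader` and an `app_author` account limited to `posts`; an injection through a reader-only code path is then confined to SELECT on the two tables it was granted.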
Contact us for help securing your web-attached databases.
dan _at_ denimgroup.com