This article can also be found in the Premium Editorial Download "Information Security magazine: Security survivor all stars explain their worst data breaches."
The Database Hacker's Handbook:
Defending Database Servers
By David Litchfield, Chris Anley, John Heasman & Bill Grindlay
Wiley, 500 pages, $50.00
Unfortunately, database administrators and security analysts live in separate clans on the large IT frontier. The Database Hacker's Handbook helps resolve the resulting communication breakdowns by closing the knowledge gap between the database admin and the security admin. Serious effort, training and experience are required to truly understand the other's perspective, but this book provides the perfect starting point.
The authors, renowned database security researchers, waste no time in showing how to attack modern database systems. The terse opening chapter provides a taxonomy of database vulnerabilities, from privilege elevation via SQL injection to unauthenticated flaws in network protocols, the most dangerous class because they can be exploited before any credential is checked. Although classifying the attacks presented later in the book may be a useful exercise for the ambitious reader, the authors could have unified the text by actually applying their definitions throughout.
The remaining chapters are dedicated to detailed security analysis of seven of the industry's most popular relational database management systems: Oracle, DB2, Informix, Sybase, MySQL, SQL Server and Postgres. This comprehensive approach is more valuable than one focusing only on the market leaders (Oracle, IBM and Microsoft) or on a single "example" commercial and open-source system.
Each product chapter follows roughly the same template: describing the database architecture and attack methods; "moving further into the network"; and securing the database. Essentially, the structure extends the familiar "attack-and-defend" approach of hacking books.
Attacks are described in highly technical detail and assume the reader's familiarity with the particular database product. The example C code lets you add some highly specialized tools to your arsenal; some, for instance, discover database servers on the network by sending broadcast packets and listening for the servers' replies. The inclusion of source code is questionable for the longer programs, which run up to eight pages. Since none of the code is commented, the instructional value diminishes as the page count increases.
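The broadcast discovery technique the review mentions, written out here as an added example that is not the book's code: SQL Server's Browser service answers a one-byte UDP request on port 1434 with a list of its instances and their ports (the SQL Server Resolution Protocol, SSRP). The sample reply below is constructed, not captured from a real server, and the broadcast address and timeout are assumptions to adjust for your own network.

```python
"""Discover SQL Server instances with an SSRP broadcast (added example, not the book's code).

The SQL Server Browser service listens on UDP 1434. A single-byte CLNT_BCAST_EX (0x02)
request sent to the broadcast address makes every listening Browser reply with a
SVR_RESP (0x05) datagram that lists its instances and their TCP ports.
"""
import socket
import struct
from typing import Dict, List

SSRP_PORT = 1434          # UDP port of the SQL Server Browser service
CLNT_BCAST_EX = b"\x02"   # SSRP request: enumerate all instances on the host
SVR_RESP = 0x05           # first byte of an SSRP response datagram


def parse_ssrp_response(datagram: bytes) -> List[Dict[str, str]]:
    """Parse one SVR_RESP datagram into a list of {field: value} dicts.

    Layout: 0x05, then a little-endian uint16 payload length, then ASCII text of
    the form 'ServerName;SRV;InstanceName;MSSQLSERVER;...;tcp;1433;;' with one
    ';;' terminating each instance. Anything that does not fit is rejected.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    if len(datagram) < 3 + length:
        raise ValueError("truncated SSRP datagram")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # fields alternate key, value; a trailing odd field is ignored
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if inst:
            instances.append(inst)
    return instances


def discover_sql_servers(broadcast: str = "255.255.255.255",
                         timeout: float = 2.0) -> Dict[str, List[Dict[str, str]]]:
    """Send CLNT_BCAST_EX to the broadcast address (assumed; use your subnet's)
    and collect replies until the socket is quiet for `timeout` seconds.
    Returns {responder_ip: [instances]}.
    """
    found: Dict[str, List[Dict[str, str]]] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX, (broadcast, SSRP_PORT))
        while True:
            try:
                data, (host, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            try:
                found.setdefault(host, []).extend(parse_ssrp_response(data))
            except ValueError:
                continue   # something else answered on 1434; skip it
    return found


def build_ssrp_response(instances: List[Dict[str, str]]) -> bytes:
    """Encode instances in SVR_RESP layout (used only to construct sample data)."""
    body = "".join(";".join(f"{k};{v}" for k, v in inst.items()) + ";;"
                   for inst in instances)
    payload = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(payload)) + payload


# Constructed sample reply (not a capture): one host advertising a default
# instance and a named instance.
SAMPLE_RESPONSE = build_ssrp_response([
    {"ServerName": "DBSRV01", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
     "Version": "9.00.1399.06", "tcp": "1433"},
    {"ServerName": "DBSRV01", "InstanceName": "SQLEXPRESS", "IsClustered": "No",
     "Version": "9.00.1399.06", "tcp": "49152"},
])


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print("sample:", inst["ServerName"], inst["InstanceName"], "tcp", inst["tcp"])
    for host, insts in discover_sql_servers().items():
        for inst in insts:
            print(host, inst.get("InstanceName"), "tcp", inst.get("tcp"))
```

Run it only on a segment you are authorized to scan. The parser is kept separate from the collector so the reply format can be checked offline, and malformed or foreign datagrams on port 1434 are rejected rather than crashing the sweep. This covers only the SQL Server case; the other products in the book use different discovery mechanisms.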
Although the occasional grammar mistake or poorly constructed sentence creeps in, the writing is still superior relative to other computer security titles.
If you need to know database security, buy this book. In fact, perhaps you should start a book club and invite database administrators; this should be the club's first read.
Visit SearchSecurity.com's Information Security Bookshelf for chapter downloads from these books and more.
Sarbanes-Oxley For Dummies
By Jill Gilbert Welytok
Securing Storage: A Practical Guide to SAN and NAS Security
By Himanshu Dwivedi
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
By Mike Andrews and James A. Whittaker
Nine Steps to Success: An ISO 27001 Implementation Overview
By Alan Calder
IT Governance Publishing
Phishing: Cutting the Identity Theft Line
By Rachael Lininger and Russell Dean Vines
John Wiley & Sons, Inc.
Tell us what you think of our book reviews or the titles on our online bookshelf. Send your comments to firstname.lastname@example.org or enter your thoughts on SearchSecurity.com's Sound Off.
"Security and Usability should be read by everyone involved in designing and deploying security. Security that hampers the user encourages them to subvert it; the papers in this book provide real-world advice on how to build security without making life difficult for the users."
--Al Berg, CISSP, CISM, director of information security, Liquidnet
For a sample chapter of this and other information security titles, visit searchsecurity.com/bookshelf.
This was first published in April 2006