This blog will walk you through a set of common database security mistakes you should avoid. Take a look!
Database security is paramount. “Wow, what an obvious statement to start a blog with… Thank you, Mr. Obvious!”, — we hear you saying. No, seriously — have a look through a trove of the most recent data breaches. We can confidently say that at least some of these companies thought the same way before getting breached and losing the data pertaining to tens of millions of customers — so what do we do?
Thankfully, there is a solution to many database security problems. Educate yourself on the most common security mistakes to avoid and you will put yourself on a good path!
The Most Common Database Security Mistakes
So, what are the most common security pitfalls in databases? Most of the time, they fall into the five categories that follow.
Note: The security issues below are the main ones you should be wary of. There are, of course, others, but those aren’t as dangerous. Protect your databases from these attacks and you should be on a good path!
Time to analyze the most common database security mistakes!
1. Injection Attacks
As weird as it may be, injection attacks have been at the top of the pile of database security issues for more than a decade, and I suspect they will remain there for some time to come. They will remain there at least until developers become savvy enough to stop passing user input straight into a database.

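The mistake the post describes is concatenating user input into the SQL text. The following added example (not code from the original post) shows the vulnerable pattern beside the parameterized one, using Python’s built-in sqlite3 module against a constructed in-memory table; the table, names and the crafted input are all assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demonstration (not from any real system).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # User input is spliced into the SQL text, so the input can rewrite the query.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the
    # statement, so whatever the user typed is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = build_db()
    # A lookup for a user that does not exist, with a quote and a tautology
    # appended: the vulnerable version returns every row, the safe one none.
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, crafted),
        "safe": find_user_safe(conn, crafted),
        "normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The fix is not escaping quotes by hand; it is keeping the statement and the values separate, which every mainstream driver supports through placeholders such as the `?` above.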
2. Broken Access Control
You know how we always say that you should ensure that the users accessing your database only possess the necessary privileges? We don’t say that without a reason; both injection and broken access control sit at the top of the OWASP list of security threats targeting applications, and broken access control has to do with, well, broken access control.
A broken access control check often looks like this:

See the problem here? Once we click the login button, we only check whether the username and password fields are filled in. If they are, we log the user in. What about checking the username and the password against a record in the database? I’m not even talking about password hashing here… Can you type? You’re now logged in!
This type of database security error is crazy easy to prevent — yet, as we can see from the security threats outlined in OWASP and other security bulletins, some developers couldn’t care less. We can only guess why…
3. Cryptographic Failures
While this one isn’t exclusively related to database security issues, cryptographic failures can be seen in many data breaches (have a gander at how many recent data breaches hashed their passwords with something like SHA1 or, worse yet, didn’t hash them at all), and we think that part of the problem here is that developers are less educated on security than on development.
All security engineers will know that BCrypt or Blowfish is a more viable choice when compared to something like MD5 or SHA1, but some developers won’t give a damn. That’s not because they’re lazy — they might just not fully grasp what it is.
Don’t even get us started about password salting: salts are very useful because in the event of a data breach, they would increase the time an attacker takes to crack (“unhash”) all of the password hashes in question. Be aware of the way you hash your passwords, folks! If not necessary, don’t store them at all.
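The login blunder from the previous section and the hashing advice here are two halves of the same routine, so one added example serves both (this is illustrative code, not the post’s own). It contrasts the “are the fields filled in?” check with a login that looks the user up, verifies a per-user salted PBKDF2-HMAC-SHA256 hash in constant time, and returns the account’s role for later privilege checks. The in-memory table, the sample accounts and the iteration count are assumptions; bcrypt, which the post names, needs a third-party package, so the standard library’s PBKDF2 stands in for it here.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption for the demo: PBKDF2-HMAC-SHA256 with a high iteration count.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    # A random 16-byte salt per user means two identical passwords produce
    # different hashes, so a leaked table cannot be cracked with one shared
    # precomputed lookup; each hash has to be attacked on its own.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def build_db():
    # Constructed sample accounts; note both use the same password on purpose.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)"
    )
    for name, password, role in [("alice", "correct horse", "admin"),
                                 ("bob", "correct horse", "user")]:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, digest, role))
    return conn


def login_broken(username, password):
    # The pattern the post describes: any non-empty pair is "logged in".
    return bool(username and password)


def login_checked(conn, username, password):
    # Look the account up, recompute the hash with the stored salt and compare
    # in constant time. Returns the role on success, None otherwise.
    row = conn.execute(
        "SELECT salt, pw_hash, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored, role = row
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    return role


def authorize(role, action):
    # Access control lives on the server side, keyed on the verified role,
    # never on a flag the client sends along with the request.
    allowed = {"admin": {"read", "write", "drop_table"}, "user": {"read"}}
    return action in allowed.get(role, set())


def salts_differ(conn):
    # Same password, different salt: the stored hashes must not match.
    rows = conn.execute("SELECT pw_hash FROM users").fetchall()
    return rows[0][0] != rows[1][0]


if __name__ == "__main__":
    db = build_db()
    print("broken check accepts anything:", login_broken("x", "y"))
    print("alice/correct:", login_checked(db, "alice", "correct horse"))
    print("bob/wrong:", login_checked(db, "bob", "wrong"))
    print("hashes differ despite same password:", salts_differ(db))
```

`hmac.compare_digest` matters because a plain `==` on the digests can leak, through timing, how many leading bytes matched; the role that comes back from `login_checked` is what every later privilege check should be based on.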
4. Security Logging and Monitoring Failures
This is yet another blunder of many developers and database engineers. Many of them will know how to protect their applications from injection attacks or how to hash passwords, but neglect logging. Without logs, how would they know when an attacker has logged in using an administrative account? Ask the administrator in question? Yeah, right. Log and monitor, or face the consequences.
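To make the “how would you know an attacker used the admin account?” question concrete, here is an added example (not from the original post) that parses a few constructed JSON-lines audit events and raises two of the alerts a monitor would want: a successful administrative login from a source that is not on the known list, and a burst of failed logins from one source. The log format, the addresses and the thresholds are assumptions made for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form (not from any real system).
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01", "event": "login", "user": "alice", "role": "admin", "ok": true, "src": "10.0.0.5"}
{"ts": "2024-05-01T10:00:05", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:09", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:14", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:20", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:27", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:40", "event": "login", "user": "bob", "role": "user", "ok": false, "src": "198.51.100.7"}
{"ts": "2024-05-01T10:01:10", "event": "login", "user": "alice", "role": "admin", "ok": true, "src": "203.0.113.9"}
{"ts": "2024-05-01T10:01:15", "event": "query", "user": "alice", "role": "admin", "ok": true, "src": "203.0.113.9", "stmt": "SELECT * FROM users"}
"""


def parse_log(text):
    # One JSON object per line; blank lines are skipped.
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_admin_logins(events, known_admin_sources):
    # Successful logins with the admin role from a source outside the allow-list.
    return [
        e for e in events
        if e["event"] == "login" and e["ok"] and e["role"] == "admin"
        and e["src"] not in known_admin_sources
    ]


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    # Flag any source with at least `threshold` failed logins inside `window`
    # (sliding window over the sorted timestamps of that source).
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login" and not e["ok"]:
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_admin_logins(evts, {"10.0.0.5"}):
        print("ALERT admin login from unexpected source:", e["ts"], e["src"])
    for src in find_failure_bursts(evts):
        print("ALERT failed-login burst from:", src)
```

The two rules deliberately read different fields: the burst rule only needs outcome, source and time, while the admin rule needs the role, which is why the role has to be written into the log at authentication time rather than reconstructed later.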
5. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
Again, these security issues aren’t directly related to your database and they are more geared towards your applications (XSS appears due to an unfiltered user input and CSRF allows an attacker to execute unwanted actions on behalf of the user).
Regardless, both of these security flaws are no less dangerous to your database, because a frequent end goal for attackers in these cases is access to your database internals; after they gain access, they exfiltrate data. That data then often ends up in data breach search engines, and after that, well, you see “Your password is wrong.” when logging into Meta or other services. That’s bad…
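Both flaws are closed at the application layer rather than in the database. The added example below (illustrative code, not the post’s own) shows the two defences the post alludes to: HTML-encoding database content before it is rendered, so stored text can never become markup, and a per-session CSRF token that a state-changing request must carry. The server secret, session identifiers and the delete-account handler are assumptions for the demonstration.

```python
import hashlib
import hmac
import html
import os
import secrets

# Assumption: a per-deployment secret held only on the server.
SECRET_KEY = os.urandom(32)


def render_comment(text):
    # Output encoding for XSS: whatever was stored in the database is shown as
    # text, so a comment containing tags renders as literal characters.
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def issue_csrf_token(session_id):
    # Token = random nonce + HMAC over (session, nonce). Binding it to the
    # session means a token obtained in one session is useless in another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    # Recompute the MAC for this session and compare in constant time.
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_delete_account(session_id, form):
    # A cross-site request arrives with the victim's cookies but cannot read
    # the page that holds the token, so it fails this check.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected"
    return "deleted"


if __name__ == "__main__":
    print(render_comment('<script>alert(1)</script>'))
    token = issue_csrf_token("session-A")
    print("same session:", handle_delete_account("session-A", {"csrf_token": token}))
    print("other session:", handle_delete_account("session-B", {"csrf_token": token}))
    print("no token:", handle_delete_account("session-A", {}))
```

Web frameworks ship both pieces (template auto-escaping and CSRF middleware, usually with token expiry on top); the point of writing them out is to see that neither depends on anything the database does.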
Protecting Your Database and Application
“Protect your applications from these attacks and you should be on a good path” may be easier said than done. Many will wonder how exactly they should protect their applications and databases from the attacks outlined in this blog. Everything’s simple. Follow this advice:
These things will become a good starting point for both you and your database: follow this advice and you will set both your application and database on a good path. Alternatively, read books like “Hacking MySQL: Breaking, Optimizing, and Securing MySQL for Your Use Case” or attend industry conferences like Database Frontiers, and you should be good to go.
Summary
In this blog, you’ve learned that the biggest database security flaws include “vanilla” security issues like injection but also other application-based attacks like broken access control, XSS, CSRF, and others, as well as security logging and monitoring failures.
Thankfully, these security issues can be easily squashed — avoid providing user input straight into a database, filter user input, stay updated on the OWASP Top 10 and you should be good to go.
FAQ
How to improve database security?
Improve database security by reading books on these subjects and applying the knowledge within to your database, being aware of security threats like those outlined in the OWASP Top 10, and attending conferences like Database Frontiers.
Will data breach search engines like BreachDirectory help when improving database security?
Unfortunately, the task of data breach search engines is a little different — they protect you from identity theft attacks and not your database from attacks directed towards it — however, register for data breach notifications and you will certainly be aware whenever your account is at risk of identity theft.
Why should I use DbVisualizer?
Consider using a powerful database client like DbVisualizer because it can connect to MySQL, PostgreSQL, SQL Server, MongoDB, and many other database management systems. That means that whatever database management system you find yourself using, it will most likely be covered by the tool. Did we tell you that DbVisualizer also lets you format queries, visualize the data within your database, and perform a wide variety of other tasks? Grab a free trial and start using it today!