Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Don’t fall victim to Little Bobby Tables: Guide...

Avatar for Gabe Villa Gabe Villa
August 29, 2015
Programming
1
170

Don’t fall victim to Little Bobby Tables: Guide to Developing a Secure Database Application

Is your SQL Server driven application safe? Does your application have 'sa' anywhere in the code? Are you a victim of SQL Injection? If you answer "yes" or "not sure", come see how to secure a SQL Server driven .Net application. Learn about some exploits and vulnerabilities and implementing best practices for securing SQL Server driven applications. See firsthand how to use Object Relation Mappers, MVC.Net and other tips to develop a secure application. Take home the ability to defend your SQL Server and your data at your applications level.

Avatar for Gabe Villa

Gabe Villa

August 29, 2015
Tweet

More Decks by Gabe Villa

See All by Gabe Villa
What’s this ‘Scaffolding a CRUD’ all about? Build a Website from your SQL Database
Avatar for Gabe Villa extofer
0
120

Other Decks in Programming

See All in Programming
新しいモバイルアプリ勉強会(仮)について
Avatar for 上ちょ / uetyo uetyo
1
230
What's new in Adaptive Android development
Avatar for Sungyong An fornewid
0
130
JetBrainsのAI機能の紹介 #jjug
Avatar for yusuke yusuke
0
160
Flutterと Vibe Coding で個人開発!
Avatar for Hayami Shuhei hyshu
0
100
No Install CMS戦略 〜 5年先を見据えたフロントエンド開発を考える / no_install_cms
Avatar for Masahiko Sakakibara rdlabo
0
390
Gemini CLIの"強み"を知る! Gemini CLIとClaude Codeを比較してみた!
Avatar for Kota Hisafuru kotahisafuru
2
660
商品比較サービス「マイベスト」における パーソナライズレコメンドの第一歩
Avatar for Ucchiii ucchiii43
0
230
ご注文の差分はこちらですか? 〜 AWS CDK のいろいろな差分検出と安全なデプロイ
Avatar for Kenji Kono konokenj
4
720
코딩 에이전트 체크리스트: Claude Code ver.
Avatar for nacyot nacyot
0
1k
React は次の10年を生き残れるか:3つのトレンドから考える
Avatar for Yuka O’oka oukayuka
41
16k
CLI ツールを Go ライブラリ として再実装する理由 / Why reimplement a CLI tool as a Go library
Avatar for ktr ktr_0731
3
800
MySQL9でベクトルカラム登場!PHP×AWSでのAI/類似検索はこう変わる
Avatar for Suguru Ohki suguruooki
1
260

Featured

See All Featured
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
301
21k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
328
39k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.7k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.4k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k
Fireside Chat
Avatar for paigeccino paigeccino
37
3.6k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
21k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
72
4.9k

Transcript

  1. Don’t  fall  victim  to  Little  Bobby   Tables Guide  to

     Developing  a  Secure  Database   Application

  2. Please  allow  me  to  introduce  myself… -­ Rolling  Stone,  Sympathy

     For  The  Devil § Gabriel  Villa § Solutions  Architect § MCPD,  ASP.Net Developer § MCTS,  SQL  Server  Database  Development @extofer www.extofer.com

  3. Take  Home  Outline § SQL  Server  Security  Model § Security

     Defense § Writing  Secure  Code § Database  Security  Threats

  4. Database  Security  Threats Privilege  Abuse

  5. Database  Security  Threats Database  Platform  Vulnerabilities

  6. Database  Security  Threats Weak  Audit  Trail

  7. Database  Security  Threats Weak  Authentication

  8. Authentication § Windows  Authentications § Domain  or  local  Windows  Account

    § Active  Directory  Integration § Supports  Groups § Use  Whenever  Possible

  9. Authentication § Mixed  Authentication § Legacy  or  Hard  Coded  Referenced

     Logins § Non  Windows  Clients § Connections  over  Internet

  10. SQL  Server  Security  Model Principal Windows  Users SQL  Logins Roles

    Groups Securables Schemas Windows  Users SQL  Login Database  Users DB  Roles Schemas

  11. Principal § Windows  Authentication § Active  Directory  Integration § Supports

     Groups § User  Whenever  Possible § Mixed  Mode  Authentication § Legacy  or  Hard  Coded  Referenced  Logins § Non  Windows  Clients § Connections  over  Internet

  12. Roles § Group  users  roles  based  on  usage § Database

     Roles  and  Server  Roles § Server  Level  Roles § Sysadmin,  bulkadmin,  securityadmin,   dbcreator

  13. Securables § Using  Schema  to  secure  database  objects § Schema

     is  a  name  space  container § Simplify  Access  Permissions § Group  objects  into  Schemas § Grant  permissions  to  schemas,  not  objects

  14. Write  Secure  Code § DDL  Triggers § Using  Stored  Procedures

      § Parameterize  returns § Check  valid  inputs § Customize  Error  Messages § Using  ORMS

  15. Database  Security  Threats SQL  Injection

  16. None

  17. Thank  you! § Contact  Info § Email  &  Google+:  [email protected]

    § Twitter:  @extofer § Linkedin:  www.linkedin.com/in/gabevilla § Website:  www.extofer.com