Which Database Is the Most Secure?

All of the databases we cover in this volume have had serious security flaws at some point. Oracle has published 69 security alerts on its "critical patch updates and security alerts" page—though some of these alerts relate to a large number of vulnerabilities, with patch 68 alone accounting for somewhere between 50 and 100 individual bugs. Depending on which repository you search, Microsoft SQL Server and its associated components have been subject to something like 36 serious security issues—though again, some of these patches relate to multiple bugs. According to the ICAT metabase, DB2 has had around 20 published security issues—although the authors of this book have recently worked with IBM to fix a further 13 issues. MySQL has had around 25 issues; Sybase ASE is something of a dark horse with a mere 2 published vulnerabilities. PostgreSQL has had about a dozen. Informix has had about half a dozen, depending on whose count you use.

The problem is that comparing these figures is almost entirely pointless. Different databases receive different levels of scrutiny from security researchers. To date, Microsoft SQL Server and Oracle have probably received the most, which accounts for the large number of issues documented for each of those databases. Some databases have been around for many years, and others are relatively recent. Different databases have different kinds of flaws; some databases are not vulnerable to whole classes of problems that might plague others. Even defining "database" is problematic. Oracle bundles an entire application environment with its database server, with many samples and pre-built applications. Should these applications be considered a part of the database? Is Microsoft's MSDE a different database than SQL Server? They are certainly used in different ways and have a number of differing components, but they were both subject to the UDP Resolution Service bug that was the basis for the "Slammer" worm.

Even if we were able to determine some weighted metric that accounted for age, stability, scrutiny, scope, and severity of published vulnerabilities, we would still be considering only "patchable" issues, rather than the inherent security features provided by the database. Is it fair to directly compare the comprehensive audit capabilities of Oracle with the rather more limited capabilities of MySQL, for instance? Should a database that supports securable views be considered "more secure" than a database that doesn't implement that abstraction? By default, PostgreSQL is possibly the most security-aware database available—but you can't connect to it over the network unless you explicitly enable that functionality. Should we take default configurations into account? The list of criteria is almost endless, and drawing any firm conclusions from it is extremely dangerous.

Ultimately, the more you know about a system, the better you will be able to secure it—up to a limit imposed by the features of that system. It isn't true to say, however, that the system with the most features is the most secure because the more functionality a system has, the more target surface there is for an attacker to abuse. The point of this book is to demonstrate the strengths and weaknesses of the various database systems we're discussing, not—most emphatically not—to determine which is the "most secure."

In the end, the most secure database is the one that you know the most about.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons © 2005

Why Care About Database Security?

Overview

In the introduction, we discussed the reasons why we consider database security to be important. In this chapter, we provide a brief overview of several broad categories of security issues, with a few specific details and some discussion of general defenses. We also briefly discuss how to go about finding security flaws in database systems. Before we do so, we should discuss some emerging trends in database security.

In recent years, with the explosion in web-based commerce and information systems, databases have been drawing ever closer to the network perimeter. This is a necessary consequence of doing business on the Web—you need your customers to have access to your information via your web servers, so your web servers need to have access to your databases. Databases that were previously accessible only via several insulating layers of complex business logic are now directly accessible from the much more fluid—and much less secure—web application environment. The result of this is that the databases are closer to the attackers. With the constant march toward a paperless business environment, database systems are increasingly being used to hold more and more sensitive information, so they present an increasingly valuable target. In recent years, database vendors have been competing with each other to provide the most feature-rich environment they can, with most major systems supporting XML, web services, distributed replication, operating system integration, and a host of other useful features. To cap all of this, the legislative burden in terms of corporate security is increasing, with HIPAA, SOX, GLBA, and California Senate Bill No. 1386 imposing an ever-increasing pressure on companies to ensure that their networks are compliant.

So why care about database security? Because your databases are closer to the attacker, present a more valuable target, have more features to configure, and are more closely regulated than they have ever been before.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons © 2005

Introduction

Why do we care about database security?

If money could be said to exist anywhere in a network, it exists on a database server. When we say that modern economies are reliant on computers, what we really mean is that modern economies are reliant on database systems. Databases are behind the systems that affect almost every aspect of our lives — our bank accounts, medical records, pensions, employment records, phone records, tax records, car registration details, supermarket purchases, our children's school grades — almost every piece of information of significance in our lives is stored in a modern relational database management system. Since this volume covers seven of the most popular relational database systems, chances are that your personal information is currently being stored in the very systems that are the subject of this book.

We (the authors of this volume) consider database security to be the single most important information security issue there is. If database systems — the systems we all implicitly trust to hold our most sensitive data — are not secure, the potential impact on our lives, and even on our broader society, could be devastating.

Why then do we want to publish a book that describes methods for attacking databases? Simply put, we want to put this information into the hands of database administrators, security professionals, and network auditors so that the people whose job it is to defend these systems understand more fully how others attack them. The people we are all defending against already fully understand how to attack databases and networks; their continued liberty depends on that fact. This volume is likely to teach them little they didn't already know. Contrary to what most software vendors would have you believe, finding security bugs isn't very hard. For every bug that an independent researcher reports to a vendor, there are likely to be several bugs that are known to people who don't inform the vendor. We believe that the best way to defend your network — and your databases — against these unknown bugs is to understand in detail the mechanics of the bugs we know about and attempt to create configurations that thwart whole classes of bugs, rather than simply patching and hoping that no one attacks you with a 0-day exploit.

More often than not, securing a database is a matter of applying the tried-and-tested principles that have been used in network security for decades — enforce minimal privilege, reduce "attack surface" by removing unnecessary functionality, be strict about authentication and access controls, separate blocks of functionality into distinct areas, enforce encryption . . . the only real difference is that in a database, all of these mechanisms operate within the miniature world of the database itself.

It's tempting to read vendor literature pertaining to security and be reassured by the plethora of security measures that modern databases implement. Almost all database systems have some notion of privilege, access controls, comprehensive audit facilities, and controlled access to system components. Database vendors vie with each other to obtain security certifications that prove that they have appropriately implemented these mechanisms. The problem is that although these certifications are important, they are only a part of the story, and by no means the most important part.

All of the databases discussed in this volume have been subject to buffer overflows that violate almost all of these security mechanisms. Placing our faith in security standards, evaluations, and accreditations isn't working. It's time to get practical, and that's what this book is all about.

source :

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield et al.

John Wiley & Sons

Free Download Database Tools

Free Download Database Tools

Free virus by Norton Internet Security 2008

Title	Licensi	Size
Crack Killer 1.2 Publisher's description Crack Killer is a database application that enables software authors to track and report web sites hosting cracks, serials and pirated versions of their software. To the program features referred solid database to keep track of active and killed sites; highly configurable SMTP e-mail complaint capabilities; DMCA complaint notice generator; IP check function to help identify relocating and reborn sites; support for multiple companies; HTML and CSV export and import; ability to run SQL queries on the database; database filtering.	Free	1.07 mb
EasyPHP 2.0 beta 1 PHP execution & development tool EasyPHP is a complete software package allowing you to use all the power and the flexibility that dynamic languages like PHP offer, as well as the efficient use of databases. Package includes an Apache server, a MySQL database, a full PHP execution, as well as easy development tools for your web site or your applications.	Free	12.3 Mb
EMS SQL Manager 2005 Lite for SQL Server 2.7 Publisher's description (From EMS Database Management Solutions ): EMS SQL Manager Lite for SQL Server is a light and easy-to-use freeware graphical tool for MS SQL/MSDE administration. It has minimal required set of instruments for those users who are new to MS SQL server and need only it's basic functionality. It makes creating and editing MS SQL Server database objects easy and fast, and allows you to run SQL scripts, manage users and their privileges, simply edit SQL queries. Version 2.7 added more Database properties, DB Explorer: it is now possible to view brief table information in SQL Assistant. Possibility to modify the schema/owner in object editors. Incremental search has been added to a number of object lists.	Free	13.28 mb
Foxy SQL Free 1.1 Execute SQL commands and queries for any database. Publisher's description (From CHARONWARE ): Foxy SQL Free is a database script and query tool designed for DB professionals. It allows them to execute SQL commands and queries against any database. Connections: Native, ODBC, ADO. Supported DB: Oracle, MS SQL, IB, DB2, MySQL, PostgreSQL, Firebird, Sybase ASE and more. Key features: user-friendly interface, syntax highlighting, users can run queries, insert, edit, delete records, browse data. Version 1.1 may include unspecified updates, enhancements, or bug fixes.	Free	1.81 mb
MDB Browser and Editor 2.3 Modify Access databases with this SQL tool and editor. Publisher's description (From Jerry Fugini ): This application can be used to work with tables from databases created in Access 97 or 2000 in a manner similar to FoxPro 2.6. You can open tables or SQLs from a view window, browse, set, create or delete indexes, set relations, copy to text or another table, append from text or another table and delete records. The application does require some knowledge of SQL but makes the operations easier than having to write SQLs. Users can also create, delete and run queries. A help file provides all necessary information on how to use the dialogs.	Free	5.28 mb
Microsoft Data Access Components (MDAC) 2.80.1022.3 Enable universal data access for your Windows-family operating system. (From Microsoft ): Microsoft Data Access Components (MDAC) 2.8 contains core Data Access components such as the Microsoft SQL Server OLE DB provider and ODBC driver. This redistributable installer for the MDAC 2.8 release installs the same Data Access components as Microsoft Windows Server 2003. This release does not include Microsoft Jet, the Microsoft Jet OLE DB Provider or ODBC driver, the Desktop Database ODBC Drivers, or the Visual FoxPro ODBC Driver.	Free	5.3 mb
Microsoft Jet Database Engine 3.5 Update your copy of Microsoft Jet, version 3.51.0623, to version 3.51.3328.0. (From Microsoft ): The Jet35sp3.exe file contains an update of several DLL files that are included with Microsoft Access 97, Microsoft Office 97 Professional Edition, Microsoft Visual Basic (version 5.0 or later), and other products that incorporate Jet 3.5x. Microsoft Jet database engine version 3.51 provides an improved Compact utility that combines Compact and Repair into a single process. Also, the updated version of the Jet database engine generates an error if it encounters a problem during the Compact process, and then creates the table, MSysCompactError, in the destination database.	Free	1.29 mb
SQLyog 7.15 Manage MySQL databases. Publisher's description (From Webyog ): Import data from ODBC datasource, synchronize your database. Execute queries for updation of result. Copy databases between hosts. Generate Schema for your database. Manage Foreign Relationships and all options fully InnoDB compliant. Reorder columns. SQLyog is an easy to use, compact and very fast graphical tool to manage your MySQL database anywhere in the world. SQLyog is a tool that allows you manage MySQL database.	Free	10.53 mb
StarInix Database Compare 2.0.15 Publisher's description (From StarInix ): The Free Database Compare application will allow you to compare the structure of two databases and display all the differences between them. Supported databases include: SQL Server (All Editions), MySQL and Access databases. You can compare two different databases, like access and SQL 2000. It will also allow you to create snapshots of a database and compare a live database to a snapshot. A database structure viewer is included. Version 2.0.15 may include unspecified updates, enhancements, or bug fixes.	Free	3.03 mb
Writer's Database 1.2 Publisher's description (From Ultima Thule ): This program is a database system that enables writers to keep track of the works they have created, the potential publishers they have identified, and any submissions to those publishers. It allows you to quickly and easily see which works are awaiting submission, which submissions are outstanding, and which publishers you have tried. This version features minor bug fixes. Keep track of potential publishers with this databse for writers.	Free	1.53 mb
Next

Database Tools

(from wikipedia free)

A DBMS is a set of software programs that controls the organization, storage, management, and retrieval of data in a database. DBMS are categorized according to their data structures or types. It is a set of prewritten programs that are used to store, update and retrieve a Database. The DBMS accepts requests for data from the application program and instructs the operating system to transfer the appropriate data. When a DBMS is used, information systems can be changed much more easily as the organization's information requirements change. New categories of data can be added to the database without disruption to the existing system.

Organizations may use one kind of DBMS for daily transaction processing and then move the detail onto another computer that uses another DBMS better suited for random inquiries and analysis. Overall systems design decisions are performed by data administrators and systems analysts. Detailed database design is performed by database administrators.

Database servers are computers that hold the actual databases and run only the DBMS and related software. Database servers are usually multiprocessor computers, with generous memory and RAID disk arrays used for stable storage. Connected to one or more servers via a high-speed channel, hardware database accelerators are also used in large volume transaction processing environments. DBMSs are found at the heart of most database applications. Sometimes DBMSs are built around a private multitasking kernel with built-in networking support although nowadays these functions are left to the operating system.