Sunday, June 22nd, 2008

SQL Injection and separation of duties

Adrian Lane writes in his blog entry about separation of duties on the application level. While I agree with his sentiments I also know how hard it is to do so from the application development side. In most applications, database connections are using connection pooling. Creating such a separation makes the development process a [...]

No Comments » - Posted in SQL injection, security by Slavik

Friday, June 20th, 2008

Mass SQL Injection attack is still out there

Well, it was an interesting day today for us in Sentrigo. One of our customers was being attacked by this mass SQL injection and since our software identified the attack he came to us to help him cope with the situation. As explained in other places, the attack takes advantage of vulnerable web sites and [...]

6 Comments » - Posted in MS SQL Server, SQL injection, security by Slavik

Monday, June 2nd, 2008

So, you think you’ve removed that sensitive data (part II)

As I wrote in a previous post, truncating tables or scrambling content might not remove the actual data from the datafiles. The examples I gave in that post were Oracle related and now I’ll show the same using MS SQL Server 2005. I’d like to thank Dmitriy Geyzerskiy for providing the actual working example.
create database [...]

No Comments » - Posted in DBA, MS SQL Server, insider threat, security, technical tips by Slavik

Monday, May 26th, 2008

So, you think you’ve removed that sensitive data

I had an interesting conversation with Alexander Kornbrust yesterday about cloning databases. Most DBAs I know copy database files from production to create staging, integration and test environments. Those environments contain a lot of sensitive information (PII, CC, etc.) which is usually either deleted, scrambled or truncated. The problem with these solutions is that most [...]

3 Comments » - Posted in DBA, Oracle, insider threat, security, technical tips by Slavik

Wednesday, April 9th, 2008

RSA Conference 2008

It’s been a while since I’ve blogged. Hit a dry spell, I guess. Will try to post more frequently and about some technical issues as well. Anyway, I’m at the RSA conference in San Francisco for the entire week. It’s been a great conference so far with interesting keynotes and sessions. Also, a lot of [...]

No Comments » - Posted in PCI, compliance, credit cards, security by Slavik

Monday, March 17th, 2008

Proactivity vs. Reactivity

Fern Halper, an analyst with Hurwitz & Associates wrote in her blog “Data makes the world go ’round” about database activity monitoring (as well as highlighting some of what my company Sentrigo does).
In the summary of her post she raises an important issue - that most DBAs are reactive rather than proactive when it comes [...]

No Comments » - Posted in monitoring, security by Slavik

Thursday, February 21st, 2008

Chinese Internet Restrictions and the Olympics

Totally unrelated to database security but I’ve read this interesting bit on /. while flying to the US. It got me thinking - how does China prevent people from going to restricted sites like blogger.com? Do Chinese ISPs use some form of IP filtering? Do they parse HTTP and prevent proxies? How about HTTPS? and [...]

1 Comment » - Posted in security by Slavik

Monday, December 3rd, 2007

The need for database security explained in 5 minutes

Mike Rothman (of Security Incite) has a new series of podcasts over on eBizQ (where my VP marketing was interviewed a while back on the same topic). In the latest podcast, the 2nd in the series, Mike interviews Rich Mogull on the topic of database security.
If you didn’t “get it” until now, or if you [...]

No Comments » - Posted in security by Slavik

Sunday, November 4th, 2007

PCI Grows Teeth

The rumors about my death have been greatly exaggerated, to paraphrase Mark Twain. I guess I’m a burst-blogger, at least for as long as I’m also the CTO of a growing start-up.
The credit card companies started to make good on their threats and levy hefty fines like this one issued against TJX and its banks. This [...]

No Comments » - Posted in PCI, TJX, compliance, credit cards by Slavik

Thursday, July 5th, 2007

DBAs are not the enemy, but they too need watching

Back after a short and much needed hiatus, I came across this piece by security analyst Eric Ogren on Computerworld’s website. He discusses how DBAs have become public enemy number one because of compliance mandates to exercise segregation of duties, and how this has been blown out of proportion to other, greater risks.
A few days [...]

3 Comments » - Posted in DBA, breach, insider threat, monitoring, security by Slavik