Database Password and Access Policy PDF

Summary

This document details database security policies, including password management, access controls, backup procedures, and update policies. It covers various aspects of database administration, like encryption and archiving data. The content focuses on best practices for database security.

Full Transcript


Database Password Policy

Do you recall putting in your database connection the user root and the password ""? This blank password means your root username has no password, and everyone can access it.

DB Access Controls Policy

It is ideal to grant limited controls or privileges to specific users of the database.

Database Backup Policy

It is ideal to back up your database on a regular schedule; if your project is a 1-year project, back up once every 2 weeks or once a month.

Recovery Policy

It is ideal to have rules for recovering your database from backup.

Encrypted Password Policy

It is ideal to have the passwords in the database encrypted. This way, not even the developers can see the passwords entered by the users, and neither can potential hackers.

Database Update and Revision Policy

Change happens, more so in software development. This is why we must keep a record of the changes we perform. The usual way to make sure that you are recording the changes well is through changelogs.

Archiving Policy

Deleting rows from a database table is not ideal. The correct way is archiving. To do archiving, the best way is to create a boolean column on your table named archived, which is either true or false (1 or 0), where true or 1 means the row is archived. To make sure that you only get the data that are not archived, you can always query the database with: archived = 0.

Database Access Controls

First off, let us locate where you can manage the access controls in your database. Let us take MySQL as the example because it is the most common of them all. You can find the privileges of all users in the User Accounts tab on your localhost. It is ideal that you have passwords for your database, especially for the root username; this way only authorized users can access your databases. You are free to create your own user accounts in your localhost MySQL, so that you can set privileges for each of them.
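As an added example (not code from the original notes), here is a users table that implements the Encrypted Password Policy and the Archiving Policy above together. It uses Python's built-in sqlite3 in memory as a stand-in for the MySQL server the notes describe (an assumption; the SQL is the same in MySQL apart from the connection). It stores a salted PBKDF2 hash rather than a reversible encryption, because the property the notes want (not even the developers can read the users' passwords) only holds for a one-way hash, and it replaces DELETE with an archived flag that a view applies to every read. Table, column and function names are my own.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # slow on purpose: guessing passwords from a leaked table must be expensive


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the project's MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               id            INTEGER PRIMARY KEY,
               username      TEXT    NOT NULL UNIQUE,
               salt          BLOB    NOT NULL,
               password_hash BLOB    NOT NULL,
               archived      INTEGER NOT NULL DEFAULT 0 CHECK (archived IN (0, 1))
           )"""
    )
    # The notes' rule "archived = 0" applied once, in a view, so no query can forget it.
    conn.execute(
        "CREATE VIEW active_users AS SELECT id, username FROM users WHERE archived = 0"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a new user; the plaintext password never reaches the table."""
    if not password:
        raise ValueError("blank passwords are not allowed")  # the root/"" case from the notes
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Check a login attempt; archived accounts can no longer log in."""
    row = conn.execute(
        "SELECT salt, password_hash FROM users WHERE username = ? AND archived = 0",
        (username,),
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def archive_user(conn: sqlite3.Connection, username: str) -> int:
    """Archiving Policy: flag the row instead of DELETE; returns rows affected."""
    return conn.execute("UPDATE users SET archived = 1 WHERE username = ?", (username,)).rowcount


def active_usernames(conn: sqlite3.Connection) -> list:
    """Read through the view, which already filters on archived = 0."""
    return [r[0] for r in conn.execute("SELECT username FROM active_users ORDER BY username")]


def demo() -> dict:
    """Walk through register, verify and archive; returns the observations."""
    conn = open_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "battery staple")
    archive_user(conn, "bob")
    return {
        "alice_ok": verify(conn, "alice", "correct horse"),
        "alice_wrong": verify(conn, "alice", "wrong"),
        "bob_archived": verify(conn, "bob", "battery staple"),
        "active": active_usernames(conn),
        "rows_kept": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the archived row stays in the table (rows_kept is 2) but disappears from the view and can no longer log in, which is exactly what the notes' archived = 0 rule is meant to achieve without losing the record.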
Ideally it is recommended to have multiple users, each with different privileges, such as:

Project Manager: can have all privileges except ADMINISTRATION privileges
Senior Developer: has all DATA query privileges
Junior Developer: has only the SELECT privilege from the DATA query privileges
Designers: have some privileges from DATA and STRUCTURE

MySQL Privilege Groups

Data

Data privileges are the privileges you can exercise on the ROWS of the database tables, such as: SELECT, INSERT, UPDATE, DELETE, FILE. Usually Data privileges are given to developers who need access to the content of the database rather than its structure, so that the design of the database tables won't be changed and thus the actual design is preserved.

Structure

Structure is where you can change the entire structure of the database tables and even their relationships with other database tables. You can think of the structure as the columns of the database.

Administration

Administration has access to the creation, editing, and deletion of user accounts and their credentials in the databases and the whole MySQL localhost server. Usually this is given to software architects, database administrators, and some project managers.

Resource Limits

There are cases where you also limit the resource usage of users, thus limiting the things they can do at a time. Limit Max queries per hour limits the queries that can be done; this is to avoid buffer overflow. Limit Updates per hour limits the number of updates that can be done, so that the changelogs can record them before further updates.

Information Flow Model

An information flow model describes the flow of data/information within your system. A very good example of it would be data flow diagrams, but data flow diagrams are only a part of the information flow model. Data flow diagrams describe each step of your system's activities, events, and entities, relating them and explaining how data is transferred between entities.
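As an added example (my own code, not the notes' or MySQL's), the role table and resource limits from the Database Access Controls section turned into the MySQL statements an administrator would actually run, plus the review that the Database Auditing section later asks for: existing accounts compared against the same role policy. The role names, the exact privileges chosen for "some privileges" in the designer role, the per-hour limits and the sample account snapshot are all assumptions. The privilege names and the CREATE USER, GRANT and ALTER USER ... WITH syntax are MySQL's own.

```python
# Constructed role policy following the notes' four roles; the privilege names are
# MySQL's. FILE, which the notes list under Data, is left out on purpose: it is a
# global (ON *.*) privilege that lets an account read and write files on the server.
DATA_PRIVS = ("SELECT", "INSERT", "UPDATE", "DELETE")
STRUCTURE_PRIVS = ("CREATE", "ALTER", "DROP", "INDEX", "CREATE VIEW", "SHOW VIEW")
ADMIN_PRIVS = ("CREATE USER", "PROCESS", "RELOAD", "SHUTDOWN", "SUPER")

ROLE_POLICY = {
    "project_manager": DATA_PRIVS + STRUCTURE_PRIVS,      # everything except ADMINISTRATION
    "senior_developer": DATA_PRIVS,                       # all DATA query privileges
    "junior_developer": ("SELECT",),                      # SELECT only
    "designer": ("SELECT", "INSERT", "CREATE", "ALTER"),  # some DATA, some STRUCTURE
}

# Resource limits per role (the numbers are assumptions). In MySQL a limit of 0 means
# "no limit", so never use 0 to mean "forbidden".
RESOURCE_LIMITS = {
    "junior_developer": {"MAX_QUERIES_PER_HOUR": 500, "MAX_UPDATES_PER_HOUR": 50},
    "designer": {"MAX_QUERIES_PER_HOUR": 1000, "MAX_UPDATES_PER_HOUR": 200},
}


def _quote(value: str) -> str:
    """Escape a value for a single-quoted MySQL string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def provisioning_sql(username, role, password, database="project", host="localhost"):
    """Statements that create one account with exactly its role's privileges."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}; administrators are provisioned by hand")
    if not password:
        raise ValueError("blank password refused")  # the root/"" case the notes warn about
    account = f"'{_quote(username)}'@'{_quote(host)}'"
    stmts = [
        f"CREATE USER {account} IDENTIFIED BY '{_quote(password)}';",
        f"GRANT {', '.join(ROLE_POLICY[role])} ON `{database}`.* TO {account};",
    ]
    limits = RESOURCE_LIMITS.get(role)
    if limits:
        clause = " ".join(f"{name} {value}" for name, value in limits.items())
        stmts.append(f"ALTER USER {account} WITH {clause};")
    return stmts


def audit_accounts(accounts):
    """Compare existing accounts with the policy; returns (account, finding) pairs."""
    findings = []
    for acct in accounts:
        who = f"{acct['user']}@{acct['host']}"
        held = set(acct["privileges"])
        if not acct["has_password"]:
            findings.append((who, "no password set"))
        if acct["host"] == "%":
            findings.append((who, "may connect from any host"))
        if acct["role"] == "administrator":
            continue  # administrators hold everything by design
        if "ALL PRIVILEGES" in held:
            findings.append((who, "holds ALL PRIVILEGES"))
            continue
        admin_held = sorted(held & set(ADMIN_PRIVS))
        if admin_held:
            findings.append((who, "holds ADMINISTRATION privileges: " + ", ".join(admin_held)))
        extra = sorted(held - set(ROLE_POLICY.get(acct["role"], ())) - set(ADMIN_PRIVS))
        if extra:
            findings.append((who, "privileges beyond role: " + ", ".join(extra)))
    return findings


# Constructed snapshot of accounts, as an auditor would assemble it from
# SHOW GRANTS and the mysql.user table.
SAMPLE_ACCOUNTS = [
    {"user": "root", "host": "localhost", "role": "administrator",
     "has_password": False, "privileges": {"ALL PRIVILEGES"}},
    {"user": "dana", "host": "localhost", "role": "junior_developer",
     "has_password": True, "privileges": {"SELECT", "DELETE"}},
    {"user": "sam", "host": "%", "role": "senior_developer",
     "has_password": True, "privileges": {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE USER"}},
    {"user": "pat", "host": "localhost", "role": "designer",
     "has_password": True, "privileges": {"SELECT", "INSERT", "CREATE", "ALTER"}},
]

if __name__ == "__main__":
    for stmt in provisioning_sql("dana", "junior_developer", "Gr33n-Tea!"):
        print(stmt)
    for who, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{who}: {finding}")
```

Keeping the policy in one place means the audit cannot drift from what provisioning grants: an account that was given DELETE by hand, or that gained CREATE USER over the years, shows up as a finding on the next review.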
Information Flow Model Security and Integrity: Information

Our goal in all of this is to secure the flow of information between each part of the system. A good way to do this is to draw a flow model or diagram such as the example above, and then ask the question: is it secure? Example: between the Collect Payment entity and the Users entity, are the invoices, statements, payments, and inquiries secure? When the user processes the order, are the user name and user address secure? Is the process of transferring billing information between Process Order and Invoices secure? You have to secure each and every one of these information flows to guarantee overall security. What we did was somewhat of a risk management process: we usually identify the assets, but in this case we identified the information and the flow of information.

Information Flow Model Security and Integrity: Threats

The next question you should ask is: what are the threats involved in the identified information flow? This is done through brainstorming and discussions, and by checking the news and potential threats in your area, country, and type of organization. A lot of it is actually through imagination and thinking of scenarios.

Information Flow Model Security and Integrity: Threat Categorization

Ideally the next step is to categorize each threat by its level of impact and likelihood. Impact is rated as Very Low, Low, Moderate, High, or Very High impact. Likelihood is rated as very unlikely, unlikely, moderately likely, likely, or very likely to occur.

Securing the Database's Flow

A database on its own is actually not that secure. It can be attacked through buffer overflow exploitation. A buffer overflow occurs when a process attempts to write more data to a fixed-length block of memory than it is allowed to hold.
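As an added example (not from the notes), the threat categorization step above carried out on a small register of the information flows named in the notes' example. The two five-level scales are the notes' own; the scoring (impact rank times likelihood rank), the level bands, the flows' threats and their ratings are my assumptions, constructed to show how the categorization orders the work.

```python
# The notes' two five-level scales, lowest first.
IMPACT = ("very low", "low", "moderate", "high", "very high")
LIKELIHOOD = ("very unlikely", "unlikely", "moderately likely", "likely", "very likely")


def risk_score(impact: str, likelihood: str) -> int:
    """Impact rank times likelihood rank, 1..25; raises ValueError for a level not on the scale."""
    return (IMPACT.index(impact) + 1) * (LIKELIHOOD.index(likelihood) + 1)


def risk_level(score: int) -> str:
    """Bands for the 1..25 product (the thresholds are an assumption, not from the notes)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register):
    """Return the register as dicts sorted by descending score, ties broken by higher impact."""
    rows = []
    for flow, information, threat, impact, likelihood in register:
        score = risk_score(impact, likelihood)
        rows.append({"flow": flow, "information": information, "threat": threat,
                     "impact": impact, "likelihood": likelihood,
                     "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: (-r["score"], -IMPACT.index(r["impact"])))


# Constructed register for the flows named in the notes' example:
# (flow, information carried, threat found in brainstorming, impact, likelihood)
SAMPLE_REGISTER = [
    ("Process Order -> Invoices", "billing information",
     "billing data read in transit between the two processes", "very high", "moderately likely"),
    ("Users -> Collect Payment", "payments and inquiries",
     "payment record altered by an account holding more privileges than its role", "very high", "unlikely"),
    ("User -> Process Order", "user name and address",
     "address written to a debug log readable by all developers", "moderate", "likely"),
    ("Backup -> Database", "full copy of all tables",
     "backup file restored or read by someone not authorised", "high", "very unlikely"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r['score']:>2} {r['level']:<8} {r['flow']}: {r['threat']}")
```

The ordering is the point: a moderate-impact threat that is likely (score 12) lands above a very-high-impact one that is unlikely (score 10), which is why the notes ask for both scales rather than impact alone.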
Sometimes a database interacting with another database can also have detrimental effects. This usually happens in huge projects involving multiple teams and multiple databases that start to interact near the halfway point of the project. Sometimes there can be issues between them that create vulnerabilities, so the information flow should be checked and secured.

What Are the Other Components of the Information Flow Model?

An information flow model can include the interactions between server and database, database and system/software, system/software and devices/platform, and device/platform and user. All of these can be seen the other way around as well.

Authorization and Control

Authorization is a privilege provided by the database administrator. Users of the database, be they developers, clients, etc., can only view the contents they are authorized to access. The rest of the database is out of bounds to them. Database authorization actually differs from database to database, and from company to company, depending on whether the database was purposely designed for them or is a general-use database such as MySQL. In our case we will be exploring the more general authorization of a database.

Database Auditing

The main reason organizations perform database auditing is to track the use of database records and the authority of those who have access to them. It is possible to keep track of every action in a database, including which database object or data record was accessed, who performed the action, and when it occurred.

Importance of Auditing

After a few years of use, changes of position, changes of access, new hires, new training and the like, databases can accumulate a lot of changes in the access and authorization of key personnel. That means there is a high chance that someone who is not supposed to have access to the database has it.

Maintain Data Quality

It doesn't matter if you run a tiny business or a giant corporation when it comes to your database.
You have complete control over where your customers' advertising appears online. The more precise the audience targeting you can provide to advertisers, the more they will trust you and remain loyal customers. Here, success depends on having accurate and up-to-date information about your customers.

Compliance with Data Privacy & Protection Regulations

Publishers and advertisers must keep data privacy compliance in mind in today's digital world. As a result of database audits, you'll be able to take advantage of new business prospects with the knowledge that your organization is adhering to regulations.

Reducing Security Risks

It is impossible to exaggerate the importance of security to user trust and customer relationships. Regular database audits mean you're less likely to be attacked or caught off guard by a security breach.

Who Can Perform Database Auditing?

Usually it is performed by the IT security officers and database administrators. Sometimes, when a lot of changes have occurred in the database, a fresh set of database authorizations is created that reflects the changes, changing the access of each user.

How to Perform Database Auditing

Database auditing involves checking each and every part of the databases, and who has access to them. If you have hundreds of databases, it will take some time to check all of the authorization levels in those databases, and the people who were given those authorizations.

Testing

We are already aware of the testing phase of any software development cycle: it is when our almost-finished software is tested to check for errors, which are returned to the IT developers to fix. We actually avoid the term "testers"; nowadays we call them quality assurance engineers.

Test Case

A test case is a set of actions executed to verify a particular feature or function of your software application. A test case contains test steps, test data, a precondition and a postcondition, developed for specific test scenarios to verify a requirement.
The test case includes specific variables or conditions, using which a testing engineer can compare expected and actual results to determine whether a software product is functioning as per the requirements of the customer.

Test Scenario

A test scenario is a wider-ranging or more general test description, so that the testers are given a general description of what they are testing. After this they will be given test cases to perform for the test scenario. In other words, the test scenario is within the test cases.

Example of a test scenario with a description of its test cases (take note, this is just a description of test cases; later we will be showing actual test cases). For the test scenario "Test user Login Functionality":

Test Case 1: Check results on entering a valid User ID & Password
Test Case 2: Check results on entering an invalid User ID & Password
Test Case 3: Check the response when the User ID is empty & the Login button is pressed
and many more.

Standard Test Case Format

A test case should be formatted in a way that is easily understood by the tester and can easily be filled in with a response of pass or fail.

Performing Tests and Creating Test Cases

[Example test case table; only the expected-result cell survived extraction: "User fails to access and an invalid password error is prompted".]

Performing quality assurance testing is a very meticulous process: a lot of details need to be handled one by one, and it takes a lot of time to create and perform the tests, but it is the most crucial part of delivering a successful system. Ideally, it is best to try as many test cases as possible in a scenario to ensure that there are no errors once the system is deployed. This is actually impossible, but the best way to approach it is to try to think like someone trying to exploit the system. This is where IT security provides possible inputs, and where the test case writer becomes creative.

Few Rules in Test Case Making

Here are a few rules to follow in the creation of test cases:

1. Test cases should not be created or performed by the developer, since that can cause bias.
2. Test cases should be clear and easily understood.
3. Test cases should cover all the bases that could be used to exploit the system.

Post Test and Post Fix

After the code is fixed, the test cases are returned to the testers and should be tested once again. Sometimes, for the sake of not missing any errors, the whole test scenario is tested again, in case the edited code introduced errors in the other test cases.

Automated Testing

As we mentioned, there are situations where the testing takes around thousands of tests plus months to finish. That is why software development companies now use automated testing. Automated testing just requires you to supply the test cases and the links, or even the coordinates of your mouse button, for the automated tester to exercise the developed system.
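As an added example (not from the notes), the "Test user Login Functionality" scenario written out as actual test cases in the standard format and run automatically, the way the Automated Testing section describes. The system under test is a constructed minimal login function of my own, not the notes' project; the account, its password, the messages and the fourth test case (one of the "many more", checking that an unknown user ID and a wrong password produce the same error) are all assumptions. The runner also takes a different system as an argument so the same cases can be re-run after a fix, as the Post Test and Post Fix section requires.

```python
import hashlib
import hmac

# Constructed system under test (assumption: a minimal login function, not the notes' project).
# The single account stores only a hash, in keeping with the Encrypted Password Policy;
# a real store would also salt and stretch the hash.
_ACCOUNTS = {"alice": hashlib.sha256(b"Spr1ng-2024!").digest()}


def login(user_id: str, password: str) -> tuple:
    """Return (success, message). Unknown users and wrong passwords get the same
    message, so the response does not reveal which user IDs exist."""
    if not user_id:
        return False, "User ID is required"
    if not password:
        return False, "Password is required"
    stored = _ACCOUNTS.get(user_id)
    candidate = hashlib.sha256(password.encode("utf-8")).digest()
    if stored is None or not hmac.compare_digest(stored, candidate):
        return False, "Invalid user ID or password"
    return True, "Login successful"


# Scenario "Test user Login Functionality" as test cases in the standard format:
# id, description, precondition, test data, expected result (postcondition).
TEST_CASES = [
    {"id": "TC1", "description": "Enter valid User ID & Password",
     "precondition": "account alice exists", "data": ("alice", "Spr1ng-2024!"),
     "expected": (True, "Login successful")},
    {"id": "TC2", "description": "Enter invalid User ID & Password",
     "precondition": "account alice exists", "data": ("alice", "wrong-password"),
     "expected": (False, "Invalid user ID or password")},
    {"id": "TC3", "description": "User ID empty & Login button pressed",
     "precondition": "login form shown", "data": ("", "Spr1ng-2024!"),
     "expected": (False, "User ID is required")},
    {"id": "TC4", "description": "Unknown User ID gets the same error as a wrong password",
     "precondition": "no account mallory", "data": ("mallory", "Spr1ng-2024!"),
     "expected": (False, "Invalid user ID or password")},
]


def run_test_cases(cases, system=login) -> list:
    """Execute every case against `system` and record PASS/FAIL with the actual result."""
    results = []
    for case in cases:
        actual = system(*case["data"])
        results.append({"id": case["id"], "description": case["description"],
                        "expected": case["expected"], "actual": actual,
                        "result": "PASS" if actual == case["expected"] else "FAIL"})
    return results


def report(results) -> str:
    """One line per case plus a summary, in the pass/fail form the notes ask for."""
    lines = [f"{r['id']:<4} {r['result']:<4} {r['description']}" for r in results]
    failed = sum(r["result"] == "FAIL" for r in results)
    lines.append(f"{len(results) - failed} passed, {failed} failed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_test_cases(TEST_CASES)))
```

Because the cases are data rather than hand-typed steps, re-running the whole scenario after a fix costs nothing, and a regression in TC2 or TC4 (for example, a rewritten login that accepts any password) is caught the same way the first run would have caught it.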