Chapter 6
Database Development
Database development is a key part of building many types of applications. Some examples include:
- Website
- Wordpress
- OrangeHRM
- Learning Management Systems (LMS)
- E-Commerce
- Email server
- APIs
- Anything built on a LAMP Stack or WAMP Stack
A LAMP Stack includes the following technologies:
- Linux
- Apache (webserver)
- MySQL or MariaDB
- PHP
A WAMP Stack includes everything listed above but swaps Linux for Windows.
Why are Databases Important?
Database functions
Databases provide developers with a structured data storage solution that is easily accessible and can be queried for information matching specific criteria stored within the database. One of the features that makes a database an ideal storage solution is that it can handle multiple concurrent requests. This is done by locking the data for the duration of one request and unlocking it for the next request.
Although MySQL is one of the most well known database applications, some other database applications are the following:
- PostgreSQL
- SQLite
- MongoDB
- And many others
MySQL, PostgreSQL, and SQLite all have different ways of connecting and querying to their respective databases. Some include:
- SSH connection and querying from a CLI
- Graphical applications with connections
- Code libraries for the following languages:
- Java
- PHP
- Python
- Ruby
Database Security
Depending on the production environment, a database is one of the prized possessions sought by an adversary. (Aside: the only assets I view as higher bounties for adversaries are the following: Active Directory (LDAP for Windows/Microsoft authentication of users) and Domain Controller access). A database can store multitudes of data, including but not limited to:
- Usernames
- Passwords (plain text or hashed, for example with the Message Digest 5 (MD5) algorithm)
- Personal information
- Domain-specific/highly sensitive information (see the Office of Personnel Management breach)
When securing a database, the following steps should be implemented:
- Use prepared (sanitized) inputs when accessing a database
- Exercise least privilege for accounts and commands that can be executed by all users
- Prevent unauthorized access
- Limit data manipulation/exfiltration/deletion
- Ensure data integrity within the database’s data
- Backups of the database should be completed regularly and restoration from a backup should be practiced in case of a breach or database compromise
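The first step in the list above, prepared (sanitized) inputs, is easiest to understand side by side with the string concatenation it replaces. The following is an added example, not code from the chapter: the same lookup written both ways against an in-memory SQLite database holding a constructed users table, so it can be run offline with nothing but the Python standard library. The table name, column names and the sample rows are all made up for the example.

```python
"""Added example (not from the chapter): the same user lookup written with
string concatenation and with a prepared (parameterized) statement, run
against an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the value is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both forms with an ordinary input and with a constructed input
    that contains a quote character, and return the four result lists."""
    conn = make_db()
    quoted_input = "' OR '1'='1"  # constructed input containing a quote
    results = {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_quoted": find_user_unsafe(conn, quoted_input),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_quoted": find_user_safe(conn, quoted_input),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the ordinary input both versions return only alice. With the quoted input the concatenated query's WHERE clause no longer filters anything and every row comes back, while the parameterized query simply finds no user whose name is that literal string. The fix is the `?` placeholder plus a bound parameter; no quoting or escaping of the input is done in application code.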
Securing a database should be a top priority of a developer, as the top vulnerability of the Open Web Application Security Project (OWASP) Top 10 is command injection, which includes SQL Injection. With SQLite specifically, permissions can be applied at the following levels to assist with implementing a secure database policy:
- Server level (all databases)
- Database level (table permissions)
- Table level (specific table)
- Column level (column of a table)
With regard to database integrity, a database application should be able to perform the following actions:
- Open connections
- Query
- Close connections
- Return query result
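The four actions above, together with the per-request locking described in the Database functions section, can be seen in a small script. The following is an added example, not code from the chapter: it uses a temporary SQLite file so that two connections share one database, walks through open, query, close and return result, and then shows that a second writer is refused while the first connection still holds the write lock. The accounts table and its rows are constructed for the example.

```python
"""Added example (not from the chapter): the open / query / close / return
lifecycle, plus a demonstration that SQLite serialises writers with a lock,
using a temporary file database shared by two connections."""
import os
import sqlite3
import tempfile


def create_db(path: str) -> None:
    """Open a connection, create a constructed table with one row, commit,
    and close the connection even if something fails."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
        conn.execute("INSERT INTO accounts (owner) VALUES (?)", ("alice",))
        conn.commit()
    finally:
        conn.close()


def query_owners(path: str) -> list:
    """Open, run a read-only query, close, and return the query result."""
    with sqlite3.connect(path) as conn:  # commits or rolls back on exit
        rows = conn.execute("SELECT owner FROM accounts ORDER BY id").fetchall()
    conn.close()  # the context manager does not close the connection itself
    return [row[0] for row in rows]


def concurrent_write_is_blocked(path: str) -> bool:
    """Return True if a second writer is refused while the first connection
    holds the write lock, i.e. requests are serialised rather than mixed."""
    writer = sqlite3.connect(path, isolation_level=None)  # manual transactions
    writer.execute("BEGIN IMMEDIATE")  # take the write lock now
    writer.execute("INSERT INTO accounts (owner) VALUES (?)", ("bob",))

    other = sqlite3.connect(path, timeout=0)  # fail immediately, do not wait
    try:
        other.execute("INSERT INTO accounts (owner) VALUES (?)", ("carol",))
        blocked = False
    except sqlite3.OperationalError as exc:  # "database is locked"
        blocked = "locked" in str(exc)
    finally:
        other.close()

    writer.execute("COMMIT")  # release the lock for the next request
    writer.close()
    return blocked


def demo() -> dict:
    """Run the whole lifecycle in a temporary directory and return what
    happened, so the caller can inspect it without reading printed output."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        create_db(path)
        blocked = concurrent_write_is_blocked(path)
        owners = query_owners(path)
    return {"blocked": blocked, "owners": owners}


if __name__ == "__main__":
    print(demo())
```

Only the row written by the connection that held the lock (bob) is visible afterwards; the competing insert of carol never happened. In production code the same pattern applies with a non-zero `timeout`, so a second request waits briefly for the lock instead of failing, which is what lets a database field many requests without interleaving their changes.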
Conclusion
In conclusion, databases are an integral part of application development and must be treated as such. Until command injection is removed from the OWASP Top 10, there should be an added emphasis on properly securing and maintaining databases so that security incidents do not happen.