Threat Modelling for SQL Servers

Bertino, Elisa; Bruschi, Danilo; Franzoni, Stefano; Nai-Fovino, I.; Valtolina, Stefano

doi:10.1007/0-387-24486-7_12

Cited by 10 publications

(8 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even though stored procedures are not usually associated with strong encapsulation principles, they can be very much used to provide an additional layer of access control and to implement arbitrarily complex access control. In particular, the use of stored procedures for improving database security is often recommended among best practices for protecting databases against various types of threats, such as SQL injection [12]. However, the use of stored procedures requires making sure that only those stored procedures are used whose origin and behavior are well-known.…”

Section: Discretionary Access Control Systems For Object-based Databamentioning

confidence: 99%

Database security - concepts, approaches, and challenges

Bertino

Sandhu

2005

IEEE Trans. Dependable and Secure Comput.

Self Cite

339

174

View full text Add to dashboard Cite

Abstract-As organizations increase their reliance on, possibly distributed, information systems for daily business, they become more vulnerable to security breaches even as they gain productivity and efficiency advantages. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must be taken into account in order to specify effective access control policies. Also, techniques for data integrity and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security concerns, the "disintermediation" of access to data, new computing paradigms and applications, such as grid-based computing and ondemand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches. In this paper, we first survey the most relevant concepts underlying the notion of database security and summarize the most well-known techniques. We focus on access control systems, on which a large body of research has been devoted, and describe the key access control models, namely, the discretionary and mandatory access control models, and the role-based access control (RBAC) model. We also discuss security for advanced data management systems, and cover topics such as access control for XML. We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.Index Terms-Data confindentiality, data privacy, relational and object databases, XML. ae 1I NTRODUCTIONA S organizations increase their adoption of database systems as the key data management technology for day-to-day operations and decision making, the security of data managed by these systems becomes crucial. Damage and misuse of data affect not only a single user or application, but may have disastrous consequences on the entire organization. The recent rapid proliferation of Webbased applications and information systems have further increased the risk exposure of databases and, thus, data protection is today more crucial than ever. It is also important to appreciate that data needs to be protected not only from external threats, but also from insider threats.Security breaches are typically categorized as unauthorized data observation, incorrect data modification, and data unavailability. Unauthorized data observation results in the disclosure of information to users no...

show abstract

Section: Discretionary Access Control Systems For Object-based Databamentioning

confidence: 99%

Database security - concepts, approaches, and challenges

Bertino

Sandhu

2005

IEEE Trans. Dependable and Secure Comput.

Self Cite

339

174

View full text Add to dashboard Cite

show abstract

“…The aim of this project is to provide an application developer with a tool that allows him to prevent the exploitation of a broad range of threats. Several academic teams investigated common threats in five areas, each focusing on one particular technological building block for web applications [1,2,3,4]. One of these is the smart card, and in particular the electronic identity card (elD card).…”

Section: Introductionmentioning

confidence: 99%

Threat Modelling for Security Tokens in Web Applications

Cock

Wouters

Schellekens

et al. 2005

IFIP — The International Federation for Information Processing

View full text Add to dashboard Cite

Abstract:In the last couple of years, several European countries have started projects which intend to provide their citizens with electronic identity cards, driven by the European Directive on Electronic Signatures. One can expect that within a few years, these smart cards will be used in a wide variety of applications. In this paper, we describe the common threats that can be identified when using security tokens such as smart cards in web applications. We illustrate each of these threats with a few attack scenarios. This paper is part of a series of papers, written by several academic teams. Each paper focuses on one particular technological building block for web applications.

show abstract

“…Swiderski and Snyder [25] introduced the concept of threat modeling, and a structured approach for identifying, evaluating and mitigating risks to system security. A similar approach has been proposed for web application environments [4]. Several general purpose tools have been developed, including Microsoft's Security Assessment Tool [20] and Citicus [6].…”

Section: The State Of the Artmentioning

confidence: 99%

A Service-Oriented Approach for Assessing Infrastructure Security

Masera¹,

Fovino²

IFIP International Federation for Information Processing

View full text Add to dashboard Cite

The pervasive use of information and communication technologies (ICT) in critical infrastructures requires security assessment approaches that consider the highly interconnected nature of ICT systems. Several approaches incorporate the relationships between structural and functional descriptions and security goals, and associate vulnerabilities with known attacks. However, these methodologies are typically based on the analysis of local problems. This paper proposes a methodology that systematically correlates and analyzes structural, functional and security information. The security assessment of critical infrastructure systems is enhanced using a service-oriented perspective, which focuses the analysis on the concept of service, linking the interactions among services -modeled as service chains -with vulnerabilities, threats and attacks.

show abstract

Threat Modelling for SQL Servers

Cited by 10 publications

References 1 publication

Database security - concepts, approaches, and challenges

Database security - concepts, approaches, and challenges

Threat Modelling for Security Tokens in Web Applications

A Service-Oriented Approach for Assessing Infrastructure Security

Contact Info

Product

Resources

About