Physical Design and Implementation Essay

Submitted By lutaurus23
Words: 1576
Pages: 7

Assignment 6: Physical Design and Implementation

Explain the security mechanisms available for a database and how the data will be protected.
Database security is the most important component of any information system; it is the responsibility of team members and all staff managers, not just information technology professionals. Social engineering is the root cause of most compromised information systems. When employees are not properly informed about information security processes, they become a security liability. It is therefore important that the organization set clear security policy guidelines for its members and communicate them fully.
As the member chosen to guide the security plan, part of my plan covers account types. Database accounts should be set up so that users and applications have the access they need and no more. Allowing a web application to use the database's root administrator account is a huge security violation. The web account should generally not have access to modify the database schema. Likewise, developers should not necessarily have access to drop tables or delete live data.
In addition, database security can be increased by encapsulating business transactions into procedure-driven database transactions. By using custom stored database procedures and functions, the internals of the database are not exposed to the server-side code. If the web server is compromised and an attacker views the code, they will not be able to see the actual table names, field names, or which or how many tables are involved in any given transaction. They will only be able to see the name of a custom procedure, which is useless outside of the database server. Putting the database server on a separate machine that sits behind a firewall will effectively prevent an attacker from gaining vital information about the database schema.
SQL Injection Attacks:
According to Barnett's article (2008), SQL Injection is the most common type of attack on a modern database-driven information system. Attackers can use SQL Injection to steal data and to destroy data and data schemas. This poses a significant threat to an organization's well-being.
However, the good news about SQL Injection is that it is predictable. It is not a new threat, and it should not be a surprise to any serious organization. Steps can be taken to eliminate the threat altogether. The first initiative should emphasize data cleansing. All data entered into an information system from an outside source should be cleansed. This involves escaping quote characters and encoding any HTML or script tags. In addition, data should be validated based on content; for instance, a numeric field should not contain non-numeric data. Developers are responsible for cleansing data before sending it to the database.
However, data cleansing assumes that the software developers and programmers who worked on the system implemented it correctly, in a way that will prevent SQL Injection. Most organizations do not wish to place the security of their data on the shoulders of the software developers alone. Messmer (2008) described an SQL Injection attack on a web site. The article described how devastating the attack was to the company and how the organization acted to prevent such future occurrences. This included the purchase and installation of a third-party utility that would screen data before permitting it to be sent to the database server. This required that the database server and the web server exist on two different machines.
While SQL Injection certainly poses a serious threat to data security and integrity, it is easily mitigated with the use of professional, security-focused development and security tools.
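To make the cleansing and validation points above concrete, here is an added example (not part of the essay) in Python using the built-in sqlite3 module. The Chef rows and the reduced column set are constructed sample data loosely modelled on the essay's Chef table; the function names are my own. It places the defective string-spliced lookup beside a version that validates the numeric field and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed sample rows (assumption): a simplified Chef table.
SAMPLE_CHEFS = [
    (1, "Ana", "Lopez", "Head Chef", 85000.00),
    (2, "Ben", "Osei", "Sous Chef", 62000.00),
    (3, "Cai", "Wen", "Pastry Chef", 58000.00),
]


def make_db():
    # In-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Chef (chef_id INTEGER PRIMARY KEY, first_name TEXT NOT NULL, "
        "last_name TEXT NOT NULL, title TEXT NOT NULL, salary REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO Chef VALUES (?, ?, ?, ?, ?)", SAMPLE_CHEFS)
    return conn


def lookup_unsafe(conn, chef_id):
    # The defect the essay warns about: untrusted input spliced into the SQL text,
    # so the database parses whatever the caller supplied as part of the statement.
    sql = "SELECT chef_id, first_name, last_name FROM Chef WHERE chef_id = " + chef_id
    return conn.execute(sql).fetchall()


def validate_numeric(value):
    # Content validation: a numeric field must contain only digits (essay's rule).
    if not re.fullmatch(r"\d+", value):
        raise ValueError(f"chef_id must be numeric, got {value!r}")
    return int(value)


def lookup_safe(conn, chef_id):
    # Validation first, then parameter binding: the driver sends the value separately
    # from the statement text, so quotes or keywords in the input are never parsed as SQL.
    cid = validate_numeric(chef_id)
    sql = "SELECT chef_id, first_name, last_name FROM Chef WHERE chef_id = ?"
    return conn.execute(sql, (cid,)).fetchall()


def demo():
    conn = make_db()
    bad_input = "2 OR 1=1"  # constructed test input: non-numeric, so it must be rejected
    unsafe_rows = lookup_unsafe(conn, bad_input)  # the spliced query returns every chef
    try:
        lookup_safe(conn, bad_input)
        rejected = False
    except ValueError:
        rejected = True
    return {"unsafe_count": len(unsafe_rows), "safe_good": lookup_safe(conn, "2"), "rejected": rejected}
```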

SQL:
CREATE TABLE Chef (
    chef_id NUMBER PRIMARY KEY,
    first_name VARCHAR2(50) NOT NULL,
    last_name VARCHAR2(50) NOT NULL,
    title VARCHAR2(50) NOT NULL,
    salary NUMBER(8,2) NOT NULL,
    address VARCHAR2(200) NOT NULL,
    city VARCHAR2(100) NOT NULL,