About The Book
After a brief introduction to database security and why you should even be concerned about it in the first place, the authors provide in-depth looks at Oracle, DB2, Informix, Sybase ASE, MySQL, Microsoft SQL Server and PostgreSQL. Each section analyzes the overall structure and architecture of the database, the methods of finding and exploiting weaknesses in the database, and tips to secure the database to protect it from such exploits.
My Review
Even if some of the attacks or exploits described in the book were previously obscure or unknown, the fact that they have been outlined in this book means that administrators need to know about them and defend against them before the "bad guys" read this book and take advantage of them.
One of the best aspects of this book is the way it is organized. Splitting the book into sections devoted to specific database systems makes it exceptionally simple and convenient to use. If you only use MySQL, you can skip all of the information regarding Oracle or Microsoft SQL Server, and just focus on the section of the book that applies to you.
Within each section, the authors provide a tremendous wealth of knowledge. Aside from describing weaknesses, potential exploits and protective measures to defend against them, they also look at the general architecture and the methods of authentication used by the database.
Any database admin should have a copy of this on their desk.


