The Database Hacker's Handbook: Defending Database Servers
T**C
Attacking Database Servers
This review is only for the Oracle parts of the book. The most interesting chapter is "Attacking Oracle". These guys give the phrase "thinking outside of the box" its real meaning. They look for a feature or bug open to security attack, then they shake it until it breaks. You will see exploits of AUTHID, PL/SQL injections, app. server, the dbms_sql.parse bug, ... most of them relevant to the 9i and 10g versions. The hacks are mainly in the sections called "Real-World Examples". Most of the exploits are already patched by Oracle and they are also available on hacking forums, but there were some new ones that were quite a revelation. The security recommendations in the "Securing Oracle" chapter were too general; you can probably find Internet white papers on hardening Oracle that give more details. But this book is not really about hardening Oracle, even if it says "Defending Database Servers" in small, blue letters on the front cover. This book is about attacking database servers. I have seen David Litchfield's previous work and I am sure he knows (and has tried) more than what is written here. Can we expect to see that in "The Hacker's Handbook" part II?
Q**E
Incredible! I just hope the good guys read it before the black hats do!
This book is simply amazing. I would have expected a book with a handful of descriptions of exploits against the various databases, followed by some lame generalizations about blocking the holes. Instead, this book offers detailed information on the various exploits, and detailed information on how to fix the problems. If you are a DBA of any of the major databases, you NEED to pick up this book sooner rather than later. Now that this book is "on the streets", it's just a question of time before all hell breaks loose :(
D**S
Good theoretical work, but needs update
This book is now ten years old, and it's kind of frightening that it seems to be the most up-to-date work in the field of database hacking. Good sections about the seven largest databases (which mostly still own the field, all this time later). I'm working my way through the section on DB2, as that's my specialty. I'm quite concerned that significant new threats have probably arisen in the ten years since the book's publication, and I'd love to hear that a new edition is planned; but the theoretical background and classification of threats is as valid as ever. One significant lack here -- no discussion of security for mainframe databases (DB2 for z/OS, IMS, CA-IDMS, and presumably others), which hold a significant portion of the world's financial data.
A**R
Five Stars
Really good and in excellent condition
J**G
Five Stars
Completely satisfied.
J**K
You Really Need the 70 Pages on Your Database
Here is a book in which you will probably only be interested in 1/7 of the pages. That means that instead of reading 528 pages you only need to read about 70. But you may really, really need those 70 pages. The reason for this is that the book covers seven of the most common databases: IBM DB2, Oracle, MySQL, PostgreSQL, SQL Server, Sybase, Informix. These programs are so different that what applies to one does not generally apply to the others. Each section of the book covers one of the databases. It usually begins with some history of both the database and attacks on it. For instance, the Slammer worm compromised more than 75,000 SQL Server databases within ten minutes of its release in January 2003. After that there is a discussion of the database, its architecture, how it handles things like authentication and so on. Finally it goes into how to defend the database against attack. This includes information on how to remove unnecessary features and services that might serve as gateways to attacks, and talks about how to use the database's own internal security systems to their maximum effectiveness. As I said, you really need the 70 or so pages that refer to your own database. PS - What's the most secure database? PostgreSQL, and it goes into why.
A**R
old but information packed
The book is a little old but talks about several Oracle exploits and hacks. It opens up your mind.
S**E
Important Book For Database and Security Admins
David Litchfield is arguably the foremost expert and evangelist when it comes to database security. He, and his team of compatriots from Next Generation Security Software, have written a book that any database or security administrator should be familiar with. Even if some of the attacks or exploits described in the book were previously obscure or unknown, the fact that they have been outlined in this book means that administrators need to know about them and defend against them before the "bad guys" read this book and take advantage of them. One of the best aspects of this book is the way it is organized. Splitting the book into sections devoted to specific database systems makes it exceptionally simple and convenient to use. If you only use MySQL, you can skip all of the information regarding Oracle or Microsoft SQL Server, and just focus on the section of the book that applies to you. Within each section, the authors provide a tremendous wealth of knowledge. Aside from describing weaknesses, potential exploits and protective measures to defend against them, they also look at the general architecture and the methods of authentication used by the database. Any database admin should have a copy of this on their desk.
S**E
It's a great book for the time by a fantastic author
It's a great book for the time by a fantastic author, but things have moved on a lot since this was published and it's now very outdated. I think it was around 2005 and much of the content was time sensitive. I still find large sections useful in certain roles, such as permissions, but even some architectural issues raised in this book aren't necessarily still as broken as they are presented here. I wish I'd checked the publishing date before purchasing (my own fault) and I'm hoping a new edition is under consideration. I'd certainly buy it again if it was released.
L**R
Tribute to themselves
Having read about this book in various places, I thought it might be a fruitful addition to my library of hacking literature, especially regarding databases, not least due to the list of authors. The first chapter is nicely written and somewhat informative; however, as soon as the authors start writing on specific database implementations, the book becomes more or less a tribute to themselves. Not only is each chapter far too short, and does not really contain anything new, further issues are...
1. describing a database within no more than 10 pages is futile...
2. listing already known attacks is nothing new to be published... we have sources for that
3. it's nice that the authors have discovered some stuff, but they should stop reminding us with a book all the time...
4. if you print source code, ever heard about explaining/pretty printing it for a book?
5. the contents actually cover only a small percentage of what is possible in hacking databases; in fact, they cover what the authors know and have done/found out, but nothing more - a book should attempt to be complete and sound, at least in its topic... the authors should force themselves to accept other people's work...
Just stay away from that book and save your money. The internet again is your best friend regarding the ridiculously treated topics of this book.
M**O
Four Stars
Good book! An excellent option to acquire a basic knowledge of database hacks
J**N
Hard read but good reference
I bought this book as a reference book on database security. I got the Kindle edition. It's not the most engrossing of subjects and is hard going to read. I suggest anyone who gets this book should know a bit about databases in quite some detail before attempting to read this.