Article by Alex Rothacker

Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to provide you with the most up-to-date vulnerabilities, risk and remediation information.

Today we will cover the third database vulnerability - extensive privileges assigned directly to users or indirectly through user groups.

There are two very important concepts that apply to information systems security controls: separation of duties and the principle of least privileges.

Separation of duties manages conflicts of interest and implements an appropriate level of checks and balances on an individual's activities to ensure they do not have toxic privilege combinations.

The principle of least privileges requires that users have the least amount of privileges required to perform their specific tasks - only they the data they need and nothing more.

The process of collecting a comprehensive list of all rights that a user has can become a daunting task. Privileges aren't typically just assigned directly to the users they also inherit privileges from groups or roles they belong to.

In this week's edition of our Database Vulnerability of the day series, we will highlight several important rights, privileges and common groups to look out for when reviewing user and group rights, as well as group membership. We will also let you know how and what to check for to mitigate these risks.

To stay informed on the Top 10 Database Vulnerabilities follow @TeamSHATTER on Twitter.

Alex Rothacker is the manager of Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research). Team SHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.