I am new to network security and was wondering how the SQL language relates to network security, if at all. I figure you have to have a code in which to hack, right?
Allow me to welcome you to network security. I think you’ll find a fascinating career is ahead of you -- it’s ever-changing and fast-paced, to say the least.
A strict definition of network security would imply security at what’s traditionally considered a network layer in the OSI model. A slightly more liberal approach would say this is anything below the session layer (transport, network, data link and physical layer). Neither definition would include the SQL language in the argument, but that doesn’t mean you don’t need to be aware of both.
To have a secure application (SQL, Web, etc.), you need security at many layers. All companies need to protect the foundational layers -- the physical layers which transmit the 1’s and 0’s that make up modern communication. This is as basic as running network cables through conduit to prevent eavesdropping or interruptions. It also includes locking down physical hardware such as routers, switches and even the servers themselves. The primary goal here is availability -- ensuring the data links remain up at all times, with secondary goals of confidentiality and data integrity.
As you move up the OSI stack, you need to start thinking about the network and transport layers. These layers need to be protected and are typically protected via network architecture. Network architecture refers to the design and implementation of various network hardware -- routers, switches, intrusion detection/prevention devices, etc. These devices are deployed to ensure hackers do not succeed at breaking open or re-routing traffic through the network.
Encryption can happen at several layers, and your selection of encryption technologies will always depend on the network architecture, data you are protecting and overall network topology. Sometimes the most effective encryption will take place at the data link layer (VPNs, for instance), whereas other times, the better encryption takes place at the session layer (SSL).
However, even the most secure network doesn’t secure an application, and that’s where good development skills come in -- whether that’s HTML, JavaScript or SQL. So once you’ve protected your network, you need to turn your attention to how your application is being developed. It’s ironic that many development teams say, “Sure, we’re secure -- we do everything in SSL,” when in fact their site is a potential sieve simply because it’s been poorly written. Sites like this, while full of security features, lack secure features. This is where the hacking takes place -- injecting code into an application in order to compromise the application’s confidentiality, integrity or availability.
As I’m sure you’re figuring out, there’s a vast body of knowledge on this topic. My first recommendation would be for you to start reading up on the OSI model and on application security. OWASP has a wealth of useful documents and books, all available online for free, which can get you started. If you really want to gain skills and knowledge, I’d recommend you begin reading books and taking courses related to CISSP (Certified Information Systems Security Professional) certification. Even if you’re not able to be CISSP certified, you can benefit from the skills, earn your associate CISSP certification and gain the experience necessary to qualify for the full CISSP certification.
Related Q&A from John Overbaugh