Forem: rakeshvngowda

SQL | DDL, DQL, DML, DCL and TCL Commands

rakeshvngowda — Tue, 30 Apr 2024 15:18:57 +0000

SQL Overview

SQL (Structured Query Language), We can use this language to create database.
SQL contains commands like CREATE,DROP,INSERT, etc. to carry out required tasks

SQL Commands are categorized into five types.

DDL - Data definition Language
DQL - Data Query Language.
DML - Data Manipulation Language.
DCL - Data Control Language.
TCL - Transaction Control Language.

DDL (Data Definition Language)

List of DDL Commands

CREATE - the Command is used to create the database or its objects like (table, index, function, views, stored procedure, and triggers)
DROP - This command is used to delete objects from the database.
ALTER - This is used to alter the structure of the database.
TRUNCATE - This is used to remove all recors from the table, includeing all spaces allocated for the recors are removed.
COMMENT: This is used to add comments to the data dictionary.
RENAME: This is used to rename an object existing in the database.

DQL (Data Query Language)

List of DQL Commands

SELECT : It is used to retrieve data from the database.

DML(Data Manipulation Language)

Deals with manipulation of data present in the database

List of DML commands:

INSERT: It is used to insert data into a table.
UPDATE: It is used to update existing data within a table.
DELETE: It is used to delete records from a database table.
LOCK: Table control concurrency.
CALL: Call a PL/SQL or JAVA subprogram.
EXPLAIN PLAN: It describes the access path to data.

DCL (Data Control Language)

DCL includes commands such as GRANT and REVOKE which mainly deal with the rights, permissions, and other controls of the database system.

List of DCL commands:

GRANT: This command gives users access privileges to the database.
REVOKE: This command withdraws the user’s access privileges given by using the GRANT command.

TCL (Transaction Control Language)

List of TCL Commands:

BEGIN: Opens a Transaction.
COMMIT: Commits a Transaction.
ROLLBACK: Rollbacks a transaction in case of any error occurs
SAVEPOINT: Sets a save point within a transaction.

Data Types in Java

rakeshvngowda — Sun, 25 Feb 2024 03:33:01 +0000

Every variable in Java has a data type.Data types specify the size and type of values that can be stored in an identifier.

In Java Data types are classified into two categories.

Primitive Data type(built-in data type).
Non-Primitive Data type(reference data type).

Primitive Data type.

Java has 8 primitive data types

Integer types

byte - 1byte(8-bits) value range from -128 to 127
short - 2byte(16-bits) value -32768 to 32768
int - 4bytes(32-bits) value from -2147483648 to 2147483647
long - 8bytes(64-bits) value from -9,223,372,036,854,775,808 to 9,223,372,036,854,775,807

public class App 
{
   public static void main(String[] args) {
      // byte type
      byte b = 20;
      System.out.println("byte= "+b);

      // short type
      short s =20;
      System.out.println("short= "+s);

      //int type
      int i =20;
      System.out.println("int= "+i);

      // long type
      long l = 20;
      System.out.println("long= "+l);
   }

}

Floting types

float - 4byte(32-bits) float data type. ex: 0.3f
double - 8byte (64-bits) float data type. ex: 11.123

public class App 
{
   public static void main(String[] args) {
      // float type
      float f = 20.25f;
      System.out.println("float= "+f);

      // double type
      double d = 20.25;
      System.out.println("double= "+d);
   }

}

Character Type

char - 2bytes(16bits) range from 0 to 65,535.
boolean - true or false.

public class App 
{
   public static void main(String[] args) {
      char ch = 'S';
      System.out.println(ch);

      char ch2 = '&';
      System.out.println(ch2);

      char ch3 = '$';
      System.out.println(ch3);
   }

}

XSS attacks types

rakeshvngowda — Mon, 19 Feb 2024 09:38:45 +0000

Cross site scripting(XSS) is a technique that attackers use to insert malicious data into any request or browser-side script that an application sends to web browser.

Using XSS. attackers can:

Deface websites
perform phishing attacks.
Inject malicious links into trusted web pages.
Send confidential information to untrusted websites.

XSS Types:

1. Non-persistent XSS.

During a non-persistent XSS attack, the malicious XSS data is reflected to the targeted web browser. This causes the browser to display unexpected results. A non-persistent XSS attack usually occurs when a user clicks on a malicious link in a web browser or submits a form that contains malicious code.

2.Persistent XSS:

During a persistent XSS attack, the malicious XSS data is stored on the web server the target web browser interacts with.

3.DOM-based XSS:

A DOM-based XSS attack modifies the DOM environment of the page that is displayed in the targeted web browser. This does not affect the HTTP response generated by the page, so the appearance of the page remains unaltered. However, the client-side code associated with the page, exhibits unexpected beavior.

SDLC - Secure Software Development Life Cycle

rakeshvngowda — Mon, 19 Feb 2024 08:58:41 +0000

This approach integrates security into every stage of the software development process. aiming to address vulnerabilities and reduce the risk of security breaches from design to ongoing maintenance.

It aids organizations in developing secure software by integarting security into the development process. reducing security flaws and ensuring a robust product. Adapting secure SDLC practices to organizational needs and providing regular security training is crucial.

Security requirements

The security requirement phase involves the following key activities:

Determining the business functionality requirements of the software including associated security requirements in terms of confidentiality, integrity, availability, and authentication, such as logging, password, integration with identity management servers,etc.
Identifying the data sensitivity (such as personal data,cardholder data, health data.etc) that will be stored, processed. or transmitted by the software, along with corresponding application functions handling the data.
Perform high-level security risk assessments to determine sections of a project that will require security design reviews before release.
Establish baseline standars to identify and fix security faults during development.
Categorize the controls according to physically, procedural, or texhnical means.
Identify the coding tools, techniques and skills required to develop and test the application.

Secure Design

Develop an application architectural plan that includes security requirements.
Classify data according to its sensitivity and define the security controls accordingly.
Consider the authentication and authorization requirements. sensitive data security and privacy requirements.cryptographic controls,dat retention and deletion timelines.
After developing an architectural plan, perform an architecture risk analysis.
Implement a Web Application Firewall(WAF)

Secure Coding

Consider OWASP Top 10, SANS, PCI-DSS, and other industry-recommended best practices for secure code development.
Consider platform-specific coding guidelines related to the development platform such as AEM, SFCC, Android, or iOS.
Only use open-source components, libraries, or third-party codes from trusted sources.
Create input validation checks to verify malicious data.
Handle all errors and exceptions securely.
Create strong authentication, authorization, and session management methods.
Add cryptographic alogithems and menthods, whereve required.
Implement security logging and auditing features.

Testing and verification.

Secure the test environments and protect data used for testing.
Do not use production or Live data in test scripts.
restrict access to code repository to authorized people only.
Perform security vulnerability assessment and penetration test.

Continous Monitoring & Risk Assessment

Configure and enable server security features along with the secure coding.
Update the server OS and packages frequently.
Add security groups to servers.
Use https requests.
Use TLS security for internal servers.

Risk and countermeasures to common web vulnerabilities

rakeshvngowda — Mon, 19 Feb 2024 05:38:28 +0000

Improper Input validation

1.Command Injection.
2.SQL Injection.
3.Cross side scripting.
4.Insecure file upload
5.Buffer Overflow.

Improper Access Control

1.Broken access control.
2.Improper session management.
3.identification and authentication failures.
4.Cross-Site Request Forgery (CSRF).
5.Server-Side Request Forgery.

Security Misconfiguration.

1.Missing platform specific security.
2.Cryptographic failures.
3.Vulnerable and outdated components.
4.Misconfigured SSL/TLS
5.Misconfigured security headers.
* CORS.
* Cache-control directives
* Content Security Policy.

Information Disclosure.

1.Improper error & exception handling.
2.Directory listing.
3.Insecure configurations and settings.
4.Sensitive data exposure.