Background

If you're going to keep up with the attackers, it's important to have up-to-date sources of information. Here are a few pointers toward good reading material on MySQL security:

  1. Read the MySQL security guidelines at http://dev.mysql.com/doc/mysql/en/Security.html .

    MySQL AB has an extremely responsive security team and they feed back the information they glean from third parties and bug reports into their documentation. Consequently, the security documentation associated with MySQL is very good: up-to-date, fairly comprehensive, and easily understandable. This should be your first port of call for security info relating to MySQL.

  2. Visit http://www.mysql.com/products/mysql/ often, and check for updates.

    MySQL releases new versions of the database frequently. When it does, it always has a comprehensive change log that details everything that was added or fixed in the new version. Often these logs can make interesting reading. It's obviously up to you to decide if you want to upgrade to the latest version (the effort of doing so may not be justified in your particular case), but it's certainly worth monitoring releases to see what's new. If you're at the stage in a project where you have some time to decide on a DBMS and you're looking at MySQL, this is a good place to go for a deeper understanding of which version supports which feature, and what security bugs are present in older versions.

  3. Know your bugs! Check vulnerability databases such as SecurityFocus and ICAT regularly for MySQL bugs, and (if you can stand the noise levels) subscribe to security mailing lists such as VulnWatch, BugTraq, and the MySQL mailing lists.

    SecurityFocus ( http://www.securityfocus.com ) and ICAT ( http://icat.nist.gov/ ) are excellent sources of information on security vulnerabilities. It is also a good idea to subscribe to security mailing lists, because every so often someone will find a security bug in MySQL and occasionally these bugs get posted directly to mailing lists. Depending on your particular circumstances, you might judge it best to be aware of the problems as soon as the information goes public, rather than waiting for a patch to be published.



Database Hacker's Handbook. Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156
