Securing a database

M.-A. Lemburg mal at
Sun Jan 25 23:02:31 CET 2009

On 2009-01-23 08:26, kt83313 at wrote:
> My company provides some services online, which now they are planning
> to make it offline and sell to customers who can use it in their
> networks.
> One of our major moneywinners is some data which is stored in a
> database. Now, this data inside the database was obtained after paying
> through the nose - so the company does not want to disclose the data
> in the DB to the outside world - not to mention the lawsuits which the
> original providers of data will start which will sink the company if
> the data goes out.
> Now, the code is in Python - and we have a big problem. How to secure
> the data in DB? One idea was to encrypt it and store the password in
> the code. I dont believe security through obscurity - and python code
> can easily be reverse-engineered too - right?
> Is it even possible to secure a data in this case?

That depends a lot on what you call "secure". The data will have
to get processed by the CPU one way or another and there are lots
of ways to monitor such operations, either through software (debuggers,
loggers, etc.) or hardware (low-level debuggers, signal analyzers, etc.).

The best you can do is make it just a little harder to get at
the data, ie. implement a simple but non-trivial data protection
mechanism, and then use legal means to protect yourself from
any wrong-doing of your customers.

One way to do this, is by encrypting the data for the database
and decrypting it whenever you start the application. If you
use an in-memory database for the application, this will provide
such a simple but non-trivial data protection scheme.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jan 25 2009)
>>> Python/Zope Consulting and Support ...
>>> mxODBC.Zope.Database.Adapter ...   
>>> mxODBC, mxDateTime, mxTextTools ...

::: Try our new mxODBC.Connect Python Database Interface for free ! :::: Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-list mailing list