Database Security

The user that the database runs as should not be root and should have least privileges to ensure that any successful exploitation of this account will not lead to full system compromise. Similarly, the user connecting to the database should also have least privileges so the data within the database is at minimal risk.

Database error messages should not be provided to the enduser to minimize the amount of information leakage relating to the database and its contents. Wherever custom error messages are displayed, the cause of the error should be investigated to ensure that blind SQL injection vulnerabilities do not exist within the application. Similarly to data validation, use white list-style validation on user input to ensure that SQL injection vulnerabilities do not exist. Rather than escaping or sanitizing metacharacters, rejecting the request entirely is safest.

Prepared statements can be used to send precompiled SQL statements to the backend database, along with the various validated parameters supplied by the user. The database does not interpret the value of the parameters within prepared statements, leaving the application immune to SQL injection vulnerabilities.

Stored procedures are a similar solution to SQL injection since the exploit string is simply treated as a text parameter within the function. This isolates the web application from making direct SQL queries altogether. Developers shouldn't, however, create dynamic SQL queries and then execute them via a stored procedure. This would bypass the security controls of stored procedures and would allow an attacker to perform SQL injection once again.

Unnecessary functionality, such as irrelevant or insecure stored procedures, increase the risk to an application and should be disabled or removed. This will ensure that attackers are unable to perform actions that were not intended during system design.

For an easy configuration sanity check, scan databases with an authenticated database security scanner to ensure that any insecure default configurations are not present before the system is put into production.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment