Often, the SQL Injection payload is designed in a generic manner to impact on more SQL Databases and Database Servers. The Security loophole in most cases lie in poor design of Data Access Code. Although it can be argued that there is much more to it than securing Data Access Code, I'm talking about the majority of such an attack and how imperative it is to secure the Data Access Code.
The impact of an SQL Injection Attack can be on
- The Database ( contents of the DB are compromised )
- The Users (malware injected directly,Users do not know because they trust this website )
The SDL aka Trustworthy computing Security Development Lifecycle ( a process that Microsoft has adopted for the development of software that needs to withstand malicious attack ) is a good thing to adapt and follow.
"Microsoft's experience indicates that the SDL is effective at reducing the incidence of security vulnerabilities. Initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3, and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security, and subsequent software versions, reflecting enhancements to SDL, appear to be showing further improvements in software security" - SDL Conclusion from MS.
Now, a quick look at Securing your Data Access Code, Referred from MSDN SDL Blog and Micheal Howard's Blog(Co-Author of Writing Secure Code).
Use the following in you Data Access Code:
1] SQL Parameterized queries
2] Stored Procedures
3] SQL Execute Only Permission
These are not mere recommendations, They are Requirements!!. More on the nitty-gritty of these techniques can be viewed on the SDL Blog, Micheal Howard's Blog and on the MS Security Research site.
One might argue that SQL Injection Attacks are also mainly due to 'N00b' Developers. This might be partly so. Periodic training for Developers,Testers,Security Analysts on current security issues , best practices from SDL etc is very imperative here. Training is also a strict requirement in the SDL. Afterall, Knowledge is Power, Knowing is dangerous, Knowing is everything...
The impact of an SQL Injection Attack can be on
- The Database ( contents of the DB are compromised )
- The Users (malware injected directly,Users do not know because they trust this website )
The SDL aka Trustworthy computing Security Development Lifecycle ( a process that Microsoft has adopted for the development of software that needs to withstand malicious attack ) is a good thing to adapt and follow.
"Microsoft's experience indicates that the SDL is effective at reducing the incidence of security vulnerabilities. Initial implementation of the SDL (in Windows Server 2003, SQL Server 2000 Service Pack 3, and Exchange 2000 Server Service Pack 3) resulted in significant improvements in software security, and subsequent software versions, reflecting enhancements to SDL, appear to be showing further improvements in software security" - SDL Conclusion from MS.
Now, a quick look at Securing your Data Access Code, Referred from MSDN SDL Blog and Micheal Howard's Blog(Co-Author of Writing Secure Code).
Use the following in you Data Access Code:
1] SQL Parameterized queries
2] Stored Procedures
3] SQL Execute Only Permission
These are not mere recommendations, They are Requirements!!. More on the nitty-gritty of these techniques can be viewed on the SDL Blog, Micheal Howard's Blog and on the MS Security Research site.
One might argue that SQL Injection Attacks are also mainly due to 'N00b' Developers. This might be partly so. Periodic training for Developers,Testers,Security Analysts on current security issues , best practices from SDL etc is very imperative here. Training is also a strict requirement in the SDL. Afterall, Knowledge is Power, Knowing is dangerous, Knowing is everything...
A great rule of thumb for new IT pros is to never skimp on details. The best practices you've listed here are completely sound, especially in emphasizing the SDL. I hope more people see best practices as requirements as much as you do!
ReplyDelete**************
Nico del Castillo
Microsoft Security Outreach Team
www.microsoft.com/hellosecureworld7