Follow these steps to ensure that all input passed to database is validated:
1.Identify all sources of input to the database. An application can have various sources of input. Each of these sources is an entry point to your application and can potentially be used to break your application's security model. Determine all sources of input that are eventually pushed to the database.
Potential sources of input in a web application typically include:
◦URL based parameters
◦Form based parameters
◦Hidden fields
◦Cookies
◦HTTP headers
◦Data stored on the local filesystem
◦Database
◦Other related services
2.Verify that validators have been used to check the input. Check that a content-specific validator has been placed at each entry point.
Each database input source should have a data validation routine associated with it. Ideally the validation will occur as soon as the input reaches your application. Shared validation routines are better than creating many spread throughout your code base, so check for consolidation of routines to aid testing. If a database input source does not have a validation routine associated with it, flag it for fixing.
3.Ensure that type-safe parameters and stored procedures are used. Check that stored procedures and parametrized queries have been implemented instead of using the input values directly in constructing dynamic SQL queries as the latter is prone to SQL injection.
4.Ensure that database entry paths have been audited. Get a 3rd party reviewer to verify that all the database input paths have been identified and that validators have been correctly implemented for all entry points.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment