Guarding Against SQL Injection

Securing the database is only part of the security equation: a very important part, but still not the entire picture. DBAs need to educate their developer counterparts on building secure applications that access the data tier. I would go as far as to put in place a security review process for any application that accesses data. As the owner of the data tier, if your application doesn't pass the security review, it's not going to access "my" database.

A new set of tools, released in conjunction with HP and the IIS team, was recently made available to help identify and defend against SQL injection attacks on ASP web sites. Microsoft Security Advisory 954462 (www.microsoft.com/technet/security/advisory/954462.mspx) contains the details of the toolset.

If you're responsible for the back-end data store accessed by an ASP web site, you should download the toolset and run it against your ASP code. One last point: take these steps for applications that are internally accessible as well as those that are externally accessible. It's unfortunate, but not every employee is trustworthy, which means you need to guard against all attack vectors regardless of which side of the firewall they originate on.
