10 Ways Developers Put Databases At Risk
Some of the most important database protection methods start with developers who tap into sensitive data stores
Many of today's Web applications rely on enterprises' most sensitive data stores to keep order systems running, partner companies collaborating, and internal users in touch with important business information no matter where they are.
[ Learn more about best practices for protecting your databases. See Strategies For Protecting Web-Facing Databases . ]
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- State of Cloud 2011: Time for Process Maturation
- Research: Federal Government Cloud Computing Survey
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Client Windows Migration: Expert Tips for Application Readiness
While such easy access to business-critical data has greatly improved worker productivity and loosened the pocketbooks of customers, it has also opened up that data to considerable risk. Unfortunately, much of the risk is introduced by developers who lack the resources to code these applications without vulnerabilities that open databases to compromise -- be it time, money, education, or support from executives.
When these factors aren't in place, developers frequently make these mistakes:
1. Trusting Input Way Too Much
One of the top ways developers put databases at risk today is by leaving their applications open to SQL injection. And those SQLi vulnerabilities usually crop up when the developer puts too much trust in user input.
"Without validating that, say, a phone number field only accepts digits, a developer may be allowing hackers something analogous to terminal access to the database," says Konstantinos Karagiannis, principal consultant for BT Global Services' Ethical Hacking division. "For example, a single quote inserted in a form field may prematurely close a valid SQL query the application was supposed to make, allowing the attacker to build and submit a new query."
One of the top ways of addressing this problem is by parameterizing queries.
"Parameterized queries prevent attackers from changing the logic or code at the heart of the query and negate most SQL injection attacks," says Jacob West, CTO of Fortify Products at HP Enterprise Security. "Parameterized queries have been around almost as long as databases and, unlike many areas of security, using them is a best practice for performance and code maintainability as well."
But developers shouldn't stop there. Input should be sanitized and validated because sometimes parameterization is not a possibility. Even when it is, unvalidated input can be used for other nefarious purposes, such as cross-site scripting attacks.
"The oldest and worst sin is not sanitizing inputs, which is stripping out any characters not needed from the user input, like removing apostrophes or semicolons, before running a query against the database," says David Habusha, product vice president for GreenSQL.
2. Displaying Database Error Messages To End Users
When developers allow very specific error messages to pop up when something goes wrong with an application's SQL query, it may help with diagnostics, but it is also offering hackers a nice little window into the inner workings of the back-end database.
"This makes attackers' jobs easier by revealing important information about how the database is structured and how the application queries it," says Bill Karwin, principal consultant for Percona.
Error messages can give away clues as to the type of database an application is tapping into, the query structure and the underlying schema, Habusha says.
"This exploit opens the door for a blind SQL injection attack," he says. "Developers should display a generic error page instead."
3. Playing Fast And Loose With Passwords
For the sake of expediency, many developers play fast and loose with user passwords in a number of insecure ways. For example, they may hard-code passwords into the application.
"One of the most egregious database risks are hard-coded passwords and passwords in configuration files," says Tim Erlin, director of IT security risk and strategy for nCircle. "Both of these design choices rely on security through obscurity; they assume the attacker won't have access to this information, and therefore development doesn't have to concern themselves with the security of the files or the information in them."
Similarly dangerous is the practice of storing passwords in plain text.
"A very simple but all too common mistake is storing passwords in plain text, which involves not hashing the user inputted password, and not salting hashes, which entails adding random bits to the hash," says Daniel Jacobowitz, security research engineer for BeyondTrust.
Whichever flavor of poor password management, failing to build strong authentication into applications with a direct line into the database is akin to leaving the door to the bank vault wide open.
4. Making Every Connection SUPER
In the same vein, many developers put databases at risk by routing all connections from the application to the database through a "root" or some other SUPER user account. This is often a frequent problem associated with those applications with hard-coded passwords, as it is too difficult to institute proper privilege management in these cases.
"Ordinary application operations rarely need access granted by the 'super' privilege, and allowing applications to use the super-privileged user creates opportunities for unrestricted actions that are not appropriate," Karwin says. "All applications should connect to the database using lesser-privileged credentials."
5. Believing Stored Procedures Are THE Answer To SQLi
Many developers today believe that stored procedures are a reliable way to prevent SQL injection. Not so, says Dmitry Vyrostkov of DataArt.
"In fact, stored procedures do not prevent SQL injections if they contain vulnerabilities within their own code, or if they are invoked in an unsafe manner," he says.
Romain Guacher agrees that this is a myth that needs busting within the developer community.
"It's not true because string concatenation can happen inside stored procedures," says Gaucher, senior security researcher for Coverity. "Even stored procedure calls that are prepared statements can be vulnerable if dynamic queries are constructed and executed from inside the stored procedure itself."
Next Page: 5 more mistakes.