Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

10:46 PM

10 Ways Developers Put Databases At Risk

Some of the most important database protection methods start with developers who tap into sensitive data stores

Many of today's Web applications rely on enterprises' most sensitive data stores to keep order systems running, partner companies collaborating, and internal users in touch with important business information no matter where they are.

[ Learn more about best practices for protecting your databases. See Strategies For Protecting Web-Facing Databases . ]

While such easy access to business-critical data has greatly improved worker productivity and loosened the pocketbooks of customers, it has also opened up that data to considerable risk. Unfortunately, much of the risk is introduced by developers who lack the resources to code these applications without vulnerabilities that open databases to compromise -- be it time, money, education, or support from executives.

When these factors aren't in place, developers frequently make these mistakes:

1. Trusting Input Way Too Much
One of the top ways developers put databases at risk today is by leaving their applications open to SQL injection. And those SQLi vulnerabilities usually crop up when the developer puts too much trust in user input.

"Without validating that, say, a phone number field only accepts digits, a developer may be allowing hackers something analogous to terminal access to the database," says Konstantinos Karagiannis, principal consultant for BT Global Services' Ethical Hacking division. "For example, a single quote inserted in a form field may prematurely close a valid SQL query the application was supposed to make, allowing the attacker to build and submit a new query."

One of the top ways of addressing this problem is by parameterizing queries.

"Parameterized queries prevent attackers from changing the logic or code at the heart of the query and negate most SQL injection attacks," says Jacob West, CTO of Fortify Products at HP Enterprise Security. "Parameterized queries have been around almost as long as databases and, unlike many areas of security, using them is a best practice for performance and code maintainability as well."

But developers shouldn't stop there. Input should be sanitized and validated because sometimes parameterization is not a possibility. Even when it is, unvalidated input can be used for other nefarious purposes, such as cross-site scripting attacks.

"The oldest and worst sin is not sanitizing inputs, which is stripping out any characters not needed from the user input, like removing apostrophes or semicolons, before running a query against the database," says David Habusha, product vice president for GreenSQL.

2. Displaying Database Error Messages To End Users
When developers allow very specific error messages to pop up when something goes wrong with an application's SQL query, it may help with diagnostics, but it is also offering hackers a nice little window into the inner workings of the back-end database.

"This makes attackers' jobs easier by revealing important information about how the database is structured and how the application queries it," says Bill Karwin, principal consultant for Percona.

Error messages can give away clues as to the type of database an application is tapping into, the query structure and the underlying schema, Habusha says.

"This exploit opens the door for a blind SQL injection attack," he says. "Developers should display a generic error page instead."

3. Playing Fast And Loose With Passwords
For the sake of expediency, many developers play fast and loose with user passwords in a number of insecure ways. For example, they may hard-code passwords into the application.

"One of the most egregious database risks are hard-coded passwords and passwords in configuration files," says Tim Erlin, director of IT security risk and strategy for nCircle. "Both of these design choices rely on security through obscurity; they assume the attacker won't have access to this information, and therefore development doesn't have to concern themselves with the security of the files or the information in them."

Similarly dangerous is the practice of storing passwords in plain text.

"A very simple but all too common mistake is storing passwords in plain text, which involves not hashing the user inputted password, and not salting hashes, which entails adding random bits to the hash," says Daniel Jacobowitz, security research engineer for BeyondTrust.

Whichever flavor of poor password management, failing to build strong authentication into applications with a direct line into the database is akin to leaving the door to the bank vault wide open.

4. Making Every Connection SUPER
In the same vein, many developers put databases at risk by routing all connections from the application to the database through a "root" or some other SUPER user account. This is often a frequent problem associated with those applications with hard-coded passwords, as it is too difficult to institute proper privilege management in these cases.

"Ordinary application operations rarely need access granted by the 'super' privilege, and allowing applications to use the super-privileged user creates opportunities for unrestricted actions that are not appropriate," Karwin says. "All applications should connect to the database using lesser-privileged credentials."

5. Believing Stored Procedures Are THE Answer To SQLi
Many developers today believe that stored procedures are a reliable way to prevent SQL injection. Not so, says Dmitry Vyrostkov of DataArt.

"In fact, stored procedures do not prevent SQL injections if they contain vulnerabilities within their own code, or if they are invoked in an unsafe manner," he says.

Romain Guacher agrees that this is a myth that needs busting within the developer community.

"It's not true because string concatenation can happen inside stored procedures," says Gaucher, senior security researcher for Coverity. "Even stored procedure calls that are prepared statements can be vulnerable if dynamic queries are constructed and executed from inside the stored procedure itself."

Next Page: 5 more mistakes.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd