Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

12/28/2011
02:54 PM
50%
50%

App And Database Security: Two Halves Of A Whole

Limit application privileges to the database and sanitize input to improve data security

Data security, application security, and database security are like pieces of a puzzle -- different yet still dependent on one another to reach true completion. When they fail together, attack methods such as SQL injection have a far greater impact on an organization. In order to limit the scope of attacks, developers and DBAs need to acknowledge their roles in the process and work together to ensure that Web applications aren't exposing sensitive databases.

This starts by understanding how much the current Web app phenomenon has opened up once-closed databases.

"The days of static content Web sites are a distant memory, and every Web site or Web-based application today is back-ended by some kind of database, whether it’s your bank, your cloud CRM service, your mobile device's app-store, your favorite online shopping site, or your photo collection and blog," says Joe Levy, CTO of Solera Networks. "The front-end application and the back-end database are inextricably bound in our current model, and one simply would not exist without the other."

According to Levy, one of the biggest weaknesses in this model is when the pathways to data aren't properly controlled.

"We expect that the Web application is the sole interface for human interaction with the data, and that an API is the sole interface for machine interaction with the data," he says. "If this is not the case, then there might be insufficient controls of the pathways to the data, and that would be one very basic potential vulnerability. Even if access methods are well-defined, there is still a virtually unlimited number of ways that applications can fail to properly defend their databases." The fact is that the rule of least privilege shouldn't be instituted for only end users. It should also be applied to the applications themselves, says Chris Eng, vice president of research for Veracode.

"All too often, applications are granted excessive privilege to databases that they don't need to operate," he says, explaining that the risks are amplified when multiple applications are granted access to databases used by other applications they don't necessarily need to be tied to. Those types of scenarios give patiently methodical hackers the opportunity to worm their way through a wider range of systems and data.

[What's the best way to provision database users and control access to sensitive data? See Analyzing Data To Pinpoint Rogue Insiders.]

Eng says that developers and DBAs have to come up with a better system for tying the applications into databases.

"It makes sense to chunk it out into better granularity where this application may have only read-only rights or may only have access to this certain table," he says. "People don't do that now because they figure it is just easier to grant as much access as possible so you don't impede the development cycle or application functionality."

If they are given pushback, DBAs have the power to take the driver's seat in this interaction by not giving carte blanche to the developers.

"The DBAs can just simply not allow so much access to be granted," Eng says.

In order to prevent the long arm of hackers from taking advantage out of inevitable Web application vulnerabilities, DBAs also have the power to institute other mitigating controls.

"Until we achieve the lofty goal of fully homomorphic encryption -- where operations can be performed on encrypted data without having to actually decrypt, and thus expose, the data -- our next best bet is to move toward much broader adoption of database encryption, masking, or tokenization. Although this still often requires the data to be decrypted, it provides some defense against the wholesale theft of database contents," says Levy, who adds that, "continuous monitoring of all application-layer and database-layer communications will help to quickly identify and resolve problems, and to accurately determine the scope of any security event."

But as Eng puts it, the onus is not just on the DBAs.

"Developers definitely need to shoulder their share of the responsibility, too," he says.

One important way they can do that is to do a better job of scrubbing user input so they can prevent hackers from having their way with the database information through attacks like SQL injection.

"It is simply unforgivable at this point for any application to not be providing adequate input sanitization," Levy says. "That this is still one of the main causes of breaches a decade after the problem was well-understood is insanity."

Levy recommends organizations start using widely available pen-testing applications. And though Web application firewalls are a good way to mitigate risks, he warns developers to stop using them as a crutch to excuse them from not embedding proper validations in their applications.

"Since waterboarding is neither torture nor unconstitutional, it should be considered as treatment for developers who do not properly sanitize inputs," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
CVE-2021-29452
PUBLISHED: 2021-04-16
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this ...
CVE-2021-29444
PUBLISHED: 2021-04-16
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDec...