Improving Web Application Security by Implementing Database Security

Fri 18 May 2012 Category: Security

Security is about defense-in-depth. It bogles my mind why it is so difficult to implement defense-in-depth security in web applications. 99.9% of applications use a single database account, with root-like privileges. Easiest for the developer of course, and the database is just a data store. It is not understood for what it really is. Your database is your only and last defensive layer that you have before the attacker compromises your data. Use it well.

For example, you can use your database to protect you against high-impact attacks such as SQL-injection.

I created a presentation about this topic a while ago You can download this presentation here:

A short summary of the points made.

  • Truly understand your application and their requirements.
  • Do not create a monolithic application, create separate applications. For example, at least separate front office and back office.
  • Run those applications under different operating system users or ideally on different servers, residing in different network segments.
  • It suddenly makes sense to put your database server in a separate secure network segment as opposed to running it on the same box as the application server.
  • Do not use a single database account with root-like privileges.
  • Create separate database accounts for separate application components. Only assign those privileges required for that application. White-list privileges within the database. This is key.
  • Understand that for end-user authentication, 'select username,password from user' kinda privs is not required!
  • Use stored procedures and functions wisely. By only providing access to functions, views and stored procedures, while preventing access to tables, you can significantly reduce the impact of SQL-injection or other application level security breaches.
  • In any case, understand that an attacker can never obtain more database privileges than the database account used. Even if the entire application server is compromised. This is especially important for your internet-facing applications.
  • Use your database as an extra layer of defense.