OWASP Developer Guide
Secure Database Access Checklist
4.2.3 Checklist: Secure Database Access
Ensure that access to all data stores is secure, including both relational databases and NoSQL databases.
Refer to proactive control C3: Validate all Input & Handle Exceptions and its cheat sheets for more context from the OWASP Top 10 Proactive Controls project, and use the list below as a starting point for a checklist tailored to the individual project.
1. Secure queries
- Use Query Parameterization to prevent untrusted input from being interpreted as part of a SQL command
- Use strongly typed parameterized queries
- Utilize input validation and output encoding, and be sure to handle metacharacters (for example quotes, comment sequences and statement separators)
- Do not run the database command if input validation fails
- Ensure that variables are strongly typed
- Connection strings should not be hard coded within the application
- Connection strings should be stored in a separate configuration file on a trusted system, and the stored credentials should be encrypted
2. Secure configuration
- The application should use the lowest possible level of privilege when accessing the database
- Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
- Close the database connection as soon as possible
- Turn off all unnecessary database functionality
- Remove unnecessary default vendor content, for example sample schemas
- Disable any default accounts that are not required to support business requirements
3. Secure authentication
- Remove or change all default database administrative passwords
- The application should connect to the database with different credentials for every trust distinction (for example user, read-only user, guest, administrators)
- Use strong, unique credentials for database access; do not reuse them across applications or environments
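Sections 2 and 3 above (least privilege, closing connections promptly, and a distinct credential per trust distinction) in one added example that is not part of the OWASP Developer Guide. sqlite3 has no accounts or GRANTs, so its read-only URI mode stands in here for a database role that has been granted SELECT only; in a server database the same shape maps to separate accounts with separate grants. The `DB_FILE` variable name, the role names and the orders table are assumptions of this example.

```python
"""Role-specific database connections (added example).

sqlite3's read-only URI mode stands in for a SELECT-only database account.
The orders table and the sample order are constructed for the demonstration.
"""
import os
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Database location from configuration (DB_FILE is an assumed variable
# name); the default is a scratch file so the example runs anywhere.
_DB_FILE = Path(os.environ.get("DB_FILE") or os.path.join(tempfile.mkdtemp(), "app.db")).resolve()

# One connection string per trust distinction, never a shared superuser.
ROLE_DSN = {
    "reader": _DB_FILE.as_uri() + "?mode=ro",  # read paths: SELECT only
    "writer": _DB_FILE.as_uri() + "?mode=rw",  # write paths: no schema rights in a server DB
}


def connect(role):
    """Open a connection using the credentials of the given trust level."""
    if role not in ROLE_DSN:
        raise ValueError(f"unknown role: {role}")
    return sqlite3.connect(ROLE_DSN[role], uri=True)


def init_schema():
    """Schema changes are an administrative task done outside the app roles."""
    with closing(sqlite3.connect(str(_DB_FILE))) as admin:
        admin.execute(
            "CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, item TEXT, qty INTEGER)"
        )
        admin.execute("DELETE FROM orders")
        admin.commit()


def create_order(item, qty):
    """Write path: uses the writer role and closes as soon as the write is done."""
    with closing(connect("writer")) as conn:
        conn.execute("INSERT INTO orders (item, qty) VALUES (?, ?)", (item, qty))
        conn.commit()


def list_orders():
    """Read path: uses the read-only role."""
    with closing(connect("reader")) as conn:
        return conn.execute("SELECT item, qty FROM orders ORDER BY id").fetchall()


def attempt_write_as_reader(item):
    """A compromised read path cannot modify data: the engine refuses the write."""
    with closing(connect("reader")) as conn:
        try:
            conn.execute("INSERT INTO orders (item, qty) VALUES (?, 1)", (item,))
            conn.commit()
            return False
        except sqlite3.OperationalError:  # "attempt to write a readonly database"
            return True


def demo():
    init_schema()
    create_order("widget", 2)
    return {
        "orders": list_orders(),
        "reader_write_blocked": attempt_write_as_reader("tampered"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two DSNs is that a SQL injection or logic flaw on a read-only page yields at most a read, not a write or a schema change; the same separation is what the checklist's stored-procedure item buys when base-table permissions are removed from the application accounts.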
References
- OWASP Cheat Sheet: Query Parameterization
- OWASP Cheat Sheet: Database Security
- OWASP Top 10 Proactive Controls
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.