OWASP Developer Guide

Secure Database Access Checklist

4.2.3 Checklist: Secure Database Access

Ensure that access to all data stores is secure, including both relational databases and NoSQL databases.

Refer to proactive control C3: Secure Database Access for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

1. Secure queries

Use Query Parameterization to prevent untrusted input being interpreted as part of a SQL command
Use strongly typed parameterized queries
Utilize input validation and output encoding and be sure to address meta characters
Do not run the database command if input validation fails
Ensure that variables are strongly typed
Connection strings should not be hard coded within the application
Connection strings should be stored in a separate configuration file on a trusted system and they should be encrypted

2. Secure configuration

The application should use the lowest possible level of privilege when accessing the database
Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
Close the database connection as soon as possible
Turn off all unnecessary database functionality
Remove unnecessary default vendor content, for example sample schemas
Disable any default accounts that are not required to support business requirements

3. Secure authentication

Remove or change all default database administrative passwords
The application should connect to the database with different credentials for every trust distinction (for example user, read-only user, guest, administrators)
Use secure credentials for database access

References

OWASP Cheat Sheet: Query Parameterization
OWASP Cheat Sheet: Database Security
OWASP Top 10 Proactive Controls

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

\newpage

Watch Star