SQL: Top Six ACE Security Best Practice to Secured Applications
1. Follow Principle of Least Privilege
a. Utilize access controls and code access security to minimize the privilege level of application user and service accounts.
b. SQL and .NET services should be configured to run with least privilege.
2. Input Validation for All User Input
Do:
a. Constrain input in length, character set and syntax.
b. Execute validation on the server-side.
Do Not:
a. Use only a black list (i.e., a list of unacceptable characters, phrases or words).
b. Perform client-side validation only.
3. Encode all client-supplied data when displaying it as output
a. Utilize HTMLEncode and URLEncode
b. Pay special attention to hidden variables and Response.Redirect
4. Protect Sensitive Information in Transit and Storage—(Passwords, Credit Card Numbers, Product Keys, Encryption Keys and Connection Strings)
a. Utilize IPSec or SSL for transmission.
b. Utilize Rijndael or TripleDES symmetric algorithms with minimum 128-bit key length or Asymmetric algorithms such as RSA with a minimum 1024-bit key length for storage.
c. Encrypt secrets stored in registry as demonstrated in Building Secure ASP.NET Applications.
5. Prevent SQL Injection
a. Employ parametized stored procedures, as well as input validation.
b. Never use dynamic SQL unless the application is required to generate it.
c. If required, dynamic SQL can be written using Sp_Executesql with parameterized variables
6. Restrict Information in Error Messages
a. Always turn off detailed error messages to the clients.
b. Exercise customized (generic) error messages if possible.
c. Maintain an error log.
GetTechieHere...
a. Utilize access controls and code access security to minimize the privilege level of application user and service accounts.
b. SQL and .NET services should be configured to run with least privilege.
2. Input Validation for All User Input
Do:
a. Constrain input in length, character set and syntax.
b. Execute validation on the server-side.
Do Not:
a. Use only a black list (i.e., a list of unacceptable characters, phrases or words).
b. Perform client-side validation only.
3. Encode all client-supplied data when displaying it as output
a. Utilize HTMLEncode and URLEncode
b. Pay special attention to hidden variables and Response.Redirect
4. Protect Sensitive Information in Transit and Storage—(Passwords, Credit Card Numbers, Product Keys, Encryption Keys and Connection Strings)
a. Utilize IPSec or SSL for transmission.
b. Utilize Rijndael or TripleDES symmetric algorithms with minimum 128-bit key length or Asymmetric algorithms such as RSA with a minimum 1024-bit key length for storage.
c. Encrypt secrets stored in registry as demonstrated in Building Secure ASP.NET Applications.
5. Prevent SQL Injection
a. Employ parametized stored procedures, as well as input validation.
b. Never use dynamic SQL unless the application is required to generate it.
c. If required, dynamic SQL can be written using Sp_Executesql with parameterized variables
6. Restrict Information in Error Messages
a. Always turn off detailed error messages to the clients.
b. Exercise customized (generic) error messages if possible.
c. Maintain an error log.
GetTechieHere...
posted by Gomathi Sarma at 1:32 PM
0 Comments:
Post a Comment
<< Home