[WEB SECURITY] SQL injection and N tier Architecture

maanav maanav.saavadhaan at gmail.com
Tue Feb 5 05:59:09 EST 2013


My 2 cents (please do not view this response as one about the SQL injection
issue, as others have already responded to it; my view is more generic in
nature):-

There are both pros and cons in putting up an N tier solution as a response
to a security problem (you can apply it to any case where N tier solutions
are being proposed):-

Pros
	Properly configured, reconstructing an attack becomes more
informative
	Attack surface is reduced, as you usually have different people
handling different roles
	Easy to implement when security guys are breathing down your neck, as
you already have the infrastructure in place (and easy for security guys to
implement as well, as they can put up a piecemeal approach to the solution)

Cons
	Configuration (logging, setting up required permissions and
maintaining them) is a pain if you speak to the delivery side (e.g.,
developers, client, etc.), as security usually is an afterthought (even
though the winds of change are slowly blowing)
	Incident management becomes a little slow because of communication
headaches (you have to speak to multiple guys to get access to logs and to
analyze them)

Regards
Maanav

-----Original Message-----
From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
Of Infosec
Sent: Tuesday, February 05, 2013 4:27 AM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] SQL injection and N tier Architecture

Hello,

I need to know how different architectures will affect application
security.
For example:

A. Web server and Database server
B. Web server, Application server and Database server

How secure are the above architectures from SQL injection?

I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but still doesn't prevent SQL injection, isn't it?


Regards,
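The question above is whether adding an application tier between the web server and the database does anything against SQL injection. The following example is added here and is not part of either message on this thread; it models the three tiers of option B with a constructed in-memory SQLite database, a web tier that forwards the request parameter to the application tier as a JSON message (an assumed, simplified boundary), and two application-tier handlers: one that concatenates the parameter into the query and one that binds it as a parameter. The tier boundary passes the string through byte-for-byte, so only the handler's query construction decides the outcome. The tautology string is a constructed regression-test input of the kind a defender would keep in a test suite.

```python
import json
import sqlite3


def build_db():
    """Database tier: constructed sample data, not taken from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def web_tier_forward(username: str) -> str:
    """Web tier: wraps the request parameter into a message for the
    application tier. JSON round-trips the string unchanged, so whatever
    the client sent arrives at the next tier exactly as sent."""
    return json.dumps({"op": "lookup_user", "username": username})


def app_tier_vulnerable(conn, message: str):
    """Application tier, defective variant: builds SQL by concatenation.
    The extra tier contributed nothing; the untrusted text is still
    interpreted as part of the query."""
    req = json.loads(message)
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + req["username"]
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def app_tier_safe(conn, message: str):
    """Application tier, hardened variant: the value is bound as a
    parameter, so the database only ever sees it as data."""
    req = json.loads(message)
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY id",
        (req["username"],),
    ).fetchall()


def run_lookup(handler, username: str):
    """Drives a request through all three tiers and returns the rows."""
    conn = build_db()
    try:
        return handler(conn, web_tier_forward(username))
    finally:
        conn.close()


# Constructed test inputs: a normal lookup and a classic tautology string.
BENIGN = "bob"
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    for name, handler in (("vulnerable", app_tier_vulnerable),
                          ("safe", app_tier_safe)):
        print(name, "benign   ->", run_lookup(handler, BENIGN))
        print(name, "tautology->", run_lookup(handler, TAUTOLOGY))
```

Running it shows the concatenating handler returning every row for the tautology input even though the request crossed a web-to-application tier boundary, while the parameterised handler returns no rows because no user is literally named that. That is the practical answer to the question: tiers change where the query is built and who can read the logs, not whether the query is built safely.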
_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
