[WEB SECURITY] SQL injection and N tier Architecture

maanav maanav.saavadhaan at gmail.com
Tue Feb 5 05:59:09 EST 2013

My 2 cents (please do not view this response as that for an SQL injection
issue, as others have already responded to it; my view is more generic in

There are both pros and cons in putting up an N tier solution as a response
to a security problem (u can apply it to any case where N tier solutions are
being proposed):-

- Properly configured, reconstructing an attack becomes more
- Attack surface is reduced, as you usually have different people
  handling different roles
- Easy to implement when security guys are breathing down ur neck as u
  already have the infrastructure in place (and easy for security guys to
  implement as well as they can put up a piecemeal approach to the solution)

- Configuration (logging, setting up required permissions and
  maintaining them) is a pain if u speak to the delivery side (e.g.,
  developers, client, etc.) as security usually is an afterthought (even
  though the winds of change are slowly blowing)
- Incident management becomes a little slow because of communication
  headaches (u have to speak to multiple guys to get access to logs and to
  analyze them)


-----Original Message-----
From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
Of Infosec
Sent: Tuesday, February 05, 2013 4:27 AM
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] SQL injection and N tier Architecture


I need to know how the different architecture will effect on application
For example:

A. Web server and Database server
B. Web server, Application server and Database server

How secure are the above architectures from SQL injection?

I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but still doesn't prevent SQL injection, does it?
