Hello List - I was putting together a cheat sheet on security considerations
of a database account for a web application. I know I am overlooking a few
points, so I thought I would reach out to the community to add to the list.
Here is what I have put so far:
Database Configuration Cheat Sheet
- Windows Authentication should be preferred over SQL authentication (if possible)
- If using SQL Authentication, maybe do IP binding? (thoughts?)
- Database passwords should not be stored in cleartext in the configuration file
- Database credentials should not be hard coded in the code
- Application should not connect to the database with an admin account
- Application account should have least privileges
- Application account should not have access to any system tables or stored procedures
- Application account should not have privileges like Drop Table, Create Stored Procedure or Triggers
Thoughts/Comments?
Thanks,
Anurag Agarwal
MyAppSecurity
Cell - 919-244-0803
Email - anurag@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity
Twitter: https://twitter.com/#!/myappsecurity
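As an added example (not part of the original post), the T-SQL below provisions a SQL Server application account along the lines of the cheat sheet: a Windows login, a database user with no fixed-role membership, a role holding only DML on the application's own schema, and explicit denies for schema-changing rights, followed by a check of what the account can actually do. The database, schema, table, domain and account names are placeholders; SQL Server does not bind a login to a source IP on its own, so the "IP binding" item is noted as a host-firewall or logon-trigger concern.

```sql
-- Example only: a least-privilege application account as the cheat sheet
-- describes. AppDb, app, app.Orders, CORP\svc_webapp are placeholder names.
USE [AppDb];
GO

-- Prefer Windows Authentication: a domain service account login means
-- there is no database password to store in config or code at all.
CREATE LOGIN [CORP\svc_webapp] FROM WINDOWS;
GO
-- If SQL Authentication cannot be avoided, enforce the password policy and
-- keep the password in a vault, never in cleartext config:
-- CREATE LOGIN [webapp_sql] WITH PASSWORD = '<from-vault>',
--     CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- Per-login source-IP restriction is not a built-in login option; use the
-- host firewall, or a logon trigger that inspects
-- CONNECTIONPROPERTY('client_net_address') and rolls back unexpected hosts.

-- Database user mapped to the login: no db_owner, no sysadmin, no fixed
-- roles at all ("should not connect with an admin account").
CREATE USER [svc_webapp] FOR LOGIN [CORP\svc_webapp];
GO

-- A role that holds only DML on the application's own schema
-- ("least privileges"). ALTER ROLE ... ADD MEMBER needs SQL Server 2012+;
-- older versions use EXEC sp_addrolemember.
CREATE ROLE [app_dml];
ALTER ROLE [app_dml] ADD MEMBER [svc_webapp];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[app] TO [app_dml];
GO

-- Explicitly deny the rights the cheat sheet lists (Drop Table, Create
-- Stored Procedure, Triggers). DENY wins over any later GRANT, so a future
-- role membership cannot silently widen the account.
DENY CREATE TABLE, CREATE PROCEDURE, CREATE VIEW, CREATE FUNCTION TO [app_dml];
DENY ALTER ON SCHEMA::[app] TO [app_dml];   -- ALTER covers DROP and triggers
-- Limit metadata exposure: catalog views only show objects the user holds
-- some permission on; denying VIEW DEFINITION keeps it that way.
DENY VIEW DEFINITION TO [app_dml];
GO

-- Check: impersonate the account and list its effective permissions.
-- Expect only SELECT/INSERT/UPDATE/DELETE on app.Orders and no
-- CREATE/ALTER entries at database scope.
EXECUTE AS USER = 'svc_webapp';
SELECT permission_name FROM fn_my_permissions('app.Orders', 'OBJECT');
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

Run the two fn_my_permissions checks again after every deployment that touches grants or role membership; a new CREATE or ALTER entry appearing there is the regression to look for.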