websecurity@lists.webappsec.org

The Web Security Mailing List


SQL injection and N tier Architecture

maanav
Tue, Feb 5, 2013 10:59 AM

My 2 cents (please do not view this response as one for the SQL injection
issue, as others have already responded to it; my view is more generic in
nature):

There are both pros and cons in putting up an N-tier solution as a response
to a security problem (you can apply this to any case where N-tier solutions
are being proposed):

Pros
- Properly configured, reconstructing an attack becomes more informative.
- Attack surface is reduced, as you usually have different people handling
  different roles.
- Easy to implement when security guys are breathing down your neck, as you
  already have the infrastructure in place (and easy for the security guys to
  implement as well, as they can take a piecemeal approach to the solution).

Cons
- Configuration (logging, setting up the required permissions and maintaining
  them) is a pain if you speak to the delivery side (e.g., developers, client,
  etc.), as security is usually an afterthought (even though the winds of
  change are slowly blowing).
- Incident management becomes a little slow because of communication
  headaches (you have to speak to multiple guys to get access to the logs and
  to analyze them).

Regards
Maanav

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Infosec
Sent: Tuesday, February 05, 2013 4:27 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] SQL injection and N tier Architecture

Hello,

I need to know how the different architectures will affect application
security.
For example:

A. Web server and database server
B. Web server, application server and database server

How secure are the above architectures from SQL injection?

I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but it still doesn't prevent SQL injection, does it?

Regards,


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Infosec
Thu, Feb 7, 2013 9:16 PM

Hi all,

Actually I'm wondering about N-tier from a security point of view.
I was focusing on the application itself and never thought about the architecture.

You answered my question.

Thank you all for your cooperation.

Regards,

On Feb 5, 2013, at 5:01 AM, Nahuel Grisolia nahuel.grisolia@gmail.com wrote:

Hey there!

I believe he's trying to ask the following:

Why use a 3-tier scheme if, with an SQL injection issue, the attacker is able to "take over" the DB, or with a command injection control the app server, and/or with some kind of vulnerability like the one for Apache you can play with the web server infra?

Maybe he's wondering that... don't really know
cheers, Nahu.-

On Feb 4, 2013, at 9:51 PM, Jim Manico jim@manico.net wrote:

I second that notion.

https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

- Jim

You are barking up the wrong tree. SQL injection is a coding issue; tell your devs to use parameterized queries.

-phil
@bsdwiz

On Feb 4, 2013, at 4:56 PM, Infosec infosecm@gmail.com wrote:

Hello,

I need to know how the different architectures will affect application
security.
For example:

A. Web server and database server
B. Web server, application server and database server

How secure are the above architectures from SQL injection?

I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but it still doesn't prevent SQL injection, does it?

Regards,


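The point phil and Jim make above (that SQL injection is a coding issue fixed by parameterized queries, not by adding tiers) is easy to see in code. The following is an added example, not code posted by anyone in the thread: it stands up an in-memory SQLite database as a stand-in for the DB tier, runs the same login lookup once with string concatenation and once with bound parameters, and feeds both the classic tautology payload. The table, the rows and the payload are constructed for the illustration. Whichever tier the concatenating code runs in, the user's text becomes part of the SQL grammar and the DB executes the attacker's clause; with bound parameters the SQL text is fixed and the payload is only ever compared as data.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
SAMPLE_USERS = [
    ("alice", "s3cret", "user"),
    ("bob", "hunter2", "user"),
    ("root", "toor", "admin"),
]

# Attacker-controlled input: the classic tautology payload.
SQLI_PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database; stands in for the DB tier."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Application-tier code that builds SQL by string concatenation.

    It does not matter whether this runs on the web server or on a separate
    application server: the user's text is spliced into the SQL grammar, so
    the DB executes whatever clause the attacker supplied.
    """
    sql = ("SELECT name, role FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The same lookup with bound parameters (the fix recommended in the thread).

    The SQL text is constant; the values travel separately and are compared
    as data, so the payload can never be parsed as SQL.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both versions against an honest login and against the payload."""
    conn = make_db()
    # An honest login succeeds in both versions.
    ok_vuln = login_vulnerable(conn, "alice", "s3cret")
    ok_param = login_parameterized(conn, "alice", "s3cret")
    # With the payload as the password, the concatenated query becomes
    #   ... WHERE name = 'x' AND password = '' OR '1'='1'
    # which is true for every row, so every account (including the admin)
    # comes back. The parameterized query matches nothing.
    bad_vuln = login_vulnerable(conn, "x", SQLI_PAYLOAD)
    bad_param = login_parameterized(conn, "x", SQLI_PAYLOAD)
    conn.close()
    return {
        "honest_vulnerable": ok_vuln,
        "honest_parameterized": ok_param,
        "injected_vulnerable": bad_vuln,
        "injected_parameterized": bad_param,
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows three rows (all users, including the admin) returned by the concatenated version for the injected input and an empty result from the parameterized one. Tiering changes where that query is built, not whether the database trusts it; the separation of tiers still helps with the logging, permissions and blast-radius points Maanav raises, but only bound parameters stop the injection itself.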
