My 2 cents (please do not view this response as one for an SQL injection issue, as others have already responded to it; my view is more generic in nature):
There are both pros and cons in putting up an N-tier solution as a response to a security problem (you can apply it to any case where N-tier solutions are being proposed):
Pros:
- Properly configured, reconstructing an attack becomes more informative.
- Attack surface is reduced, as you usually have different people handling different roles.
- Easy to implement when security guys are breathing down your neck, as you already have the infrastructure in place (and easy for security guys to implement as well, as they can put up a piecemeal approach to the solution).
Cons:
- Configuration (logging, setting up required permissions and maintaining them) is a pain if you speak to the delivery side (e.g., developers, client, etc.), as security usually is an afterthought (even though the winds of change are slowly blowing).
- Incident management becomes a little slow because of communication headaches (you have to speak to multiple guys to get access to logs and to analyze them).
Regards
Maanav
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Infosec
Sent: Tuesday, February 05, 2013 4:27 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] SQL injection and N tier Architecture
Hello,
I need to know how different architectures will affect application security.
For example:
A. Web server and Database server
B. Web server, Application server and Database server
How secure are the above architectures from SQL injection?
I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but still doesn't prevent SQL injection, isn't it?
Regards,
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Hi all,
Actually I'm wondering about N-tier from a security point of view.
I was focusing on the application itself and never thought about the architecture.
You answered my question.
Thank you all for your cooperation.
Regards,
On Feb 5, 2013, at 5:01 AM, Nahuel Grisolia nahuel.grisolia@gmail.com wrote:
Hey there!
I believe he's trying to ask the following:
Why use a 3-tier scheme if, with an SQL injection issue, the attacker is able to "take over" the DB, or with a command injection control the app server... and/or with some kind of vulnerability like the one for Apache you can play with the web server infra?
Maybe he's wondering that... don't really know.
cheers, Nahu.-
On Feb 4, 2013, at 9:51 PM, Jim Manico jim@manico.net wrote:
You are barking up the wrong tree. SQL injection is a coding issue, tell your devs to use parameterized queries.
-phil
@bsdwiz
On Feb 4, 2013, at 4:56 PM, Infosec infosecm@gmail.com wrote:
Hello,
I need to know how different architectures will affect application security.
For example:
A. Web server and Database server
B. Web server, Application server and Database server
How secure are the above architectures from SQL injection?
I know multi-tier is more secure, but I need more explanation.
Multi-tier is more secure, but still doesn't prevent SQL injection, isn't it?
Regards,
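Jim's point, that SQL injection lives in the code that builds the query and not in how many tiers sit between the browser and the database, is easiest to see with the two query styles side by side. The following is an added example, not code from anyone on this thread; it uses Python's sqlite3 module against a constructed in-memory users table, and the function names (lookup_unsafe, lookup_parameterized, compare) are mine. The same comparison holds whichever tier the lookup function is deployed in.

```python
import sqlite3

# Constructed sample data standing in for the database tier.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "o'brien", "obrien@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation.

    The caller's input becomes part of the SQL text itself, so any quote
    character in it changes the statement's structure. Moving this function
    to a separate application server changes nothing about that.
    """
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Sends the SQL text and the value separately.

    The driver binds the value to the placeholder after the statement has
    been parsed, so the input can only ever be compared as data.
    """
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each returns.

    If the concatenated version produces malformed SQL, the error text is
    returned in place of rows so the caller can see the failure mode.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = lookup_parameterized(conn, name)
    conn.close()
    return {"unsafe": unsafe, "parameterized": safe}


if __name__ == "__main__":
    # A plain name: both versions agree.
    print(compare("bob"))
    # A legitimate name containing a quote: the concatenated query is now
    # malformed and fails, while the bound parameter matches the stored row.
    print(compare("o'brien"))
    # A constructed tautology input: the concatenated query's WHERE clause is
    # rewritten and returns every row; the parameterized query returns none,
    # because no user is literally named that.
    print(compare("' OR '1'='1"))
```

The third case is the one the thread is about: the only thing that decided the outcome was whether the value travelled inside the SQL text or beside it. A database account with least privilege and tier-level logging (Maanav's pros) limit what a successful injection can reach and how well it can be reconstructed afterwards, but they do not change which of the two functions above is exploitable.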