websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] Database Configuration cheat sheet

Jim Manico
Thu, Feb 9, 2012 7:36 PM

Must remove privileges to several vendor-specific SQL functions,
especially the OS command functions that will enable command injection
by way of SQL injection.

  • Jim

Hello List - I was putting together a cheat sheet on security considerations
of a database account for a web application. I know I am overlooking a few
points, so I thought I would reach out to the community to add to the list.

Here is what I have put so far

Database Configuration Cheat Sheet

  1. Windows Authentication should be preferred over SQL authentication (if
    possible)
  2. If using SQL Authentication maybe do IP binding? (thoughts?)
  3. Database passwords should not be stored in cleartext in the configuration
    file
  4. Database credentials should not be hard coded in the code
  5. Application should not connect to the database with an admin account
  6. Application account should have least privileges
  7. Application account should not have access to any system tables or stored
    procedures
  8. Application account should not have privileges like Drop Table, Create
    Stored Procedure or Triggers

Thoughts/Comments?

Thanks,

Anurag Agarwal
MyAppSecurity
Cell - 919-244-0803
Email - anurag@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity
Twitter: https://twitter.com/#!/myappsecurity


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

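Jim's point about vendor-specific OS-command functions, together with items 5 to 8 of Anurag's list, worked through as an added T-SQL example. This is not code from either post; it targets Microsoft SQL Server because the list contrasts Windows and SQL authentication, and the database, login, role and object names (AppDb, CORP\svc_webapp, app_role, dbo.Orders, dbo.usp_GetOrder) are placeholders chosen for illustration.

```sql
-- Added example, not from the original thread. All names below are
-- placeholders: AppDb, CORP\svc_webapp, app_role, dbo.Orders, dbo.usp_GetOrder.

-- 1. Turn off the OS-command surface instance-wide. xp_cmdshell is the
--    classic pivot from SQL injection to OS command execution, and the
--    OLE Automation procedures (sp_OACreate etc.) offer the same reach.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 2. A dedicated login for the application. Windows authentication with a
--    domain service account (cheat sheet item 1) means no password lives in
--    the web.config at all. The SQL-auth alternative is shown commented out.
USE master;
CREATE LOGIN [CORP\svc_webapp] FROM WINDOWS;
-- CREATE LOGIN app_svc WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;

-- 3. Map the login to a database user and a role that carries only the
--    rights the application actually exercises. No db_owner, no
--    db_ddladmin: without DDL rights, DROP TABLE, CREATE PROCEDURE and
--    CREATE TRIGGER (item 8) are simply unavailable to an injected query.
USE AppDb;
CREATE USER svc_webapp FOR LOGIN [CORP\svc_webapp];
CREATE ROLE app_role;
ALTER ROLE app_role ADD MEMBER svc_webapp;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_role;
GRANT EXECUTE ON dbo.usp_GetOrder TO app_role;

-- 4. Belt and braces for Jim's point: even if an administrator re-enables
--    xp_cmdshell later, this login still cannot reach it. The DENY is set
--    on a user mapped into master, where the extended procedures live.
USE master;
CREATE USER svc_webapp FOR LOGIN [CORP\svc_webapp];
DENY EXECUTE ON dbo.xp_cmdshell TO svc_webapp;
DENY EXECUTE ON dbo.sp_OACreate TO svc_webapp;
DENY EXECUTE ON dbo.sp_OAMethod TO svc_webapp;
DENY EXECUTE ON dbo.xp_regwrite TO svc_webapp;

-- 5. Verify the effective rights by impersonating the application login.
EXECUTE AS LOGIN = 'CORP\svc_webapp';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;             -- expect 0
SELECT permission_name
  FROM fn_my_permissions(NULL, 'SERVER');                       -- expect CONNECT SQL only
SELECT HAS_PERMS_BY_NAME('master.dbo.xp_cmdshell', 'OBJECT', 'EXECUTE')
       AS can_run_xp_cmdshell;                                  -- expect 0
SELECT HAS_PERMS_BY_NAME('AppDb', 'DATABASE', 'ALTER')
       AS can_alter_db;                                         -- expect 0 (no DDL)
REVERT;
```

The sp_configure step is instance-wide and reversible by any sysadmin, which is why step 4 adds an explicit DENY for the application login rather than relying on the server option alone; run the checks in step 5 after every deployment that touches permissions. On item 2 of the list: SQL Server has no per-login IP binding setting, so restricting where a login may connect from is done with a host firewall rule on port 1433 or a logon trigger that inspects the client address from EVENTDATA().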