Code Audit Fast Track
Securing Database Drivers
Limiting the Attack Surface
Has either the software engineering or IT team removed all extraneous drivers before the database reaches a production environment?
Is there a policy in place to periodically check for software security updates and patches?
Securing Database Drivers
Are the database drivers you are using set to run in the most secure context available, such as Sandbox mode for Jet drivers?
Is IIS set to record Web server activity?
Are the database drivers recording login attempts?
Securing Databases
Securing the Database Location
Are you using firewalls to restrict access to your application?
Have you evaluated whether you should place the data source in the same environment as the Web server or separated from the Web server behind another firewall?
Ensuring Least Privilege
Do the users, applications, and processes have the minimum required permissions to complete their functions?
Are firewalls restricting the ports available for communication to the smallest required set?
Are you using either IPSec or SSL to restrict which computers can communicate with your database?
Securing the Database
Have you strengthened the sa account’s password?
Have you removed extended stored procedures and netlibs you are not using?
Have you removed all sample databases, sample stored procedures, and sample code from the database before using it in a production environment?
Writing Secure Data Access Code
Connecting to the Data Source
Have you carefully evaluated which authentication method to use and chosen Windows Authentication if feasible?
Are your connection strings protected using encryption and ACLs where applicable?
Have you created and applied roles, groups, and permissions to appropriately restrict the access of your database users?
Preventing SQL Injection
Do the software engineering and programming teams understand the mechanics of an SQL injection attack?
Are there multiple, overlapping mechanisms in the code to prevent SQL injection attacks, such as escaping and filtering input, use of SqlParameters, and proper handling of errors on the server side?
Are there policies in place to periodically research the latest SQL injection attacks to ensure that your code is still protected from new attacks?
Writing Secure SQL
Does query code retrieve the minimum set of required data from the database?
Depending on the needed security of the module, have additional security checks been applied, such as expected result set size or content parameters?
Has the software engineer written code structured to maximize security?
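The following ADO.NET class is an added illustration of the "Preventing SQL Injection" and "Writing Secure SQL" items above; it is not code from this checklist. It assumes a hypothetical Customers table with CustomerId (int, primary key) and Email (nvarchar) columns, and shows a concatenated query next to its parameterized replacement that also selects only the required column, checks the result set size, and keeps database error details on the server.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Hypothetical ADO.NET data-access class (added example, not from the checklist).
// Assumes a Customers table with CustomerId (int, primary key) and Email (nvarchar).
public sealed class CustomerRepository
{
    private readonly string _connectionString;
    public CustomerRepository(string connectionString) { _connectionString = connectionString; }
    // VULNERABLE: the request value is pasted into the SQL text, so whatever the
    // user sends is parsed by SQL Server as part of the statement.
    public string GetEmailUnsafe(string idFromRequest)
    {
        string sql = "SELECT Email FROM Customers WHERE CustomerId = " + idFromRequest;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn)) { conn.Open(); return Convert.ToString(cmd.ExecuteScalar()); }
    }
    // HARDENED: input is validated, the value travels as a typed SqlParameter (never
    // as SQL text), only the needed column is selected, the result set size is
    // checked, and database errors are logged server-side, not returned to the client.
    public string GetEmail(string idFromRequest)
    {
        int customerId;
        if (!int.TryParse(idFromRequest, out customerId) || customerId <= 0)
            throw new ArgumentException("Invalid customer id.");
        const string sql = "SELECT Email FROM Customers WHERE CustomerId = @CustomerId";
        try
        {
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    if (!reader.Read()) return null;                        // no such customer
                    string email = reader.IsDBNull(0) ? null : reader.GetString(0);
                    if (reader.Read()) throw new InvalidOperationException("Unexpected result set size.");
                    return email;                                           // exactly one row, as a key lookup must
                }
            }
        }
        catch (SqlException ex)
        {
            System.Diagnostics.Trace.TraceError("Customer lookup failed: {0}", ex); // detail stays on the server
            throw new ApplicationException("Data access error.");             // generic message to the caller
        }
    }
}
```

The page layer should map the generic ApplicationException to a friendly error page rather than displaying the exception text.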
Reading and Writing to Data Files
Has the application’s file system been locked down using both NTFS and IIS permissions?
If your application creates or reads files on the server, is the user prevented from influencing the name of the file created or read?
If your application creates files based on user action, have precautions been implemented to prevent a user from using excessive amounts of disk space?