Secure Coding Guidelines
These guidelines apply across all database technologies.
They should be used in conjunction with the database-specific Secure Coding Guidelines...
Access Control
"Least Privilege" or "Deny by Default"
Cryptography
Injection
Sanitize Database and Application User Input
Always validate user input received from a database client or application by checking its type, length, format, and range before transmitting it to the database server, to minimize the risk of SQL injection.
All database interaction should go through stored procedures rather than dynamic SQL.
Application users should not hold INSERT, UPDATE, or DELETE privileges on tables; grant them only EXECUTE permission on the stored procedures that implement those operations.
No SQL query in application code should be built by string concatenation.
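The four rules above, as an added example that is not part of the original guidelines: input is checked for type, length, format and range before it is used, and the query is executed with bound parameters so the driver always treats the input as data rather than as SQL text. The example uses Python's sqlite3 module and an in-memory table with constructed sample rows so that it runs offline; on a server such as SQL Server the same SELECT would be wrapped in a stored procedure and the application login granted EXECUTE on that procedure only, exactly as the guideline describes. The table, column and function names are assumptions for the example.

```python
import re
import sqlite3

# Format rule for one input field (assumption for this example): a short
# identifier made of letters, digits, underscore, dot and hyphen only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value):
    """Check type, length and format; return the value or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not 1 <= len(value) <= 32:
        raise ValueError("username length out of range")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains disallowed characters")
    return value


def validate_account_id(value):
    """Check type and range for a numeric identifier (bool is rejected even though it subclasses int)."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("account id must be an integer")
    if not 1 <= value <= 2_147_483_647:
        raise ValueError("account id out of range")
    return value


def build_demo_db():
    """Constructed sample data standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, username, balance) VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250)],
    )
    return conn


def lookup_balance(conn, username):
    """Validate first, then run a parameterized query: the '?' placeholder is
    bound by the driver, so the query text never contains user input."""
    validate_username(username)
    row = conn.execute(
        "SELECT balance FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


def safe_lookup(conn, raw_input):
    """Application-facing wrapper: ('ok', balance) or ('rejected', reason)."""
    try:
        return ("ok", lookup_balance(conn, raw_input))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    db = build_demo_db()
    print(safe_lookup(db, "alice"))          # ('ok', 100)
    print(safe_lookup(db, "carol"))          # ('ok', None)
    print(safe_lookup(db, "a" * 40))         # rejected: length
    print(safe_lookup(db, 42))               # rejected: type
    print(safe_lookup(db, "alice'--"))       # rejected: format
```

The validation layer rejects anything that does not match the expected shape before a connection is even used, and the parameterized call means that even an input which slipped past validation would be compared literally against the column rather than parsed as SQL. Replacing the SELECT with a stored-procedure call changes nothing in this structure; it only moves the query text out of the application and lets the DBA withhold table privileges from the application login.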
Design
Configuration
Vulnerabilities
Identification and Authentication
Software and Data Integrity
Logging and Monitoring
Server-Side Request Forgery
Bibliography
CIS_Microsoft_SQL_Server_2008_R2_Benchmark_v1.5.0
https://owasp.org/
https://owasp.org/www-project-top-ten/
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
https://owasp.org/Top10/A03_2021-Injection/
https://owasp.org/Top10/A04_2021-Insecure_Design/
https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
https://www.owasp.org/index.php/SQL_Injection
https://msdn.microsoft.com/en-us/library/ms161953(v=sql.100).aspx
https://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx