Connection Strings Contains Database Name Server Address/Name
May Reveal Network Schema UserName Password
Slide 7
Connection Strings (Where?) Options? In Code Place in Text file
In Application Configuration file Web.Config Application
Settings
Slide 8
Authentication Windows accounts Machine Specific High Security
SQL accounts Portable Less Secure
Slide 9
Permissions Microsoft says use Groups not User Specific rights.
What happens when user leaves? Who is responsible?
Slide 10
Permissions One Database = One Owner Lowest possible
Permissions Segregation of Duties Read Write
Slide 11
Storing Data Minimum Size Data Type Sproc Data Types match
Slide 12
SQL Injections Source: http://xkcd.com/327/
Slide 13
PrincipleImplementation Never trust user input Validate all
textbox entries using validation controls, regular expressions,
code, and so on Never use dynamic SQLUse parameterized SQL or
stored procedures Never connect to a database using an admin-level
account Use a limited access account to connect to the database
Don't store secrets in plain text Encrypt or hash passwords and
other sensitive data; you should also encrypt connection strings
Exceptions should divulge minimal information Don't reveal too much
information in error messages; use customErrors to display minimal
information in the event of unhandled error; set debug to false
Basic Rules
Slide 14
Injections Inputs Example Critical Information Outputs
Sanitization
Slide 15
Handling Inputs Never trust the user. DropDown Lists ListBoxes
Tables Query Strings Hidden Fields
Slide 16
Login Forms Login UserName Password LoginCancel X
Slide 17
Dynamic SQL //This code is susceptible to SQL injection
attacks. Dim strQry As String strQry = "SELECT Count(*) FROM Users
WHERE UserName='" & txtUser.Text & "' AND Password='" &
txtPassword.Text & "'"
Slide 18
What will happen? Login or 1=1 -- ********* UserName Password
LoginCancel X
Slide 19
Critical Information Passwords Strong Hashing Salts Other
Information Hashing Salts
Slide 20
Handling Outputs Know what you are showing off What data is
shown? Always validate authority Do not display schema Custom
Tables Careful object reuse Errors Exceptions
Slide 21
Validation - Can use ASP.Net validation tools Pros Fast Easy
Cons Javascript False security Know what is running where Always
best to handle in code Sanitization
Slide 22
References Stop SQL Injection Attacks Before They Stop You SQL
Server 2005 Security Best Practices