Countermeasures

Database security is one of the most overlooked and underdeveloped methodologies available. In addition to a complete and time-tested hardening policy, we have some solid countermeasures for almost every vulnerability.

1. Stay up to date with patches. For both Microsoft and Oracle, patches and hot fixes are issued regularly. Be sure to download and apply them as soon as they are available. Always test a patch on a mirrored, nonproduction system before applying it. We don't want you to break anything!

2. Apply strong firewall rules. As obvious as it seems, be sure to check your firewall rules from time to time and always block any database access ports, such as TCP and UDP 1434 (MS SQL) and TCP 1521-1530 (Oracle).

3. Input sanitization. As discussed frequently in this book, you must sanitize the input received from a user. The data submitted should be checked for data type (integer, string, and so on) and stripped of any undesirable characters, such as meta-characters.

4. Stored procedure removal. Be sure to remove all stored procedures (including extended stored procedures) from the entire database, including Master. These seemingly innocuous scripts can help topple even the mightiest of secure databases.

5. Stored procedure use. Whenever possible, turn repeatedly used SQL code into a stored procedure. Doing so limits the SQL code that needs to be managed in the ASP file and reduces the exposure to input validation attacks.

6. Session encryption. When your database server is separate from your Web server, be sure to encrypt the session stream in some fashion, such as using IPSec native to Windows 2000.

7. Least privilege. Be sure to apply the least privilege needed to get the job done. You should not be using "sa" for access to database files.
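The input sanitization countermeasure (item 3) is the one most often implemented badly, so here is an added worked example that is not from the book: it checks the data type of a submitted user id, allow-lists the characters of a submitted name rather than trying to strip the bad ones, and shows the vulnerable string-splicing lookup beside a hardened version. It goes one step beyond the text by binding the validated value as a query parameter, so the database engine never parses user data as SQL. The table, rows and the `lookup_*` function names are constructed for the demo; it uses Python's built-in sqlite3 module in place of MS SQL or Oracle.

```python
import re
import sqlite3


class InvalidInput(ValueError):
    """Raised when submitted data fails the type or character check."""


def make_db():
    """Constructed in-memory sample table; stands in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def validate_user_id(raw):
    """Data-type check: an id must be a short string of decimal digits, nothing else."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        raise InvalidInput("user id must be a positive integer")
    return int(raw)


NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_name(raw):
    """Character check done as an allow-list: quotes, semicolons and comment
    markers never get through because they are not in the permitted set."""
    if not NAME_RE.fullmatch(raw or ""):
        raise InvalidInput("name may only contain letters, digits and underscore")
    return raw


def lookup_unsafe(conn, raw_name):
    """Vulnerable form: the user-controlled string is spliced into the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % raw_name
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, raw_name):
    """Parameter binding alone: the value is passed as data, so the engine
    compares the whole string literally and no injection is possible."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (raw_name,)
    ).fetchall()


def lookup_safe(conn, raw_name):
    """Hardened form: validate first (item 3), then bind as a parameter."""
    name = validate_name(raw_name)
    return lookup_bound_only(conn, name)


def demo():
    """Run the three lookups against a constructed malformed input and return
    (rows returned by the unsafe form, outcome of the safe form)."""
    conn = make_db()
    malformed = "x' OR '1'='1"          # constructed: a quote that escapes the literal
    unsafe_rows = lookup_unsafe(conn, malformed)   # the OR clause matches every row
    try:
        safe_outcome = lookup_safe(conn, malformed)
    except InvalidInput:
        safe_outcome = "rejected"       # the allow-list stops it before the query
    return len(unsafe_rows), safe_outcome


if __name__ == "__main__":
    print(demo())
```

The two layers are deliberately independent: the allow-list rejects anything that does not look like a name, and parameter binding protects the query even if a future field has to accept quotes (a surname such as O'Brien), where stripping characters would corrupt legitimate data.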


Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156