Improving Web Application Security: Threats and - CGISecurity


Chapter 14: Building Secure Data Access 395

The code shown above exhibits the following security characteristics (identified by the numbers in the comment lines).

1. The data access code is placed inside a try/catch block. This is essential to prevent the return of system level information to the caller in the event of an exception. The calling ASP.NET Web application or Web service might handle the exception and return a suitably generic error message to the client, but the data access code does not rely on this.

2. Input is validated using a regular expression. The supplied product ID is checked to verify that it contains characters in the range A–Z and 0–9 only, and does not exceed 12 characters. This is the first in a set of countermeasures designed to prevent SQL injection attacks.

3. The SqlConnection object is created inside a C# using statement. This ensures that the connection is closed inside the method regardless of whether an exception occurs. This mitigates the threat of denial of service attacks, which attempt to use all available connections to the database. You can achieve similar functionality by using a finally block.

4. Parameterized stored procedures are used for data access. This is another countermeasure to prevent SQL injection.

5. Detailed error information is not returned to the client. Exception details are logged to assist with problem diagnosis.

6. The encrypted database connection string is stored in the registry. One of the most secure ways of storing database connection strings is to use DPAPI to encrypt the string and store the encrypted cipher text in a secured registry key that has a restricted ACL. (For example, use Administrators: Full Control and ASP.NET or Enterprise Services process account: Read, depending on which process hosts the component.) Other options are discussed in the "Database Connection Strings" section of this chapter.

Note: The code shows how to retrieve the connection string from the registry and then decrypt it using the managed DPAPI helper library. This library is provided in "How To: Create a DPAPI Library" in the "How To" section of "Microsoft patterns & practices Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" at http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT07.asp.
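The six characteristics listed above, pulled together in one data access method as an added C# example (not the book's own code). It assumes a hypothetical registry key, event-log source and stored procedure name, and uses System.Security.Cryptography.ProtectedData in place of the managed DPAPI helper library the note refers to.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Win32;

public class ProductDataAccess
{
    // Hypothetical registry location and event-log source (not taken from the page).
    const string RegKey = @"SOFTWARE\ExampleCorp\ExampleApp";
    const string RegValue = "ConnStr";
    // (2) Allow only A-Z and 0-9, 1 to 12 characters, anchored at both ends.
    static readonly Regex ProductIdPattern = new Regex(@"^[A-Z0-9]{1,12}$");
    public static DataSet GetProductDetails(string productId)
    {
        if (productId == null || !ProductIdPattern.IsMatch(productId))
            throw new ArgumentException("Invalid product ID format.");
        try // (1) data access runs inside try/catch so raw exception details never reach the caller
        {
            // (6) The connection string is DPAPI cipher text under a registry key with a restricted ACL;
            //     ProtectedData stands in for the book's managed DPAPI helper library (assumption).
            byte[] cipherText;
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(RegKey))
                cipherText = (byte[])key.GetValue(RegValue);
            byte[] plain = ProtectedData.Unprotect(cipherText, null, DataProtectionScope.LocalMachine);
            string connStr = Encoding.Unicode.GetString(plain);

            // (3) using closes the connection on every exit path, including exceptions.
            using (SqlConnection conn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand("GetProductDetails", conn))
            {
                // (4) Parameterized stored procedure: the ID is bound as a typed value, never as SQL text.
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@ProductID", SqlDbType.VarChar, 12).Value = productId;
                DataSet ds = new DataSet();
                new SqlDataAdapter(cmd).Fill(ds);
                return ds;
            }
        }
        catch (Exception ex)
        {
            // (5) Full details go to the event log for diagnosis; the caller gets only a generic message.
            EventLog.WriteEntry("ExampleApp", ex.ToString(), EventLogEntryType.Error);
            throw new ApplicationException("An error occurred while retrieving product details.");
        }
    }
}
```

The registry key must carry the ACL described in point 6 (administrators full control, the hosting process account read only), or storing the cipher text there buys little.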
