11.07.2015

Improving Web Application Security: Threats and - CGISecurity


Checklist: Securing Data Access

How to Use This Checklist

This checklist is a companion to Chapter 14, “Building Secure Data Access” and Chapter 16, “Securing Your Database Server.” Use it to help you build secure data access, or as a quick evaluation snapshot of the corresponding chapters.

This checklist should evolve with secure data access practices that you discover during software development.

SQL Injection Checks

| Check | Description |
| --- | --- |
|  | Input passed to data access methods that originates outside the current trust boundary is constrained. |
|  | Sanitization of input is only used as a defense in depth measure. |
|  | Stored procedures that accept parameters are used by data access code. If stored procedures are not used, type safe SQL parameters are used to construct SQL commands. |
|  | Least-privileged accounts are used to connect to the database. |

Authentication

| Check | Description |
| --- | --- |
|  | Windows authentication is used to connect to the database. |
|  | Strong passwords are used and enforced. |
|  | If SQL Server authentication is used, the credentials are secured over the network by using IPSec or SSL, or by installing a database server certificate. |
|  | If SQL Server authentication is used, connection strings are encrypted by using DPAPI and are stored in a secure location. |
|  | Application connects using a least-privileged account. The sa account or other privileged accounts that are members of the sysadmin or db_owner roles are not used for application logins. |
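The first three SQL Injection Checks, shown side by side as an added example that is not part of the original checklist or its chapters: a concatenated query next to the constrained, parameterized form. Python's built-in sqlite3 stands in for the database server, and the table, rows, ID format and function names are constructed for illustration.

```python
import re
import sqlite3

AU_ID = re.compile(r"\d{3}-\d{2}-\d{4}")  # assumed ID format, for illustration

def make_db():
    """Build an in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors (au_id TEXT PRIMARY KEY, au_lname TEXT)")
    db.executemany("INSERT INTO authors VALUES (?, ?)", [
        ("172-32-1176", "White"),
        ("213-46-8915", "Green"),
        ("238-95-7766", "O'Leary"),
    ])
    return db

def constrain_au_id(value):
    """Constrain: reject anything that is not the expected type and format."""
    if not isinstance(value, str) or not AU_ID.fullmatch(value):
        raise ValueError("au_id must match NNN-NN-NNNN")
    return value

def lookup_concatenated(db, au_id):
    """Anti-pattern: the input is spliced into the SQL text itself."""
    sql = "SELECT au_lname FROM authors WHERE au_id = '" + au_id + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, au_id):
    """Parameter binding only: the input is always treated as a value."""
    sql = "SELECT au_lname FROM authors WHERE au_id = ?"
    return sorted(row[0] for row in db.execute(sql, (au_id,)))

def lookup_checked(db, au_id):
    """Checklist form: constrain the input, then bind it as a parameter."""
    return lookup_bound(db, constrain_au_id(au_id))

def ids_for_lname(db, lname):
    """Bound values need no quote escaping, so "O'Leary" is ordinary data."""
    sql = "SELECT au_id FROM authors WHERE au_lname = ?"
    return [row[0] for row in db.execute(sql, (lname,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input from outside the trust boundary
    print("concatenated:", lookup_concatenated(db, crafted))  # every row
    print("bound only:  ", lookup_bound(db, crafted))         # no rows
    print("apostrophe:  ", ids_for_lname(db, "O'Leary"))
    try:
        lookup_checked(db, crafted)
    except ValueError as exc:
        print("constrained: ", exc)
```

Binding alone keeps the crafted value out of the SQL text, and the constraint rejects it before it reaches the data access layer, which is why the checklist treats sanitization as defense in depth only.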
