SQL Injection – and 3rd Party Applications


Yesterday I wrote about 3rd Party Applications and the risk they can pose in your overall security model. Probably the most common issues I’ve seen involve injection, and that’s the real target of these editorials.

You simply MUST talk with your vendors. There are some key things to ask about – and if you get answers that seem to avoid the topic, or answers that just don’t feel right, it’s time to go digging. In my opinion, your vendors should be able to answer AND expand on your questions – just to make the point that they have indeed dealt with issues of security, injection and the like.

From Charley – "I have been warning that we must ask for this kind of information from our vendors. This would include the hardware vendors like the ones that provide the firewall and such. This counts in all aspects, not just in transactions with the db. I do my own investigations, but making others aware with this article is great."

Really, you can start with the items brought up yesterday (read it here) or even just ask them if their application uses SA. Watch for eye-rolls and wiggling in the seat…

Mark writes "your article today about SQL injection and 3rd party vendors is spot on! Coming from a banking environment, one of my key responsibilities is to make sure our third party applications are safe from SQL injection or the other big concern, Cross Site Scripting. Being in a meeting when I ask the vendor if they are using ‘sa’ for any logins…I usually get a quiet pause then “I’ll have to check into that for you”, or if I ask “Is it possible to have a trusted connection with a Windows login and not an SQL login…” I usually get another quiet pause. We do our best to make sure our applications are secure, but real world business deployments and day-to-day operations tend to focus on a myriad of other problems."

I have personally fallen prey to this with applications. I know it’s tough to ask the questions, poke around in the application and, frankly, try to get a straight answer. I have to tell you though, those uncomfortable moments are nothing when compared to discovering you do indeed have an issue and you’re immediately in recovery and repair mode.

One final thing you can do if the vendor is less forthcoming… You can install the application on a new VM with SQL Server. Then, go in and find out what’s been set up. Look for hidden SQL Server instances (they may live outside your maintenance plans, so they won’t automatically get backed up, or worse…). Review the user permissions that are established and see what’s happening. I’ve seen cases where locked instances with no maintenance plans are created outside the purview of the normal administrative access. I’ve seen cases where applications take over the SA account. I’ve seen cases too where applications play nice.
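As an added illustration of that test-VM check (this script is mine, not part of the editorial or any vendor's tooling), here is a PowerShell pass that enumerates the SQL Server instances present on the box, then reports on each one which logins hold sysadmin, whether sa is enabled, and which user databases have never been backed up. It assumes you run it as a local administrator whose Windows login is sysadmin on each instance; an instance that refuses the connection is itself a finding worth chasing.

```powershell
# Added example, not from the editorial: audit a fresh test VM after a vendor install.
# Instance discovery uses the registry plus the service list, so an instance whose
# registry entry was relocated still shows up. Assumes Windows auth with sysadmin rights.
$instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instances = @()
if (Test-Path $instKey) {
    $instances += (Get-ItemProperty $instKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
}
Get-Service -Name 'MSSQLSERVER', 'MSSQL$*' -ErrorAction SilentlyContinue | ForEach-Object {
    $name = if ($_.Name -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { $_.Name.Split('$')[1] }
    if ($instances -notcontains $name) { $instances += $name }
}

# One result set, three kinds of rows: sysadmin members, sa status, never-backed-up DBs
$sql = @"
SELECT 'sysadmin' AS kind, p.name, p.type_desc AS detail
FROM sys.server_principals p
WHERE p.type IN ('S','U','G') AND p.name NOT LIKE '##%'
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1
UNION ALL
SELECT 'sa', name, CASE WHEN is_disabled = 1 THEN 'disabled' ELSE 'ENABLED' END
FROM sys.sql_logins WHERE sid = 0x01          -- sa keeps SID 0x01 even if renamed
UNION ALL
SELECT 'nobackup', d.name, d.recovery_model_desc
FROM sys.databases d
WHERE d.database_id > 4                       -- skip the system databases
  AND NOT EXISTS (SELECT 1 FROM msdb.dbo.backupset b WHERE b.database_name = d.name);
"@

foreach ($inst in $instances) {
    $server = if ($inst -eq 'MSSQLSERVER') { '.' } else { ".\$inst" }
    Write-Host "=== Instance: $server ==="
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$server;Integrated Security=True;Connect Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { '{0,-9} {1,-45} {2}' -f $rdr['kind'], $rdr['name'], $rdr['detail'] }
        $rdr.Close()
    } catch {
        # A locked or unreachable instance is exactly the kind of thing to go ask the vendor about
        Write-Warning "Could not connect to $server : $_"
    } finally { $conn.Dispose() }
}
```

Run it before and after the vendor install and diff the output; any new sysadmin login, a re-enabled sa, or a database with no backup history is something to raise with the vendor before the application reaches production.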

You really have to find out, and understand what’s going on with your servers.

What types of things have you seen with vendors? Good and bad – how did you deal with it?

Let me know…

swynk@sswug.org