Security Basics mailing list archives
Re: Securing 3rd party connections to Oracle DB's?
From: mike () citadelis co uk
Date: 26 Aug 2008 13:25:48 -0000
On the technical side (depending on the environment of course), I would look at abstracting the access rather than direct access, suggesting web services for exposing and controlling access to the data: SSL for transport security and certificate-based or username/password authentication for each client.

On the database side, match the certificates or userId to a client specific DB user account that only has access to view the data for that client, thus ensuring that each client can only access the data they need to access.

Remember to make sure that all web services methods are properly validating input parameters to prevent SQL Injection.

Restricting by IP address can help too, but certainly do not rely on this to prevent cross-client access to data.

I would not consider exposing the database directly to untrusted clients as your post seems to suggest (apologies if I've misread).

For non-technical controls, always ensure an appropriate contract is in place with proper info security clauses such as nondisclosure, protection of data, acceptable use etc.

hth
Mike
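The service-layer pattern described in the message above, as an added example that is not part of the original post: a web-service method that derives the client scope from the authenticated certificate identity, validates its input parameter, and queries with bind variables. The certificate names, table layout and order-reference format are hypothetical, and sqlite3 stands in for the Oracle backend, where the scope would be enforced by a client-specific DB account.

```python
import re
import sqlite3

# Constructed sample data; sqlite3 stands in for the Oracle backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (client_id TEXT, order_ref TEXT, amount REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("acme", "A-1001", 250.0),
        ("acme", "A-1002", 75.5),
        ("globex", "G-2001", 900.0),
    ])
    return db

# Hypothetical mapping: certificate subject CN (as verified by the TLS layer)
# -> the client-specific scope. With Oracle this would select the client's own
# DB account, which is granted access to that client's data only.
CERT_CN_TO_CLIENT = {"ws.acme.example": "acme", "ws.globex.example": "globex"}

# Assumed format for order references in this example.
ORDER_REF = re.compile(r"[A-Z]-\d{1,8}")

class AccessDenied(Exception):
    pass

def get_order(db, cert_cn, order_ref):
    """Web-service method: the caller never supplies its own client id."""
    client = CERT_CN_TO_CLIENT.get(cert_cn)
    if client is None:
        raise AccessDenied("unknown client certificate")
    # Validate the parameter against the expected format before use.
    if not isinstance(order_ref, str) or not ORDER_REF.fullmatch(order_ref):
        raise ValueError("invalid order reference")
    # Bind variables keep the value out of the SQL text; the client_id
    # predicate comes from the authenticated identity, not from the request.
    row = db.execute(
        "SELECT order_ref, amount FROM orders WHERE client_id = ? AND order_ref = ?",
        (client, order_ref),
    ).fetchone()
    return row  # None when the order does not belong to this client

if __name__ == "__main__":
    db = make_db()
    print(get_order(db, "ws.acme.example", "A-1001"))
    print(get_order(db, "ws.acme.example", "G-2001"))
```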