All queries to databases from web applications are filtered for legitimate content and correct syntax.
Ensure all database queries are protected against injection attacks by using secure query methods. For example, enforce parameterized queries and prepared statements to prevent SQL injection by keeping user input separate from query logic; Use ORMs (Object-Relational Mappers) or entity frameworks that provide built-in protections against query manipulation; Avoid direct string concatenation when constructing queries, as it exposes applications to injection risks; Regularly audit and test database queries to detect and remediate any potential vulnerabilities.
Identify and understand the types and sensitivity of data stored and processed by applications, ensuring that basic data protection measures are in place. Protect all data associated with an application based on the requirements of the most sensitive data it stores or processes. Prohibit propagation of unsanitized sensitive production data to lower (non-production) environments, focusing data protection policies on production environments. Implement security controls like encryption, backups, and controlled data sharing to prevent unauthorized access and mitigate risks.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-21-01-01-01 | Identify and Classify Data Elements | Understand the types and sensitivity levels of all data elements stored and processed by your applications. This classification helps ensure that the proper protections are applied to each data type. | Preparation | Data Governance, Security Engineers |
| SSS-02-21-01-01-02 | Implement Controls to Protect Sensitive Data | Implement necessary controls to protect the most sensitive data, ensuring that data is handled according to its protection requirements. | Development | Security Engineers, IT Operations |
| SSS-02-21-01-01-03 | Prevent Propagation of Sensitive Data to Lower Environments | Implement controls to prevent the propagation of unsanitized sensitive data from production environments to lower (non-production) environments. This reduces the risk of exposing sensitive data during testing or development. | Development | DevOps Teams, Security Engineers |
| SSS-02-21-01-01-04 | Monitor Data Handling and Fate | Maintain awareness of how sensitive data is processed and handled, ensuring it is not inadvertently shared with external partners or improperly stored in backups or lower environments. | Post-deployment | IT Operations, Security Engineers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1275) OWASP Application Security Verification Standard OWASP SAMM: Software Assurance Maturity Model (OM-1-A) |