Parameterised queries or stored procedures, instead of dynamically generated queries, are used by web applications for database interactions.
Ensure proper output encoding is applied when parameterized queries or safer mechanisms are unavailable to prevent injection attacks. For example, use context-aware SQL escaping to neutralize untrusted input and prevent SQL injection when parameterization is not an option; Apply escaping techniques specific to the database engine to mitigate risks effectively (e.g., using mysql_real_escape_string() in legacy MySQL systems); Ensure encoding is applied as close to execution as possible to minimize exposure; Regularly audit and test database interactions to identify and remediate potential vulnerabilities.
Identify and understand the types and sensitivity of data stored and processed by applications, ensuring that basic data protection measures are in place. Protect all data associated with an application based on the requirements of the most sensitive data it stores or processes. Prohibit propagation of unsanitized sensitive production data to lower (non-production) environments, focusing data protection policies on production environments. Implement security controls like encryption, backups, and controlled data sharing to prevent unauthorized access and mitigate risks.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-22-01-01-01 | Identify and Classify Data Elements | Identify all data elements processed and stored by the application. Classify these data elements based on their type and sensitivity level to ensure appropriate handling. | Preparation | Data Governance, Security Engineers |
| SSS-02-22-01-01-02 | Implement Controls to Protect Sensitive Data | Implement necessary controls to protect the most sensitive data, ensuring that data is handled according to its protection requirements. | Development | Security Engineers, IT Operations |
| SSS-02-22-01-01-03 | Prevent Propagation of Sensitive Data to Lower Environments | Implement controls to prevent the propagation of unsanitized sensitive data from production environments to lower (non-production) environments. This reduces the risk of exposing sensitive data during testing or development. | Development | DevOps Teams, Security Engineers |
| SSS-02-22-01-01-04 | Monitor Data Handling and Fate | Maintain awareness of how sensitive data is processed and handled, ensuring it is not inadvertently shared with external partners or improperly stored in backups or lower environments. | Post-deployment | IT Operations, Security Engineers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1276) OWASP Application Security Verification Standard OWASP SAMM: Software Assurance Maturity Model (OM-1-A) |