Database Security Considerations For Spring Boot Applications
How we can secure our application database
The database is one of the most important parts of any web application, and we must make sure both the database and the data it holds are secured. There are quite a few areas that need to be secured and organized. In this article, I will try to put together a security checklist for the database. Let’s begin.
Database Security
Connection: The database should not be reachable from any untrusted source.
- Restrict direct access from client or frontend.
- Access control needs to be in place.
- Create a separate user for the backend application with no administrative access.
- Create a separate admin user with proper access.
- Only allow users with admin credentials to connect to the DB using a client tool.
Data transport security:
- Configure database to only allow encrypted connections.
- Install a trusted digital certificate on the server.
- Configure client to connect using TLSv1.2+ with modern ciphers and verify digital certificate.
Permission and credentials:
- We should periodically review user accounts and their permissions.
- Rotate credentials when a developer leaves or at any sign of credential compromise.
- We should not store database credentials as plain text inside the application.
- When assigning permissions to any role or user, grant only the least privilege required.
- We should not use the built-in root account.
- Allow each account to connect only from permitted hosts.
- Separate environments should have separate accounts.
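The transport-security and credential items above come together in how the application wires its DataSource. The following is an added example (not code from the original article) of a Spring Boot configuration class using HikariCP: the JDBC URL forces an encrypted connection with certificate and hostname verification, and the credentials for the dedicated non-administrative account are read from the environment instead of being committed with the application. The host name, database name, environment variable names and CA bundle path are assumptions; the `sslmode` and `sslrootcert` parameters are those of the PostgreSQL JDBC driver (for MySQL Connector/J the equivalent is `sslMode=VERIFY_IDENTITY` with a trust store).

```java
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.sql.DataSource;

/**
 * DataSource wiring that enforces an encrypted, certificate-verified
 * connection and keeps credentials out of the source tree.
 * Added example; host, database and variable names are assumed.
 */
@Configuration
public class DatabaseConfig {

    // Assumed values; adjust to the real environment.
    private static final String HOST = "db.internal.example";
    private static final String DB_NAME = "appdb";

    @Bean
    public DataSource dataSource() {
        HikariConfig cfg = new HikariConfig();

        // PostgreSQL JDBC URL: sslmode=verify-full requires TLS, checks the
        // server certificate against the CA bundle AND checks the host name.
        // The weaker "sslmode=require" would encrypt the connection but not
        // verify who is on the other end.
        cfg.setJdbcUrl("jdbc:postgresql://" + HOST + ":5432/" + DB_NAME
                + "?sslmode=verify-full"
                + "&sslrootcert=" + requireEnv("DB_CA_CERT_PATH"));

        // Credentials come from the environment (or a secrets manager), never
        // from a properties file committed to the repository.
        // DB_APP_USER is the dedicated, non-administrative application account.
        cfg.setUsername(requireEnv("DB_APP_USER"));
        cfg.setPassword(requireEnv("DB_APP_PASSWORD"));

        cfg.setMaximumPoolSize(10);
        return new HikariDataSource(cfg);
    }

    /** Fail fast at startup instead of silently falling back to a default. */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }
}
```

The same result can be reached declaratively with `spring.datasource.url`, `spring.datasource.username` and `spring.datasource.password=${DB_APP_PASSWORD}` in `application.properties`; the important parts are the verification mode in the URL and the placeholder instead of a literal password. Verifying the certificate (and not just requiring encryption) is what prevents a connection to an impostor server presenting an arbitrary certificate.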
Database configuration:
- Install security updates promptly.
- Delete any default databases and accounts.
- Store the transaction log on a separate disk.
- Take regular backups and encrypt them.
Monitoring:
- We need constant monitoring of the database cluster, with an alert whenever a server goes down or a new server joins the cluster.
- We need an audit log so we can check who executed which commands.
Database Injection
According to [2], there are three types of SQL injection:
- Inband: Data is extracted using the same channel that is used to inject the SQL code. An attacker can view the data on the web page.
- Out-of-band: Data is retrieved using a different channel, e.g., an email with the results of the query is generated and sent to the attacker.
- Inferential or Blind: There is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server.
SQL injection prevention:
- We need to make sure all queries to the database use prepared statements.
- For dynamic queries, sanitize input data before using it in the query.
- We need to review whether any function or stored procedure is invoked with values taken from input data.
- For JPA, use query parameterization. Example: “select c from Country c where c.continent = :continent”.
- If we take the sort field and sort order from the client, we must make sure the user cannot send unmapped fields for sorting. Let’s say we allow users to sort only by age and department; then users should not be able to sort by creation time, update time or any other field.
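The following is an added example (not code from the original article) showing the three points above in one Spring repository: a string-built query kept only for contrast, the same lookup through a `JdbcTemplate` bind parameter and through the JPQL named parameter from the checklist, and an allow-list for client-supplied sort fields. `Country` is assumed to be a JPA entity with the columns `name`, `continent`, `population` and `created_at`; the table and column names are assumptions.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Repository;

import java.util.List;
import java.util.Map;

/**
 * Contrasts string-built queries with parameterized ones and shows an
 * allow-list for client-supplied sort fields. Added example; the Country
 * entity and its columns are assumed.
 */
@Repository
public class CountryRepository {

    // Sort fields cannot be bound as parameters, so they go through an
    // allow-list: the client chooses a key, the code chooses the column.
    // created_at is deliberately absent, so creation time cannot be sorted on.
    private static final Map<String, String> SORTABLE = Map.of(
            "name", "name",
            "population", "population");

    @PersistenceContext
    private EntityManager em;

    private final JdbcTemplate jdbc;

    public CountryRepository(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // VULNERABLE (shown for contrast only): the client value becomes part of
    // the SQL text, so a crafted continent value changes the query itself.
    public List<Map<String, Object>> findByContinentUnsafe(String continent) {
        return jdbc.queryForList(
                "select * from country where continent = '" + continent + "'");
    }

    // SAFE: JdbcTemplate binds the value through a PreparedStatement parameter;
    // the SQL text is fixed, whatever the client sends.
    public List<Map<String, Object>> findByContinent(String continent) {
        return jdbc.queryForList("select * from country where continent = ?", continent);
    }

    // SAFE: JPQL named parameter, as in the example from the checklist.
    public List<Country> findByContinentJpa(String continent) {
        return em.createQuery(
                        "select c from Country c where c.continent = :continent", Country.class)
                .setParameter("continent", continent)
                .getResultList();
    }

    // Only tokens chosen by this code are ever concatenated into the ORDER BY;
    // an unknown key is rejected instead of being passed through.
    public List<Map<String, Object>> findAllSorted(String sortKey, String direction) {
        String column = SORTABLE.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("Unsupported sort field: " + sortKey);
        }
        String dir = "desc".equalsIgnoreCase(direction) ? "DESC" : "ASC";
        return jdbc.queryForList("select * from country order by " + column + " " + dir);
    }
}
```

With Spring Data JPA the same allow-list applies before building `Sort.by(column)` for a `Pageable`: the mapping from client key to entity property is what keeps unmapped fields out, because a sort column is part of the SQL text and can never be a bind parameter.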
NoSQL:
- We need to make sure the API call expression does not contain any character that has a special meaning in the target API syntax.
- We should not use string concatenation to build the API call expression; instead, use the API to create the expression.
- We should sanitize data before using it in the query.
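As an added example (not code from the original article), here is the same contrast for a document store using Spring Data MongoDB: a filter spliced together as text versus one built with the `Criteria` API, plus the type check that matters when a filter value is bound from a JSON request body. `Account` is an assumed document class with the fields `username` and `status`.

```java
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.stereotype.Repository;

import java.util.List;

/**
 * Building MongoDB queries without string concatenation.
 * Added example; the Account document class is assumed.
 */
@Repository
public class AccountRepository {

    private final MongoTemplate mongo;

    public AccountRepository(MongoTemplate mongo) {
        this.mongo = mongo;
    }

    // VULNERABLE (shown for contrast only): the client value is spliced into the
    // query document text, so quotes or operator syntax inside it rewrite the filter.
    public List<Account> findByUsernameUnsafe(String username) {
        return mongo.find(new BasicQuery("{ \"username\" : \"" + username + "\" }"), Account.class);
    }

    // SAFE: the driver builds the filter document; the value is stored as a
    // BSON string and is never parsed as query syntax.
    public List<Account> findByUsername(String username) {
        Query q = Query.query(Criteria.where("username").is(username));
        return mongo.find(q, Account.class);
    }

    // When the filter value is bound from a JSON body into Object (or Map), a
    // request can supply a nested object with operator keys instead of a plain
    // string, and Criteria.is() would pass that object on as-is. Insist on the
    // scalar type you expect before binding it.
    public List<Account> findByStatus(Object statusFromRequest) {
        String status = requireString(statusFromRequest, "status");
        return mongo.find(Query.query(Criteria.where("status").is(status)), Account.class);
    }

    static String requireString(Object value, String field) {
        if (value instanceof String s) {
            return s;
        }
        throw new IllegalArgumentException(field + " must be a string, got "
                + (value == null ? "null" : value.getClass().getSimpleName()));
    }
}
```

Binding request parameters to `String` fields in a DTO achieves the same type guarantee declaratively; the explicit check is shown so the failure mode is visible.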
Conclusion
These are the basic steps we can take to secure our database. Implementing them and maintaining them over time is the challenge. On a long-running project it is easy to lose focus on these issues, so keeping a consistent eye on security should be our top priority. I hope this checklist helps. Best of luck 😊
References:
[1] https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html
[2] https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
[3] https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html
[4] https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html