AppSec Blog: Category - Database

AppSec Blog:

Top 25 Series - Rank 16 - Information Exposure Through an Error Message

Error messages can leak everything from full path names to password. A user should never be exposed to them, unless you expect them to fix the problem for you.

Argument for Database encryption in web apps

I regularly get consulted on various web application security issues and defensive strategies. One of the recent "frequently asked questions" is around database encryption of web application. My answers to these kind of questions usually lead to awkward looking faces. I always start off asking more questions about the requirements, "Who are you trying to protect the data from?" and "What data are you trying to protect?" The answers to those questions are usually good indicator whether the person is on the right path or not.

In most cases, database encryption does not prevent the hacker from accessing the backend database via an application compromisse. The reasoning is very simple. If the web application needs to be able to access the data for normal operation and hackers are able to compromise the application, the hackers can essentially access the same data by controlling the applicaton (attacker owns the application). Encryption does not prevent a hacker to access the