Monday 4 July 2011

SQL Injection MMM

So I introduced the concept of a Mitigation Maturity Model (MMM) in a previous post, and I created a model for Cross-Site Scripting.  In this post I would like to do the same thing for SQL Injection.

SQL Injection is both an easy and a difficult attack to create a maturity model for; on the one hand the mitigations for SQL Injection are well known, on the other hand ranking them is less straightforward.  Nevertheless, let's have a go:
  1. None.  No protection.  Some incidental protection may come from general input validation, but there is no effort to specifically protect against SQL Injection.
  2. Basic.  Strip SQL syntax characters.  Depending on the string delimiter being used for SQL, either single- or double-quote characters are stripped from input.
  3. Intermediate.  Parameterised Queries (a.k.a. Prepared Statements).  All SQL commands are made using parameterised queries.  Any stored procedures are rigorously reviewed for potential SQL Injection flaws.
  4. Advanced.  Object-Relational Mapping (ORM).  All SQL commands are replaced with ORM calls.  Any stored procedures are rigorously reviewed for potential SQL Injection flaws.
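To make levels 1 to 3 concrete, here is an added example (not code from the original post) showing the same lookup written three ways against a constructed in-memory SQLite table.  The table, the names in it and the helper functions are all assumptions for the purpose of illustration.  A legitimate value that happens to contain a quote (O'Brien) is enough to show the difference: concatenation breaks the statement, quote-stripping silently corrupts the data, and the parameterised version returns the right row.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


# Level 1 (None): the query text is built by string concatenation, so any
# input value becomes part of the SQL grammar rather than staying data.
def find_user_none(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Level 2 (Basic): strip the string delimiter before concatenating.  The
# delimiter can no longer close the literal, but legitimate data containing a
# quote is silently altered, and the statement is still assembled from input
# (numeric or identifier positions, which need no quote, gain nothing here).
def find_user_basic(conn, name):
    cleaned = name.replace("'", "")
    sql = "SELECT name, role FROM users WHERE name = '" + cleaned + "'"
    return conn.execute(sql).fetchall()


# Level 3 (Intermediate): parameterised query.  The SQL text is a constant;
# the driver passes the value separately, so it is never parsed as SQL.
def find_user_param(conn, name):
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run all three variants on a fresh database and collect the outcomes.

    The level-1 variant may raise, because a quote in the input changes the
    statement's structure; that is reported as an error string.
    """
    conn = make_db()
    try:
        none = find_user_none(conn, name)
    except sqlite3.Error as exc:
        none = "error: " + str(exc)
    return {
        "none": none,
        "basic": find_user_basic(conn, name),
        "param": find_user_param(conn, name),
    }


if __name__ == "__main__":
    for value in ("alice", "O'Brien"):
        print(value, compare(value))
```

For a plain value all three agree; for O'Brien only the parameterised query returns the stored row, which is the reason the model places it above delimiter stripping: the fix addresses the root cause (data being parsed as code) rather than one symptom of it.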
So the model I have provided here contains no surprises, but I think I have to justify why I rank ORM as a more mature mitigation than a parameterised query.  I actually think both are perfectly valid mitigations in their own right, and I struggled to decide whether I should choose one as more mature than the other.  In the end what tipped ORM as the more mature mitigation was simply that parameterised queries still take a string (the SQL query with placeholders), and short of reviewing all of these strings there is no way to know whether a given string was dynamically constructed.  For this reason I believe you can have more confidence in ORM, since there is no way for a developer to abuse it (short of using direct queries through the ORM API, but those calls can easily be audited).  I doubt everyone will agree with my logic on this, but I think it's a reasonable argument.
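The review burden described above (is the string handed to the query API a constant, or was it assembled at runtime?) can be partly automated.  The following added example, which is not part of the original post, walks the Python AST of a module and flags every `execute`-style call whose first argument is not a string literal, classifying how the string was built.  The sample module it scans is constructed for the demonstration, and the set of method names it treats as query entry points is an assumption that would be adjusted for the database API in use.

```python
import ast

# Constructed sample module to audit; hypothetical code, not from the post.
SAMPLE_SOURCE = '''
def ok(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def bad_concat(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def bad_format(cursor, name):
    return cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def bad_fstring(conn, table):
    return conn.execute(f"SELECT * FROM {table}")

def bad_variable(conn, sql):
    return conn.execute(sql)
'''

# Assumed names of query entry points; extend for the driver or ORM in use.
QUERY_METHODS = {"execute", "executemany", "executescript", "raw"}


def describe(node):
    """Human-readable label for how a non-literal query argument was formed."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    if isinstance(node, ast.Name):
        return f"variable '{node.id}'"
    return type(node).__name__


def find_dynamic_queries(source, filename="<source>"):
    """Return (line, method, reason) for each query call whose SQL text is
    not a string literal at the call site, sorted by line number."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in QUERY_METHODS):
            continue
        if not node.args:
            continue
        arg = node.args[0]
        # A constant string with placeholders is the level-3 pattern: accept it.
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue
        findings.append((node.lineno, func.attr, describe(arg)))
    findings.sort()
    return findings


if __name__ == "__main__":
    for line, method, reason in find_dynamic_queries(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {method}() called with {reason}")
```

A finding of the form "variable 'sql'" is the case the post is worried about: the literal check passes nowhere, and a reviewer has to trace where that variable was built.  A literal at the call site is not proof of safety either (the literal could be a format template used elsewhere), which is why this is a triage aid for the review, not a replacement for it, and why the post's argument for ORM rests on narrowing the set of call sites that need this kind of inspection.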

So SQL Injection is probably one of the easier attacks to put into an MMM, since the mitigations are so well understood.  The real test of how useful the idea of an MMM will be is whether it can be applied to the majority of high-risk attacks that applications must face.
