tags:

views:

443

answers:

7
+2  Q: 

Stored Procedures vs No Stored Procedures - Security Viewpoint

For a web application database, from a security standpoint only, what are arguments counter to the point for an sp only solution where the app db account has no rights to tables and views and only exec on sps?

If someone intercepts the app db account, the surface area exposed to an attack is much less then when tables and views aren't exposed. What security advantages would a non sp solution offer (or not)? I see many advantages to using a non sp solution, but exposing all the tables leaves me a little worried.

The question is for major database vendor products in general but specifically, sql server 2008.

+2  A: 

Well, I guess you really captured the core of the problem yourself: if you don't use stored procedures for all CRUD operations, you have to grant at least a app-specific db user account at least SELECT rights on all tables.

If you want to allow the db account to do even more work, that account might also need other permission, like being able to UPDATE and possibly DELETE on certain tables.

I don't see how a non-stored proc approach would have any security benefits - it does open up the gate just a bit more, the question really is: can you afford to? Can you secure that app-specific DB account enough so it won't compromise your system's overall security?

One possible compromise might be to use views or table access to allow SELECT, but handle everything else (UPDATEs, DELETEs, INSERTs) using stored procs - half secure, half convenient...

As it often is - this is a classic trade-off between convenience (non-sp approach; using an ORM possibly) and security (all SProc approach; probably more cumbersome, but a bit safer).

Marc

marc_s  2009-07-29 12:33:53
Thanks. I've thought about your partial solution - select to tables, updates to sps. Have you tried this approach? Anything unanticipated that caused problems?
Steve  2009-07-29 13:02:20
@Steve: no, I've never done this hybrid approach. My previous job was all-SProc - safe, but a pain to work against. My current one is all direct table access - convenient but not awfully safe....
marc_s  2009-07-29 13:33:11
+3  A: 

This is one of those areas where conventional wisdom is correct: exposing just the stored procedures gives you more control over security. Giving direct access to tables and views is easier, and there are times you need to do it, but it's going to be less secure.

Steven Sudit  2009-07-29 12:34:33
+5  A: 

From a security point of view only, I can't see any advantages a non-SP approach would have over an SP approach because:

  • you have to grant permissions directly to the underlying tables etc
  • with a sproc, all the real-underlying schema information can be encapsulated/hidden away (SPs can be encrypted too)
AdaTheDev  2009-07-29 12:34:46
+1 for abstraction ("encapsulated/hidden away")
Peter Gfader  2010-01-27 12:51:09
+1  A: 

The biggest security advantage to not using stored procedures is clarity. You know exactly what an account can do, by seeing what access to tables it has. With stored procedures, this isn't necessarily the case. If an account has the ability to execute procedure X, that does limit the account to executing that and not hitting an underlying table, but X can do anything. It could drop tables, alter data, delete data etc.

To know what an account can do with stored procedures you have to look at the stored procedure. Each time a sproc is updated, someone will have to look at what it does to make sure that something didn't get "accidentally" placed in it. The real problem with security in sprocs comes from inside the organization, not from rogue attackers.

Here's an example:

Let's say you are trying to restrict access to the employee table. Without stored procedures, you just deny access to the table. To get access someone pretty much has to blatantly ask you to grant permissions. Sure they could get you to run a script to grant access, but most people at least try to review a script which alters the database schema (assuming the script doesn't update a sproc, which I will talk about below).

There are potentially hundreds of stored procedures for an application. In my experience, they get updated quite frequently, add a field here, delete one there. For someone to review the number of update procedure scripts all the time becomes daunting, and in most organizations the database team starts to only quickly look at the procedure (or not look at it all), and move it along. This is where the real problem comes in. Now, in this example, if someone on the IT staff wants to allow access to a table, that person just needs to slip in a line of code granting access or doing something else. In a perfect world this would get caught. Most of us don't work in a perfect world.

The real problem with stored procedures is that they add a level of obfuscation to the system. With obfuscation comes complexity, and with complexity comes ultimately more work to understand an administrate the underlying system. Most people in IT are overworked and things slip through. In this instance you don't try and attack the system to gain access, you use the person in charge of the system to get what you want. Mitnick was right, in security people are the problem.

The majority attacks against an organization come from the inside. Any time you introduce complexity into any system, holes appear, things can get overlooked. Don't believe it, think about where you work. Go through the steps about who you would ask to get access to a system. Pretty soon you realize that you can get people to overlook things at the right moment. The key to successfully penetrating a system with people involved is to do something which seems innocuous, but is really subversive.

Remember, if I am trying to attack a system: I am not your friend; I have no interest in your kids or hobbies; I will use you in any way necessary to get what I want; I don't care if I betray you. The idea of "but he was my friend and that's why I trusted him to believe what he was doing was correct," is no comfort after the fact.

Kevin  2009-07-29 13:05:16
clarity for who? If the DB team are responsible for db access, then the devs should never even KNOW the name of database objects(tables). Not sure why having devs see the db code is a security advantage.
Kev Riley  2009-07-29 14:28:27
Obfuscation is not security. It's like saying robbers won't find the jewelry, because I hid it in the closet. If I really want to break into something not knowing the schema is a minor annoyance, not a hindrance. My point is that not using sprocs keeps security simple, which is the biggest factor in making a system secure. Less changes to the db system make the system more secure from this standpoint, because the possibility of something getting overlooked is less. Changing the functionality of sprocs every release increases the chance that something will get missed.
Kevin  2009-07-29 15:01:03
If you have inline SQL you are more suseptible to SQL injection but with Sprocs its just stored in a variable and does not affect the structure of the call
AutomatedTester  2009-07-29 15:16:37
True, but that is a weakness of the calling application, not with the database itself. If you use dynamic sql in sprocs you can be just as susceptible to sql injection with a sproc.
Kevin  2009-07-29 15:54:06
@Kevin: still don't see how not using Sprocs makes it 'more' secure or security 'more' simple. If the only access allowed is SP execution, then I can audit all my SQL code in one place, and determine what procs access what objects - I can't do that if I've allowed select permission on a table to a user - who knows what queries they are writing.
Kev Riley  2009-07-30 11:20:32
@Kev you're thinking to small. don't think about auditing your code think about auditing 30 people's code. Figuring out what each sproc does and what tables it accesses. On complicated systems, I've seen sprocs easily over 100 lines of code. With table access you can quickly tell if someone can see certain information: Steve doesn't have access to the employee table, steve can't get that data. With sprocs: Steve can't access the employee table, but steve has access to execute these 25 sprocs. Now you get to look through 25 different procedures to see if he did accidentally get access.
Kevin  2009-07-30 11:36:53
@Kevin: and you're thinking too narrow :) Steve might not have table access but Sue does, and Steve has blagged Sue's password from her. I guess we'll have to agree to disagree - I will never implement table level permissions on my databases, and you will always write SQl in code - lets hope we never end up working for the same company :) (Although as the DBA I win)
Kev Riley  2009-07-30 11:53:41
@Kev Actually, I'm playing the devil's advocate on this one. :) Collusion is a difficult task to beat. I do write a lot of stored procedures, but one of my jobs is also to hack into systems. I've gotten pretty good at knowing how to slip things past QA and the DB teams and show weaknesses in processes.
Kevin  2009-07-30 12:12:42
A: 

In addition to the traditional security separation with stored procedures (EXEC permission on procedures, rely on ownership chaining for data access) stored procedures can be code signed, resulting in very granular and specific access control to any server functionality like linked servers, server scoped management views, controlled access to stored procedures and even data in other databases outside of user ordinary access.

Ordinary requests made in T-SQL batches, no matter how fancy and how many layer upon layers of code generation and ORM are behind it, simply cannot be signed and thus cannot use one of the most specific and powerful access control mechanisms available.

Remus Rusanu  2009-07-29 15:08:44
+1  A: 

Let's take a system that needs to be really secure, say your company's accounting system. If you use procs and grant access only to the procs, then users cannot do anything other than what the proc does, ever. This is an internal control designed to make sure that the business rules for the system cannot be gotten around by any user of the system. This is what prevents people from making a company purchase and then approving the funds themselves opening up the door to fraud. This also prevents many people in the organization from deleting all records in the accounts table because they do not have delete rights except the ones granted from the proc which will allow only one delete at a time.

Now developers have to have more rights in order to develop, but they should not have more rights on a production machine ever if you want to consider security. True a developer could write a malicous sp which does something bad when put to prod. This same developer though could put the same code into the application version and be as likely to be caught or not causght as if they maliciously change a proc. Personally I think the proc might be easier to catch because it might get reveiwed separately from the code by the dbas which might mean the manager or configuration management person and the dbas had a chance to look at it vice just the manager or configuration management person. We all know reality is that no one pushing code to prod has the time to review each piece of it personally, so hiring trustworthy developers is critical. Having code review and source control in place can help find a malicious change or roll it back to a previous version but the use of sps vice application code are both at risk from developers no matter what.

The same is true for system admins. The must have full rights to the system in order to do their jobs. They can potentially do a lot of damage without being caught. The best you can do in this case is limit this access to as few people as possible and do the best you can in hiring trustworthy people. At least if you have few people with this access, it is easier to find the source of the problem if it occurs. You can minimize risk by having off-site backups (so at least what the admin breaks if they turn bad can be fixed to some extent) but you can never completely get rid of this risk. Again this is true no matter what way you allow the applications to access data.

So the real use of sps is not to eliminate all possible risk, but to make it so fewer people can harm the system. The use of application code to affect database information is inherently unsecure and in my opinion should not be allowed in any system storing financial information or personal information.

HLGEM  2009-07-29 15:17:33
A: 

It's an imperfect analogy, but I like to compare the tables in the DB's "dbo" schema to "private" data in OO terminology, and Views and Stored Procs to "public." One can even make a "public" schema separate from the dbo schema to make the distinction explicit. If you follow that idea, you get a security advantage as well as an extensibility advantage.

One account (not the web app's account) has dbo access and owns the database, and the web app connects using another account restricted to the public-facing structures.

onupdatecascade  2009-07-29 16:50:34

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL