This question is from a decomposition of http://stackoverflow.com/questions/678471/what-are-good-programming-practices-to-prevent-malware-in-standalone-applications

The question has to do with malware dynamically getting into a program by infecting data files which the program reads/writes.

Is it safer to require data be stored in a database and only use service calls, no direct file operations when accessing data for a program? Let's say your program loads many images, numeric data tables, or text information as it runs. Assume this is after the program is loaded and initialized to where it can make service calls.

Is it easier to infect a file or a database?

+2  A: 

It is easier to infect a user-space API than a kernel-space API.

In other words, the point is moot if you can't trust the services you're using to read the data.

Ryan Graham

+1  A: 

I would say it is a function of the definition of security (read prevention, write prevention, etc.) and who potentially has access and how much the risk is.

An entity you control may generally be 'safer' than handing off control to an external entity - but not necessarily.

Nothing is generally easy to specify wrt security as it is always a risk vs cost trade-off.

Preet Sangha