Connecting a Windows Forms application to hosted database

Answers

All replies

  • Hi there,

    Your question does not have a 0-1 answer. The best way to deal with it is to threat model the scenario you've mentioned. Frankly, the fact that the database is outside your company DMZ should be considered only one more risk source, but you might have a lot more to be analysed.

    Firstly, let's divide your app into four elements:

    1 - Process - Windows App

    2 - Store - Database

    3 - Data flow - Data Requisition

    4 - Data flow - Data Response

    Now, making use of STRIDE, we can figure out the threats. More info about STRIDE: http://msdn.microsoft.com/en-us/magazine/cc163519.aspx

    Element   S   T   R   I   D   E
    1         X   X   X   X   X   X
    2             X       X   X
    3,4           X       X   X

    Now, you must employ an analysis for each element, detailing the threat, assigning the risk level, and the countermeasure/mitigation.

    As an example, considering the following threat:

    • Threat - Information disclosure is when the information can be read by an unauthorized party.
    • Detail - Consider the information in the data flow and what protections it needs. Is it over a network or IPC?
    • Countermeasure - Confidentiality mitigations are dependent on the nature of the data flow. Consider ACLs and encryption. Over the network, data can only be protected by encryption.

    The information above is in the Threat Modeling Analysis Tool. http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

    Good job!

    Regards!


    Fabricio Braz (PhD)


    • Edited by Fabrício Braz 29 June 2011 14:37 layout
    29 June 2011 14:32
  • Thank you very much for introducing the STRIDE concept to me.

    The STRIDE may be good for analyzing threats, but I am wondering what are those threats and what can I do about them?

    For example, my application will be sending requests to the server and get data back. I don't know the format a query result will be in, probably plain text?

    Is there a book that details this information and shows me how to do that?

    Thanks.


    1 July 2011 1:46
  • Hi,

    Apart from what Fabrício Braz explained, you should consider following secure coding practices.

    Since your data is hosted by a commercial hosting firm, you should consider using strong encryption for encrypting critical data. So in case the hosting firm's database gets leaked out, no one should be able to decrypt your critical data.

    Thanks & Regards,

    Sunil Yadav


    My Blogs: http://www.sunilyadav.net Follow Me : http://www.twitter.com/yadavsunil
    • Proposed as answer by SDL TeamModerator 22 September 2011 20:06
    5 September 2011 20:49
  • Thanks for your reply.

    The idea is good, but does SQL Server provide a seamless way to do this?

    5 September 2011 20:53
    Here is an article about encryption in SQL Server: http://msdn.microsoft.com/en-us/library/cc278098(v=sql.100).aspx

    And I would also like to point out that not only the data on SQL Server should be encrypted, but also the communication between the database and your client.


    Dimitri C. - Please mark the replies as answers if they help! Thanks.
    • Proposed as answer by SDL TeamModerator 6 January 2012 17:48
    • Marked as answer by SDL TeamModerator 6 January 2012 17:48
    21 December 2011 13:57
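    The following is an added example (not code from anyone in this thread, and not Microsoft's own sample) that puts Sunil's and Dimitri's two points together for a Windows Forms client: the connection string asks for an encrypted, certificate-validated link to the hosted SQL Server, and a critical column is encrypted on the client with a key the hosting firm never sees, so a leaked copy of the database does not expose it. It also uses parameterised commands, which is the most basic of the secure coding practices Sunil mentions. The table `dbo.Customers (Id INT, EmailCipher VARBINARY(MAX))`, the 32-byte AES key and the class name are assumptions for the illustration; the code assumes .NET Core 3.0 or later for `AesGcm`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example for this thread; the table and key handling are assumptions:
//   CREATE TABLE dbo.Customers (Id INT PRIMARY KEY, EmailCipher VARBINARY(MAX) NOT NULL)
// The 32-byte AES key lives on the client (e.g. protected with DPAPI), never in the hosted database.
public static class HostedDbClient
{
    // Encrypt=True requests TLS for the whole session; TrustServerCertificate=False makes the
    // client validate the server's certificate, so a host that merely speaks the SQL Server
    // protocol cannot impersonate the real server and read the traffic.
    public static string BuildConnectionString(string server, string database, string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            Encrypt = true,
            TrustServerCertificate = false
        };
        return builder.ConnectionString;
    }

    // Stored blob layout: nonce (12) || tag (16) || ciphertext.
    // AES-GCM gives confidentiality and integrity, so a tampered row fails to decrypt
    // instead of silently yielding garbage.
    public static byte[] Protect(byte[] key, string plaintext)
    {
        var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];   // 12 bytes
        RandomNumberGenerator.Fill(nonce);                     // fresh nonce for every write
        var body = Encoding.UTF8.GetBytes(plaintext);
        var cipher = new byte[body.Length];
        var tag = new byte[AesGcm.TagByteSizes.MaxSize];       // 16 bytes

        using (var aes = new AesGcm(key))
            aes.Encrypt(nonce, body, cipher, tag);

        var blob = new byte[nonce.Length + tag.Length + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, blob, nonce.Length, tag.Length);
        Buffer.BlockCopy(cipher, 0, blob, nonce.Length + tag.Length, cipher.Length);
        return blob;
    }

    public static string Unprotect(byte[] key, byte[] blob)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize, tagLen = AesGcm.TagByteSizes.MaxSize;
        if (blob == null || blob.Length < nonceLen + tagLen)
            throw new CryptographicException("Stored value is too short to be a valid blob.");

        var nonce = new byte[nonceLen];
        var tag = new byte[tagLen];
        var cipher = new byte[blob.Length - nonceLen - tagLen];
        Buffer.BlockCopy(blob, 0, nonce, 0, nonceLen);
        Buffer.BlockCopy(blob, nonceLen, tag, 0, tagLen);
        Buffer.BlockCopy(blob, nonceLen + tagLen, cipher, 0, cipher.Length);

        var plain = new byte[cipher.Length];
        using (var aes = new AesGcm(key))
            aes.Decrypt(nonce, cipher, tag, plain);            // throws CryptographicException if tampered
        return Encoding.UTF8.GetString(plain);
    }

    // Parameterised statements keep user input out of the SQL text; the column
    // only ever receives the encrypted blob, so the hosting firm sees ciphertext.
    public static void SaveEmail(string connectionString, byte[] key, int customerId, string email)
    {
        byte[] blob = Protect(key, email);
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "UPDATE dbo.Customers SET EmailCipher = @cipher WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@cipher", SqlDbType.VarBinary, -1).Value = blob;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    public static string LoadEmail(string connectionString, byte[] key, int customerId)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT EmailCipher FROM dbo.Customers WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            conn.Open();
            var blob = cmd.ExecuteScalar() as byte[];          // null when no such row
            return blob == null ? null : Unprotect(key, blob);
        }
    }
}
```

    Two design points: the query result for an encrypted column really does come back as bytes, not plain text, and with `Encrypt=True` the whole conversation, including the query text and any unencrypted columns, is protected on the wire. The remaining risk is key management on the client: whoever obtains the AES key can read every row, so it belongs in DPAPI, a certificate store or a similar protected location rather than in the application's config file.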
  • Dimitri C, thanks for your feedback.
    24 December 2011 21:59