Connecting a Windows Forms application to hosted database



  • Hi there,

    Your question is not 0-1 answer. The best way to deal with it is to Threat Model the scenario you've mentioned. Frankly, the fact that the database is outside your company DMZ should be considered only one more risk source, but your might have a lot more to be analysed.

    Fistly, let's divide your app in four elements:

    1 - Process - Windows App

    2 - Store - Database

    3 - Data flow - Data Requisition

    4 - Data flow - Data Response

    Now, making use of STRIDE, we can figure out the threats. More info about STRIDE

    Element S   T   R   I    D   E

    1           X   X   X   X   X   X

    2               X        X   X

    3,4            X        X   X

    Now, you must employ an analysis for each element, detailing the threat, assigning the risk level, and the coutermeasure/mitigation.

    As an example, considering the following threat:

    • Threat - Information disclosure is when the information can be read by an unauthorized party.
    • Detail - Consider the information in the data flow and what protections it needs. Is it over a network or IPC?
    • Countermeasure - Confidentiality mitigations are dependant on the nature of the data flow Consider ACLs and encryption. Over the network, data can only be protected by encryption.

    The information above is in the Threat Modeling Analysis Tool.

    Good job!


    Fabricio Braz (PhD)

    2011年6月29日 下午 02:32
  • Thank you very much for introducing the STRIDE concept to me.

    The STRIDE may be good for analyzing threats, but I am wondering what are those threats and what can I do about them?

    For example, my application will be sending requests to the server and get data back. I don't know the format a query result will be in, probably plain text?

    Is there a book that details this information and show me how to do that?



    2011年7月1日 上午 01:46
  • Hi,

    Apart from what Fabrício Braz explained, you should consider following secure coding practices.

    Since your data is hosted in commercial hosting firm, you should consider using strong Encryption for encrypting critical data. So in case the hosting firm database gets leaked out , no one should be able to decrypt your critical data.

    Thanks & Regards,

    Sunil Yadav

    My Blogs: Follow Me :
    2011年9月5日 下午 08:49
  • Thanks for your reply.

    The idea is good, but does SQL Server provide a seamless way to do this?

    2011年9月5日 下午 08:53
  • Here is an article about encryption in SQL Server: 

    And I would also like to point out that not only the data on SQL Server should be encrypted, but also the communication betweeen the database and your client.

    Dimitri C. - Please mark the replies as answers if they help! Thanks.
    2011年12月21日 下午 01:57
  • Dimitri C, thanks for your feedback.
    2011年12月24日 下午 09:59