Re: Looking for advice on database encryption

From: Bill Moran
Subject: Re: Looking for advice on database encryption
Msg-id: 20090416202901.deec5e0d.wmoran@potentialtech.com
In reply to: Re: Looking for advice on database encryption (Thomas Kellerer <spam_eater@gmx.net>)
List: pgsql-general

Thomas Kellerer <spam_eater@gmx.net> wrote:
>
> Bill Moran wrote on 16.04.2009 23:06:
> >> which only talks about someone getting hold of the contents of the server's
> >> hard disk.
> >
> > Not really.  You're making an assumption that a pg_dump can only be
> > run on the server itself.
>
> Right, I forgot that.
>
> But then it's similar to the situation where the user displays the data and
> walks away with the screenshot...

Actually, it's completely different.  If a user walks away with a screenshot
of data that they had access to anyway, then the application developer is
not culpable.

However, if a flaw is found in the application and a user can use it to
gain escalated privs and access data that would normally not be available,
the application developer is going out of business.

If a user finds a flaw, but it simply results in an error because the layer
of security behind it prevents an information leak, then the application
developer doesn't look very bad at all.  Layered security saves the day!

> If you have an application server sitting in the middle you can limit
> connections to the database to the app server itself. Or even put the appserver
> on the same box as the database server and limit connections only to localhost.
> In that case the attacker needs to be able to log in to the server directly.

You're assuming that the application is perfect.  With the data we're
protecting, we don't have that luxury.

This isn't a particularly new view of security.  CERT has hundreds of pages
documented on how this is correct security practice.  If it wasn't, there
wouldn't need to be firewalls between Windows servers and the Internet.

The part that's unique (from my experience) is the demand that the data
be so readily accessible.  Usually, highly secure data is understood to
be difficult to access, but that understanding doesn't exist in this
market.  It's an unreasonable expectation on the part of our clients, to
be honest, but if we can find a way to meet it, we leave the competition
in the dust.

Thanks for the feedback so far.

--
Bill Moran
http://www.potentialtech.com
