Database Security Code Review


Database Security Code Review Information

A Security Code Review is the manual review of stored procedures with the database developers to identify source code-level issues that may enable an attacker to compromise the database. Security Code Reviews are always focused on particularly high-risk areas of the code as they are manually intensive and expensive.

Key activities include:

  • Leveraging available information (Threat Assessments, Application System Security Plans, Database Vulnerability Assessment) to understand which portions of the code should be manually reviewed;
  • Conducting a security code walkthrough with the developers wherein the stored procedure source code is peer reviewed with an emphasis on the construct and design logic responsible for achieving relevant security objectives; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by a Security Code Review are:

  • Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents;
  • Educates developers on secure coding techniques and best practices; and,
  • If integrated into the Software Development Life Cycle (SDLC), coding issues can be resolved earlier in the development process.

Database Security Code Review: Best Used

  • For applications where significant functionality is performed in the database and/or where specific stored procedures are integral to the achievement of critical security objectives; and,
  • As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical databases.

For high-risk databases, security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, or immediately following any reported security incidents.