How to know if a database in a container environment should be trusted

Question

My application (or microservice, etc.) running in a container is reading from a database. How can I know if the database should be trusted?

Answer

Fortify views all data that comes from outside an application as a potential vector for an attack. It therefore marks all data coming into an application as potentially tainted and requires the data to be validated before it is used. This includes data coming in from a containerized database.

Best practice is that all data should be validated close to where it is used, including data that is read from a trusted database, to ensure all data is validated and that it is validated correctly for how it will be used. For example, it’s usually preferable to validate data for cross-site scripting just before sending it to a web page instead of validating the data for cross-site scripting before it is placed in the database.
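The point-of-use rule above, as an added illustration that is not part of the original answer: the same stored string is consumed by two sinks (an HTML page and a JSON API), so the encoding has to be chosen at each sink rather than once at insert time. The in-memory SQLite table, the row values and the function names are constructed for this example.

```python
import html
import json
import sqlite3

HOSTILE_NAME = 'Alice <script>alert(1)</script> & Co'  # constructed sample value

def build_sample_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the containerized database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)")
    # Row 1: stored as received (parameterized insert, so no SQL injection).
    conn.execute("INSERT INTO users (display_name) VALUES (?)", (HOSTILE_NAME,))
    # Row 2: the anti-pattern, HTML-encoded at insert time for one sink only.
    conn.execute("INSERT INTO users (display_name) VALUES (?)",
                 (html.escape(HOSTILE_NAME, quote=True),))
    return conn

def load_display_name(conn: sqlite3.Connection, user_id: int) -> str:
    # Whatever comes back is still treated as tainted; no sink-specific
    # safety is assumed just because the database itself is trusted.
    row = conn.execute(
        "SELECT display_name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError(user_id)
    return row[0]

def render_html(conn: sqlite3.Connection, user_id: int) -> str:
    # HTML sink: encode for the HTML body context right at the point of use.
    name = load_display_name(conn, user_id)
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"

def render_json(conn: sqlite3.Connection, user_id: int) -> str:
    # JSON API sink: a different context with its own quoting rules;
    # the API consumer expects the raw text, not HTML entities.
    name = load_display_name(conn, user_id)
    return json.dumps({"display_name": name})

if __name__ == "__main__":
    db = build_sample_db()
    print(render_html(db, 1))  # encoded for the page at the sink
    print(render_json(db, 1))  # raw value, correct for the API
    print(render_html(db, 2))  # double-encoded: a literal "&lt;" shows on the page
    print(render_json(db, 2))  # HTML entities leak into the API payload
```

Row 2 shows why encoding before storage is usually the wrong place: the HTML page double-encodes it and the JSON consumer receives HTML entities, while row 1 is correct at both sinks.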

The following are examples of additional criteria that are recommended:

  • No other application may have access to tables or views accessed by the application
  • Table, row, and/or column-based access controls are in place to limit access to the database application data
  • Connection strings used to connect to the database are encrypted or access is restricted to database connections by the production hosting facility according to VA policy
  • Connections to the database are encrypted or sensitive data sent across connections is first encrypted by the application

Additional Guidance

OIS Software Assurance recognizes that the above is not always feasible for all applications. To show instead that a database running in a container can be trusted, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[1] that attests:
    • The database was instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts, and
    • Required database monitoring and security auditing is being performed to ensure that the database is protected from unauthorized access.
  • Requirement: No SQL injection vulnerabilities (including no SQL injection findings categorized as Medium or Low by Fortify) may be present in your application
  • Requirement: All data inserted into the database must be validated appropriately before it is inserted.[3]

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.

[3] Validations of the data inserted into the database must be appropriate for how the data is used. For example, if a string retrieved from the database is placed in a web page, it must be validated against cross-site scripting before it is inserted into the database. The audit comments must include pointers to all places in the code where that data is put in the database and where it is validated so the reviewer can confirm the correct validations are in place.