Chapter 19. Reductio Ad Applicationem Securitatis

Darryle Merlette

Early in my career, a wise man once told me: “There are only three things you can do with a computer: read, write, and change (RWC) data.” At first, I didn’t appreciate this reduction of the field of computer science—reductio ad computatrum scientia—to which I had just devoted more than six years of study. But as time went by, I realized he was actually correct. Although databases teach us the notion of create/read/update/delete (CRUD), the correspondence to his trifecta classification is clear.

The history of computer security shows that databases are a prime target for exploitation through attacks on the applications in front of them. What are the implications of the RWC classification? Whenever a new exploit or attack is disclosed, examining where and how the three processes come into play—a reduction to application security, or reductio ad applicationem securitatis, so to speak—can provide insight to developers and help them apply proper controls to their applications and databases.

Read

When data is read by an application, it is used as input to a process that allows the application to do what it was intended to do. For example, a sorting application takes an unsorted list of numbers as input and produces a sorted list. However, some applications can be given data that allows them to do that for which they were ...
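The following is an added example, not code from the chapter or its author, illustrating the read side of the RWC classification against a database: the same untrusted input is read into two versions of a lookup, one that splices it into the statement text and one that binds it as a parameter, so the input can be seen either changing what the query does or remaining plain data. The `accounts` table, its rows, and both input strings are constructed for this example; the database is an in-memory SQLite instance so the script runs offline.

```python
"""Added example (not from the chapter): untrusted input read into a
database query, first by string formatting and then by parameter binding.

The table, rows and input strings below are constructed for this example;
the database is an in-memory SQLite instance so it runs offline."""
import sqlite3

# Constructed sample data: a small accounts table with two users.
ROWS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create and populate the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Weak form: input read from the user becomes part of the statement text,
    so the data can change what the query does, not only what it looks up."""
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Corrected form: the statement text is fixed and the input is bound as
    a value, so it is compared against the column and nothing more."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a benign and a constructed hostile input and return
    the rows each one produced, keyed by case."""
    conn = make_db()
    benign = "alice"
    # Constructed input that reads as SQL syntax rather than as a username.
    hostile = "' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # every row comes back
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),      # no such username
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

Running the script shows the weak lookup returning the whole table for the hostile input while the parameterized lookup returns nothing for it, which is the RWC point in miniature: a read that lets input be interpreted as instructions lets the reader, not the developer, decide what the application does.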
