270 Security Functions of IBM DB2 10 for z/OS
11.3.3 Lessons learned
Today, many transactions that run on a DB2 subsystem originate outside of z/OS from the
internet. They are initiated by users who authenticate their identities on web-based or
distributed application servers, such as with Spiffy Computer Company.
The ability to monitor and identify remote users behind an application user ID was already
provided by DB2 9 with trusted contexts and the “allow use for” option. With distributed
identity filters, similar extended functionality and auditing is provided by both DB2 10 and
A distributed identity filter is a RACF mapping association between a RACF user ID and one
or more distributed user identities. You can use the RACF RACMAP command to associate a
distributed user identity with a RACF user ID.
DB2 10 supports the RACF distributed identity filter. Using this function, we can identify
remote applications and achieve better monitoring and auditing of their connections.
You need to look at the DB2 trusted context definition and the RACF mapping to know who is
allowed to use the trusted connection.
11.4 Considerations about SQL injection
SQL injection is yet another common vulnerability that is the result of lax input validation.
Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors,
SQL injection is an attack on the site itself.
The vulnerability is present when user input is either incorrectly filtered for string literal
escape characters embedded in SQL statements or the user input is not strongly typed and
thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that
can occur whenever one programming or scripting language is embedded inside another.
SQL injection attacks are also known as SQL insertion attacks.
We can avoid most SQL injection attacks by using several techniques, such as implementing
secure coding best practices, limiting web application coding privileges, reducing debugging
information, and testing web applications regularly. We can also use a product such as
pureQuery or IBM DataPower®. For more information about pureQuery, refer to 14.3, “SQL
injection and IBM Optim pureQuery Runtime” on page 340.
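As an added example (not from this Redbook or from any IBM product), the vulnerable and hardened forms of a dynamic SQL lookup described above, run against a small constructed table. sqlite3 stands in for DB2 here so the example runs offline; the "?" parameter marker is the same concept as a DB2 parameter marker.

```python
import sqlite3

# Constructed stand-in for a DB2 employee table; sqlite3 is used only so that
# the example runs offline. The rows are sample data, not a real subsystem.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (empno TEXT, lastname TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                     [("000010", "HAAS", 152750), ("000020", "THOMPSON", 94250)])
    return conn

def lookup_vulnerable(conn, empno):
    # Dynamic SQL built by string concatenation: the user's text becomes part of
    # the statement, so a quote character in the input changes its structure.
    stmt = "SELECT lastname FROM emp WHERE empno = '" + empno + "'"
    return [row[0] for row in conn.execute(stmt)]

def lookup_parameterized(conn, empno):
    # Parameter marker: the input is bound as data and never parsed as SQL,
    # so the statement structure cannot be altered by the value.
    stmt = "SELECT lastname FROM emp WHERE empno = ?"
    return [row[0] for row in conn.execute(stmt, (empno,))]

def is_valid_empno(empno):
    # Strong typing as a second line of defence: accept only the format an
    # employee number is allowed to have (six digits) and reject the rest.
    return empno.isdigit() and len(empno) == 6

def lookup_typed(conn, empno):
    # Validate first, then bind; both checks together are the hardened form.
    if not is_valid_empno(empno):
        raise ValueError("empno must be exactly six digits")
    return lookup_parameterized(conn, empno)
```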
11.4.1 Background information
Spiffy Computer Company needs to protect itself from SQL injection attacks by enhancing the
security of its remote dynamic SQL statement application. To do so, they review several
product solutions and methodologies.
11.4.2 Implementation scenario
You need to understand the limitations of security within an application. System security can
use security and integrity mechanisms that are not available to application programs. The
level of assurance that can be provided in system security can be much higher. If the
applications are run on the client or have fewer protection layers and firewalls than the
database, make sure to address those limitations.