Setting Database Permissions

A good way to reduce the potential attack surface of your application is to explicitly deny it the permissions to perform actions that it’s not supposed to be able to do. If it’s not meant to write files to the file system, deny it that privilege. If it’s not meant to access ports other than 80 and 443, deny it that privilege. And if it’s not meant to read from or write to certain tables in the database, deny it those privileges too.

In many cases, reducing application attack surface is a tradeoff between security and functionality; for example, no one likes having to solve a CAPTCHA to post an update to a wiki, but we put up with these inconveniences so that our wikis don’t get filled up with spam. But in this case, ...

Get Web Application Security, A Beginner's Guide now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.