Symantec Interview Question
AssociatesCountry: India
Interview Type: In-Person
This is a very open ended question, with no specific answer, Though, The answer can be given as below:-
The security should be looked in a complete sense, right from installation, access rules, Audit Trail, Back Restore, Privileges, Credential prevention etc.
- In DB's like IBM DB2, it needs a system user to be created, thus, security of the system user is also important. Choose a strong password for the instance user, never use the default username/password for configuration.
- Follow the principle of least privilege, The web application connecting to the database should use a low privilege user account, which is allowed only to execute bare minimum scripts to fulfill the deeds of the application and nothing more.
- The application should not store username/password in plain text in any application configuration files. It should be encoded and then used.
- Its always better to create a datasource and use JNDI lookup.
- Ensure the number of sockets available in the system complements the number of connections that you anticipate to the database from any form of DB connection.
- Perform bound checking for any user inputs.
- Use parameterized SQL queries, in case you are using plain JDBC, Or better go for an ORM.
- Do not create tables in the default schema.
- Review code for functions/triggers/procedures which are present in the database.
- Ensure the sql scripts are encrypted [Eg. use TDE, SQLShield etc]
1. check the user is exist on the Active Directory or not ? based on that we can provide the access on the DB. n prevent the other user to hit database
2. we need to create one custom role and that role we can associate with user so that user have minimum access on the db.
3. there should not be any direct statement used in code to fetch data from db it should be from SP only
there are many ways like
- krishnam6767 September 19, 2012for sql injections use scripting at client side (never allow -- or ')
now even if client disables validation script you have an option of server side scripting
IInd enforce some access level criteria for privilege operations like for drop , union etc
don't allow a user to query the db use dropdown lists for selection
now days nearly all db's are encrypted mostly applications made with Microsoft development tools like visual studio C#.net etc