Reino: Security Features

La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.

Privilege Management: Default Package Rights

PLSQL/TSQL

Abstract

Los paquetes que no dispongan de una cláusula AUTHID utilizan AUTHID DEFINER de forma predeterminada.

Explanation

Los paquetes PL/SQL pueden ser AUTHID DEFINER o AUTHID CURRENT_USER. Las funciones y los procedimientos de un paquete con los derechos del definidor se ejecutan con los privilegios del usuario que define el paquete. De este modo se podrán implementar las actualizaciones y obtener acceso a datos específicos sin permitir el acceso a todo el contenido de las tablas o los esquemas. En un paquete con los derechos del invocador o AUTHID CURRENT_USER, las funciones y los procedimientos se ejecutan con los privilegios del usuario que los invoca. Así, un usuario no tendrá acceso a los datos a los que aún no podía acceder. Si la cláusula AUTHID no se proporciona, el paquete utilizará los derechos del definidor de forma predeterminada.

Por lo general, los paquetes se definen mediante SYS u otro usuario con privilegios elevados, lo cual hace que las vulnerabilidades de seguridad del código sean potencialmente más peligrosas.

References

[1] Steven Feuerstein Oracle PL/SQL Best Practices O'Reilly

[2] Standards Mapping - Common Weakness Enumeration CWE ID 276

[3] Standards Mapping - Common Weakness Enumeration Top 25 2021 [19] CWE ID 276

[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [20] CWE ID 276

[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [25] CWE ID 276

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality

[10] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.4 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.sql.privilege_management_default_package_rights