Reino: Security Features

Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.

Privilege Management: Default Package Rights

PLSQL/TSQL

Abstract

Os pacotes sem uma cláusula AUTHID padroniza para AUTHID DEFINER.

Explanation

Os pacotes PL/SQL podem ser AUTHID DEFINER ou AUTHID CURRENT_USER. As funções e procedimentos em um pacote com os direitos do definidor são executados sob os privilégios do usuário que define o código. Isso pode permitir e o acesso a partes específicas de dados e as respectivas atualizações sem conceder acesso a tabelas ou a esquemas inteiros. Em um pacote com os direitos do chamador, ou AUTHID CURRENT_USER, as funções e os procedimentos são executados sob os privilégios do usuário que os invoca. Isso não permite a um usuário o acesso a dados aos quais ele ainda não tem acesso. Se nenhuma cláusula AUTHID for fornecida o pacote padroniza aos direitos do definidor.

Os pacotes são geralmente definidos pelo SYS ou por outro usuário extremamente privilegiado, fazendo com que quaisquer ataques do código sejam potencialmente mais perigosos.

References

[1] Steven Feuerstein Oracle PL/SQL Best Practices O'Reilly

[2] Standards Mapping - Common Weakness Enumeration CWE ID 276

[3] Standards Mapping - Common Weakness Enumeration Top 25 2021 [19] CWE ID 276

[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [20] CWE ID 276

[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [25] CWE ID 276

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality

[10] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.4 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.sql.privilege_management_default_package_rights