Create simple database with secure data entry GUIs

database-designpythonSecurity

I need to create a relatively simple database management environment with a secure graphic user interface, including forms, for data entry. In my co What has been used since to fill this need is an Access database file stored on a shared drive, which was made by a partner not me. Several issues are stemming from the fact that the database is locked down for security, so no updates are possible to the interface. I cannot fix any form bugs, and I keep finding them.

What are the best resources to meet my needs?
They are:

  • data must absolutely be secure
  • data integrity is fundamental so I need every entry/edit action by data enterers to be securely stored
  • I know Python, SQL and have used Mongo before
    -no user including the admin may have backend access to change the data without a trace (like you can in Access)
  • I need to be able to produce something very quickly and continue to fix bugs if they occur

Best Answer

Oh boy this is a loaded question and really broad. You have so many things to consider. First let's tackle security. You have to understand your scope or surface area of attack and compliance requirements.

Do you accept credit card data? You'll need to meet PCI. Do you have health data? You'll need HPAA. Do you have sensitive information? Then you will need to classify that. A common formula for security budget and concern if you are not bound to a certain policy is take the percentage of likeliness of attack, how much it would cost, and factor that into how much to spend on security. You might see hiring a security consultant to review might be worth it in that case. There's a lot to consider on the scope for the front end as well, for example is this form public to the company, wide area network, the public internet, etc?

One then has to follow all the best practices to keep a secure front end. Most likely your security holes will come from a un-secure back end but if you do things such as run the front end web apps as for example, the same user as the DB or a user that has elevated DB access you just created a potential for many penetrations into your data simply by not separating users. Dev/QA/Prod environments being on the same network and sharing resources is another common attack vector. Encrypt on all layers if possible. Read up on front end security best practices such as:

Client Side Security Best Practices MS Best Practices Link

I'd recommend starting with the basic security best practices from CISSP and/or PCI. This is for security but not compliance. Are you in fact required to meet compliance as well? If so, what kind? If any, you'd better ensure you do and have mitigating controls.

For the back end you'll want to follow best practices as well. Depending on the DB engine you will have many ways of doing this. A most common attack is SQL injection where the queries that are being passed are manipulated to be another query and bring back sensitive data. Thus you will want to create users that have very tightly defined views, stored procedures (if your engine supports it), users, proxy users, and such so that they can access the minimal amount of information required.

Some DB Best Practices

MS Recommendations for DB Security

I'd say keep looking, reading up, patching, testing, run pen testing tools such as This one and come back with a more specific question. Let us know what DB engine you're using, how you're doing the transport layer, front end, and so fourth. Good luck!