An SQL database is no longer accessible online due to a recent security breach.
An investigation reveals that unauthorized access to the database was possible due to an SQL injection vulnerability.
To prevent this type of breach in the future, which of the following security controls should be put in place before bringing the database back online? (Choose two.)
Click on the arrows to vote for the correct answer
A. B. C. D. E. F.CF.
The correct answers are C. Input validation and D. Web application firewall.
Explanation: SQL injection is a type of attack that occurs when an attacker inserts malicious SQL statements into a web application's input fields. These statements can then be executed by the application's database, leading to unauthorized access to sensitive information.
To prevent SQL injection attacks, input validation is necessary. Input validation checks whether the data being inputted by a user is in the correct format, within the allowed range, and is not malicious. Input validation is typically implemented in the web application itself or in a middleware layer.
A web application firewall (WAF) is another security control that should be put in place to prevent SQL injection attacks. A WAF is a firewall specifically designed to protect web applications by monitoring and filtering HTTP traffic between a web application and the Internet. WAFs can detect and block SQL injection attacks, as well as other types of attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF).
Secure storage policies (A) are important for protecting data at rest, but do not directly address the issue of SQL injection. Browser security updates (B) are important for preventing browser-based attacks, but do not directly address the issue of SQL injection. Secure coding standards (E) are important for preventing vulnerabilities in software development, but are not directly related to preventing SQL injection attacks. Database activity monitoring (F) is important for detecting unauthorized activity within a database, but does not directly address the issue of SQL injection.
Therefore, the two security controls that should be put in place before bringing the SQL database back online are input validation (C) and web application firewall (D).