OpenClinica SQL Injection FISMA Control

We're in the process of reviewing our FISMA compliance and I've been asked to "verify with the vendor that we're protected against SQL injection attacks". I realize this is a general best practice Java development activity, but is there anything official that I could reference? Thank you.

Comments

  • toskrip Posts: 244
    I don't think you are going to get anything official unless you are a paying customer that is able to run an audit focused on the development process. In general the most common approach to prevent SQL injection is the use of parameterized queries. As the code is open source, you may run some static analysis tools on top of it (specifically the DAO part of the code base) to get some quantitative data. I have a feeling that you will find that both parameterized as well as non-parameterized queries are part of the codebase. Then the final question would be which of them are mostly in use (there is definitely a part of the codebase that is not used any more -> replaced with newer modules etc.)

    T
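The reply above suggests two things: parameterized queries as the control, and a static scan of the DAO code to see which query style is actually in use. The following is an added example, not OpenClinica code and not from the poster: a small heuristic scanner that walks DAO-style Java source and flags the two patterns an auditor would look for first (an SQL string literal glued to a variable with `+`, and a plain `Statement.execute*(variable)` call), while letting a `PreparedStatement` with `?` placeholders pass. The `SubjectDao` class it scans is a constructed sample written to contain one vulnerable method and one safe one; the class, table and column names are assumptions. It assumes Java 17 or newer (for `record`).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Heuristic scanner for JDBC string-concatenation patterns.
 * Added example, not OpenClinica code. It runs over constructed DAO-style
 * source text so the rules are visible; a real audit would point a proper
 * SAST tool at the actual DAO package and review each hit by hand.
 */
public class SqlConcatScanner {

    // One finding: which file, which line, and the offending line text.
    public record Finding(String file, int line, String text) { }

    // Rule 1: a string literal beginning with an SQL keyword that is followed
    // by '+', i.e. something is being concatenated into the query text.
    private static final Pattern CONCAT = Pattern.compile(
        "\"\\s*(?i:select|insert|update|delete|where|and|or)\\b[^\"]*\"\\s*\\+");

    // Rule 2: a Statement.execute*(someVariable) call. A PreparedStatement's
    // executeQuery() takes no argument, so a variable here means raw SQL text.
    private static final Pattern STATEMENT_EXEC = Pattern.compile(
        "\\.(executeQuery|executeUpdate|execute)\\s*\\(\\s*[A-Za-z_]\\w*\\s*\\)");

    /** Scan one source file's text and return the lines that match a rule. */
    public static List<Finding> scan(String fileName, String source) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i].trim();
            if (line.startsWith("//")) {
                continue; // skip line comments so explanatory text is not flagged
            }
            if (CONCAT.matcher(line).find() || STATEMENT_EXEC.matcher(line).find()) {
                findings.add(new Finding(fileName, i + 1, line));
            }
        }
        return findings;
    }

    // Constructed sample in the style of a DAO class; not OpenClinica source.
    // Method one builds the query by concatenation, method two binds a parameter.
    static final String SAMPLE = String.join("\n",
        "public class SubjectDao {",
        "  // Vulnerable: untrusted input concatenated into the query text",
        "  public ResultSet findByLabel(Connection c, String label) throws SQLException {",
        "    String sql = \"SELECT * FROM study_subject WHERE label = '\" + label + \"'\";",
        "    Statement st = c.createStatement();",
        "    return st.executeQuery(sql);",
        "  }",
        "  // Safe: the driver binds the value; it is never parsed as SQL",
        "  public ResultSet findByLabelSafe(Connection c, String label) throws SQLException {",
        "    PreparedStatement ps = c.prepareStatement(\"SELECT * FROM study_subject WHERE label = ?\");",
        "    ps.setString(1, label);",
        "    return ps.executeQuery();",
        "  }",
        "}");

    public static void main(String[] args) {
        List<Finding> findings = scan("SubjectDao.java", SAMPLE);
        for (Finding f : findings) {
            System.out.println(f.file() + ":" + f.line() + "  " + f.text());
        }
        System.out.println(findings.size() + " suspicious line(s)");
    }
}
```

On the constructed sample the scanner reports the concatenated `SELECT ... + label` line and the `st.executeQuery(sql)` call, and reports nothing for `findByLabelSafe`, which is the split the reply describes: counting hits per DAO class gives the "quantitative data" on how much of the live code path still builds SQL by hand. The regexes are deliberately narrow (they miss `String.format`, `StringBuilder` and multi-line literals), so treat the output as a triage list, not as proof of absence.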