
OpenClinica SQL Injection FISMA Control

We're in the process of reviewing our FISMA compliance and I've been asked to "verify with the vendor that we're protected against SQL injection attacks". I realize this is a general best practice Java development activity, but is there anything official that I could reference? Thank you.

Comments

  • toskrip Posts: 255
    I don't think you are going to get anything official unless you are a paying customer that is able to run an audit focused on the development process. In general the most common approach to prevent SQL injection is the use of parameterized queries. As the code is open source you may run some static analysis tools on top of it (specifically the DAO part of the code base) to get some quantitative data. I have a feeling that you will find that both parameterized as well as non-parameterized queries are part of the codebase. Then the final question would be which of them are mostly in use (there is definitely part of the codebase that is not used any more -> replaced with newer modules etc.)

    T
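The distinction the answer draws between parameterized and non-parameterized queries, as an added example that is not OpenClinica code: Python's sqlite3 stands in for JDBC (the `?` binding corresponds to `PreparedStatement.setString` in a Java DAO), and the table and rows are constructed for the demo. Feeding a label containing a quote character shows why the concatenated form is the one a static-analysis pass should flag: the value is parsed as SQL syntax rather than treated as data.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for a clinical-data table;
    # this is not OpenClinica's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subject (subject_id INTEGER, label TEXT, site TEXT)")
    conn.executemany(
        "INSERT INTO subject VALUES (?, ?, ?)",
        [(1, "S-001", "Boston"), (2, "O'Brien", "Boston"), (3, "S-003", "Leeds")],
    )
    return conn


def find_subject_concat(conn, label):
    # Non-parameterized: the value is spliced into the SQL text, so the
    # database parses whatever it contains as part of the statement.
    # This is the pattern to look for when reviewing DAO code.
    sql = "SELECT subject_id, label FROM subject WHERE label = '" + label + "'"
    return conn.execute(sql).fetchall()


def find_subject_param(conn, label):
    # Parameterized: the SQL text is fixed and the value is bound separately,
    # so it is never interpreted as SQL regardless of its characters.
    sql = "SELECT subject_id, label FROM subject WHERE label = ?"
    return conn.execute(sql, (label,)).fetchall()


def compare(label):
    """Run both variants on the same input; returns (concat_result, param_result).

    A failure of the concatenated variant is returned as an 'error: ...' string
    instead of raising, so the two behaviours can be compared side by side.
    """
    conn = build_db()
    try:
        concat = find_subject_concat(conn, label)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    param = find_subject_param(conn, label)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for label in ("S-001", "O'Brien"):
        print(label, compare(label))
```

For the plain label both variants agree; for the quoted label only the parameterized query returns the matching row, while the concatenated one fails because the quote changed the statement's structure.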