Audit Log and SQL Injection

yehster wrote on Monday, March 18, 2013:

One thing that I’ve realized is that although “expensive” from a performance standpoint when set to log every query, it will also log SQL injection. (When someone actually exploits a vulnerability, not their existence.) So in addition to hardening the individual pages, we can also improve security by making detection of injection attacks easier.

As an example, in addition to logging the query itself, it might make sense to also include the filename of the page which creates a given query. That way the logs could be more easily examined for suspicious activity.
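
As an added illustration of the detection idea in this post (not code from the project or from yehster), the Python below scans constructed audit-log lines that carry the originating page name alongside the query. It first builds, from a log captured during known-good use, the set of query "shapes" each page normally emits (literals replaced by `?`), then flags any later query whose shape that page has never produced, and separately flags payload indicators (tautologies, `UNION SELECT`, comment sequences, stacked queries, file I/O, time delays). The pipe-separated line format, the page names, the table and column names, and every value are assumptions made for the example; they are not the project's real audit layout.

```python
"""Scan a per-query audit log for SQL injection, using the originating page
name to baseline which query shapes each page normally emits.
Constructed example: the log format and all names/values below are invented."""
import re
from collections import defaultdict

# Assumed line format (an assumption, not the project's real audit table):
# "<timestamp> | <user> | <source file> | <query>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<user>[^|]+?) \| (?P<file>[^|]+?) \| (?P<sql>.*)$"
)

STRING_LIT = re.compile("|".join([r"'(?:[^'\\]|\\.)*'", r'"(?:[^"\\]|\\.)*"']))
NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")

# Indicators are matched against the normalized query (literals already
# replaced by '?'), so a '#' or '--' inside a legitimate string value such as
# 'Room #4' does not fire, while one that broke out of the quotes does.
INDICATORS = [
    ("tautology",     re.compile(r"\bOR\s+\?\s*=\s*\?")),
    ("union_select",  re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b")),
    ("comment",       re.compile(r"--|#|/\*")),
    ("stacked_query", re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\b")),
    ("file_io",       re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+(?:OUT|DUMP)FILE\b")),
    ("time_delay",    re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(")),
]


def parse_line(line):
    """Split one audit line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_query(sql):
    """Reduce a query to its shape: string and numeric literals become '?',
    whitespace is collapsed, keywords and identifiers are upper-cased."""
    shape = STRING_LIT.sub("?", sql)
    shape = NUMBER_LIT.sub("?", shape)
    return " ".join(shape.split()).upper()


def build_baseline(log_text):
    """Map each source file to the set of query shapes it emitted in a log
    captured during known-good use."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            baseline[rec["file"]].add(normalize_query(rec["sql"]))
    return baseline


def scan(log_text, baseline):
    """Return one finding per suspicious line: the parsed record, its shape,
    and the reasons (a shape the page never emitted before, payload indicators)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        shape = normalize_query(rec["sql"])
        reasons = []
        if rec["file"] in baseline and shape not in baseline[rec["file"]]:
            reasons.append("new_shape")
        reasons += [name for name, pat in INDICATORS if pat.search(shape)]
        if reasons:
            findings.append({**rec, "shape": shape, "reasons": reasons})
    return findings


# Constructed sample logs; page names, tables, columns and values are invented.
BASELINE_LOG = """\
2013-03-18 08:01:10 | admin | interface/patient_summary.php | SELECT * FROM patient_data WHERE pid = '100'
2013-03-18 08:01:15 | admin | interface/patient_summary.php | SELECT * FROM patient_data WHERE pid = '101'
2013-03-18 08:02:30 | admin | interface/patient_summary.php | UPDATE patient_data SET phone_home = '555-0100' WHERE pid = '101'
2013-03-18 08:05:02 | nurse | interface/appointments.php | SELECT * FROM appointments WHERE event_date = '2013-03-18' AND title = 'Checkup' AND provider_id = 7
"""

SUSPECT_LOG = """\
2013-03-18 09:12:01 | admin | interface/patient_summary.php | SELECT * FROM patient_data WHERE pid = '123'
2013-03-18 09:13:11 | admin | interface/patient_summary.php | SELECT * FROM patient_data WHERE pid = '1' OR '1'='1'
2013-03-18 09:14:40 | admin | interface/patient_summary.php | SELECT * FROM patient_data WHERE pid = '1' UNION SELECT username, password, 3 FROM users -- '
2013-03-18 09:15:03 | nurse | interface/appointments.php | SELECT * FROM appointments WHERE event_date = '2013-03-18' AND title = 'Room #4' AND provider_id = 7
2013-03-18 09:16:22 | nurse | interface/appointments.php | SELECT * FROM appointments WHERE event_date = '2013-03-18' AND title = 'Checkup' AND provider_id = 7 AND SLEEP(5)
"""

if __name__ == "__main__":
    for f in scan(SUSPECT_LOG, build_baseline(BASELINE_LOG)):
        print(f["ts"], f["file"], ",".join(f["reasons"]))
        print("    ", f["sql"])
```

Running it flags three of the five suspect lines (the tautology, the UNION with a trailing comment, and the injected SLEEP) and leaves the two legitimate ones alone, including the one whose string value contains `#`. The per-page shape baseline is the part that the filename makes possible: a query that is harmless-looking on its own still stands out when the page that issued it has never built that statement before.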

robertrambo wrote on Monday, March 18, 2013:

Hello yehster,

We should strengthen by exploiting. I can run an injection on every single instance to test for code execution, then see if I can upload to get a reverse shell or download PHI. We need to test on a live hardened system. I am looking for other developers who would like to set this up. Then we may be able to set up a contest to see if anyone can break in. Eventually, like this, we will have bragging rights, maybe for the most secure system out there?

What do you think?
-Rob

yehster wrote on Monday, March 18, 2013:

As Brady mentioned in the other security vulnerability thread, you don’t really need to use a “live hardened” system to test against. Just set up your own instance.

“Most secure system out there” would be a meaningless statement IMHO. True security isn’t about an inventory of vulnerabilities. It’s about being vigilant and understanding the risks. Some level of risk will always exist, and it’s how you manage those risks that defines how secure a system is.

robertrambo wrote on Wednesday, March 20, 2013:

Hello yehster,

Thank you for your recommendation.

-Rob