Check: DG0091-SQLServer9
Database SQL Server 9:
DG0091-SQLServer9
(in version v8 r1.9)
Title
Custom and GOTS application source code stored in the database should be protected with encryption or encoding. (Cat III impact)
Discussion
Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure.
Check Content
If this is not a production database, this check is Not a Finding.

From the query prompt:

    SELECT name AS [Database Name]
    FROM [master].sys.databases
    WHERE name NOT IN ('tempdb', 'reportserver', 'reportservertempdb')
    AND state = 0

Repeat for each database:

From the query prompt:

    USE [Database Name]
    -- SCHEMA_NAME resolves o.schema_id; USER_NAME expects a principal ID.
    SELECT SCHEMA_NAME(o.schema_id) AS [Schema], o.name AS [Object],
           o.type_desc AS [Type], o.create_date AS [Create Date]
    FROM sys.all_objects o, sys.sql_modules s
    WHERE o.object_id = s.object_id
    AND s.definition IS NOT NULL
    AND o.is_ms_shipped = 0
    ORDER BY SCHEMA_NAME(o.schema_id), o.name

Review the listed results. If any results listed are not documented in the System Security Plan and authorized by the IAO, this is a Finding.
Fix Text
Recreate stored procedures and specify encryption using the ALTER PROCEDURE command. Example:

    ALTER PROCEDURE [MyProc] WITH ENCRYPTION AS SELECT [mycol1], [mycol2] FROM [mytable]...

Replace objects specified between the "[]" characters with custom/GOTS procedure references.

Document all exceptions to this requirement in the System Security Plan and authorize with the IAO.
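A worked T-SQL run of the check and fix above, added here as an illustration and not part of the STIG text; the procedure name dbo.usp_DG0091_Demo is a hypothetical placeholder and the script assumes a non-production test database. It goes slightly beyond the check by reporting OBJECTPROPERTY(..., 'IsEncrypted') for every module type, not only stored procedures.

```sql
-- Added example: run in a non-production test database (SQL Server 2005 syntax).
-- dbo.usp_DG0091_Demo is a constructed, hypothetical object name.
IF OBJECT_ID(N'dbo.usp_DG0091_Demo', N'P') IS NOT NULL
    DROP PROCEDURE dbo.usp_DG0091_Demo;
GO
CREATE PROCEDURE dbo.usp_DG0091_Demo
AS
    SELECT name, create_date FROM sys.objects WHERE is_ms_shipped = 0;
GO

-- Status before the fix. IsEncrypted is reported next to the definition test
-- because definition is also NULL when the caller lacks permission to view it.
SELECT SCHEMA_NAME(o.schema_id) AS [Schema], o.name AS [Object],
       o.type_desc AS [Type],
       OBJECTPROPERTY(o.object_id, 'IsEncrypted') AS [IsEncrypted],
       CASE WHEN s.definition IS NULL THEN 0 ELSE 1 END AS [DefinitionVisible]
FROM sys.all_objects o
JOIN sys.sql_modules s ON o.object_id = s.object_id
WHERE o.object_id = OBJECT_ID(N'dbo.usp_DG0091_Demo');
GO

-- The fix: ALTER replaces the whole module, so the full body is restated.
ALTER PROCEDURE dbo.usp_DG0091_Demo
WITH ENCRYPTION
AS
    SELECT name, create_date FROM sys.objects WHERE is_ms_shipped = 0;
GO

-- Status after the fix, for comparison with the first result set.
SELECT OBJECTPROPERTY(o.object_id, 'IsEncrypted') AS [IsEncrypted],
       CASE WHEN s.definition IS NULL THEN 0 ELSE 1 END AS [DefinitionVisible]
FROM sys.all_objects o
JOIN sys.sql_modules s ON o.object_id = s.object_id
WHERE o.object_id = OBJECT_ID(N'dbo.usp_DG0091_Demo');
GO

-- Modules of any type still stored without encryption in this database;
-- reconcile this list against the exceptions in the System Security Plan.
SELECT SCHEMA_NAME(o.schema_id) AS [Schema], o.name AS [Object], o.type_desc AS [Type]
FROM sys.all_objects o
JOIN sys.sql_modules s ON o.object_id = s.object_id
WHERE o.is_ms_shipped = 0
  AND OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 0
ORDER BY [Schema], [Object];
GO

DROP PROCEDURE dbo.usp_DG0091_Demo;
GO
```

Keep the original source under version control before applying WITH ENCRYPTION, because the catalog views no longer return the module text afterwards.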
Additional Identifiers
Rule ID: SV-24094r2_rule
Vulnerability ID: V-3823
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |