Database Security
This section on OWASP SCP will cover all of the database security issues and actions developers and DBAs need to take when using databases in their web applications.
Go doesn't have database drivers, instead there is a core interface driver on the database/sql package. This means that you need to register your SQL driver (eg: MariaDB, sqlite3) when using database connections.
The best practise
Before implementing your database in Go, you should take care of some configurations that we'll cover next:
- Secure database server installation1
- Change/set a password for
rootaccount(s); - Remove the
rootaccounts that are accessible from outside the localhost; - Remove any anonymous-user accounts;
- Remove any existing test database;
- Change/set a password for
- Remove any unnecessary stored procedures, utility packages, unnecessary services, vendor content (e.g. sample schemas).
- Install the minimum set of features and options required for your database to work with Go.
- Disable any default accounts that are not required on your web application to connect to the database.
Also, because it's important to validate input and encode output on the database, be sure to take a look into the Input Validation and Output Encoding sections of this guide.
This basically can be adapted to any programming language when using databases.
1. MySQL/MariaDB have a program for this: mysql_secure_installation1, 2 ↩