Visual Basic 6: How to create a secure DAL (even developers cannot gain access to login info)?

Posted on 2007-08-03
Last Modified: 2013-11-26
Scenario: We currently have a data access layer (DAL) created in VB 6 which has the ability to run stored procedures, get recordsets, etc. - your basic DAL functions. The login information is stored in a hash which gets decrypted prior to each call. Security hasn't been an issue in the past, and we haven't had any unauthorized access that we know of. Developers can currently see the connection string info as they step through the code. Previously this was OK and acceptable.

The company is much larger now and is preparing for a Sarbanes-Oxley audit. One of the requirements is to limit who has access to the database login information on production servers - including developers.

This brings up some interesting points for the project:
1. Give the database admin the ability to frequently change the user name and password for the account that is used for many of our applications.
2. The DAL would then need to use the login information changes.
3. Through some method, developers would not be able to see these values while viewing source, debugging, or stepping through code, etc.

I have been asked to try and accomplish this project using VB6 type technology; if absolutely necessary, use .Net (because many of our client machines are old and they would be forced to update O/S, hardware). I mentioned having a web service which controlled the logins and passed back data - which was shot down (because of the increased bandwidth issues and reduplicating some DAL logic).

It's important that the current DAL stay relatively intact (because the developers still have to maintain the code if there is a problem), while allowing login credentials to change securely.
1. Is it possible to hide a variable's value from other developers in VB6 (including debugging, watches, and stepping through code)? For example, a variable can be set and used, but the value of the variable cannot be retrieved?
2. If you can suggest another approach for this unique situation, could you provide some high level design or point me in the direction of an example? (VB6 has higher priority if possible, but suggest .net solutions if that's all you know of).
Question by: awp5379

    Accepted Solution

    Are you using SQL Server? Can you use Integrated Security instead of SQL accounts? That way you could use the user's login credentials for accessing the database without the developers ever knowing the passwords.

    Author Comment

    Yes, we are using SQL 2005. Up to this point, one "master account" is being used for all programs/computers. We have several thousand PCs in various manufacturing lines, which many different users could be using within the hour - it was deemed not necessary at the time, but perhaps now it is?
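
The Integrated Security approach from the accepted solution, sketched as an added example that is not part of the original thread: a VB6 DAL entry point that connects with the Windows identity of the running process and refuses any connection string that still embeds a SQL account. The server name, database name, and all function names are assumptions made for illustration.

```vb
' Added example: hypothetical DAL helper, not the poster's code.
' Requires a project reference to Microsoft ActiveX Data Objects 2.x.
Option Explicit

' Constructed placeholder names for illustration only.
Private Const DB_SERVER As String = "PRODSQL01"
Private Const DB_NAME As String = "Manufacturing"

' Build a connection string that carries no user name or password.
' SQL Server authenticates the Windows account the process runs under,
' so a developer stepping through sees only server and database names.
Public Function BuildTrustedConnectionString() As String
    BuildTrustedConnectionString = "Provider=SQLOLEDB;" & _
        "Data Source=" & DB_SERVER & ";" & _
        "Initial Catalog=" & DB_NAME & ";" & _
        "Integrated Security=SSPI;"
End Function

' True when any key in the connection string names a SQL account credential.
Public Function HasEmbeddedCredentials(ByVal connStr As String) As Boolean
    Dim parts() As String, i As Long, eqPos As Long
    parts = Split(connStr, ";")
    For i = LBound(parts) To UBound(parts)
        eqPos = InStr(parts(i), "=")
        If eqPos > 0 Then
            Select Case LCase$(Trim$(Left$(parts(i), eqPos - 1)))
                Case "password", "pwd", "user id", "uid"
                    HasEmbeddedCredentials = True
                    Exit Function
            End Select
        End If
    Next i
End Function

' DAL entry point: legacy callers that still pass the shared
' "master account" fail here instead of connecting with it.
Public Function OpenDalConnection(ByVal connStr As String) As ADODB.Connection
    Dim cn As ADODB.Connection
    If HasEmbeddedCredentials(connStr) Then
        Err.Raise vbObjectError + 513, "DAL", _
            "Connection string must not contain a user name or password"
    End If
    Set cn = New ADODB.Connection
    cn.Open connStr
    Set OpenDalConnection = cn
End Function
```

A caller would use `Set cn = OpenDalConnection(BuildTrustedConnectionString())`; database permissions are then granted to Windows accounts or groups rather than to a shared SQL login.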
