• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 327
  • Last Modified:

Visual Basic 6: How to create a secure DAL (even developers cannot gain access to login info)?

Visual Basic 6: How to create a secure DAL (even developers cannot gain access to login info)?

Scenario: We currently have a data access layer (DAL) created in VB 6 which has the ability to run stored procedures, get recordsets, etc  your basic DAL functions. The login information is stored in a hash which gets decrypted prior to each call. Security hasnt been an issue in the past, and we havent had any unauthorized access that we know of. Developers can currently see the connection string info as they step through the code. Prior this was ok and acceptable.

The company is much larger now and is preparing for a Sarbanes-Oxley audit. One of the requirements is to limit who has access to the database login information on production servers  including developers.

This brings up some interesting points for the project&&&&
1. Give the database admin the ability to frequently change the user name and password for the account that is used for many of our applications.
2. The DAL would then need to use the login information changes.
3. Through some method, developers would not be able to see these values while viewing source, debugging, or stepping through code, etc.

I have been asked to try and accomplish this project using VB6 type technology; if absolutely necessary, use .Net (because many of our client machines are old and they would be forced to update O/S, hardware). I mentioned having a web service which controlled the logins and passed back data  which was shot down (because of the increased bandwidth issues and reduplicating some DAL logic).

Its important that the current DAL stay relatively intact (because the developers still have to maintain the code if there is a problem), while allowing login credentials to change securely.
1.      Is it possible to hide a variables value from other developers in VB6 (including debugging, watches, and stepping through code)? For example, a variable can be set and used, but the value of the variable cannot be retrieved?
2.      If you can suggest another approach for this unique situation, could you provide some high level design or point me in the direction of an example? (VB6 has higher priority if possible, but suggest .net solutions if thats all you know of).
0
awp5379
Asked:
awp5379
1 Solution
 
TheNigeCommented:
Are you using SQL Server?  Can you use Integrated Security instead of SQL accounts?  That way you could use the users login credentials for accessing the database without the developers ever knowing the passwords.
0
 
awp5379Author Commented:
Yes, we are using SQL 2005. Up to this point, one "master account" is being used for all programs/computers. We have several thousand PCs in various manufacturing lines, which many different users could be using within the hour - it was deemed not necessary at the time, but perhaps now it is?
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now