More/updated/specialized critics

[ai-review] / critic / sql-security.md

# SQL Security Critic Framework (ISO/IEC 9075:2023)

This framework guides the Critic role when evaluating SQL code for security using SQL:2023 standard constructs and features. This critic focuses on SQL language security mechanisms including access control, data protection, audit capabilities, and secure SQL patterns defined in the ISO/IEC 9075:2023 standard.

## SQL Security Evaluation Areas

### 1. SQL Access Control Mechanisms
**What to Look For:**
- Proper use of GRANT and REVOKE statements for privilege management
- Appropriate use of roles and role-based access control (RBAC)
- Correct implementation of column-level and row-level security
- Proper use of WITH GRANT OPTION and privilege propagation
- Appropriate use of PUBLIC and specific user/role privileges

**Common Problems:**
- Excessive privileges granted through GRANT statements
- Missing REVOKE statements for unused privileges
- Improper use of WITH GRANT OPTION leading to privilege escalation
- Granting privileges to PUBLIC when specific roles would suffice
- Missing column-level restrictions on sensitive data

**Evaluation Questions:**
- Are GRANT statements used with minimal necessary privileges?
- Are REVOKE statements used to remove unused privileges?
- Is WITH GRANT OPTION used appropriately without creating privilege escalation?
- Are column-level privileges used to restrict access to sensitive data?
- Are roles used effectively to manage privilege groups?

### 2. SQL Data Protection Features
**What to Look For:**
- Use of SQL encryption functions (ENCRYPT, DECRYPT)
- Proper implementation of data masking and anonymization
- Use of SQL views for data protection and abstraction
- Appropriate use of CHECK constraints for data validation
- Implementation of row-level security using views or triggers

**Common Problems:**
- Sensitive data exposed in plaintext without encryption
- Missing CHECK constraints for data validation
- Views not used to protect underlying table structures
- Row-level security not implemented for sensitive data
- Data masking not applied to sensitive columns in queries

**Evaluation Questions:**
- Are SQL encryption functions used for sensitive data?
- Are CHECK constraints implemented for data validation?
- Are views used to protect table structures and sensitive data?
- Is row-level security implemented using SQL mechanisms?
- Is data masking applied in SELECT statements for sensitive data?

### 3. SQL Injection Prevention in SQL Code
**What to Look For:**
- Use of parameterized queries and prepared statements
- Proper use of SQL string functions for input sanitization
- Avoidance of dynamic SQL construction with user input
- Use of SQL escape functions and proper quoting
- Implementation of input validation using SQL constraints

**Common Problems:**
- Dynamic SQL construction using string concatenation
- Missing parameterization in SQL statements
- Improper use of SQL string functions for sanitization
- Lack of input validation using SQL constraints
- Unsafe use of user input in SQL statements

**Evaluation Questions:**
- Are prepared statements used for all user input?
- Are SQL string functions used properly for input sanitization?
- Is dynamic SQL construction avoided or properly secured?
- Are CHECK constraints used for input validation?
- Are SQL escape functions used for special characters?

### 4. SQL Audit and Logging Features
**What to Look For:**
- Use of SQL triggers for audit logging
- Implementation of audit trails using SQL mechanisms
- Proper use of SQL functions for timestamp and user tracking
- Implementation of change tracking using SQL features
- Use of SQL views for audit data access

**Common Problems:**
- Missing audit triggers for critical operations
- Inadequate audit trail implementation using SQL
- Missing timestamp and user tracking in audit records
- No change tracking implementation using SQL features
- Audit data not properly structured using SQL mechanisms

**Evaluation Questions:**
- Are SQL triggers used for audit logging of critical operations?
- Is audit trail data properly structured using SQL tables?
- Are SQL functions used for timestamp and user tracking?
- Is change tracking implemented using SQL mechanisms?
- Are audit views used for secure audit data access?

### 5. SQL Security Patterns and Best Practices
**What to Look For:**
- Use of SQL views for data abstraction and security
- Proper implementation of stored procedures for security
- Use of SQL functions for secure data operations
- Implementation of security checks using SQL constraints
- Proper use of SQL transactions for security operations

**Common Problems:**
- Direct table access instead of using secure views
- Missing security checks in stored procedures
- Inadequate use of SQL functions for secure operations
- Missing constraints for security validation
- Improper transaction handling in security operations

**Evaluation Questions:**
- Are secure views used instead of direct table access?
- Do stored procedures include proper security checks?
- Are SQL functions used for secure data operations?
- Are constraints used for security validation?
- Are transactions used properly for security operations?

## ISO/IEC Standards-Specific Criticism Process

### Step 1: SQL Access Control Analysis
1. **Review GRANT/REVOKE Usage**: Are privileges granted and revoked appropriately?
2. **Check Role Implementation**: Are roles used effectively for privilege management?
3. **Evaluate Column-Level Security**: Are column-level privileges used for sensitive data?
4. **Assess WITH GRANT OPTION**: Is privilege propagation controlled properly?

### Step 2: SQL Data Protection Assessment
1. **Check Encryption Usage**: Are SQL encryption functions used for sensitive data?
2. **Evaluate View Security**: Are views used to protect sensitive data?
3. **Assess CHECK Constraints**: Are constraints used for data validation?
4. **Review Row-Level Security**: Is row-level security implemented using SQL?

### Step 3: SQL Injection Prevention Analysis
1. **Check Parameterization**: Are prepared statements used for user input?
2. **Evaluate String Functions**: Are SQL string functions used for sanitization?
3. **Assess Dynamic SQL**: Is dynamic SQL construction avoided or secured?
4. **Review Input Validation**: Are SQL constraints used for input validation?

### Step 4: SQL Audit Features Assessment
1. **Check Audit Triggers**: Are SQL triggers used for audit logging?
2. **Evaluate Audit Structure**: Is audit data properly structured using SQL?
3. **Assess Tracking Functions**: Are SQL functions used for audit tracking?
4. **Review Audit Views**: Are views used for secure audit access?

### Step 5: SQL Security Patterns Analysis
1. **Check Secure Views**: Are views used for data abstraction and security?
2. **Evaluate Stored Procedures**: Do procedures include security checks?
3. **Assess SQL Functions**: Are functions used for secure operations?
4. **Review Security Constraints**: Are constraints used for security validation?

## ISO/IEC Standards-Specific Criticism Guidelines

### Focus on SQL Language Security Features
**Good Criticism:**
- "The GRANT statement provides excessive privileges; specific column-level grants would be more secure."
- "Dynamic SQL construction using string concatenation creates injection vulnerabilities; use prepared statements instead."
- "Sensitive data is not protected by views; implement row-level security using SQL views."
- "Missing CHECK constraints allow invalid data; implement SQL constraints for validation."

**Poor Criticism:**
- "This is not secure."
- "This could be vulnerable."
- "This needs better security."

### Emphasize SQL Standard Security Constructs
**Good Criticism:**
- "The use of PUBLIC privileges violates least privilege; grant to specific roles instead."
- "Missing REVOKE statements leave unused privileges active."
- "WITH GRANT OPTION allows privilege escalation; remove or restrict appropriately."
- "Direct table access bypasses security; use secure views for data protection."

**Poor Criticism:**
- "This is insecure."
- "This might be vulnerable."
- "This needs security improvements."

## ISO/IEC Standards-Specific Problem Categories

### SQL Access Control Problems
- **Excessive GRANT Privileges**: Granting more permissions than necessary through GRANT statements
- **Missing REVOKE Statements**: Failure to revoke unused privileges
- **Improper WITH GRANT OPTION**: Allowing privilege escalation through grant propagation
- **PUBLIC Privileges**: Granting privileges to PUBLIC when specific roles would suffice

### SQL Data Protection Problems
- **Missing Encryption Functions**: Not using SQL encryption functions for sensitive data
- **Inadequate Views**: Not using views to protect sensitive data and table structures
- **Missing CHECK Constraints**: Lack of SQL constraints for data validation
- **No Row-Level Security**: Missing row-level security implementation using SQL

### SQL Injection Problems
- **Dynamic SQL Construction**: Using string concatenation for dynamic SQL
- **Missing Parameterization**: Not using prepared statements for user input
- **Inadequate String Functions**: Improper use of SQL string functions for sanitization
- **Missing Input Validation**: Lack of SQL constraints for input validation

### SQL Audit Problems
- **Missing Audit Triggers**: No SQL triggers for audit logging of critical operations
- **Poor Audit Structure**: Inadequate audit data structure using SQL tables
- **Missing Tracking Functions**: Not using SQL functions for timestamp and user tracking
- **No Audit Views**: Missing views for secure audit data access

### SQL Security Pattern Problems
- **Direct Table Access**: Accessing tables directly instead of using secure views
- **Missing Security Checks**: Stored procedures without proper security validation
- **Inadequate Functions**: Not using SQL functions for secure data operations
- **Missing Security Constraints**: Lack of constraints for security validation

## ISO/IEC Standards-Specific Criticism Templates

### For SQL Access Control Issues
```
SQL Access Control Issue: [Specific access control problem]
Problem: [What makes this GRANT/REVOKE usage inadequate]
Impact: [Potential for unauthorized access or privilege escalation]
Evidence: [Specific GRANT/REVOKE statement examples]
Priority: [Critical/High/Medium/Low]
```

### For SQL Data Protection Issues
```
SQL Data Protection Issue: [Specific data protection problem]
Problem: [What makes this SQL data protection inadequate]
Impact: [Potential for data exposure or unauthorized access]
Evidence: [Specific SQL encryption, view, or constraint examples]
Priority: [Critical/High/Medium/Low]
```

### For SQL Injection Issues
```
SQL Injection Issue: [Specific injection vulnerability]
Problem: [What makes this SQL code vulnerable to injection]
Impact: [Potential for data breach, unauthorized access, or data manipulation]
Evidence: [Specific SQL code examples showing injection vulnerability]
Priority: [Critical/High/Medium/Low]
```

### For SQL Audit Issues
```
SQL Audit Issue: [Specific audit problem]
Problem: [What makes this SQL audit implementation inadequate]
Impact: [Potential for missing audit trails or inadequate logging]
Evidence: [Specific SQL trigger, view, or function examples]
Priority: [High/Medium/Low]
```

### For SQL Security Pattern Issues
```
SQL Security Pattern Issue: [Specific security pattern problem]
Problem: [What makes this SQL security pattern inadequate]
Impact: [Potential for security bypass or inadequate protection]
Evidence: [Specific SQL view, procedure, or function examples]
Priority: [High/Medium/Low]
```

## ISO/IEC Standards-Specific Criticism Best Practices

### Do's
- **Focus on SQL Language Features**: Evaluate security using SQL:2023 standard constructs
- **Emphasize Standard Compliance**: Ensure security features conform to SQL:2023
- **Consider SQL Mechanisms**: Use SQL-native security features rather than application-level
- **Assess SQL Patterns**: Evaluate security patterns implemented in SQL code
- **Document SQL Security**: Clearly document SQL security implementations

### Don'ts
- **Ignore SQL Security Features**: Don't overlook SQL-native security mechanisms
- **Accept Non-Standard Security**: Don't tolerate security implementations that don't use SQL features
- **Skip SQL Compliance**: Don't ignore SQL:2023 standard security requirements
- **Overlook SQL Patterns**: Don't accept poor SQL security patterns
- **Forget SQL Documentation**: Don't skip documentation of SQL security implementations

## ISO/IEC Standards-Specific Criticism Checklist

### SQL Access Control Assessment
- [ ] Are GRANT statements used with minimal necessary privileges?
- [ ] Are REVOKE statements used to remove unused privileges?
- [ ] Is WITH GRANT OPTION used appropriately without creating privilege escalation?
- [ ] Are column-level privileges used to restrict access to sensitive data?
- [ ] Are roles used effectively to manage privilege groups?

### SQL Data Protection Assessment
- [ ] Are SQL encryption functions used for sensitive data?
- [ ] Are CHECK constraints implemented for data validation?
- [ ] Are views used to protect table structures and sensitive data?
- [ ] Is row-level security implemented using SQL mechanisms?
- [ ] Is data masking applied in SELECT statements for sensitive data?

### SQL Injection Prevention Assessment
- [ ] Are prepared statements used for all user input?
- [ ] Are SQL string functions used properly for input sanitization?
- [ ] Is dynamic SQL construction avoided or properly secured?
- [ ] Are CHECK constraints used for input validation?
- [ ] Are SQL escape functions used for special characters?

### SQL Audit Assessment
- [ ] Are SQL triggers used for audit logging of critical operations?
- [ ] Is audit trail data properly structured using SQL tables?
- [ ] Are SQL functions used for timestamp and user tracking?
- [ ] Is change tracking implemented using SQL mechanisms?
- [ ] Are audit views used for secure audit data access?

### SQL Security Patterns Assessment
- [ ] Are secure views used instead of direct table access?
- [ ] Do stored procedures include proper security checks?
- [ ] Are SQL functions used for secure data operations?
- [ ] Are constraints used for security validation?
- [ ] Are transactions used properly for security operations?

## ISO/IEC Standards-Specific Evaluation Questions

### For Any SQL Code
1. **Are GRANT statements used with minimal necessary privileges according to SQL:2023?**
2. **Are prepared statements used for all user input to prevent SQL injection?**
3. **Are SQL encryption functions used for sensitive data protection?**
4. **Are SQL triggers used for audit logging of critical operations?**
5. **Are secure views used instead of direct table access?**
6. **Are CHECK constraints used for data validation and security?**
7. **Are SQL functions used for secure data operations?**
8. **Is row-level security implemented using SQL mechanisms?**
9. **Are REVOKE statements used to remove unused privileges?**
10. **Are transactions used properly for security operations?**

### For SQL Access Control
1. **Are privileges granted according to the principle of least privilege?**
2. **Are roles used effectively for privilege management?**
3. **Are column-level privileges used for sensitive data protection?**
4. **Is WITH GRANT OPTION used appropriately without privilege escalation?**
5. **Are PUBLIC privileges avoided in favor of specific roles?**

### For SQL Data Protection
1. **Are SQL encryption functions used for sensitive data?**
2. **Are views used to protect table structures and sensitive data?**
3. **Are CHECK constraints implemented for data validation?**
4. **Is row-level security implemented using SQL mechanisms?**
5. **Is data masking applied in SELECT statements for sensitive data?**

### For SQL Injection Prevention
1. **Are prepared statements used for all user input?**
2. **Are SQL string functions used properly for input sanitization?**
3. **Is dynamic SQL construction avoided or properly secured?**
4. **Are CHECK constraints used for input validation?**
5. **Are SQL escape functions used for special characters?**

### For SQL Audit and Logging
1. **Are SQL triggers used for audit logging of critical operations?**
2. **Is audit trail data properly structured using SQL tables?**
3. **Are SQL functions used for timestamp and user tracking?**
4. **Is change tracking implemented using SQL mechanisms?**
5. **Are audit views used for secure audit data access?**

## SQL:2023 Security Principles Applied

### "Use SQL Access Control Mechanisms"
- Implement proper GRANT and REVOKE statements
- Use roles for privilege management
- Apply column-level and row-level security
- Control privilege propagation with WITH GRANT OPTION

### "Implement SQL Data Protection"
- Use SQL encryption functions for sensitive data
- Implement views for data abstraction and security
- Apply CHECK constraints for data validation
- Use row-level security with SQL mechanisms

### "Prevent SQL Injection Using SQL Features"
- Use prepared statements for all user input
- Apply SQL string functions for sanitization
- Avoid dynamic SQL construction with user input
- Use SQL constraints for input validation

### "Implement SQL Audit and Logging"
- Use SQL triggers for audit logging
- Structure audit data using SQL tables
- Apply SQL functions for tracking and timestamps
- Use views for secure audit data access

### "Follow SQL Security Patterns"
- Use secure views instead of direct table access
- Implement security checks in stored procedures
- Use SQL functions for secure data operations
- Apply constraints for security validation