Ensure Secure Database Queries in Software
Checks ensure database queries from software are legitimate and correctly formatted.
Plain language
This control means that all software that talks to databases must check that the data it sends in queries is safe and correctly formatted. This matters because if someone manages to send malformed or malicious queries, they might alter your data, crash your systems, or even let outsiders see information they shouldn't.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
All queries to databases from software are filtered for legitimate content and correct syntax.
Why it matters
If database queries aren’t filtered and validated, SQL injection can allow unauthorised data access, alteration or deletion, causing data breaches and corruption.
Operational notes
Enforce parameterised queries and server-side input validation; block unsafe SQL patterns and log rejected queries. Regularly review validation rules and test using SQL injection test cases.
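The operational notes above call for parameterised queries, server-side validation and logging of rejected queries. The following is an added example (not code from the page or the ISM) that shows all three against a constructed in-memory SQLite table: the string-spliced lookup is the anti-pattern, `lookup_parameterised` binds the value so it is never parsed as SQL, and `lookup_safe` adds an allowlist check (the username format is an assumption for the example) and logs what it rejects.

```python
import logging
import re
import sqlite3

log = logging.getLogger("db.query")

# Constructed sample data: two users in an in-memory SQLite database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Assumed allowlist for this example: 1-32 characters of letters, digits, '.', '_' or '-'.
# Replace it with the application's real username format.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def validate_username(value: str) -> bool:
    # Server-side validation: the whole value must match the allowlist.
    return USERNAME_RE.fullmatch(value) is not None

def lookup_unsafe(conn, username: str) -> list:
    # Anti-pattern: the input is spliced into the SQL text, so its content
    # can change the query's syntax instead of being treated as data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL,
    # so it can only ever be compared as a literal string.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def lookup_safe(conn, username: str) -> list:
    # Defence in depth: reject and log anything off the allowlist, then use
    # the parameterised query for what remains.
    if not validate_username(username):
        log.warning("rejected database query input: %r", username)
        raise ValueError("invalid username")
    return lookup_parameterised(conn, username)

if __name__ == "__main__":
    db = make_db()
    test_case = "' OR '1'='1"  # constructed SQL injection test case
    print(lookup_unsafe(db, test_case))         # both rows: WHERE became always-true
    print(lookup_parameterised(db, test_case))  # []: compared as a literal, no match
    print(lookup_safe(db, "alice"))             # [('alice', 'admin')]
```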
Implementation tips
- The software development team should create a checklist of safe database queries: Start by documenting the types of data interactions your software needs and the correct way these queries should be written to avoid mistakes or weaknesses. Regularly update this checklist as new functionalities are added.
- The IT security officer should review and approve query handling processes: Organise regular reviews to make sure that queries are only accepted if they meet specific, safe criteria. This involves checking if security measures like parameterised queries are in place to prevent SQL injection attacks.
- Software developers should implement training on secure coding practices: Conduct workshops or find online courses to educate team members on how to write queries securely. This includes teaching developers about common vulnerabilities and defence tactics like input validation.
- The system administrator should monitor database access logs: Regularly check the logs for any unusual query patterns that could suggest someone is trying to access the database incorrectly. Implement alert systems to notify the team if suspicious activity is detected.
- The procurement officer should ensure third-party software includes query security features: Whenever acquiring software that interacts with databases, verify with suppliers that their products include security features to check and manage database queries safely.
Audit / evidence tips
- Ask: documented query handling procedures. Request a copy of the guidelines and checklists used by developers for creating and reviewing database queries.
  Good: up-to-date records with clear steps and approval signatures.
- Good: consistent monitoring entries and actions taken on flagged queries.
- Ask: training records on secure database querying. Request documentation of past training sessions including dates, attendees, and topics covered.
  Good: records showing ongoing education and participation by relevant staff.
- Ask: evaluation reports or contracts that show database security requirements were considered in purchasing decisions.
  Good: contracts or purchase orders with security compliance clauses.
- Ask: logs that show who is accessing the database and when, focusing on the queries executed.
  Good: documented access attempts with details of successful and unsuccessful query executions.
Cross-framework mappings
How ISM-1275 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.25 | ISM-1275 requires validation/filtering of database queries generated by software to ensure only legitimate, correctly formed queries are ... | |
| Annex A 8.28 | ISM-1275 requires that all software-to-database queries are filtered/validated for legitimate content and correct syntax (i.e., query inp... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.