Minimise Database Error Information in Software
Software should reveal minimal database structure details in error messages.
Plain language
When software malfunctions or runs into a problem, it often displays error messages. This control means that these messages should not reveal too much about the database structure behind them. This is important because if attackers know the details of your database, they could exploit its weaknesses, put your data at risk, and potentially cause financial or reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
Software is designed or configured to provide as little error information as possible about the structure of databases.
Why it matters
Detailed database errors can reveal schema/table names and queries, enabling SQL injection and leading to data breach and financial loss.
Operational notes
Regularly test error handling so DB/schema details are not disclosed to users; send full errors to secure logs for developer triage.
Implementation tips
- IT team should configure error messages: They should ensure that error messages only contain essential information without revealing database details. This can be done by modifying the software settings or code to show user-friendly error messages instead.
- Software developers should review code: Developers need to review and update the software code to suppress detailed database error messages. This involves checking how the software communicates errors and making adjustments to reduce information leaks.
- System owners should liaise with software vendors: They should ask vendors to provide guidance or updates that minimise database error information in their software. This could include a patch or setting changes in the software configuration.
- IT security staff should conduct tests: They should run tests simulating database errors to ensure that only minimal information is displayed. They can do this by deliberately causing errors in a safe environment and observing the output.
- Office managers should ensure staff awareness: They should inform staff about where to report error messages that seem too detailed. This can help quickly identify and address potential risks if detailed information is being exposed.
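The "suppress details to the user, send full errors to a secure log" pattern from the operational notes and the developer and testing tips above, as an added Python example that is not from the Control Stack page or the ISM. It assumes an in-memory SQLite database with a constructed `customer_accounts` table (a placeholder schema), and an in-memory logging buffer standing in for the restricted server-side log; the `register_leaky` / `register_hardened` handlers and the `leaks_schema` check are hypothetical names for this example.

```python
import logging
import re
import sqlite3
import uuid
from io import StringIO

# Constructed sample schema for this example; table and column names are
# placeholders, not taken from any real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer_accounts ("
        "id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)"
    )
    conn.execute("INSERT INTO customer_accounts (email) VALUES ('a@example.com')")
    conn.commit()
    return conn

# Stand-in for the secure, server-side error log. An in-memory buffer keeps the
# example self-contained; in production this is a restricted log sink.
_log_buffer = StringIO()
_logger = logging.getLogger("example.db_errors")
_logger.setLevel(logging.ERROR)
_logger.propagate = False
_logger.addHandler(logging.StreamHandler(_log_buffer))

def logged_errors() -> str:
    """Everything written to the (simulated) secure log so far."""
    return _log_buffer.getvalue()

def register_leaky(conn: sqlite3.Connection, email: str):
    """'Before': the raw driver error is returned to the user. A duplicate
    email yields 'UNIQUE constraint failed: customer_accounts.email', which
    names both the table and the column."""
    try:
        conn.execute("INSERT INTO customer_accounts (email) VALUES (?)", (email,))
        conn.commit()
        return 201, {"status": "created"}
    except sqlite3.Error as exc:
        return 500, {"error": f"Database error: {exc}"}

def register_hardened(conn: sqlite3.Connection, email: str):
    """'After': the full exception goes to the secure log under a correlation
    id; the user receives only a generic message plus that id for triage."""
    try:
        conn.execute("INSERT INTO customer_accounts (email) VALUES (?)", (email,))
        conn.commit()
        return 201, {"status": "created"}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex
        # Schema-revealing detail is recorded server-side only.
        _logger.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
        return 500, {"error": "The request could not be completed.", "reference": ref}

def schema_identifiers(conn: sqlite3.Connection) -> set:
    """Table and column names from the live schema, used as the 'must not
    appear in a response' list for the test below."""
    names = set()
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        names.add(table)
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            names.add(col[1])
    return names

def leaks_schema(conn: sqlite3.Connection, body: dict) -> bool:
    """The check an error-handling test (the 'conduct tests' tip) would run:
    does any whole-word schema identifier appear in the response body?"""
    text = " ".join(str(v) for v in body.values())
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in schema_identifiers(conn))

if __name__ == "__main__":
    db = make_db()
    for handler in (register_leaky, register_hardened):
        status, body = handler(db, "a@example.com")  # duplicate -> DB error
        print(handler.__name__, status, body, "leaks:", leaks_schema(db, body))
    print("secure log:", logged_errors().strip())
```

Running the block shows the leaky handler echoing `customer_accounts.email` to the caller, while the hardened handler returns only a generic message and a reference id that a developer can match against the full detail in the log.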
Audit / evidence tips
- Ask: software error message policy document. Request documentation that outlines how the organisation controls and manages error messages. Good: shows clear guidelines limiting sensitive data exposure.
- Ask: a demonstration of error message handling. Request a practical demonstration of how database errors are handled in the software. Good: generic messages that inform without exposing technical details.
- Ask: testing records. Request logs or reports from testing where database error message handling was assessed. Good: includes detailed testing records showing compliance with the control requirements.
- Ask: about communication with vendors. Request emails or meeting notes discussing minimising error information with software vendors. Good: shows active communication and steps taken based on vendor recommendations.
- Ask: staff training records. Request evidence of training sessions for staff on reporting overly detailed error messages. Good: demonstrates that staff are aware of reporting procedures and can recognise inappropriate error messages.
Cross-framework mappings
How ISM-1278 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2)

| Control | Notes | Details |
|---|---|---|
| Annex A 8.25 | ISM-1278 requires software to be designed or configured to minimise database error information disclosed to users | |
| Annex A 8.28 | ISM-1278 requires software to avoid exposing database structure details through error messages | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.