Minimise Database Error Information in Software
Software should reveal minimal database structure details in error messages.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Feb 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for software development
Software is designed or configured to provide as little error information as possible about the structure of databases.
Source: ASD Information Security Manual (ISM)
Plain language
When software malfunctions or runs into a problem, it often displays error messages. This control means that these messages should not reveal too much about the database structure behind them. This is important because if attackers know the details of your database, they could exploit its weaknesses, put your data at risk, and potentially cause financial or reputational harm.
Why it matters
Detailed database errors can reveal table and column names, the text of the failing query and the database product in use. That gives an attacker a precise feedback loop for refining SQL injection payloads and, with error-based techniques, a channel for extracting data directly, which can lead to a data breach and financial loss. Suppressing the detail removes the leak but not the underlying injection flaw; that still needs parameterised queries and input validation.
Operational notes
Regularly test error handling (including API error responses and edge cases such as constraint violations and an unreachable database) so DB/schema details are not disclosed to users; send full errors, tagged with a correlation ID that is quoted in the user-facing message, to secure logs for developer triage.
Implementation tips
- IT team should configure error messages: user-facing messages should carry only what the user needs (that the request failed and a reference to quote) and never the driver exception, the failed query or table and column names. This is usually a framework setting (production mode, custom error pages) or a change to the code path that renders errors.
- Software developers should review code: find every place the software reports an error to a user (exception handlers, API error responses, templates) and replace pass-through of the database exception with a generic message, keeping the full detail in the server-side log.
- System owners should liaise with software vendors: ask vendors for guidance, a patch or configuration settings that minimise database error information in their products.
- IT security staff should conduct tests: in a non-production environment, deliberately provoke database errors (a constraint violation, a missing table, an unavailable database) and confirm that the responses contain only the generic message.
- Office managers should ensure staff awareness: tell staff where to report error messages that look unusually detailed so that a leak is identified and fixed quickly.
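The before-and-after handling described in the operational notes and implementation tips, as an added example rather than code from the ISM or this page. It uses an in-memory sqlite3 database with a constructed `accounts` table; the handler names, the table and column names and the correlation-ID format are assumptions for illustration. The leaky handler echoes the driver exception (which for a duplicate e-mail names the table and column); the hardened handler returns a generic message and a reference, and logs the full detail server-side. The last two functions are the disclosure test the IT security staff step calls for: they build a list of schema identifiers from the live database and check whether any appear in the user-facing output.

```python
"""Added example: leaky vs. hardened handling of database errors (ISM-1278).

Constructed sqlite3 demo, not code from the ISM or this page. Table, column
and handler names are assumptions for illustration.
"""
import logging
import sqlite3
import uuid

# Assumption: this logger is routed to the secure server-side log only.
log = logging.getLogger("app.db")


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one table with a UNIQUE column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)"
    )
    db.execute("INSERT INTO accounts (email) VALUES ('alice@example.invalid')")
    db.commit()
    return db


def register_leaky(db: sqlite3.Connection, email: str) -> tuple[int, str]:
    """Before: the raw driver exception is echoed to the user."""
    try:
        db.execute("INSERT INTO accounts (email) VALUES (?)", (email,))
        db.commit()
        return 201, "Registered"
    except sqlite3.Error as exc:
        # For a duplicate e-mail sqlite reports
        # "UNIQUE constraint failed: accounts.email": table and column disclosed.
        return 500, f"Database error: {exc}"


def register_hardened(db: sqlite3.Connection, email: str) -> tuple[int, str]:
    """After: generic message to the user; full detail plus a reference to the log."""
    try:
        db.execute("INSERT INTO accounts (email) VALUES (?)", (email,))
        db.commit()
        return 201, "Registered"
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]  # correlation ID lets support find the log entry
        log.error("db error ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
        return 500, f"The request could not be completed. Reference: {ref}"


def schema_identifiers(db: sqlite3.Connection) -> set[str]:
    """Inventory of table and column names, used as the disclosure check list."""
    names: set[str] = set()
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        names.add(table)
        for row in db.execute(f'PRAGMA table_info("{table}")'):
            names.add(row[1])  # column name
    return names


def discloses_schema(message: str, identifiers: set[str]) -> set[str]:
    """Schema identifiers found in a user-facing message (empty set means pass)."""
    lower = message.lower()
    return {name for name in identifiers if name.lower() in lower}


def run_disclosure_test() -> dict:
    """Provoke a DB error (duplicate e-mail) and inspect what each handler returns."""
    db = make_db()
    ids = schema_identifiers(db)
    leaky = register_leaky(db, "alice@example.invalid")
    hardened = register_hardened(db, "alice@example.invalid")
    return {
        "leaky_status": leaky[0],
        "leaky_leaks": discloses_schema(leaky[1], ids),
        "hardened_status": hardened[0],
        "hardened_leaks": discloses_schema(hardened[1], ids),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_disclosure_test())
```

The identifier list is read from the database itself rather than hard-coded, so the same check can run against a staging copy of a real schema; in a web application the message under test would be the HTTP response body (and any error headers) rather than the handler's return value.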
Audit / evidence tips
- Ask: software error message policy document. Request documentation that outlines how the organisation controls and manages error messages.
  Good: shows clear guidelines limiting sensitive data exposure.
- Ask: a demonstration of error message handling. Request a practical demonstration of how database errors are handled in the software.
  Good: generic messages that inform without exposing technical details.
- Ask: testing records. Request logs or reports from testing where database error message handling was assessed.
  Good: includes detailed testing records showing compliance with the control requirements.
- Ask: about communication with vendors. Request emails or meeting notes discussing minimising error information with software vendors.
  Good: shows active communication and steps taken based on vendor recommendations.
- Ask: staff training records. Request evidence of training sessions for staff on reporting overly detailed error messages.
  Good: demonstrates that staff are aware of reporting procedures and can recognise inappropriate error messages.
Cross-framework mappings
How ISM-1278 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.25 | ISM-1278 requires software to be designed or configured to minimise database error information disclosed to users | |
| Annex A 8.28 | ISM-1278 requires software to avoid exposing database structure details through error messages | |