[cs615asa] HW #N: Zhizhuo Ding

zding4 zding4 at stevens.edu
Sun Apr 26 15:45:16 EDT 2015


#TITLE: cs615-HWN
#AUTHOR: Zhizhuo Ding(zding4)
#MEETUP: Cyber Security Meet-up at UBS (OWASP Foundation), New York, April 15 2015

This cyber security meet-up was held by OWASP (the Open Web Application Security Project). It had four sessions, which covered general information about the New York Metro Joint Cyber Security Conference, how to teach students and teachers about cyber security, SQL injection in the database core, and automation across dev and ops with deep security instrumentation.

Because there was a lot going on, I only picked the most interesting sessions.
`Martin Rakhmanov` talked about `Exploiting SAP ASE via SQL injections in database core`. This kind of SQLi happens in the database core: some SQL statements (like creating a database) run with the highest permission in the database and do not check the user's permission during execution. If a malicious `unprivileged` user can inject other SQL (like gaining sysadmin access) into these statements, it is very dangerous. These SQL statements do need a relatively high level of access (not everyone can do it; you need at least the right to create a database), which means the sysadmin trusts these users and has given them that access. But this session teaches us that a sysadmin should only give users the access they need, even if you fully trust the user. The sysadmin should also patch the bug as soon as possible and check the activity log more often.

`Jeff Williams` talked about `Unifying Appsec Automation Across Dev and Ops with Deep Security Instrumentation`. This session was very interesting because sysadmins want to do everything automatically. Usually we develop the application first and then test the code to find vulnerabilities and prevent cyberattacks; this process seems all right. But with more and more apps to build, our test and security teams can't keep up with the pace of scaling. We need more money and people to do the testing and ensure security. The automation across dev and ops uses a special `agent` that monitors the code and gives information and advice to the developer (like "this code may cause SQL injection") during the development process. When the application is online, the agent detects incoming attacks and adjusts itself to defend against the attacker. With this kind of agent we can do testing and security checks alongside development, which saves a lot of resources. I have some concerns about the performance impact of the agent, but it looks cool and useful. It will solve a lot of problems (SQLi etc.) at an early stage and save a lot of time, but it definitely can't do everything. You still need your security experts to check your products and do some of the dirty work.

Link:[http://www.meetup.com/OWASP-NYC/events/219884058/]