[cs615asa] HW #N: Zhizhuo Ding
zding4
zding4 at stevens.edu
Sun Apr 26 15:45:16 EDT 2015
#TITLE: cs615-HWN
#AUTHOR: Zhizhuo Ding(zding4)
#MEETUP: Cyber Security Meet-up at UBS (OWASP Foundation), New York, April 15 2015
This cyber security meet-up was held by OWASP (the Open Web Application
Security Project). It had four sessions: general information about the
New York Metro Joint Cyber Security Conference, how to teach students and
teachers about cyber security, SQL injection in the database core, and
automation across dev and ops with deep security instrumentation.
Because a lot was going on, I will just pick out the most interesting
sessions.
`Martin Rakhmanov` talked about `Exploiting SAP ASE via SQL injections
in database core`. This kind of SQLi happens in the database core itself:
some SQL statements (like creating a database) run with the highest
privilege in the database and do not check the calling user's permissions
during execution. If a malicious `unprivileged` user can inject other SQL
(for example, to gain sysadmin access) into these statements, it is very
dangerous. These SQL statements do require a relatively high level of
access (not everyone can run them; you need at least the right to create
a database), which means the sysadmin trusts these users and has granted
them that access. But the lesson of this session is that a sysadmin
should only give users the access they need, even when the user is fully
trusted. The sysadmin should also patch the bug as soon as possible and
check the activity log more often.
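To make the class of bug concrete, here is an added example (constructed for this write-up, not the SAP ASE issue from the talk and not code from the speaker): a helper that always executes as a high-privilege account builds a CREATE statement from a caller-supplied name and runs it through a multi-statement API, so a caller who only holds the right to create objects can smuggle in a second statement that the privileged context executes. The `role_members` table, the `mallory` login and the `sa_role` name are assumptions for the demo; SQLite stands in for the database core.

```python
import re
import sqlite3

# Added example: SQL injection inside a privileged code path. The database,
# the role table and the attacker login are constructed for this demo.

def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with a constructed role-membership table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE role_members (login TEXT, role TEXT)")
    conn.execute("INSERT INTO role_members VALUES ('dba', 'sa_role')")
    conn.commit()
    return conn

def create_table_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """Privileged helper: interpolates the caller's name into the statement
    and runs it with executescript(), which accepts several statements."""
    conn.executescript(f"CREATE TABLE {name} (id INTEGER);")

# Allow-list for object names: letters, digits and underscore only.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def create_table_hardened(conn: sqlite3.Connection, name: str) -> None:
    """Same helper with an identifier allow-list, a quoted identifier and the
    single-statement execute() API, so a second statement cannot ride along."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"invalid table name: {name!r}")
    # sqlite3's execute() refuses more than one statement per call, so even a
    # name that slipped past the allow-list could not append a command.
    conn.execute(f'CREATE TABLE "{name}" (id INTEGER)')

def roles_of(conn: sqlite3.Connection, login: str) -> list:
    """Roles granted to a login, sorted for stable comparison."""
    rows = conn.execute("SELECT role FROM role_members WHERE login = ?", (login,))
    return sorted(role for (role,) in rows)

# Constructed attacker payload: finishes the CREATE, grants sa_role to the
# attacker's own login, and comments out the rest of the original statement.
PAYLOAD = "scratch (id INTEGER); INSERT INTO role_members VALUES ('mallory', 'sa_role'); --"

def demo_vulnerable() -> list:
    """Privilege escalation: the unprivileged caller ends up holding sa_role."""
    conn = setup_db()
    create_table_vulnerable(conn, PAYLOAD)
    return roles_of(conn, "mallory")

def demo_hardened() -> list:
    """The allow-list rejects the payload before anything runs."""
    conn = setup_db()
    try:
        create_table_hardened(conn, PAYLOAD)
    except ValueError:
        pass
    return roles_of(conn, "mallory")

if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # attacker now has sa_role
    print("hardened:  ", demo_hardened())     # nothing granted
```

The point the hardened version makes is the one from the talk: the privileged path must validate what it was handed rather than rely on the caller already being somewhat trusted, and the least-privilege advice applies on top of that, since the payload only works for a login that was allowed to reach the helper in the first place.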
`Jeff Williams` talked about `Unifying Appsec Automation Across Dev and
Ops with Deep Security Instrumentation`. This session was very interesting
because sysadmins want to do everything automatically. Usually we develop
the application first and then test the code to find vulnerabilities and
prevent cyberattacks, and this process seems fine. But with more and more
apps to build, our test and security teams cannot keep up with the pace of
scaling; we need more money and more people to do the testing and ensure
security. The automation across dev and ops uses a special `agent` that
monitors the code and gives information and advice to the developer (for
example, that some code may cause SQL injection) during the development
process. Once the application is online, the same agent detects incoming
attacks and adjusts itself to defend against the attacker. With this kind
of agent we can do testing and security checks alongside development,
which saves a lot of resources. I have some concern about the performance
overhead of the agent, but it looks cool and useful. It will solve a lot
of problems (SQLi etc.) at an early stage and save a lot of time, but it
definitely cannot do everything. You still need your security experts to
check your products and do some of the dirty work.
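To show what "monitoring the code" and "defending at runtime" look like mechanically, here is an added example, constructed for this write-up and not code from the talk or from any vendor's agent: a toy instrumentation agent that wraps the database driver, remembers which strings arrived from the request, and reports a query whose text was built by concatenating one of them (the advisory, development-time mode). The same check can refuse to run the query (the blocking, production mode). The `users` table, the `Tainted` marker, the `Agent` and `InstrumentedConnection` classes and the attacker input are all assumptions for the demo.

```python
import inspect
import sqlite3

# Added example: a toy runtime instrumentation agent. Everything here
# (the taint marker, the agent, the sample table) is constructed for the demo.

class Tainted(str):
    """Marks a string that arrived from an untrusted request."""

TAINTED_VALUES = set()   # raw untrusted strings the agent has seen

def from_request(value: str) -> Tainted:
    """Entry point for request data: tag it and register it with the agent."""
    TAINTED_VALUES.add(str(value))
    return Tainted(value)

class Agent:
    """Inspects every query. block=False reports, block=True also refuses."""
    def __init__(self, block: bool):
        self.block = block
        self.findings = []

    def check(self, sql: str, where: str) -> None:
        # Bound parameters never enter the SQL text, so a request value that
        # appears verbatim in the text means the query was concatenated.
        # (Substring matching is a crude heuristic; very short inputs would
        # false-positive, which is part of why experts still review results.)
        for raw in TAINTED_VALUES:
            if raw and raw in sql:
                self.findings.append({"sql": sql, "input": raw, "where": where})
                if self.block:
                    raise PermissionError("query built from request input blocked")

class InstrumentedConnection:
    """Wraps a sqlite3 connection so every execute() passes through the agent."""
    def __init__(self, conn: sqlite3.Connection, agent: Agent):
        self.conn = conn
        self.agent = agent

    def execute(self, sql: str, params=()):
        caller = inspect.stack()[1]              # the application function
        self.agent.check(sql, f"{caller.function}:{caller.lineno}")
        return self.conn.execute(sql, params)

# Two application functions: one concatenates request input, one binds it.
def lookup_user_vulnerable(db: InstrumentedConnection, username: str) -> list:
    return db.execute("SELECT login FROM users WHERE login = '" + username + "'").fetchall()

def lookup_user_safe(db: InstrumentedConnection, username: str) -> list:
    return db.execute("SELECT login FROM users WHERE login = ?", (username,)).fetchall()

def run(block: bool):
    """Exercise both lookups with a constructed attacker input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    agent = Agent(block=block)
    db = InstrumentedConnection(conn, agent)
    name = from_request("x' OR '1'='1")      # classic tautology payload
    results = {"safe": lookup_user_safe(db, name)}   # bound: matches nothing
    try:
        results["vuln"] = lookup_user_vulnerable(db, name)  # leaks every row
    except PermissionError:
        results["vuln"] = "blocked"
    return agent, results

if __name__ == "__main__":
    for mode in (False, True):
        agent, results = run(block=mode)
        print("block" if mode else "report", results, agent.findings)
```

In report mode the finding names the function and line that built the query, which is the "advice to the developer" from the talk; in block mode the same hook stops the query before the driver sees it. The heuristic is deliberately simple, and that simplicity is the caveat the speaker also made: the agent narrows the problem at an early stage, it does not remove the need for review.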
Link:[http://www.meetup.com/OWASP-NYC/events/219884058/]