[cs615asa] HW#N: Cyber Security Meet-up @ UBS

Peng Yin pyin at stevens.edu
Sun Apr 26 17:48:37 EDT 2015


Hi,

On April 15, I joined the "Cyber Security Meet-up @ UBS".
This meeting mainly talked about cyber security from three aspects:
How it exists in our lives: the introduction of cyber security.
Cyber security in education.
Creating a security program.

The author, Martin Rakhmanov, talked about "Exploiting SAP ASE via SQL
injections in database core". The SQL injection happened in the application
and in the database. First he gave an example of how a SQL injection can
happen through a series of normal SQL executions, as different commands
require different privileges: for example, the "RESTORE DATABASE" and
"CREATE DATABASE" commands allow a user to run SQL code with the highest
privileges, but if the user runs malicious code with these commands, then
the user can become the system administrator. After that he gave several
protections for current applications: don't deploy unused functionality;
give the application only the privileges it requires; monitor and patch
the system more often.
The examples and content are published on their website:
https://www.owasp.org/index.php/SQL_Injection

Then Thomas Ryan, Renee Pollack and Morgan Strobel talked about cyber
security in NextGen education, including:
Cyber security is a large field, but the cyber security profession
isn't so universal in schools;
There is still no law requiring students to take a cyber security class
in school.
Tools should be available for teachers and students to learn about cyber
security, and open source is a good way.

Finally, Jeff Williams talked about "Unifying Appsec Automation Across Dev
and Ops with Deep Security Instrumentation". In this session, he presented
that only 22.4% of apps are tested to ensure security, and test coverage
is only 10%. Because testing is a little complicated, since the developer
and the security person aren't always the same one, tools should be used
to do the testing and improve efficiency. Then comes scripted testing,
which is mostly automated with little manual work. But difficulties for
scripted testing also exist, due to the large amount of code and
libraries. The tools are SAST (static) and DAST (dynamic). Static testing
mainly tests based on the source code, the byte code and the binaries,
line by line, to detect defects. Dynamic tools, on the other hand, test
based on the context at the point when the application is running. Only
when the resources of an application are available and known to you can
you guarantee that it is non-malicious. But the libraries of others are
not always known, so dynamic detection tools are used. Also, there should
be separate tools for detecting attacks and for stopping attacks.

The meetup link: http://www.meetup.com/OWASP-NYC/events/219884058/
Owning SAP ASE: Chained Database Attack:
http://www.rsaconference.com/writable/presentations/file_upload/hta-r01-owning-sap-ase-chained-database-attack_final.pdf

Regards,

Peng Yin