[cs615asa] HW #N: Pengfei Zhang.

Pengfei Zhang pzhang11 at stevens.edu
Thu Apr 30 12:26:15 EDT 2015


Homework N:
MEETUP: Cyber Security Meet-up at UBS, New York, April 15 2015.

This meet-up was held by the Open Web Application Security Project. It had 4
sessions, and 3 of them were about cyber security. Of those 3 sessions, one
was about a dev platform for security testing, one was about how to educate
the next generation of security professionals, and the last one was about test
instrumentation. I picked this SQL injection lecture as my report.

In this lecture, speaker Martin Rakhmanov talked about SQL injection in the
database core. Using this leak, any unprivileged user could gain system
administrator access in just a few SQL statements. He showed some examples
of how to gain those privileges with an unprivileged role.

Some SQL statements, like creating tables, dropping tables, and views, run with
the top permission in the database without checking the user's privileges. If an
unprivileged user injects some other statements, like granting privileges,
those statements will be submitted and run successfully. This is dangerous
and easy to accomplish.

So, Martin gave us this advice: don't grant excess privileges to users even if
the sys admin fully trusts the user, don't deploy needless applications or
functionality, and give applications only the privileges they require.

After that, Thomas Ryan, Renee Pollack and Morgan Strobel talked about
Building next generation cyber warriors and defenders. They said that
cyber security is a large field and should be universal in schools, that
students should take cyber security classes in school, and that there should
be a universal standard certification for the cyber security area.

Finally, Jeff Williams talked about an automation platform for dev and ops,
"Unifying Appsec Automation Across Dev and Ops with Deep Security
Instrumentation". Here he introduced two kinds of test tools, SAST and DAST.
SAST tests source code, byte code and binaries, and DAST tests the context and
environment while the binaries are running. He also introduced an agent that
could automatically do DAST and SAST tests. But for now it is not intelligent
enough to do everything well, so he will share these options and see who is
interested in this field.


Meetup link: http://www.meetup.com/OWASP-NYC/events/219884058/

-- 
Best regards
Pengfei Zhang
---------------------------------------------------------------------------
Github: https://github.com/andysim3d