[cs615asa] HM #N: Kenan Li

kli13 kli13 at stevens.edu
Sun May 3 19:28:49 EDT 2015


On April 15, we attended the "Cyber Security Meet-up", hosted by OWASP 
(Open Web Application Security Project). The meeting consisted of 4 
sessions, all about cyber security:
Session 1: New York Metro Joint Cyber Security Conference
Session 2: Teaching the Teachers: Building NextGen Cyber Warriors & Defenders
Session 3: Exploiting SAP ASE via SQL injections in database core
Session 4: Unifying Appsec Automation Across Dev and Ops with Deep 
Security Instrumentation

I think the part most related to system administration is Session 3: 
SQL injections in database core, by Martin Rakhmanov.

First, he emphasized the importance of database security and gave us an 
example: some SQL statements, such as creating a database or restoring a 
database, allow a user to run SQL with the highest privileges. If a user 
puts malicious code into such SQL, they can gain access to the database 
and even capture administrator permissions. The reason is that some of 
these statements, running with the highest permissions, do not check the 
user's permissions while the code is executing. A user can then inject 
his or her own SQL code into those statements and do something bad to 
that SQL server.
Martin also gave us some advice on preventing SQL injection. We should 
always pay attention to users' permission levels. Do not grant a user 
unnecessary permissions, even if the user is fully trusted. Never install 
unneeded applications, and do not grant them unnecessary permissions either.
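The failure pattern Martin described (a privileged database-core routine that never asks who invoked it, and that splices caller-supplied names into the SQL it runs) can be shown in miniature. The following is an added example, not code from the talk, from SAP ASE or from this post; it uses Python's sqlite3 as a stand-in engine, and every table, principal and function name (grants, orders, orders_snapshot, restore_table, quote_table) is constructed for the demonstration. It puts the unchecked helper next to a hardened one that checks the caller's grant first and allow-lists identifiers against the catalogue, since DDL-style object names cannot be bound as parameters.

```python
import re
import sqlite3

# Identifiers that may be spliced into privileged SQL: plain names only.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def setup_demo_db():
    """Constructed sample database: a grants table, a live table and a snapshot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE grants (principal TEXT, privilege TEXT);
        INSERT INTO grants VALUES ('dba', 'restore');
        INSERT INTO grants VALUES ('analyst', 'select');
        CREATE TABLE orders (id INTEGER, amount REAL);
        INSERT INTO orders VALUES (1, 10.0), (2, 20.5);
        CREATE TABLE orders_snapshot (id INTEGER, amount REAL);
        INSERT INTO orders_snapshot VALUES (1, 10.0), (2, 20.5), (3, 99.9);
        """
    )
    conn.commit()
    return conn


def restore_table_unchecked(conn, table, snapshot):
    """The flawed pattern from the talk: the helper runs with the engine's
    full privileges, never checks which principal asked for the restore,
    and trusts the identifiers it is handed."""
    with conn:
        conn.execute(f"DELETE FROM {table}")
        conn.execute(f"INSERT INTO {table} SELECT * FROM {snapshot}")


def has_privilege(conn, principal, privilege):
    """Look the caller up in the grants table (values are bound, not spliced)."""
    row = conn.execute(
        "SELECT 1 FROM grants WHERE principal = ? AND privilege = ?",
        (principal, privilege),
    ).fetchone()
    return row is not None


def quote_table(conn, name):
    """Allow-list an object name against the catalogue, then quote it.
    Object names cannot be bound as parameters, so this is the control."""
    if not IDENT_RE.match(name):
        raise ValueError(f"rejected identifier: {name!r}")
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    if exists is None:
        raise ValueError(f"unknown table: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def restore_table(conn, caller, table, snapshot):
    """Hardened form: authorise the caller first, then only ever execute
    SQL built from catalogue-verified, quoted identifiers. Returns the
    row count of the restored table."""
    if not has_privilege(conn, caller, "restore"):
        raise PermissionError(f"{caller} lacks the restore privilege")
    t = quote_table(conn, table)
    s = quote_table(conn, snapshot)
    with conn:
        conn.execute(f"DELETE FROM {t}")
        conn.execute(f"INSERT INTO {t} SELECT * FROM {s}")
    return conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]


def raises(exc_type, fn, *args):
    """Small helper so callers can check that a request was refused."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    db = setup_demo_db()
    print("dba restore ->", restore_table(db, "dba", "orders", "orders_snapshot"))
    print("analyst refused ->",
          raises(PermissionError, restore_table, db, "analyst", "orders", "orders_snapshot"))
    print("bad name refused ->",
          raises(ValueError, quote_table, db, "orders; DROP TABLE grants"))
```

The unchecked helper is the one to look for during review: it is reachable by any principal that can invoke it, and it inherits the engine's privileges rather than the caller's. The hardened version applies Martin's advice directly, granting the operation only to principals that hold the specific privilege and refusing any object name the catalogue does not know.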

The next topic I found interesting is Session 4: Unifying Appsec 
Automation Across Dev and Ops with Deep Security Instrumentation, by 
Jeff Williams. He presented a serious problem in application security: 
only 10% of apps have been tested, and of those apps, only 22.4% are 
ensuring security. At the same time, more and more apps are being 
created, so their security group is facing serious challenges. Next, Jeff 
presented some legacy application security tools, like SAST and DAST. In 
application testing, the person who tests the app is not always the 
developer, so they need an effective test method. DAST, which is 
dynamic, is good at finding externally visible vulnerabilities and makes 
them easy to confirm. Correspondingly, SAST is static and is good at 
analyzing the source code to help find threats inside the code. So they 
have different strengths, and we should choose between them wisely in 
our testing.


Link of this meetup: http://www.meetup.com/OWASP-NYC/events/219884058/