[cs615asa] HM #N: Kenan Li
kli13
kli13 at stevens.edu
Sun May 3 19:28:49 EDT 2015
On April 15, we attended the "Cyber Security Meet-up", which was hosted by
OWASP (Open Web Application Security Project). The meeting consisted of
4 sessions, all about cyber security:
Session 1: New York Metro Joint Cyber Security Conference
Session 2: Teaching the Teachers: Building NextGen Cyber Warriors &
Defenders
Session 3: Exploiting SAP ASE via SQL injections in database core
Session 4: Unifying Appsec Automation Across Dev and Ops with Deep
Security Instrumentation
I think the part most related to system administration is Session 3,
SQL injections in database core, by Martin Rakhmanov.
First, he emphasized the importance of database security and gave us an
example: using certain SQL statements, like creating a database or
restoring a database, allows a user to run SQL with the highest privileges. If
someone puts malicious code into that SQL, they can get into the
database and even capture administrator permissions. The reason is that
some SQL statements run with the highest permissions and do not
check the user's permission when the code executes. A user can then
inject his or her own SQL code into those statements and do something bad
to that SQL server.
Martin also gave us some advice on preventing SQL injection. We should
always pay attention to users' permission levels. Do not grant a user
unnecessary permissions, even if the user is fully trusted. Never install
unneeded applications, and do not grant them unnecessary permissions either.
The next topic I found interesting is Session 4: Unifying Appsec
Automation Across Dev and Ops with Deep Security Instrumentation, by
Jeff Williams. He presented a serious problem in application security:
only 10% of apps have been tested, and of those apps, only 22.4%
are ensuring security. At the same time, more and more apps are being
created, so their security group is facing serious challenges. Next, Jeff
presented some legacy application security tools, like SAST and
DAST. In application testing, the person who tests the app is not always
the developer, so they need an effective test method. DAST, which is
dynamic, is good at finding externally visible vulnerabilities and makes
them easy to confirm. Correspondingly, SAST is static, and is good at
analyzing the source code to help find threats inside the code. So
they have different strengths, and we should choose them wisely in our
testing.
Link of this meetup: http://www.meetup.com/OWASP-NYC/events/219884058/
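The pattern from Session 3 (a privileged database routine that never checks its caller and splices the caller's text into the SQL it runs), as an added example that is not part of the original post and not taken from the talk. It uses an in-memory SQLite database as a generic stand-in for the server; the table names, user names, the "restore" routine and the payload are all hypothetical, and executescript() models a server that accepts a batch of statements. Nothing here is SAP ASE's actual schema or behaviour. The hardened version adds the caller check and the input handling the advice on permissions points toward.

```python
import re
import sqlite3

# Constructed payload: closes the quoted name, ends the INSERT, and stacks a
# second statement that promotes the attacker.  The opening parenthesis before
# 'mallory' is matched by the ")" left over from the original statement, so the
# whole batch parses cleanly with no trailing junk.
PAYLOAD = "prod'); UPDATE users SET is_admin = 1 WHERE name = ('mallory"


def setup_db():
    """In-memory stand-in for the server; schema and users are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, is_admin INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("sa", 1), ("alice", 0), ("mallory", 0)])
    conn.execute("CREATE TABLE restore_log (db_name TEXT NOT NULL)")
    conn.commit()
    return conn


def is_admin(conn, user):
    row = conn.execute("SELECT is_admin FROM users WHERE name = ?", (user,)).fetchone()
    return row is not None and row[0] == 1


def restore_database_vulnerable(conn, caller, db_name):
    """Models the pattern the talk described: a built-in that always runs with
    the server's highest rights, ignores who called it, and splices the
    caller's text into the SQL it executes.  executescript() stands in for a
    server that accepts a batch, so the caller can append statements."""
    # `caller` is deliberately never consulted: that is the bug.
    sql = "INSERT INTO restore_log (db_name) VALUES ('%s')" % db_name
    conn.executescript(sql)


def restore_database_hardened(conn, caller, db_name):
    """Same operation with the checks a reviewer would ask for."""
    # 1. Check the caller's permission before doing any privileged work.
    if not is_admin(conn, caller):
        raise PermissionError("%s may not restore databases" % caller)
    # 2. Identifiers cannot be bound as parameters in most engines, so validate
    #    against a strict allow-list instead of trying to quote them.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{0,29}", db_name):
        raise ValueError("invalid database name: %r" % db_name)
    # 3. Anything that is data goes in as a bound parameter, never by formatting.
    conn.execute("INSERT INTO restore_log (db_name) VALUES (?)", (db_name,))
    conn.commit()


def run_demo():
    """Runs the attack against both versions and returns what happened."""
    vuln = setup_db()
    before = is_admin(vuln, "mallory")
    restore_database_vulnerable(vuln, "mallory", PAYLOAD)
    after_vulnerable = is_admin(vuln, "mallory")

    hard = setup_db()
    outcomes = {}
    for caller, name in [("mallory", PAYLOAD), ("sa", PAYLOAD), ("sa", "prod")]:
        try:
            restore_database_hardened(hard, caller, name)
            outcomes[(caller, name)] = "ok"
        except (PermissionError, ValueError) as exc:
            outcomes[(caller, name)] = type(exc).__name__

    return {
        "mallory_admin_before": before,
        "mallory_admin_after_vulnerable": after_vulnerable,
        "mallory_admin_after_hardened": is_admin(hard, "mallory"),
        "hardened_outcomes": outcomes,
        "restore_log": [r[0] for r in hard.execute("SELECT db_name FROM restore_log")],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the block shows mallory going from non-admin to admin through the vulnerable routine, while the hardened routine rejects mallory outright, rejects the payload even when an administrator submits it, and logs a plain name only. The caller check is the part the talk's advice on permissions is about; the allow-list and parameter binding are what stop the injected text from ever being parsed as SQL.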