[cs615asa] HW #N

Qing Xu qxu4 at stevens.edu
Mon May 4 00:54:00 EDT 2015


Hi,

I attended “Cyber Security Meet-up @ UBS” on April 15 2015, New York.

The meetup had 3 lectures which were all related to cyber security. Lecture
1 was about database security via SQL injection. Lecture 2 talked about
education in cyber security – how to build next generation cyber warriors &
defenders. The last lecture introduced a new way to detect vulnerabilities
and prevent cyberattacks with some automatic tools. Cyber security is
always a great concern of system administrators, so this meetup was related
to the profession of system administration. I will focus on lecture 1 and
lecture 3 to talk about this meetup.

The topic of lecture 1 was “Exploiting SAP ASE via SQL injections in
database core”. The speaker, Martin Rakhmanov, first introduced how this
kind of SQL injection happens: some SQL statements use the highest
privilege of the database, so malicious code can use them to get
access to the database, which is quite dangerous. Some SQL does not check user
permissions when executing certain statements. He went over a few real
examples of this kind of SQL injection. He showed how a SQL injection
happened via a common web application and got full access to the database
in the end. At the end of the lecture he gave us some advice about database
security:
  1. Do not grant exclusive privilege.
  2. Do not deploy unused functionality.
  3. Limit permissions to run only required commands.
  4. Monitor database activity.
  5. Patch on time.
  6. Watch for security notes.

After lecture 2, “Teaching the Teachers: Building NextGen Cyber Warriors &
Defenders”, Jeff Williams, the speaker of lecture 3, talked about “Unifying
Appsec Automation Across Dev and Ops with Deep Security Instrumentation”.
He said that for an application, security tests can’t always keep up with the speed
of development, and they were always complicated because the developers and
the people who are responsible for security tests are not always the same
person. He also showed a survey about efficiency between security experts and
security automation tools and came to a conclusion: automation tools were
much more efficient. He introduced two tools for security checks: STAT and
DAST. STAT represents static testing, which focuses on checking source code
for vulnerabilities. And DAST represents dynamic testing, which is done when
applications are running. It combines context to detect vulnerabilities in
running applications. These tools can help system administrators save lots
of time when they try to find vulnerabilities in a system.

Link: http://www.meetup.com/OWASP-NYC/events/219884058/



Regards,
Qing Xu (qxu4)

