[cs615asa] HW #N - lin liu

Lin Liu lliu19 at stevens.edu
Fri May 8 21:19:41 EDT 2015


Title : CS615-HWN
Meetup : Cyber Security Meet-up @ UBS (OWASP Foundation)
Session 1: New York Metro Joint Cyber Security Conference
Session 2: Teaching the Teachers: Building NextGen Cyber Warriors & Defenders
Session 3: Exploiting SAP ASE via SQL injections in database core
Session 4: Unifying Appsec Automation Across Dev and Ops with Deep Security Instrumentation

Among these four sessions, session 3 is the one most related to system
administration. It is about SQL injection, which is an old way to attack a
database. I am interested in it because I have tried this kind of attack on
some websites with a low security level before.

In this session, speaker Martin Rakhmanov introduced what SQL injection is
and how it happens, using some code examples. Some SQL statements need high
permissions in the database, such as creating tables or dropping tables.
When a user can type characters into an input field, if the system does not
do enough checking or filtering, the hacker can put a SQL statement into the
input field and the database will run that SQL statement successfully as
usual. This is very dangerous!

So Martin gave us some advice on defending against this attack. For example,
do not grant exclusive privileges to users, even if he/she is fully trusted.
The SA needs to patch the system frequently and monitor the logs to find
whether there are leaks vulnerable to attack.

In session 4, speaker Jeff Williams introduced an automation tool to keep
the source code and the system safe. Usually we develop the application and
then test whether it is safe, but when the application is huge, the security
team may have to do a lot of complex tests, which cost a lot of money and
time. So he has the idea that we can detect the leaks while we are developing
the application, through automation tools. He demonstrated a tool in Eclipse
which can follow security leaks in source code in real time, such as SQL
injection. It also shows the potential leaks in your source code. This tool
can solve a part of the security problem in the early development stage.


link of the meetup: http://www.meetup.com/OWASP-NYC/events/219884058/
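To make concrete the mechanism described above (user input spliced into the SQL text, and the advice not to grant more privilege than needed), here is an added example; it is not part of the original post and not material from the session or the speakers. It uses Python's sqlite3 module with a small constructed in-memory users table; the function names are my own, and SQLite's query_only pragma is used as a stand-in for a read-only database role.

```python
import sqlite3

# Constructed sample data (not real accounts): stands in for the application's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The pattern the session warned about: input is pasted into the SQL text,
    so characters typed by the user become part of the statement itself."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened form: bound parameters keep input as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def drop_blocked_for_readonly_role(conn):
    """Least-privilege check: with the connection restricted to reads (the
    query_only pragma, a stand-in for a read-only database role), a destructive
    statement fails even if it reaches the database. Returns True if blocked."""
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute("DROP TABLE users")
        blocked = False
    except sqlite3.OperationalError:
        blocked = True
    finally:
        conn.execute("PRAGMA query_only = OFF")
    return blocked


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: the quote closes the string literal early.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))   # every user
    print("safe:      ", login_safe(db, "alice", payload))         # nobody
    print("normal:    ", login_safe(db, "alice", "s3cret"))        # alice only
    print("DROP blocked under read-only role:", drop_blocked_for_readonly_role(db))
```

The vulnerable function returns every user for the tautology input because the concatenated text becomes `... AND password = '' OR '1'='1'`; the parameterized version compares the whole string as a password value and matches nothing. The last function shows why the privilege advice matters: a connection that can only read cannot drop the table no matter what text reaches it.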