[cs615asa] HM #N: Haoyang Li

Haoyang Li hli40 at stevens.edu
Sun May 17 00:58:00 EDT 2015


Hi prof,

I'm Haoyang Li. I attended “Cyber Security Meet-up @ UBS” on April 15 in
New York.

This meetup's topic is cyber security, which is an important part of system
administration, so I think this meetup is appropriate for this homework.

The meetup first introduced OWASP (Open Web Application Project): what
OWASP is, the purpose of OWASP and the principles of OWASP.

The meetup had three main lectures:

The first lecture was about database security and talked about the details
of SQL injection.

The second lecture was about how to build next generation cyber warriors
and defenders.

The third lecture introduced a new way to detect vulnerabilities and how to
prevent cyberattacks.

Martin Rakhmanov gave us the first lecture, named “Exploiting SAP ASE via
SQL injections in database core”. He gave us an example by showing some
SQL statements which can let a user run SQL with the highest privileges. This
is a typical SQL injection method. If someone wants to do something malicious
in the database, they can get into it via SQL, which is very dangerous. At the
end, Martin gave us some advice: first, do not grant exclusive privilege.
Then, do not deploy unused functionality. Third, limit permissions to run
only required commands. And watch security notes.

Jeff Williams gave us “Teaching the Teachers: Building NextGen Cyber
Warriors and Defenders”. However, his lecture talked more about the general
idea rather than detailed and useful knowledge, so I decided to skip this.

The last lecture was “Unifying Appsec Automation Across Dev and Ops with
Deep Security Instrumentation”. The lecturer gave us a principle: security
tests can hardly keep up with the speed of development, and they were always
complicated because the security tests' developers are not the people who
use them. He showed us some charts and data to prove his statement. Then he
introduced two tools for security checks: SAST and DAST. SAST is static
testing, which focuses on checking source code for vulnerabilities. DAST is
dynamic testing, which is performed while the application is running. SAST,
DAST and other tools will help a lot when system administrators do their jobs.
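Added illustration (not part of Haoyang's mail or of the talks he describes): the contrast Martin's advice points at, a lookup that pastes user input into the SQL text next to one that binds it as a parameter, plus a read-only connection as one way to limit a code path to only the commands it needs. The table, the rows and the use of SQLite's query_only pragma are my own assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not data from the meetup.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user")]


def make_db(read_only=False):
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    if read_only:
        # Least privilege for a read-only code path: with query_only set,
        # SQLite rejects every statement that would modify the database.
        conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_vulnerable(conn, name):
    """Input is pasted into the SQL text, so quotes in it rewrite the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter binding keeps the value out of the SQL text; it is only data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def write_allowed(conn):
    """True if this connection may change data, False if the pragma blocks it."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE name = 'bob'")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    tautology = "x' OR '1'='1"
    print(lookup_vulnerable(make_db(), tautology))  # both rows: WHERE was rewritten
    print(lookup_safe(make_db(), tautology))        # []: no user has that literal name
    print(write_allowed(make_db(read_only=True)))   # False: writes refused
```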