[cs615asa] HW#N

Xiakun Lu xlu9 at stevens.edu
Mon May 18 03:14:04 EDT 2015

Hi Professor,

I joined the "Cyber Security Meet-up @ UBS" on April 15th. (http://www.meetup.com/OWASP-NYC/events/219884058/)

There were four sessions in total:
1. New York Metro Joint Cyber Security Conference
2. Exploiting SAP ASE via SQL injections in database core
3. Teaching the Teachers: Building NextGen Cyber Warriors & Defenders
4. Unifying Appsec Automation Across Dev and Ops with Deep Security Instrumentation

The first session was just an introduction to an organization named OWASP. It seemed more or less like an advertisement.

The second session was about SQL injection, which I think was the most useful part. The speaker was Martin Rakhmanov. At first, he talked about what SQL injection is and how it happens. SQL injection is inserting malicious SQL statements into an entry field for execution. If the database system has improper privilege management, it is very dangerous. SQL statements like CREATE and RESTORE allow users to run with the highest privileges. Martin gave some examples to show how SQL injection works under a high privilege. He showed us a real SQL injection through a common web application and got full access to the database. At the end, he gave us some suggestions: give an application as few privileges as possible, close unused functions, and patch on time.

The third session was about the current situation in which many teachers and students do not know much about security. He thought security was very important for the growth of the cyber security field and the threats we are facing, and that students should take cyber security classes in school. What is more, they pointed out that companies should help to improve cyber security education.

The last session, whose speaker was Jeff Williams, was my favorite part. Jeff gave a serious survey result: only 10% of applications had been tested, and only 22.4% of them were secure. The speed of security testing is lower than that of development, and it is complicated because the developer and the security tester are not the same person. Then he introduced two tools, STAT and DAST, to check program security automatically. They are both Eclipse plug-ins and very convenient to use. STAT is a static testing tool that finds vulnerabilities in the source code, and DAST is a dynamic testing tool that checks the context while the program is running. As Jeff said, these tools could save developers a lot of time.

Best Regards,

Xiakun Lu
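The two points from the second session, that user input concatenated into a statement is parsed as SQL and that an application account with the fewest possible privileges limits the damage, can be shown with a small example. The code below is an added illustration written for this page; it is not from the talk, the email, or any of the projects mentioned. It uses Python's standard sqlite3 module with a constructed in-memory `users` table, and it stands in for a low-privilege database account with SQLite's authorizer hook, since SQLite has no user accounts of its own (a real deployment would grant a dedicated account only the rights the application needs).

```python
"""Vulnerable vs. parameterized lookup, plus a read-only (least-privilege) connection."""
import sqlite3

# Constructed sample rows for this example; not real data from the talk or the email.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the input into the statement, so the input is parsed as SQL."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Binds the input as a value; the driver never parses it as SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Only reading is permitted on the "low-privilege" connection.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def restrict_to_reads(conn):
    """Simulate a least-privilege account: the authorizer denies every non-read action."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def try_drop_table(conn):
    """Return True if the connection was allowed to drop the users table."""
    try:
        conn.execute("DROP TABLE users")
        return True
    except sqlite3.DatabaseError:  # SQLite reports a denied action as "not authorized"
        return False


def demo():
    """Run the comparison and return the observations as a dict."""
    # Classic test input: closes the quoted literal and appends an always-true clause.
    tautology = "' OR '1'='1"
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, tautology)),   # every row comes back
        "parameterized": lookup_parameterized(conn, tautology),     # no user has that literal name
        "honest_lookup": lookup_parameterized(conn, "bob"),
        "full_privilege_drop": try_drop_table(make_db()),                    # succeeds
        "least_privilege_drop": try_drop_table(restrict_to_reads(make_db())),  # denied
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized lookup is the fix for the injection itself; the authorizer-backed connection shows why the "as few privileges as possible" advice still matters: even if an injection slips through, a connection that can only read cannot drop or rewrite tables.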
