How to destroy a database
John Ashmead
Six dumbest ideas in computer security
• default permit
• enumerating badness
• penetrate & patch (turd polishing)
• hacking is cool
• educating users
• action is better than inaction
http://www.ranum.com/index.html
• Attacks
• Defenses
• Principles
• How to write insecure code
• Where to go for more
Attacks

• Unauthorized information release
• Unauthorized information modification
• Unauthorized denial of use
Attackers
• Disgruntled staff or developers
• “Drive by attacks”, i.e. side effects of
  malware
• Criminal attacks
• Defacers
• Script kiddies
Most common attacks

• SQL Injection
• Insufficient authorization
• Insufficient authentication
• Information leakage
http://www.webappsec.org/projects/whid/statistics.shtml
40 incidents in media for 2007
 • Defacement
 • Money
 • Medical data
 • Budget for US spy agencies
 • Personal data (i.e. SS#’s)
 • Unauthorized snow day
http://www.webappsec.org/projects/whid/list_year_2007.shtml
UN's website breached by hackers

The United Nations web site has been defaced this morning.

The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:

  Hacked By kerem125 M0sted and Gsy
  That is CyberProtest Hey Ýsrail and Usa
  dont kill children and other people
  Peace for ever
  No war

http://news.bbc.co.uk/2/hi/technology/6943385.stm
http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/


As you can easily verify by opening this URL, the site is
vulnerable to an attack called SQL Injection.
This is a very well known kind of vulnerability, fairly easy
to avoid and very surprising to find in such a high profile
web site. [3]
http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105'


ADODB.Recordset.1 error '80004005'

SQLState: 37000
Native Error Code: 8180
SQLState: 37000
Native Error Code: 105
[MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation
mark before the character string ''.
[MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could
not be prepared.

/apps/news/infocus/sgspeeches/statments_full.asp, line 26
While most of us may agree with the message, many will
object to the spelling, and specifically to the dont used instead
of don’t.
There’s a technical reason for the missing apostrophe, though,
because messing with this very character (’) is part of the
technique apparently used by the attackers.

If only prepared SQL statements were used properly*, this
embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very
obsolete ASP “Classic” + ADODB Microsoft setup they’ve got.
*properly means strictly constant statement strings and type
checked bound parameters, see Roland Bouman’s comment
and my answer below.

I will write some other time about prepared statements and
database layer security.
In the meanwhile, if you’re a planetary organization and you’re
planning to cut the budget for the security training of your web
developers staff, please dont… er… do not ;)
SQL Injection

 • Main attack; part of most attacks
 • Basic SQL Injection
 • Blind SQL Injection

see also: Advanced SQL Injection - Victor Chapela - at OWASP
Basic SQL Injection
select * from items where owner = '$hacker' and itemname = '$itemname';

name' or 'a' = 'a';--

select * from items where owner = 'hacker' and itemname = 'name' or 'a' = 'a';--';

select * from items;
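The injection walked through on this slide, as an added example that is not from the original deck: lookup_dynamic builds the statement by string interpolation exactly as the slide shows, and lookup_bound is the constant-statement-plus-bind-variables form the Defenses slides recommend. It uses Python's sqlite3 module on a constructed in-memory items table; the table contents and the owner name are assumptions.

```python
import sqlite3

# Constructed sample data for the walkthrough; not taken from any real system.
ROWS = [
    ("alice", "laptop"),
    ("alice", "phone"),
    ("hacker", "name"),
    ("bob", "passport"),
]

# The slide's attack string, supplied as the itemname parameter.
PAYLOAD = "name' or 'a' = 'a';--"


def make_db():
    """Build an in-memory items(owner, itemname) table from ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (owner text, itemname text)")
    conn.executemany("insert into items values (?, ?)", ROWS)
    return conn


def lookup_dynamic(conn, owner, itemname):
    """Deliberately insecure: the slide's dynamic SQL.

    The parameters are pasted into the statement text, so a quote in
    itemname ends the literal early and the rest becomes SQL.  With PAYLOAD
    the statement becomes
      select * from items where owner = 'hacker' and itemname = 'name'
        or 'a' = 'a';--';
    which returns every row in the table.
    """
    sql = "select * from items where owner = '%s' and itemname = '%s';" % (
        owner, itemname)
    return conn.execute(sql).fetchall()


def lookup_bound(conn, owner, itemname):
    """Hardened: constant statement string, values passed as bind variables.

    The driver sends the statement and the values separately, so the quote
    and the comment marker in PAYLOAD are just characters to compare against;
    no row has that itemname, so nothing comes back.
    """
    sql = "select * from items where owner = ? and itemname = ?"
    return conn.execute(sql, (owner, itemname)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL, attack input :", lookup_dynamic(db, "hacker", PAYLOAD))
    print("bind variables, attack input:", lookup_bound(db, "hacker", PAYLOAD))
    print("bind variables, honest input:", lookup_bound(db, "hacker", "name"))
```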
12 most common attacks, 1-6
• cookie poisoning
• hidden field manipulation
• parameter tampering
• buffer overflow
• cross-site scripting
• backdoor & debug options
www.watchfire.com
12 most common, 7-12
• forceful browsing
• http response splitting
• stealth
• 3rd party misconfiguration
• known vulnerabilities
• xml & web services vulnerabilities
Privilege escalation

• Horizontal privilege escalation
• Vertical privilege escalation

www.watchfire.com
Defenses
• Good code is a prerequisite for secure code
• Build security in from the start
• Use existing tools as much as possible
Taint mode

• perl -T
• data from outside has to be scrubbed before it can be used unsafely
• plumbing model of data: data presumed dirty
Data Validation Strategies
• Exact match
• Known good
• Reject known bad
• Sanitize
• Prayer
Quoting

• Sanitize strategy
• Use database supplied function; do not roll your own
• Consider rejection
Bind variables

• Use with prepared SQL (also a good idea)
• Takes advantage of built in type-checking
• In accord with “trust no-one”
Perl’s DBI

• generic interface
• prepare & bind calls available
• logging available
• much better than building your own!

www.cpan.org
Stored procedures

• isolate users from database changes
• isolate database from hostile users
• makes it easy to install gatekeeper functions
• makes it easy to log all access
• only practical way to get SOX compliance
Do not use dynamic SQL
• Often a sign of poor design
• Hard to debug
• Easy to corrupt, especially if the table
  names are dynamic
• Use stored procedures or, at a minimum,
  prepared SQL and bind variables
What to log

• Session open/close
• Authentication
• Authorization requests
• CUD: Create, Update, Delete
• Errors & exceptions
How to manage logs

• Logs have to be highly secure
• Don’t write user-supplied data into the logs
• Automate log scanning: everything not
  uninteresting is interesting!
Error handling

• Uniform error handling (i.e. library
  routines)
• Don’t tell the user stuff he/she doesn’t
  need to know
• Review error logs
Backup & restore

• Last resort recovery (in case of defacement
  and the like)
• Intruder tracking (old versus new)
• Backup data must be protected as well as
  original data
Principles

• Good code establishes foundation for secure code
• Build security in from start
• Trust no one
Minimize attack surface area

  • Every feature weakens the system
  • Do not show the outside world more than
    you need to
  • Code that doesn’t exist can’t break
Complete mediation

• Check every access
• Be able to track every authorization (i.e. in
  logs)
• Be skeptical of worries about performance
  (usually over-stated)
Least privilege

• every user gets only the privileges they need
• reduces damage from errors
• reduces complexity of interactions, making
  system more reliable
• makes incident response easier
Defense in depth
• Fortress principle
• Assume client data is corrupt
• Assume client-side code is corrupt
• Assume network has been penetrated
• Assume server has been hacked
• And don’t trust yourself, either
Fail securely

• Default should be to deny access
• If you have been over-rigid, that will show
  up quickly in testing.
• But if you are under-rigid, that will not
  show up in testing!
Separation of duties
• Separate users
• Separate privileges
Don’t trust services
Many organizations utilize the processing capabilities of third party
partners, who more than likely have differing security policies and
posture than you. It is unlikely that you can influence or control any
external third party, whether they are home users or major suppliers or
partners.

Therefore, implicit trust of externally run systems is not warranted. All
external systems should be treated in a similar fashion.

For example, a loyalty program provider provides data that is used by
Internet Banking, providing the number of reward points and a small list
of potential redemption items. However, the data should be checked to
ensure that it is safe to display to end users, and that the reward points
are a positive number, and not improbably large.

http://www.owasp.org/index.php/Secure_Coding_Principles
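The loyalty-program check described above, combined with the Data Validation Strategies slide (known good first, sanitize for output, reject what does not fit), as an added Python example that is not from the original deck or from OWASP. The partner reply, the MAX_POINTS ceiling and the item-name pattern are constructed assumptions standing in for whatever the real business rules would be.

```python
import html
import re

# Constructed sample of what a loyalty-program partner might return; not real data.
# The second item name is the kind of thing that must never reach a browser as-is.
PARTNER_REPLY = {
    "points": "1250",
    "items": ["Coffee mug", "<script>alert(1)</script>", "Gift card $25"],
}

# Assumed business ceiling: anything above this is "improbably large".
MAX_POINTS = 1_000_000

# Known-good pattern for an item name (assumption): letters, digits and a few
# punctuation characters, at most 40 long.  Anything else is rejected outright.
ITEM_NAME_OK = re.compile(r"[A-Za-z0-9 $.,'-]{1,40}")


def check_points(raw):
    """Known-good check on the reward-points field.

    Accept only a string of decimal digits, then range-check the value:
    it must be positive and not above MAX_POINTS.  Everything else raises,
    so a bad partner response fails closed instead of being displayed.
    """
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,7}", raw):
        raise ValueError("points is not a plain decimal integer")
    points = int(raw)
    if points <= 0 or points > MAX_POINTS:
        raise ValueError("points out of plausible range")
    return points


def filter_items(names):
    """Known-good allowlist for redemption item names; non-matching names are dropped."""
    return [n for n in names if isinstance(n, str) and ITEM_NAME_OK.fullmatch(n)]


def render_items(names):
    """Sanitize for display: HTML-escape even already-filtered names (defense in depth)."""
    return ["<li>%s</li>" % html.escape(n, quote=True) for n in names]


def process_partner_reply(reply):
    """Turn an untrusted partner reply into data that is safe to show to a customer."""
    points = check_points(reply.get("points"))
    items = filter_items(reply.get("items", []))
    return {"points": points, "items": render_items(items)}


if __name__ == "__main__":
    print(process_partner_reply(PARTNER_REPLY))
```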
Avoid security by obscurity
• Assume they have your source code
• In fact, if the source code is public, outside reviewers can check!
KISS
“Keep the design as simple and small as possible. This
well-known principle applies to any aspect of a system,
but it deserves emphasis for protection mechanisms for
this reason: design and implementation errors that result
in unwanted access paths will not be noticed during
normal use (since normal use usually does not include
attempts to exercise improper access paths). As a result,
techniques such as line-by-line inspection of software and
physical examination of hardware that implements
protection mechanisms are necessary. For such
techniques to be successful, a small and simple design is
essential.”
http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
Fix security issues correctly
Once a security issue has been identified, it is important to develop a
test for it, and to understand the root cause of the issue. When design
patterns are used, it is likely that the security issue is widespread
amongst all code bases, so developing the right fix without introducing
regressions is essential.

For example, a user has found that they can see another user’s balance
by adjusting their cookie. The fix seems to be relatively
straightforward, but as the cookie handling code is shared amongst all
applications, a change to just one application will trickle through to all
other
applications. The fix must therefore be tested on all affected
applications.



OWASPGuide2.0.1.pdf
How to write insecure code
• Use dynamic code
• Rely on security being done elsewhere
• Use logs to debug
• Build your own encryption/authentication
• Validation is for wusses
• Make development as complex & free form as
   possible

http://www.owasp.org/index.php/How_to_write_insecure_code
How to write unmaintainable code
In the interests of creating employment opportunities in the Java
programming field, I am passing on these tips from the masters on
how to write code that is so difficult to maintain, that the people who
come after you will take years to make even the simplest changes.
Further, if you follow all these rules religiously, you will even guarantee
yourself a lifetime of employment, since no one but you has a hope in
hell of maintaining the code. Then again, if you followed all these rules
religiously, even you wouldn't be able to maintain the code!

You don't want to overdo this. Your code should not look hopelessly
unmaintainable, just be that way. Otherwise it stands the risk of being
rewritten or refactored.

http://mindprod.com/jgloss/unmain.html
H2RiteUnMCd
  “Quidquid latine dictum sit, altum sonatur.”
  “Whatever is said in Latin sounds profound.”

To foil the maintenance programmer, you have to understand how he thinks. He has
your giant program. He has no time to read it all, much less understand it. He wants
to rapidly find the place to make his change, make it and get out and have no
unexpected side effects from the change.

He views your code through a toilet paper tube. He can only see a tiny piece of your
program at a time. You want to make sure he can never get at the big picture from
doing that. You want to make it as hard as possible for him to find the code he is
looking for. But even more important, you want to make it as awkward as possible
for him to safely ignore anything.

Programmers are lulled into complacency by conventions. By every once in a while,
by subtly violating convention, you force him to read every line of your code with a
magnifying glass.

You might get the idea that every language feature makes code unmaintainable --
not so, only if properly misused.
Where to go next

• Use the web, Luke!
• www.owasp.org
• Security articles on MySQL, Perl,...
OWASP
About The Open Web Application Security Project
(Redirected from About OWASP)
Overview
The Open Web Application Security Project (OWASP) is an open community dedicated
to enabling organizations to develop, purchase, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to
anyone interested in improving application security. We advocate approaching
application security as a people, process, and technology problem because the most
effective approaches to application security include improvements in all of these areas.
We can be found at http://www.owasp.org.
OWASP is a new kind of organization. Our freedom from commercial pressures allows
us to provide unbiased, practical, cost-effective information about application security.
OWASP is not affiliated with any technology company, although we support the
informed use of commercial security technology. Similar to many open-source software
projects, OWASP produces many types of materials in a collaborative, open way. The
OWASP Foundation is a not-for-profit entity that ensures the project's long-term
success.
A study conducted by Sanctum (acquired by Watchfire in 2004) of over 100 applications at large corporate and government sites places some hard numbers on security failure rates. The study found that 92 percent of all applications failed security testing conducted in the integration or production stages. The average time to fix the errors was 2.5 months, and the cost to the business team averaged $25M. When the failed applications were tested again, 20 percent (16 percent of the total) security testing failed a second time. Half of these re-failed applications (8 percent of the total) never passed.
Be careful out there!

Practical Telepathy: The Science & Engineering of Mind-Reading
 
From Startup to Mature Company: PostgreSQL Tips and techniques
From Startup to Mature Company:  PostgreSQL Tips and techniquesFrom Startup to Mature Company:  PostgreSQL Tips and techniques
From Startup to Mature Company: PostgreSQL Tips and techniques
 
Practical Telepathy: The Science & Engineering of Mind-Reading
Practical Telepathy:  The Science & Engineering of Mind-ReadingPractical Telepathy:  The Science & Engineering of Mind-Reading
Practical Telepathy: The Science & Engineering of Mind-Reading
 
Stargates: Theory and Practice
Stargates:  Theory and PracticeStargates:  Theory and Practice
Stargates: Theory and Practice
 
StarGates: Theory and Practice
StarGates:  Theory and PracticeStarGates:  Theory and Practice
StarGates: Theory and Practice
 
Quantum dots
Quantum dotsQuantum dots
Quantum dots
 
Star Gates: the Theory and Practice
Star Gates:  the Theory and PracticeStar Gates:  the Theory and Practice
Star Gates: the Theory and Practice
 
Time to the power of Tim
Time to the power of TimTime to the power of Tim
Time to the power of Tim
 
How many universes are there, anyway
How many universes are there, anywayHow many universes are there, anyway
How many universes are there, anyway
 
A Quantum of Mystery
A Quantum of MysteryA Quantum of Mystery
A Quantum of Mystery
 
Converting from MySQL to PostgreSQL
Converting from MySQL to PostgreSQLConverting from MySQL to PostgreSQL
Converting from MySQL to PostgreSQL
 
Seven War Stories and a Moral
Seven War Stories and a MoralSeven War Stories and a Moral
Seven War Stories and a Moral
 

Recently uploaded

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

How to Destroy a Database

  • 1. How to destroy a database John Ashmead
  • 2. Six dumbest ideas in computer security • default permit • enumerating badness • penetrate & patch (turd polishing) • hacking is cool • educating users • action is better than inaction http://www.ranum.com/index.html
  • 3. • Attacks • Defenses • Principles • How to write insecure code • Where to go for more
  • 4. Attacks • Unauthorized information release • Unauthorized information modification • Unauthorized denial of use
  • 5. Attackers • Disgruntled staff or developers • “Drive by attacks”, i.e. side effects of malware • Criminal attacks • Defacers • Script kiddies
  • 6. Most common attacks • SQL Injection • Insufficient authorization • Insufficient authentication • Information leakage http://www.webappsec.org/projects/whid/statistics.shtml
  • 7. 40 incidents in media for 2007 • Defacement • Money • Medical data • Budget for US spy agencies • Personal data (i.e. SS#’s) • Unauthorized snow day http://www.webappsec.org/projects/whid/list_year_2007.shtml
  • 8. UN's website breached by hackers The United Nations web site has been defaced this morning. The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines: Hacked By kerem125 M0sted and Gsy That is CyberProtest Hey Ýsrail and Usa dont kill children and other people Peace for ever No war screenshot http://news.bbc.co.uk/2/hi/technology/6943385.stm
  • 9. http://hackademix.net/2007/08/12/united-nations-vs-sql-injections/ As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection. This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site. [3] http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105' ADODB.Recordset.1 error '80004005' SQLState: 37000 Native Error Code: 8180 SQLState: 37000 Native Error Code: 105 [MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''. [MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. /apps/news/infocus/sgspeeches/statments_full.asp, line 26
  • 10. While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don’t. There’s a technical reason for the missing apostrophe, though, because messing with this very character (’) is part of the technique apparently used by the attackers. If only prepared SQL statements were used properly*, this embarrassing incident would have been easily prevented. And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’ve got. (screenshot) *properly means strictly constant statement strings and type checked bound parameters, see Roland Bouman’s comment and my answer below. I will write some other time about prepared statements and database layer security. In the meanwhile, if you’re a planetary organization and you’re planning to cut the budget for the security training of your web developers staff, please dont… er… do not ;)
  • 11. SQL Injection • Main attack; part of most attacks • Basic SQL Injection • Blind SQL Injection see also: Advanced SQL Injection - Victor Chapela - at OWASP
  • 12. Basic SQL Injection
    select * from items where owner = '$hacker' and itemname = '$itemname';
    name' or 'a' = 'a';--
    select * from items where owner = 'hacker' and itemname = 'name' or 'a' = 'a';--';
    select * from items;
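The slide-12 injection run end to end, as an added example that is not part of the deck: the same query is built once by string interpolation and once with a bound parameter, against a constructed in-memory SQLite table, with the slide's own `name' or 'a' = 'a';--` as the item name. The `statement_id_param` helper is also an assumption of this example; it shows the "type checked bound parameter" point from slide 9, where `statID=105'` is refused before it ever reaches a statement.

```python
# Added example (not from the slides): slide 12 against an in-memory SQLite table.
import sqlite3

# Constructed sample data: two owners, three items.
SAMPLE_ROWS = [
    ("hacker", "lockpick"),
    ("alice", "diary"),
    ("alice", "wallet"),
]

def make_db():
    """Build an in-memory items table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (owner text, itemname text)")
    conn.executemany("insert into items values (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, owner, itemname):
    """String interpolation, exactly as on slide 12: the quote inside itemname
    closes the literal and the rest of the input is parsed as SQL."""
    sql = "select * from items where owner = '%s' and itemname = '%s'" % (owner, itemname)
    return conn.execute(sql).fetchall()

def lookup_bound(conn, owner, itemname):
    """Constant statement string plus bound parameters: the whole input is
    compared as one string value, quote characters and all."""
    sql = "select * from items where owner = ? and itemname = ?"
    return conn.execute(sql, (owner, itemname)).fetchall()

PAYLOAD = "name' or 'a' = 'a';--"   # the item name the attacker supplies on slide 12

def statement_id_param(raw):
    """Type-check a numeric id before binding it (the statID case on slide 9):
    "105'" raises instead of being spliced into the statement."""
    if not raw.isdigit():
        raise ValueError("statID must be a decimal integer")
    return int(raw)

def demo():
    """Return (rows leaked by the interpolated query, rows from the bound query)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, "hacker", PAYLOAD)
    safe = lookup_bound(conn, "hacker", PAYLOAD)
    return len(leaked), len(safe)

if __name__ == "__main__":
    print(demo())
```

The interpolated version hands back every row in the table (the `or 'a' = 'a'` clause is true for all of them and `--` discards the dangling quote), while the bound version simply finds no item with that odd name.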
  • 13. 12 most common attacks, 1-6 • cookie poisoning • hidden field manipulation • parameter tampering • buffer overflow • cross-site scripting • backdoor & debug options www.watchfire.com
  • 14. 12 most common, 7-12 • forceful browsing • http response splitting • stealth • 3rd party misconfiguration • known vulnerabilities • xml & web services vulnerabilities
  • 15. Privilege escalation • Horizontal privilege escalation • Vertical privilege escalation www.watchfire.com
  • 16. Defenses • Good code is a prerequisite for secure code • Build security in from the start • Use existing tools as much as possible
  • 17. Taint mode • perl -T • data from outside has to be scrubbed before it can be used unsafely • plumbing model of data: data presumed dirty
  • 18. Data Validation Strategies • Exact match • Known good • Reject known bad • Sanitize • Prayer
  • 19. Quoting • Sanitize strategy • Use database supplied function; do not roll your own • Consider rejection
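Slides 17 to 19 as code, added here as an example that is not from the deck: a `Tainted` wrapper plays the role of Perl's taint mode (outside data is presumed dirty, and the sink refuses anything a validator has not cleared), and the four strategies of slide 18 are applied side by side to constructed inputs. The class, function and pattern names are this example's own; quoting itself is deliberately not reimplemented, in line with slide 19.

```python
# Added example (not from the slides): taint plumbing plus the slide-18 strategies.
import re

class Tainted:
    """Plumbing model: a value from outside, presumed dirty until a validator clears it."""
    def __init__(self, value):
        self.value = value
    def __repr__(self):
        return "Tainted(%r)" % self.value

class ValidationError(ValueError):
    pass

# 1. Exact match: the value must be one of a fixed set (here, a sort order).
SORT_ORDERS = {"asc", "desc"}
def exact_match(t):
    if t.value not in SORT_ORDERS:
        raise ValidationError("not an allowed value: %r" % t.value)
    return t.value

# 2. Known good: the value must match a pattern describing what is acceptable.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,15}$")
def known_good(t):
    if not USERNAME_RE.match(t.value):
        raise ValidationError("not a well-formed username: %r" % t.value)
    return t.value

# 3. Reject known bad: a denylist (enumerating badness). The weakest of the four,
# because anything the list does not name gets through.
BAD_FRAGMENTS = ("'", ";", "--", "<script")
def reject_known_bad(t):
    lowered = t.value.lower()
    if any(bad in lowered for bad in BAD_FRAGMENTS):
        raise ValidationError("contains a known-bad fragment: %r" % t.value)
    return t.value

# 4. Sanitize: drop everything outside the accepted character set and carry on.
def sanitize(t):
    return re.sub(r"[^a-z0-9_ ]", "", t.value.lower())

def sink(value):
    """Where the value is used unsafely (query, log line, HTML). Accepts only
    values a validator has already turned back into a plain str."""
    if isinstance(value, Tainted):
        raise TypeError("tainted data reached a sink: %r" % value)
    return value

def run_all(raw):
    """Apply every strategy to one raw input; report what each does with it."""
    t = Tainted(raw)
    results = {}
    for name, fn in (("exact", exact_match), ("known_good", known_good),
                     ("reject_bad", reject_known_bad), ("sanitize", sanitize)):
        try:
            results[name] = sink(fn(t))
        except ValidationError:
            results[name] = "rejected"
    return results

# Constructed inputs: a clean username, the slide-12 payload, and a string with
# no quote or semicolon that still is not a username.
SAMPLE_INPUTS = ["alice_01", "name' or 'a' = 'a';--", "alice or 1=1"]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(repr(raw), run_all(raw))
```

The third input is the instructive one: the denylist passes it untouched and sanitizing turns it into `alice or 11`, whereas the known-good pattern rejects it outright, which is why the deck lists "prayer" last and exact match first.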
  • 20. Bind variables • Use with prepared SQL (also a good idea) • Takes advantage of built in type-checking • In accord with “trust no-one”
  • 21. Perl’s DBI • generic interface • prepare & bind calls available • logging available • much better than building your own! www.cpan.org
  • 22. Stored procedures • isolate users from database changes • isolate database from hostile users • makes it easy to install gatekeeper functions • makes it easy to log all access • only practical way to get SOX compliance
  • 23. Do not use dynamic SQL • Often a sign of poor design • Hard to debug • Easy to corrupt, especially if the table names are dynamic • Use stored procedures or, at a minimum, prepared SQL and bind variables
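The hazard slide 23 singles out, dynamic table names, as an added example that is not from the deck: bind variables cover values, not identifiers, so a table or column chosen at run time has to be resolved through an allowlist held in the code. The schema, the `REPORT_TABLES` and `SORT_COLUMNS` maps and the two report functions are constructed for this example.

```python
# Added example (not from the slides): identifiers cannot be bound, so allowlist them.
import sqlite3

# Constructed allowlists: the request may name a key, never a raw identifier.
REPORT_TABLES = {"orders": "orders", "refunds": "refunds"}
SORT_COLUMNS = {"when": "created_at", "amount": "amount"}

def make_db():
    """In-memory schema with two report tables and one table reports must not touch."""
    conn = sqlite3.connect(":memory:")
    for t in list(REPORT_TABLES.values()) + ["secrets"]:
        # t comes from this module's constants, not from a request
        conn.execute("create table %s (id integer, customer text, amount integer, created_at text)" % t)
    conn.executemany("insert into orders values (?, ?, ?, ?)",
                     [(1, "alice", 40, "2007-08-01"), (2, "bob", 15, "2007-08-02")])
    conn.executemany("insert into refunds values (?, ?, ?, ?)", [(1, "alice", 5, "2007-08-03")])
    conn.execute("insert into secrets values (?, ?, ?, ?)", (1, "cfo", 999, "2007-08-04"))
    return conn

def report_dynamic(conn, table, sort_key, customer):
    """The pattern slide 23 warns against: the request supplies the table name,
    so any table the connection can read becomes reachable."""
    sql = "select id, amount from %s where customer = '%s' order by %s" % (table, customer, sort_key)
    return conn.execute(sql).fetchall()

def report_allowlisted(conn, table, sort_key, customer):
    """Identifiers are looked up in code-held maps; the value is bound."""
    try:
        table_name = REPORT_TABLES[table]
        sort_col = SORT_COLUMNS[sort_key]
    except KeyError as e:
        raise ValueError("unknown report table or sort key: %s" % e)
    sql = "select id, amount from %s where customer = ? order by %s" % (table_name, sort_col)
    return conn.execute(sql, (customer,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(report_allowlisted(db, "orders", "amount", "alice"))
```

The allowlisted version keeps the statement string constant apart from names the program itself chose; an unknown key is an error, not a query.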
  • 24. What to log • Session open/close • Authentication • Authorization requests • CUD: Create, Update, Delete • Errors & exceptions
  • 25. How to manage logs • Logs have to be highly secure • Don’t write user-supplied data into the logs • Automate log scanning: everything not uninteresting is interesting!
  • 26. Error handling • Uniform error handling (i.e. library routines) • Don’t tell the user stuff he/she doesn’t need to know • Review error logs
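Slides 24 to 26 as a small helper set, added here as an example that is not from the deck: the events slide 24 lists go through one `log_event` function as one JSON object per line, user-supplied strings are neutralised before they reach the log (slide 25), the user receives a reference id while the detail stays in the log (slide 26), and `interesting` does the "everything not uninteresting is interesting" scan. Function names, the in-memory log stream and the `BORING` table are this example's assumptions.

```python
# Added example (not from the slides): logging and error handling helpers.
import io
import json
import logging
import uuid

LOG_STREAM = io.StringIO()            # stands in for the protected log file
_handler = logging.StreamHandler(LOG_STREAM)
_handler.setFormatter(logging.Formatter("%(message)s"))
audit = logging.getLogger("audit")
audit.addHandler(_handler)
audit.setLevel(logging.INFO)
audit.propagate = False

def neutralise(s, limit=200):
    """Keep user data out of the log's structure: replace control characters
    (no forged line breaks or records) and cap the length."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in str(s))
    return cleaned[:limit]

def log_event(kind, session, **fields):
    """Session open/close, authentication, authorization, CUD and errors all
    pass through here, so a scanner can parse every record the same way."""
    record = {"event": kind, "session": session}
    record.update({k: neutralise(v) for k, v in fields.items()})
    audit.info(json.dumps(record, sort_keys=True))
    return record

def handle_error(session, exc):
    """Uniform error handling: detail to the log, a reference id to the user."""
    ref = uuid.uuid4().hex[:12]
    log_event("error", session, ref=ref, detail="%s: %s" % (type(exc).__name__, exc))
    return "Request failed; reference %s" % ref

def log_lines():
    return LOG_STREAM.getvalue().splitlines()

def last_record():
    return json.loads(log_lines()[-1])

# Routine (event, result) pairs; anything else is worth a human's attention.
BORING = {("session", "open"), ("session", "close"), ("auth", "ok"), ("authz", "ok")}

def interesting(lines):
    """Automated log scanning the slide-25 way: list what is routine, report the rest."""
    return [rec for rec in map(json.loads, lines)
            if (rec["event"], rec.get("result")) not in BORING]

if __name__ == "__main__":
    log_event("auth", "s1", user="bob\nevent=auth user=admin result=ok", result="fail")
    print(handle_error("s1", ValueError("Unclosed quotation mark before the character string")))
    print(interesting(log_lines()))
```

The forged newline in the user name becomes a `?` inside one record instead of a second, fake `result=ok` line, and the database driver's message (the kind the UN page leaked) never reaches the response.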
  • 27. Backup & restore • Last resort recovery (in case of defacement and the like) • Intruder tracking (old versus new) • Backup data must be protected as well as original data
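The "intruder tracking (old versus new)" use of a backup from slide 27, as an added example that is not from the deck: each row is hashed with its primary key, and comparing the backup's digests with the live table's lists exactly which rows were added, deleted or altered since the backup was taken. The `speeches` schema and both row sets are constructed for this example (the defaced row echoes the UN case on slide 8 without copying it).

```python
# Added example (not from the slides): per-row digests of a backup versus the live table.
import hashlib
import sqlite3

SCHEMA = "create table speeches (id integer primary key, title text, body text)"

# Constructed snapshots: the backup, and the live table after a defacement,
# one deleted row and one inserted row.
BACKUP_ROWS = [
    (1, "Opening remarks", "Welcome to the session."),
    (2, "Climate", "Emissions must fall."),
    (3, "Peacekeeping", "Missions continue."),
]
LIVE_ROWS = [
    (1, "Opening remarks", "Welcome to the session."),
    (2, "Climate", "[constructed defacement text]"),
    (4, "Untitled", "[constructed inserted row]"),
]

def make_snapshot(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("insert into speeches values (?, ?, ?)", rows)
    return conn

def row_digests(conn, table, key_col, cols):
    """Map primary key -> SHA-256 of the remaining columns in a fixed order.
    table/key_col/cols are code constants here, never request data."""
    sql = "select %s, %s from %s" % (key_col, ", ".join(cols), table)
    digests = {}
    for row in conn.execute(sql):
        payload = "\x1f".join("" if v is None else str(v) for v in row[1:])
        digests[row[0]] = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    return digests

def compare(backup, live):
    """Classify every key by what happened to it between the two snapshots."""
    return {
        "added":   sorted(k for k in live if k not in backup),
        "deleted": sorted(k for k in backup if k not in live),
        "altered": sorted(k for k in backup if k in live and backup[k] != live[k]),
    }

def demo():
    cols = ["title", "body"]
    old = row_digests(make_snapshot(BACKUP_ROWS), "speeches", "id", cols)
    new = row_digests(make_snapshot(LIVE_ROWS), "speeches", "id", cols)
    return compare(old, new)

if __name__ == "__main__":
    print(demo())
```

Storing only the digests of the backup (rather than the rows) is enough for this comparison, which matters because, as the slide says, the backup itself has to be protected as carefully as the live data.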
  • 28. Principles • Good code establishes foundation for secure code • Build security in from start • Trust no one
  • 29. Minimize attack surface area • Every feature weakens the system • Do not show the outside world more than you need to • Code that doesn’t exist can’t break
  • 30. Complete mediation • Check every access • Be able to track every authorization (i.e. in logs) • Be skeptical of worries about performance (usually over-stated)
  • 31. Least privilege • every user gets only the privileges they need • reduces damage from errors • reduces complexity of interactions, making system more reliable • makes incident response easier
  • 32. Defense in depth • Fortress principle • Assume client data is corrupt • Assume client-side code is corrupt • Assume network has been penetrated • Assume server has been hacked • And don’t trust yourself, either
  • 33. Fail securely • Default should be to deny access • If you have been over-rigid, that will show up quickly in testing. • But if you are under-rigid, that will not show up in testing!
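Slides 30 to 33 in one gatekeeper, added here as an example that is not from the deck: every access goes through `authorize` (complete mediation, enforced by a decorator on the data-access functions), the answer is deny unless a role right and every rule say otherwise (least privilege, fail securely), an exception inside a check is treated as a denial, and each decision is appended to an audit list so it can be traced. The role and user tables, the rule and the `update_item` function are constructed for this example.

```python
# Added example (not from the slides): default-deny authorization with an audit trail.
from collections import namedtuple

Decision = namedtuple("Decision", "allowed reason")

# Constructed role table: each role lists only the rights it needs.
ROLE_RIGHTS = {
    "reader":  {("items", "read")},
    "editor":  {("items", "read"), ("items", "create"), ("items", "update")},
    "auditor": {("items", "read"), ("log", "read")},
}
USERS = {"alice": "editor", "bob": "reader", "carol": "auditor"}   # constructed

def owner_rule(user, resource, action, ctx):
    """Horizontal check: an update must target a row the caller owns."""
    if action == "update" and ctx.get("owner") != user:
        return False
    return True

RULES = [owner_rule]
AUDIT = []      # stands in for the authorization log of slide 24

def authorize(user, resource, action, ctx=None):
    ctx = ctx or {}
    decision = Decision(False, "default deny")
    try:
        role = USERS.get(user)
        if role is None:
            decision = Decision(False, "unknown user")
        elif (resource, action) not in ROLE_RIGHTS.get(role, set()):
            decision = Decision(False, "role %s lacks %s on %s" % (role, action, resource))
        elif not all(rule(user, resource, action, ctx) for rule in RULES):
            decision = Decision(False, "rule denied")
        else:
            decision = Decision(True, "allowed by role %s" % role)
    except Exception as exc:        # fail securely: a broken check is a denial
        decision = Decision(False, "error in check: %s" % type(exc).__name__)
    AUDIT.append((user, resource, action, decision.allowed, decision.reason))
    return decision

def guarded(resource, action):
    """Complete mediation: every data-access function is wrapped, so there is
    no call path that skips authorize()."""
    def wrap(fn):
        def inner(user, *args, **kw):
            d = authorize(user, resource, action, kw.get("ctx"))
            if not d.allowed:
                raise PermissionError(d.reason)
            return fn(user, *args, **kw)
        return inner
    return wrap

@guarded("items", "update")
def update_item(user, item_id, new_name, ctx=None):
    return {"id": item_id, "name": new_name, "by": user}

if __name__ == "__main__":
    print(update_item("alice", 7, "lamp", ctx={"owner": "alice"}))
    print(authorize("bob", "items", "update", {"owner": "bob"}))
```

Slide 33's asymmetry shows in the tests: an over-strict rule surfaces immediately as a `PermissionError` for a legitimate user, whereas nothing in normal use would reveal a rule that silently allowed too much, which is why the decision defaults to deny and a crashing rule is not treated as a pass.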
  • 34. Separation • Separation of duties • Separate privileges
  • 35. Don’t trust services Many organizations utilize the processing capabilities of third party partners, who more than likely have differing security policies and posture than you. It is unlikely that you can influence or control any external third party, whether they are home users or major suppliers or partners. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion. For example, a loyalty program provider provides data that is used by Internet Banking, providing the number of reward points and a small list of potential redemption items. However, the data should be checked to ensure that it is safe to display to end users, and that the reward points are a positive number, and not improbably large. http://www.owasp.org/index.php/Secure_Coding_Principles
  • 36. Avoid security by obscurity • Assume they have your source code • In fact, if the source code is public, outside reviewers can check!
  • 37. KISS “Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.” http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
  • 38. Fix security issues correctly Once a security issue has been identified, it is important to develop a test for it, and to understand the root cause of the issue. When design patterns are used, it is likely that the security issue is widespread amongst all code bases, so developing the right fix without introducing regressions is essential. For example, a user has found that they can see another user’s balance by adjusting their cookie. The fix seems to be relatively straightforward, but as the cookie handling code is shared amongst all applications, a change to just one application will trickle through to all other applications. The fix must therefore be tested on all affected applications. OWASPGuide2.0.1.pdf
  • 39. How to write insecure code • Use dynamic code • Rely on security being done elsewhere • Use logs to debug • Build your own encryption/authentication • Validation is for wusses • Make development as complex & free form as possible http://www.owasp.org/index.php/How_to_write_insecure_code
  • 40. How to write unmaintainable code In the interests of creating employment opportunities in the Java programming field, I am passing on these tips from the masters on how to write code that is so difficult to maintain, that the people who come after you will take years to make even the simplest changes. Further, if you follow all these rules religiously, you will even guarantee yourself a lifetime of employment, since no one but you has a hope in hell of maintaining the code. Then again, if you followed all these rules religiously, even you wouldn't be able to maintain the code! You don't want to overdo this. Your code should not look hopelessly unmaintainable, just be that way. Otherwise it stands the risk of being rewritten or refactored. http://mindprod.com/jgloss/unmain.html
  • 41. H2RiteUnMCd “Quidquid latine dictum sit, altum sonatur.” “Whatever is said in Latin sounds profound.” To foil the maintenance programmer, you have to understand how he thinks. He has your giant program. He has no time to read it all, much less understand it. He wants to rapidly find the place to make his change, make it and get out and have no unexpected side effects from the change. He views your code through a toilet paper tube. He can only see a tiny piece of your program at a time. You want to make sure he can never get at the big picture from doing that. You want to make it as hard as possible for him to find the code he is looking for. But even more important, you want to make it as awkward as possible for him to safely ignore anything. Programmers are lulled into complacency by conventions. But every once in a while, by subtly violating convention, you force him to read every line of your code with a magnifying glass. You might get the idea that every language feature makes code unmaintainable -- not so, only if properly misused.
  • 42. Where to go next • Use the web, Luke! • www.owasp.org • Security articles on MySQL, Perl,...
  • 43. OWASP About The Open Web Application Security Project (Redirected from About OWASP) Overview The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at http://www.owasp.org. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.
  • 44. A study conducted by Sanctum (acquired by Watchfire in 2004) of over 100 applications at large corporate and government sites places some hard numbers on security failure rates. The study found that 92 percent of all applications failed security testing conducted in the integration or production stages. The average time to fix the errors was 2.5 months, and the cost to the business team averaged $25M. When the failed applications were tested again, 20 percent of them (16 percent of the total) failed security testing a second time. Half of these re-failed applications (8 percent of the total) never passed
  • 45. Be careful out there!