Your SlideShare is downloading. ×
Sql vulnerability advisory presentation
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Sql vulnerability advisory presentation


Published on

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Security Vulnerability Advisory SQL Injection Attacks Nicholas DavisDecember 16, 2010
  • 2. OverviewExecutive SummarySQL Injection Threat DefinedRisk of SQL Injection AttackImpact of SQL Injection AttackPotential Costs and PenaltiesThreat LevelRecommendationsOrganizational ConstraintsPhase I Immediate ResponsePhase II Medium Range ResponsePhase III Long Term ResponseSuggested Next StepsOther SourcesQuestions
  • 3. Executive Summary• A security related vulnerability in SQL software code has been identified• Data at risk for unauthorized access, alteration, theft and misuse• Both risk and impact are high, meaning overall threat level is high• Take a three step approach to mitigate the threat
  • 4. SQL Injection Threat Defined • Attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. • Usually, values are inserted into a SELECT query • Interact with the database in illicit ways, including making unauthorized changes, which would damage data integrity
  • 5. Example of SQL Injection
  • 6. Risk of SQL Injection is High • Manual attack • Automated attack • Risk of SQL injection exploits is on the rise due to the proliferation of automated attack tools.
  • 7. Impact of SQL Injection is High • Allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
  • 8. Costs and Penalties• HIPAA, FERPA, PCI• Fines, penalties, lawsuits• Prison in extreme cases• Image and reputation
  • 9. Threat Level is High• As both the risk and potential impact of an SQL injection attack are rated as high, the overall threat level is also rated as high, meaning that an SQL injection attack is very likely to occur and that the damage which could be caused by such an attack is capable of being devastating.
  • 10. Recommendations• It is recommended that the organization take immediate as well as phased-in action, to mitigate the risk of an SQL Injection Attack on our database application.• Three phases, ranging from immediate to medium range to long term
  • 11. Organizational Constraints• Organizational constraints are extensive• Complex work/project• Time required (280 hours)• Cost is $25,000• Other priorities
  • 12. Phase I - Immediate• Leverage the organization’s centralized login service to place authentication protection in front of the database.• Does not fix the underlying SQL injection software code, it does place a perimeter of protection around the vulnerable database• Inexpensive, easy to implement
  • 13. Phase II – Medium Range• Next 90 days, develop a specific project plan and work plan to re- write the vulnerable software application.• Present to upper management, outlining the risks and impacts of this threat and a solid case can be made for staff time and funding required to prioritize and fix the software application.
  • 14. Phase III – Long Term• As time and budgets permit, ask the software engineers to attend training sessions• Will ensure that database software applications built in the future will has SQL Injection Attack security baked in from the beginning
  • 15. Next Steps• Obtain management’s permission to immediately proceed with the tactical authentication solution, to place a perimeter of security around the vulnerable SQL software code.• Develop a presentation for upper management which describes the threat posed by an SQL Injection Attack and ask for their permission to develop a project plan and work plan to re-write the vulnerable database software application, beginning three months from now.• Contact the education department and ask them to research dates and costs for SQL Injection Attack training for software engineers, over the course of the next year.
  • 16. More Details•••
  • 17. Questions• Is the information clear?• Would you like more details?• How would like to proceed?• How can I help you?• Other