ABC's of Software Security
       SQL Injection Prevention



                        Presented by:
                                        Colin Buckton
                                        Jose Kaharian
                                        David Klassen
Introduction
● Colin Buckton
  ○ OWASP - Web Security Awareness Group
  ○ SQL Injection Vulnerability Description

● David Klassen
  ○ Demonstrate SQL Injection and what is at risk
  ○ Show prevention of SQL Injection at the code level

● Jose Kaharian
  ○ Business Research Concerning Security (BSIMM)
  ○ Secure coding is becoming a hiring priority
Colin Buckton
● Easy Ways to Learn about Web App Security

  ○ OWASP - Web App Security Awareness Group

  ○ Web App Sec Tutorial Video Series on YouTube

  ○ Top Ten - Web Application Security Risks

  ○ Top Ten Item #1 - SQL Injection Vulnerability
Three Stages of Software Security
             Awareness
1. Progress begetting vulnerability accepted as
   reality
   ○ "To make an omelette..."
2. Onus fell on the consumer to protect
   themselves
   ○ Firewall, anti-malware, best-practices
   ○ Preventative measures cost companies money
3. Producers must design securely
   ○ Build-in security
   ○ Preventative measures save money
   ○ Awareness is needed
OWASP - The Open Web Application
         Security Project
● OWASP is a worldwide not-for-profit
  charitable organization focused on
  improving the security of software
● Purpose: Help everyone build more secure
  web applications and services
● Founded December 1st, 2001
● Provides information and training materials
  in an "open-source" model
OWASP WebAppSec Tutorial Series
● OWASP provides a series of training videos
● Goal is to make "top notch" security training
  accessible to the public
● Making AppSec (Application Security) more
  visible
● Licensed under Creative Commons so you
  can share freely
OWASP Top 10 Project
● The Top 10 is a list of security risks to web
  applications as assessed by the OWASP Risk
  Rating Methodology.


● The names of the risks in the Top 10 stem
  from the type of attack, the type of
  weakness, or the degree of impact they
  cause.
Top 10 List for 2010
#1 Top 10 item - SQL Injection
● Injection attacks are the top rated threat
● How they work:
  ○ A section of code in your program is vulnerable


  ○ Attacker sends text that exploits the syntax


  ○ This creates an unintended query -> SELECT * FROM
    accounts WHERE custID='' or '1'='1';
  ○ Interpreter returns data on ALL accounts, and may
    even access special commands and take over!
#1 Top 10 item - SQL Injection
● How to Prevent SQLi
● OWASP makes suggestions on how to fix this
  ○ Use a specific Application Programming Interface
    (API) that can interpret user input safely.
    ■ Interface objects can reinterpret user input in a
       safe manner
  ○ "Escaping" the user input for the interpreter
    ■ e.g. " ' or '1'='1 "
  ○ Use a whitelist of acceptable characters
    ■ e.g. Only allow alphanumerics for input
    ■ Not always feasible if some searches require
       those special characters
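The two slides above describe the flaw (user text becomes part of the query syntax) and OWASP's first and third fixes (a parameterized API, then an allow-list on the input). The following is an added example, not code from the deck or from the lab it demonstrates: it builds a constructed three-row `accounts` table in SQLite, runs the deck's `' or '1'='1` text through a concatenated query, a bound-parameter query, and an allow-listed lookup, and returns what each one does. The column names, the sample rows and the 1-16 alphanumeric customer-id format are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: a three-row "accounts" table standing in for the
# table in the deck's example query (not the lab's real schema).
SAMPLE_ACCOUNTS = [
    ("c100", "alice", 50),
    ("c200", "bob", 75),
    ("c300", "carol", 20),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """The flawed pattern: the user's text is concatenated into the SQL, so a
    quote character in it closes the literal and the rest becomes query syntax."""
    sql = "SELECT custID, owner FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, cust_id):
    """OWASP's first suggestion, a parameterized API: the value is passed to the
    driver separately from the query text, so it is only ever compared, never parsed."""
    sql = "SELECT custID, owner FROM accounts WHERE custID=?"
    return conn.execute(sql, (cust_id,)).fetchall()


# Allow-list from the deck's third suggestion: alphanumerics only.
# The 1-16 character limit is a hypothetical format chosen for this example.
CUST_ID_RE = re.compile(r"[A-Za-z0-9]{1,16}")


def is_valid_cust_id(cust_id):
    """True only if the id is 1-16 alphanumeric characters."""
    return CUST_ID_RE.fullmatch(cust_id) is not None


def lookup_allowlisted(conn, cust_id):
    """Allow-list validation layered on top of binding: reject odd input early,
    so an attempt is also visible in the application's logs."""
    if not is_valid_cust_id(cust_id):
        raise ValueError("customer id must be 1-16 alphanumeric characters")
    return lookup_parameterized(conn, cust_id)


def demo():
    """Run the deck's payload through all three lookups.
    Returns (rows leaked by the vulnerable query, rows from the bound query,
    whether the allow-list rejected the input)."""
    conn = make_db()
    payload = "' or '1'='1"  # the text from slide 9
    vulnerable_rows = len(lookup_vulnerable(conn, payload))        # every account
    parameterized_rows = len(lookup_parameterized(conn, payload))  # no such custID
    try:
        lookup_allowlisted(conn, payload)
        allowlist_rejected = False
    except ValueError:
        allowlist_rejected = True
    return vulnerable_rows, parameterized_rows, allowlist_rejected


if __name__ == "__main__":
    print(demo())
```

The concatenated query becomes exactly the deck's `SELECT ... WHERE custID='' or '1'='1'` and returns all three rows; the bound query looks for a customer whose id is literally `' or '1'='1` and returns none. The deck's second suggestion, escaping, is deliberately not shown: binding makes it unnecessary, and the allow-list is the cheap extra check when the field's format is known.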
David Klassen
● Demonstrate exploitation of Web App

  ○ Discuss compromise and worst facts about it

  ○ Talk about the tools used in detection

  ○ Show prevention of SQL Injection at the code level

  ○ Architectural things to think about
#1 Top 10 item - SQL Injection cont.
● input
What SQLi isn't
● Not a client side attack

● Not phishing

● Not a virus

● Not a rootkit

● Not a botnet

● Not blockable with simple firewall
#1 Top 10 item - SQL Injection cont.
● input
What SQLi is
● Can leak data or cause server level penetration.

● It exists in the Web Application itself

● Really this exists because it was coded into the app

● The wrong types of API/SQL calls are made

● Application does not handle/encode corner cases well.
SQLi Demonstration
● Lab21, which has been analyzed with ZAP
● sqlmap can be used to prove/exploit an SQLi
● Review database info enumerated via SQLi
● Fix the code
● Point out why it is fixed
● Show proof of the fix
  ○ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

● Data model/architecture issues:
  ○ Never use sys/admin/root accounts
  ○ Application/Database user separation
  ○ Privilege separation for Admin features
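The three architecture points above (no root accounts, a separate database user for the application, a separate one for admin features) limit what an injected query can do even when the code fix is missed. The following is an added example, not the lab's code: it uses SQLite, which has no user accounts, so a read-only handle marked `query_only` stands in for a database user granted only SELECT (on a server database this is done with GRANT), while a second, full-rights handle stands in for the admin user. The table and rows are constructed for the example. It shows the same UPDATE and DROP succeeding through the admin handle and being refused through the application's.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data, not the lab's real schema.
SAMPLE_ACCOUNTS = [("c100", "alice", 50), ("c200", "bob", 75)]


def create_database(path):
    """One-time setup done by a deployment step, not by the web application."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    conn.close()


def open_app_connection(path):
    """The customer-facing handle: opened read-only and marked query_only.
    This is the SQLite stand-in for an application DB user holding only SELECT."""
    conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    conn.execute("PRAGMA query_only = ON")
    return conn


def open_admin_connection(path):
    """The admin handle: full rights, reachable only from the separated admin feature."""
    return sqlite3.connect(path)


def run_statement(conn, sql):
    """Execute one statement; return ('ok', rows) or ('denied', error text).
    A refused write is rolled back so the handle holds no lock afterwards."""
    try:
        rows = conn.execute(sql).fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return ("denied", str(exc))


def demo():
    """Show that the same writes succeed for admin and fail for the app user."""
    path = os.path.join(tempfile.mkdtemp(), "lab.db")
    create_database(path)
    app = open_app_connection(path)
    admin = open_admin_connection(path)
    # A query the application legitimately runs.
    app_select = run_statement(app, "SELECT count(*) FROM accounts")
    # Writes that an injected query would attempt through the app's handle.
    app_update = run_statement(app, "UPDATE accounts SET balance = 0")
    app_drop = run_statement(app, "DROP TABLE accounts")
    # The same write from the admin path, where it belongs.
    admin_update = run_statement(admin, "UPDATE accounts SET balance = 0")
    balances = run_statement(admin, "SELECT balance FROM accounts")[1]
    app.close()
    admin.close()
    return {
        "app_select": app_select[0],
        "app_update": app_update[0],
        "app_drop": app_drop[0],
        "admin_update": admin_update[0],
        "balances": balances,
    }


if __name__ == "__main__":
    print(demo())
```

The refused statements surface as `OperationalError` ("attempt to write a readonly database"), which is exactly the kind of error worth alerting on: a SELECT-only user has no business producing it.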
#1 Top 10 item - SQL Injection cont.
● input
Jose Kaharian
● BSIMM - Business Research about Security

  ○ Numerous security breach issues/prevention

  ○ Businesses are busy cleaning up their process/code

  ○ A study is useful for reflection about what works

  ○ Secure coding is becoming a hiring priority
SQLi Basic Facts
● Growing History of Actual Attacks
  ○ Sony PlayStation network
    ■ http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
  ○ Dating Site Hacks
    ■ eHarmony/PlentyOfFish
  ○ Heartland Payment Systems and TJX retailer (Winners/Homesense)
    ■ http://www.securityfocus.com/news/11557


● What is the result?
  ○   The finances and private lives of consumers are at stake.
  ○   Reduces consumer confidence in a company
How to reverse the trend?
● What is BSIMM?
  ○   Building Security In Maturity Model.
  ○   A study of real-world software security initiatives
  ○   Designed to help companies understand, measure, and plan a
      software security initiative


● What makes BSIMM so special?
  ○   Does not tell you what you should do; instead, it tells you what
      everyone else is actually doing.
  ○   This approach stands in sharp contrast to “faith-based” approaches
      to software security.
  ○   Can be used as a measuring stick, in comparison to other businesses.
  ○   Sharing data, can help other organizations tackle real problems.
BSIMM4 Study of 51 Companies
● Businesses getting serious about Security:
Software Security Framework
● Four business areas for change
● Each with three basic security practices
● Note: Code Review and Security Testing included
Important Business Goals
● Convincing reasons for adopting security
● Offers a wide view of potential business benefits
● Compliance with PCI/PII/Privacy and Legal Regulations
Measure 111 Security Activities
● Here is a breakdown of one of the twelve practices
● Shows nine different possible activities
● Not all activities will match a business's needs
Businesses Can Participate
● The BSIMM study is open to new participants

● By joining the community a business can progress
  towards better consideration for security

● Businesses who participate can also gain from the
  anonymous intelligence shared by other businesses

● In general businesses seeking to broaden or strengthen
  their security stance will benefit from this data
Measure Software Security vs. Peers
● Compare: Software Vendors vs. Financials
Security is becoming important
● More and more companies are attempting to find ways
  to combat fraud (Amazon, Microsoft, Apple etc.):
  ○ Big Data solutions to analyze transactions
  ○ Grappling with Social Engineering of credentials
  ○ Prevent attacks on users via your website's flaws
● By learning about security risks, and how to create
  better code, the value of your creations will go up.
● Companies are looking for talent that is willing to
  embrace a risk-savvy way of creating Apps.
● Especially in financial, telecom, and traditional high
  value markets
Class Exercise

Lab12a - Cross Site Scripting (XSS) Discovery:

           http://dbavedb.comeze.com/xss.htm


https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Questions
OWASP
https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
https://www.owasp.org/index.php/Top_10_2010-Main
https://www.owasp.org/index.php/OWASP_Podcast
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet


Demo & Exercise
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
http://sqlmap.org/
http://beefproject.com/
http://www.detectmalice.com/ (Book)


BSIMM
http://bsimm.com/online/
http://www.cigital.com/justice-league-blog/2012/09/18/bsimm4/
http://exploitingonlinegames.com/ (Book)
http://www.cigital.com/silver-bullet/
Thanks for Listening to:
ABC's of Software Security
       SQL Injection Prevention



                        Presented by:
                                        Colin Buckton
                                        Jose Kaharian
                                        David Klassen
