1. ABC's of Software Security
SQL Injection Prevention
Presented by:
Colin Buckton
Jose Kaharian
David Klassen
2. Introduction
● Colin Buckton
○ OWASP - Web Security Awareness Group
○ SQL Injection Vulnerability Description
● David Klassen
○ Demonstrate SQL Injection and what is at risk
○ Show prevention of SQL Injection at the code level
● Jose Kaharian
○ Business Research Concerning Security (BSIMM)
○ Secure coding is becoming a hiring priority
3. Colin Buckton
● Easy Ways to Learn about Web App Security
○ OWASP - Web App Security Awareness Group
○ Web App Sec Tutorial Video Series on YouTube
○ Top Ten - Web Application Security Risks
○ Top Ten Item #1 - SQL Injection Vulnerability
4. Three Stages of Software Security
Awareness
1. Progress begetting vulnerability accepted as reality
○ "To make an omelette..."
2. Onus fell on the consumer to protect themselves
○ Firewall, anti-malware, best-practices
○ Preventative measures cost companies money
3. Producers must design securely
○ Build-in security
○ Preventative measures save money
○ Awareness is needed
5. OWASP - The Open Web Application Security Project
● OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software
● Purpose: Help everyone build more secure web applications and services
● Founded December 1st, 2001
● Provides information and training materials in an "open-source" model
6. OWASP WebAppSec Tutorial Series
● OWASP provides a series of training videos
● Goal is to make "top notch" security training accessible to the public
● Making AppSec (Application Security) more visible
● Licensed under Creative Commons so you can share freely
7. OWASP Top 10 Project
● The Top 10 is a list of security risks to web applications as assessed by the OWASP Risk Rating Methodology.
● The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the degree of impact they cause.
9. #1 Top 10 item - SQL Injection
● Injection attacks are the top rated threat
● How they work:
○ A section of code in your program is vulnerable
○ Attacker sends text that exploits the syntax
○ This creates an unintended query -> SELECT * FROM accounts WHERE custID='' or '1'='1';
○ Interpreter returns data on ALL accounts, and may even access special commands and take over!
10. #1 Top 10 item - SQL Injection
● How to Prevent SQLi
● OWASP makes suggestions on how to fix this
○ Use a specific Application Programming Interface (API) that can interpret user input safely.
■ Interface objects can reinterpret user input in a safe manner
○ "Escaping" the user input for the interpreter
■ e.g. " ' or '1'='1 "
○ Use a whitelist of acceptable characters
■ e.g. Only allow alphanumerics for input
■ Not always feasible if some searches require those special characters
11. David Klassen
● Demonstrate exploitation of Web App
○ Discuss compromise and worst facts about it
○ Talk about the tools used in detection
○ Show prevention of SQL Injection at the code level
○ Architectural things to think about
15. What SQLi is
● Can leak data or cause server level penetration.
● It exists in the Web Application itself
● Really this exists because it was coded into the app
● The wrong types of API/SQL calls are made
● Application does not handle/encode corner cases well.
16. SQLi Demonstration
● Lab21 that has been analyzed via ZAP
● sqlmap can be used to prove/exploit an SQLi
● Review database info enumerated via SQLi
● Fix the code
● Point out why it is fixed
● Show proof of the fix
■ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● Data model/architecture issues:
○ Never use sys/admin/root accounts
○ Application/Database user separation
○ Privilege separation for Admin features
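Added example (not code from the deck or from Lab21) putting the string-built query behind slide 9's unintended `custID='' or '1'='1'` beside the two fixes slide 10 and slide 16 call for: a parameterized API call and an alphanumeric whitelist. It uses Python's sqlite3 with a constructed in-memory accounts table so the before/after can be run offline.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the lab's accounts table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("c100", "alice", 500),
        ("c200", "bob", 1200),
        ("c300", "carol", 75),
    ])
    return conn


def lookup_vulnerable(conn, cust_id):
    # The 'before': user text is concatenated into the SQL, so the quote
    # characters in it become part of the query's syntax. Given the input
    # ' or '1'='1 this builds exactly the query on slide 9.
    sql = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, cust_id):
    # The fix: a bound parameter. The driver sends cust_id as a value, so
    # quotes inside it can never change the statement's structure.
    sql = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(sql, (cust_id,)).fetchall()


# Whitelist from slide 10: only alphanumerics, bounded length (assumed limit).
CUST_ID_PATTERN = re.compile(r"[A-Za-z0-9]{1,16}")


def is_valid_cust_id(cust_id):
    return CUST_ID_PATTERN.fullmatch(cust_id) is not None


def lookup_whitelisted(conn, cust_id):
    # Defence in depth: reject unexpected characters before the database
    # is touched, and still use the bound parameter for the query itself.
    if not is_valid_cust_id(cust_id):
        raise ValueError("custID must be 1-16 alphanumeric characters")
    return lookup_parameterized(conn, cust_id)


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(db, payload)))      # 3
    print("parameterized rows:", len(lookup_parameterized(db, payload)))  # 0
```

The same payload returns every account through the concatenated query and no rows through the bound parameter, which is the "proof of the fix" the demonstration slide asks for.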
18. Jose Kaharian
● BSIMM - Business Research about Security
○ Numerous security breach issues/prevention
○ Businesses are busy cleaning up their process/code
○ A study is useful for reflection about what works
○ Secure coding is becoming a hiring priority
19. SQLi Basic Facts
● Growing History of Actual Attacks
○ Sony PlayStation network
■ http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
○ Dating Site Hacks
■ eHarmony/PlentyOfFish
○ Heartland Payment Systems and TJX retailer (Winners/Homesense)
■ http://www.securityfocus.com/news/11557
● What is the result?
○ The finances and private lives of consumers are at stake.
○ Reduces consumer confidence in a company
20. How to reverse the trend?
● What is BSIMM?
○ Building Security In Maturity Model.
○ A study of real-world software security initiatives
○ Designed to help companies understand, measure, and plan a software security initiative
● What makes BSIMM so special?
○ Does not tell you what you should do; instead, it tells you what everyone else is actually doing.
○ This approach stands in sharp contrast to “faith-based” approaches to software security.
○ Can be used as a measuring stick, in comparison to other businesses.
○ Sharing data, can help other organizations tackle real problems.
21. BSIMM4 Study of 51 Companies
● Businesses getting serious about Security:
22. Software Security Framework
● Four business areas for change
● Each with three basic security practices
● Note: Code Review and Security Testing included
23. Important Business Goals
● Convincing reasons for adopting security
● Offers a wide view of potential business benefits
● Compliance with PCI/PII/Privacy and Legal Regulations
24. Measure 111 Security Activities
● Here is a breakdown of one of the twelve practices
● Shows nine different possible activities
● Not all activities will match a business's needs
25. Businesses Can Participate
● The BSIMM study is open to new participants
● By joining the community a business can progress towards better consideration for security
● Businesses who participate can also gain from the anonymous intelligence shared by other businesses
● In general, businesses seeking to broaden or strengthen their security stance will benefit from this data
27. Security is becoming important
● More and more companies are attempting to find ways to combat fraud (Amazon, Microsoft, Apple etc.):
○ Big Data solutions to analyze transactions
○ Grappling with Social Engineering of credentials
○ Prevent attacks on users via your website's flaws
● By learning about security risks, and how to create better code, the value of your creations will go up.
● Companies are looking for talent that is willing to embrace a risk-savvy way of creating Apps.
● Especially in financial, telecom, and traditional high-value markets
28. Class Exercise
Lab12a - Cross Site Scripting (XSS) Discovery:
http://dbavedb.comeze.com/xss.htm
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet