Nicholas Davis, profile picture
Uploaded byNicholas Davis
PPT, PDF313 views

Sql vulnerability advisory presentation

A SQL injection vulnerability has been identified that puts organizational data at high risk of unauthorized access and theft. To mitigate this high-level threat, a three-phased approach is recommended: 1) Implement immediate authentication protections, 2) Develop a project plan within 90 days to re-write vulnerable software, 3) Provide long-term SQL injection security training to prevent future vulnerabilities. Management approval is requested to proceed with Phase I while gaining support for resource-intensive Phases II-III.

Embed presentation

Downloaded 12 times
Security Vulnerability Advisory SQL Injection Attacks Nicholas Davis December 16, 2010
Overview Executive Summary SQL Injection Threat Defined Risk of SQL Injection Attack Impact of SQL Injection Attack Potential Costs and Penalties Threat Level Recommendations Organizational Constraints Phase I Immediate Response Phase II Medium Range Response Phase III Long Term Response Suggested Next Steps Other Sources Questions
Executive Summary • A security related vulnerability in SQL software code has been identified • Data at risk for unauthorized access, alteration, theft and misuse • Both risk and impact are high, meaning overall threat level is high • Take a three step approach to mitigate the threat
SQL Injection Threat Defined • Attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. • Usually, values are inserted into a SELECT query • Interact with the database in illicit ways, including making unauthorized changes, which would damage data integrity
Example of SQL Injection
Risk of SQL Injection is High • Manual attack • Automated attack • Risk of SQL injection exploits is on the rise due to the proliferation of automated attack tools.
Impact of SQL Injection is High • Allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Costs and Penalties • HIPAA, FERPA, PCI • Fines, penalties, lawsuits • Prison in extreme cases • Image and reputation
Threat Level is High • As both the risk and potential impact of an SQL injection attack are rated as high, the overall threat level is also rated as high, meaning that an SQL injection attack is very likely to occur and that the damage which could be caused by such an attack is capable of being devastating.
Recommendations • It is recommended that the organization take immediate as well as phased-in action, to mitigate the risk of an SQL Injection Attack on our database application. • Three phases, ranging from immediate to medium range to long term
Organizational Constraints • Organizational constraints are extensive • Complex work/project • Time required (280 hours) • Cost is $25,000 • Other priorities
Phase I - Immediate • Leverage the organization’s centralized login service to place authentication protection in front of the database. • Does not fix the underlying SQL injection software code, it does place a perimeter of protection around the vulnerable database • Inexpensive, easy to implement
Phase II – Medium Range • Next 90 days, develop a specific project plan and work plan to re- write the vulnerable software application. • Present to upper management, outlining the risks and impacts of this threat and a solid case can be made for staff time and funding required to prioritize and fix the software application.
Phase III – Long Term • As time and budgets permit, ask the software engineers to attend training sessions • Will ensure that database software applications built in the future will has SQL Injection Attack security baked in from the beginning
Next Steps • Obtain management’s permission to immediately proceed with the tactical authentication solution, to place a perimeter of security around the vulnerable SQL software code. • Develop a presentation for upper management which describes the threat posed by an SQL Injection Attack and ask for their permission to develop a project plan and work plan to re-write the vulnerable database software application, beginning three months from now. • Contact the education department and ask them to research dates and costs for SQL Injection Attack training for software engineers, over the course of the next year.
More Details • http://www.owasp.org/index.php/SQL_Injection • http://www.owasp.org/index.php/SQL_Injection_Pr • http://en.wikipedia.org/wiki/Sql_injection
Questions • Is the information clear? • Would you like more details? • How would like to proceed? • How can I help you? • Other

More Related Content

PPT
Security testing
bybaskar p
 
PPTX
Security vulnerability
byA. Shamel
 
PDF
BSidesQuebec2013_fred
byBSidesQuebec2013
 
PPTX
How to develop an AppSec culture in your project
by99X Technology
 
PPTX
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
PPTX
Data base security and injection
byA. Shamel
 
PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PPT
Web Application Security
byAbdul Wahid
 
Security testing
bybaskar p
 
Security vulnerability
byA. Shamel
 
BSidesQuebec2013_fred
byBSidesQuebec2013
 
How to develop an AppSec culture in your project
by99X Technology
 
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Data base security and injection
byA. Shamel
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Web Application Security
byAbdul Wahid
 

What's hot

PPTX
What is security testing and why it is so important?
byONE BCG
 
PPT
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
PDF
Testing Web Application Security
byTed Husted
 
PDF
Presentation on vulnerability analysis
byAsif Anik
 
PDF
Security Implications of the Cloud
byAlert Logic
 
PPTX
Security testing
byRihab Chebbah
 
PPTX
Application Threat Modeling
byRochester Security Summit
 
PDF
Security Testing for Test Professionals
byTechWell
 
PDF
Pertemuan 14 keamanan sistem operasi
bynewbie2019
 
PPTX
Application Security-Understanding The Horizon
byLalit Kale
 
PPTX
Os Command Injection Attack
byRaghav Bisht
 
PDF
VSEC LAN Security Assessment Service Profile
byVietnamese Network Security J.S.C
 
PDF
Security Implications of the Cloud - CSS Dallas Azure
byAlert Logic
 
PPTX
Vapt( vulnerabilty and penetration testing ) services
byAkshay Kurhade
 
PPT
Software Security Testing
byankitmehta21
 
PPT
Software Security Engineering
byMarco Morana
 
PPTX
A Brief Introduction to Penetration Testing
byEC-Council
 
PPS
Security testing
byTabăra de Testare
 
PDF
The Complete Web Application Security Testing Checklist
byCigital
 
What is security testing and why it is so important?
byONE BCG
 
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
Testing Web Application Security
byTed Husted
 
Presentation on vulnerability analysis
byAsif Anik
 
Security Implications of the Cloud
byAlert Logic
 
Security testing
byRihab Chebbah
 
Application Threat Modeling
byRochester Security Summit
 
Security Testing for Test Professionals
byTechWell
 
Pertemuan 14 keamanan sistem operasi
bynewbie2019
 
Application Security-Understanding The Horizon
byLalit Kale
 
Os Command Injection Attack
byRaghav Bisht
 
VSEC LAN Security Assessment Service Profile
byVietnamese Network Security J.S.C
 
Security Implications of the Cloud - CSS Dallas Azure
byAlert Logic
 
Vapt( vulnerabilty and penetration testing ) services
byAkshay Kurhade
 
Software Security Testing
byankitmehta21
 
Software Security Engineering
byMarco Morana
 
A Brief Introduction to Penetration Testing
byEC-Council
 
Security testing
byTabăra de Testare
 
The Complete Web Application Security Testing Checklist
byCigital
 

Similar to Sql vulnerability advisory presentation

PDF
Op2423922398
byIJERA Editor
 
PPTX
SQL Injection: Unraveling the Threats
byInsecureLab
 
PDF
Owasp Backend Security Project 1.0beta
bySecurity Date
 
DOCX
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
PPTX
Sql Injection
bypenetration Tester
 
PDF
A Review Report on Security Threats on Database
byShivnandan Singh
 
PPTX
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
DOC
SalemPhilip_ResearchReport
byPhilip Salem
 
PPTX
research desgn on SQL injection attacks 4th april.
bynwabudikeaugustine
 
PPTX
research desgn on SQL injection attacks 4th april on SQL injection attack
bynwabudikeaugustine
 
PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPTX
csf_ppt.pptx
by0567Padma
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PPTX
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
PPTX
Sql server security in an insecure world
byGianluca Sartori
 
PDF
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
DOCX
Database security
byMehrdad Jingoism
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
PDF
A METHOD OF DETECTING SQL INJECTION ATTACK TO SECURE WEB APPLICATIONS
bysamueljackson3773
 
Op2423922398
byIJERA Editor
 
SQL Injection: Unraveling the Threats
byInsecureLab
 
Owasp Backend Security Project 1.0beta
bySecurity Date
 
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
Sql Injection
bypenetration Tester
 
A Review Report on Security Threats on Database
byShivnandan Singh
 
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
SalemPhilip_ResearchReport
byPhilip Salem
 
research desgn on SQL injection attacks 4th april.
bynwabudikeaugustine
 
research desgn on SQL injection attacks 4th april on SQL injection attack
bynwabudikeaugustine
 
SQLi for Security Champions
byPetraVukmirovic
 
csf_ppt.pptx
by0567Padma
 
Understanding and preventing sql injection attacks
byKevin Kline
 
SQL Injection Stegnography in Pen Testing
by191013607gouthamsric
 
Sql server security in an insecure world
byGianluca Sartori
 
Full MSSQL Injection PWNage
byPrathan Phongthiproek
 
Database security
byMehrdad Jingoism
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
A METHOD OF DETECTING SQL INJECTION ATTACK TO SECURE WEB APPLICATIONS
bysamueljackson3773
 

More from Nicholas Davis

PPTX
Conducting a NIST Cybersecurity Framework (CSF) Assessment
byNicholas Davis
 
PPTX
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
PPTX
UW-Madison, Information Systems 371 - Decision Support Systems
byNicholas Davis
 
PPTX
Lecture blockchain
byNicholas Davis
 
PPTX
Software Development Methodologies
byNicholas Davis
 
PPTX
Information systems 365 - Cloud and BYOD Security
byNicholas Davis
 
PPTX
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
PPTX
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
byNicholas Davis
 
PPTX
Information Systems 371 -The Internet of Things Overview
byNicholas Davis
 
PPTX
Cyberwar Gets Personal
byNicholas Davis
 
PPTX
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
byNicholas Davis
 
PPT
Bringing the Entire Information Security Semester Together With a Team Project
byNicholas Davis
 
PPT
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
byNicholas Davis
 
PPTX
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
byNicholas Davis
 
PPTX
Information Security Fall Semester 2016 - Course Wrap Up Summary
byNicholas Davis
 
PPTX
Organizational Phishing Education
byNicholas Davis
 
PPT
Security Operations -- An Overview
byNicholas Davis
 
PPT
Network Design, Common Network Terminology and Security Implications
byNicholas Davis
 
PPT
Survey Presentation About Application Security
byNicholas Davis
 
PPT
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
byNicholas Davis
 
Conducting a NIST Cybersecurity Framework (CSF) Assessment
byNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
byNicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
byNicholas Davis
 
Lecture blockchain
byNicholas Davis
 
Software Development Methodologies
byNicholas Davis
 
Information systems 365 - Cloud and BYOD Security
byNicholas Davis
 
Information Security Awareness: at Work, at Home, and For Your Kids
byNicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
byNicholas Davis
 
Information Systems 371 -The Internet of Things Overview
byNicholas Davis
 
Cyberwar Gets Personal
byNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
byNicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
byNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
byNicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
byNicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
byNicholas Davis
 
Organizational Phishing Education
byNicholas Davis
 
Security Operations -- An Overview
byNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
byNicholas Davis
 
Survey Presentation About Application Security
byNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
byNicholas Davis
 

Recently uploaded

PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 

Sql vulnerability advisory presentation

  • 1.
    Security Vulnerability Advisory SQL Injection Attacks Nicholas Davis December 16, 2010
  • 2.
    Overview Executive Summary SQL InjectionThreat Defined Risk of SQL Injection Attack Impact of SQL Injection Attack Potential Costs and Penalties Threat Level Recommendations Organizational Constraints Phase I Immediate Response Phase II Medium Range Response Phase III Long Term Response Suggested Next Steps Other Sources Questions
  • 3.
    Executive Summary • Asecurity related vulnerability in SQL software code has been identified • Data at risk for unauthorized access, alteration, theft and misuse • Both risk and impact are high, meaning overall threat level is high • Take a three step approach to mitigate the threat
  • 4.
    SQL Injection ThreatDefined • Attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. • Usually, values are inserted into a SELECT query • Interact with the database in illicit ways, including making unauthorized changes, which would damage data integrity
  • 5.
    Example of SQLInjection
  • 6.
    Risk of SQLInjection is High • Manual attack • Automated attack • Risk of SQL injection exploits is on the rise due to the proliferation of automated attack tools.
  • 7.
    Impact of SQLInjection is High • Allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
  • 8.
    Costs and Penalties • HIPAA, FERPA, PCI • Fines, penalties, lawsuits • Prison in extreme cases • Image and reputation
  • 9.
    Threat Level isHigh • As both the risk and potential impact of an SQL injection attack are rated as high, the overall threat level is also rated as high, meaning that an SQL injection attack is very likely to occur and that the damage which could be caused by such an attack is capable of being devastating.
  • 10.
    Recommendations • It isrecommended that the organization take immediate as well as phased-in action, to mitigate the risk of an SQL Injection Attack on our database application. • Three phases, ranging from immediate to medium range to long term
  • 11.
    Organizational Constraints • Organizationalconstraints are extensive • Complex work/project • Time required (280 hours) • Cost is $25,000 • Other priorities
  • 12.
    Phase I -Immediate • Leverage the organization’s centralized login service to place authentication protection in front of the database. • Does not fix the underlying SQL injection software code, it does place a perimeter of protection around the vulnerable database • Inexpensive, easy to implement
  • 13.
    Phase II –Medium Range • Next 90 days, develop a specific project plan and work plan to re- write the vulnerable software application. • Present to upper management, outlining the risks and impacts of this threat and a solid case can be made for staff time and funding required to prioritize and fix the software application.
  • 14.
    Phase III –Long Term • As time and budgets permit, ask the software engineers to attend training sessions • Will ensure that database software applications built in the future will has SQL Injection Attack security baked in from the beginning
  • 15.
    Next Steps • Obtain management’s permission to immediately proceed with the tactical authentication solution, to place a perimeter of security around the vulnerable SQL software code. • Develop a presentation for upper management which describes the threat posed by an SQL Injection Attack and ask for their permission to develop a project plan and work plan to re-write the vulnerable database software application, beginning three months from now. • Contact the education department and ask them to research dates and costs for SQL Injection Attack training for software engineers, over the course of the next year.
  • 16.
    More Details • http://www.owasp.org/index.php/SQL_Injection •http://www.owasp.org/index.php/SQL_Injection_Pr • http://en.wikipedia.org/wiki/Sql_injection
  • 17.
    Questions • Is the information clear? • Would you like more details? • How would like to proceed? • How can I help you? • Other