SlideShare a Scribd company logo

Wp defending-against-sql-injection

C
cheinyeanlim

SQL injection attacks take advantage of poorly secured web applications to access database assets by inputting malicious SQL commands. To defend against these attacks, organizations need to add layers of protection at the database level. DbProtect provides precision database activity monitoring and active response capabilities to proactively eliminate vulnerabilities, continuously monitor for SQL injection signatures, and immediately respond to detected attacks. It helps secure sensitive data by discovering databases, identifying sensitive data, enforcing access controls, and controlling security processes related to the database.

Technology
1 of 3
Download to read offline
WHITE PAPER Defending Against SQL Injection SQL Injection (SQLi) is an attack methodology designed to To effectively protect sensitive data assets from SQL Injection provide hackers with access to database assets. SQLi takes attacks, organizations need to add a second line of defense and advantage of poorly secured web applications to create a protect the data where it lives – in the database. DbProtect connection to the database. This is done by inputting a SQL Precision Database Activity Monitoring (DAM) protects command into an input field of a web application. Once an organizations from SQL Injection attacks by: “injection hole” is found, hackers are free to “explore” the database in search of database vulnerabilities they can exploit. • Proactively eliminating vulnerabilities that SQLi attackers exploit. Network-based defenses, such as Web Application Firewalls (WAFs), are one line of defense against SQLi attacks. However, • Continuously monitoring for SQLi signatures indicating they are limited by their ability to keep pace with the latest SQLi an attack. attack signatures. The experienced hacker will eventually find a way through these perimeter defenses. • Immediately and automatically responding to an SQLi attack. 5 Key Steps to Database Precision DAM enables organizations to secure their databases Security Process Control from SQLi attacks by controlling the security processes that impacts sensitive data. In order to effectively secure their databases, organizations must address five critical requirements: 1. Isolate Sensitive Databases: Maintain an accurate FOUR STEPS TO COST EFFECTIVE SQL INJECTION inventory of all databases deployed across the enterprise and identify all sensitive data residing on PROTECTION those databases. Step 1: Isolate Sensitive Databases 2. Eliminate Vulnerabilities: Identify and fix vulnerabilities that are exposing the database on a continual basis. The first step to effective SQLi protection is to isolate all 3. Enforce Least Privileges: Reset user access controls databases containing sensitive data. Over time, databases and privileges to allow access to only the minimum data become populated with unauthorized databases. These required for employees to do their jobs. “rogue” databases typically fall outside of IT control and are 4. Monitor for Deviations: Implement appropriate rarely configured or secured properly. As a result, they create policies and monitor for any and all activity that deviates from normal and authorized activity. a security risk by giving attackers an easy target to gain a 5. Respond to Suspicious Behavior: Alert and respond foothold on the network and find access to other databases to any abnormal or suspicious behavior in real-time to containing sensitive data. minimize risk of attack.
Defending Against SQL Injection 2 WHITE PAPER DbProtect’s Database Discovery feature generates a complete inventory of all databases deployed enterprise-wide. It identifies all production, test, and temporary databases, and more importantly, any unauthorized databases. DbProtect’s Sensitive Data Discovery identifies and locates all sensitive data residing on those databases. DbProtect helps organizations to protect their sensitive data by: • Ensuring all sensitive data is located on authorized Step 3. Monitor for Deviations and secured databases. DbProtect Database Activity Monitoring (DAM) tracks activity as it hits the database. It watches and evaluates commands, • Restricting access and use of the sensitive data. looking for signatures that identify database activity as a possible SQL Injection attack. • Identifying and removing any unauthorized databases from their networks. DBProtect’s unique approach to DAM is precision monitoring. Precision monitoring employs DbProtect’s powerful policy Step 2: Eliminate Vulnerabilities development engine to streamline monitoring operations to SQL Injection attacks are used to penetrate network defenses. focus on any suspicious activity threatening sensitive data. Once inside, attackers “explore” the network, looking for DbProtect’s precision DAM solution can be customized to a database vulnerabilities they can exploit to gain access to fine level of granularity – A specific activity, performed by a sensitive data. Default and weak passwords, database specific user, accessing a specific data, in a specific database. misconfigurations, and missing security patches provide easy In this way, SQLi attacks are not lost in the noise of other avenues of attack to the experienced hacker. DbProtect’s database activity. Vulnerability Management provides unparalleled database vulnerability assessment, allowing organizations to identify and eliminate vulnerabilities and fix misconfigurations that put their sensitive data at risk. DbProtect’s powerful Policy Development engine is driven by the SHATTER Knowledgebase, the most comprehensive and up-to-date vulnerability and threat knowledgebase in the industry. SHATTER provides checks on database procedures and functions that are exploitable by SQLi attacks. Each check in the SHATTER knowledgebase provides clear and detailed remediation instructions to insure that the vulnerabilities exposing sensitive data to SQLi attacks are fixed in a timely Backed by the same SHATTER knowledgebase, DbProtect‘s manner. Precision DAM reduces risk and offers best-in-class data protection against SQLi attacks.
Defending Against SQL Injection 3 WHITE PAPER Step 4: Respond to Active response can be Suspicious Behavior customized to a fine level DBProtect’s Active of granularity – A specific Response provides activity, performed by a an additional layer specific user, accessing of protection against specific data, in a specific SQL Injection attacks. database. Active Response can be configured to take action Incorporating a when an SQLi signature is identified. For example: When comprehensive and disciplined program of database security DbProtect recognizes an SQL injection signature, Active process control and managing these basic steps will help Response can be configured to: organizations to cost-effectively protect their sensitive data from SQL Injection attacks. • Send an alert to IT Security. • Notify the SIEM system to correlate database activity with web application logs. • Initiate a malware scan to remove any injected code. ABOUT APPLICATION SECURITY, INC. (APPSECINC) AppSecInc is a pioneer and leading provider of database security and compliance solutions for the enterprise. By providing strategic and scalable software-only solutions – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – AppSecInc supports the database lifecycle for some of the most complex and demanding environments in the world across more than 1,300 active commercial and government customers. Leveraging the world’s most comprehensive database security knowledgebase from the company’s renowned team of threat researchers, TeamSHATTER, AppSecInc products help customers achieve unprecedented levels of data security while reducing overall risk and helping to ensure continuous regulatory and industry compliance. For more information, please visit: www.appsecinc.com | www.teamshatter.com For a free database vulnerability assessment visit: www.appsecinc.com/downloads/appdetectivepro Follow us on Twitter: www.twitter.com/appsecinc | www.twitter.com/teamshatter www.appsecinc.com 350 Madison Avenue, 6th Floor, New York, NY 10017 TOLL FREE 866 9APPSEC MAIN +1 212 912 4100 FAX +1 212 947 8788 Copyright © 2012 Application Security Inc. DbProtect and AppDetectivePro are trademarks of Application Security, Inc. WP-SQL REV.1.12 All other product names, service marks, and trademarks mentioned herein are trademarks of their respective owners.

Recommended

Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin RowneySymantec
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Symantec Ubiquity
Symantec UbiquitySymantec Ubiquity
Symantec UbiquitySymantec
 
Enhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetEnhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetijctet
 

Recommended

Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...
Symantec Introduces New Security Solutions to Counter Advanced Persistent Thr...Symantec
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Cio ciso security_strategyv1.1
Cio ciso security_strategyv1.1Anindya Ghosh,
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin RowneySymantec
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Symantec Ubiquity
Symantec UbiquitySymantec Ubiquity
Symantec UbiquitySymantec
 
Enhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetEnhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetijctet
 
Symantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentationAndrew Wong
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Kuniyasu Suzaki
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.comIJERD Editor
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_finalCMR WORLD TECH
 
Axoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment ServicesAxoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment ServicesBulent Buyukkahraman
 
Ldc
LdcLdc
LdcAkosenko
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
Antigena Overview
Antigena OverviewAntigena Overview
Antigena OverviewAustin Eppstein
 
Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Mindtree Ltd.
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Ijnsa050214
Ijnsa050214Ijnsa050214
Ijnsa050214IJNSA Journal
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringQ1 Labs
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudBob Rhubart
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensicsMag
 
Second Life as a Pedagogical Tool
Second Life as a Pedagogical ToolSecond Life as a Pedagogical Tool
Second Life as a Pedagogical ToolLaura Nicosia
 
Beyond second life_acrl_final version
Beyond second life_acrl_final versionBeyond second life_acrl_final version
Beyond second life_acrl_final versionIlene Frank
 

More Related Content

What's hot

Symantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentationAndrew Wong
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Kuniyasu Suzaki
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_finalCMR WORLD TECH
 
Axoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment ServicesAxoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment ServicesBulent Buyukkahraman
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYjmical
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGtovmug
 
Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Mindtree Ltd.
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2Ian Sommerville
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringQ1 Labs
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudBob Rhubart
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensicsMag
 

What's hot (20)

Symantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility Strategy
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
www.ijerd.com
www.ijerd.comwww.ijerd.com
www.ijerd.com
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
Axoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment ServicesAxoss Network Vulnerability Assessment Services
Axoss Network Vulnerability Assessment Services
 
Ldc
LdcLdc
Ldc
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
Trend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUGTrend Micro Dec 6 Toronto VMUG
Trend Micro Dec 6 Toronto VMUG
 
Antigena Overview
Antigena OverviewAntigena Overview
Antigena Overview
 
Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.Vulnerability assessment and penetration testing service.
Vulnerability assessment and penetration testing service.
 
CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2CS5032 L20 cybersecurity 2
CS5032 L20 cybersecurity 2
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Ijnsa050214
Ijnsa050214Ijnsa050214
Ijnsa050214
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk Scoring
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teaser
 

Viewers also liked

Second Life as a Pedagogical Tool
Second Life as a Pedagogical ToolSecond Life as a Pedagogical Tool
Second Life as a Pedagogical ToolLaura Nicosia
 
Beyond second life_acrl_final version
Beyond second life_acrl_final versionBeyond second life_acrl_final version
Beyond second life_acrl_final versionIlene Frank
 
Paddle Canada Client Presentation
Paddle Canada Client PresentationPaddle Canada Client Presentation
Paddle Canada Client PresentationCarlye Oda
 
Symantec Website Security Threat Report
Symantec Website Security Threat ReportSymantec Website Security Threat Report
Symantec Website Security Threat Reportcheinyeanlim
 
Session 210 _accessibility_for_ios
Session 210 _accessibility_for_iosSession 210 _accessibility_for_ios
Session 210 _accessibility_for_ioscheinyeanlim
 

Viewers also liked (7)

Second Life as a Pedagogical Tool
Second Life as a Pedagogical ToolSecond Life as a Pedagogical Tool
Second Life as a Pedagogical Tool
 
Beyond second life_acrl_final version
Beyond second life_acrl_final versionBeyond second life_acrl_final version
Beyond second life_acrl_final version
 
Paddle Canada Client Presentation
Paddle Canada Client PresentationPaddle Canada Client Presentation
Paddle Canada Client Presentation
 
Symantec Website Security Threat Report
Symantec Website Security Threat ReportSymantec Website Security Threat Report
Symantec Website Security Threat Report
 
Second Life Teacher's Toolkit
Second Life Teacher's ToolkitSecond Life Teacher's Toolkit
Second Life Teacher's Toolkit
 
Oracle 0472
Oracle 0472Oracle 0472
Oracle 0472
 
Session 210 _accessibility_for_ios
Session 210 _accessibility_for_iosSession 210 _accessibility_for_ios
Session 210 _accessibility_for_ios
 

Similar to Wp defending-against-sql-injection

Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
Database security copy
Database security copyDatabase security copy
Database security copyfika sweety
 
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...Whitepaper, lynx secure rootkit detection & protection by means of secure vir...
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...Avishai Ziv
 
Web security
Web securityWeb security
Web securitydogangcr
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsInsecureLab
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMIJORCS
 
Oracle Database Firewall - Pierre Leon
Oracle Database Firewall - Pierre LeonOracle Database Firewall - Pierre Leon
Oracle Database Firewall - Pierre LeonOracleVolutionSeries
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Securityijsrd.com
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallySukanya Ben
 
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...Mohammed Abdul Lateef
 
Network Security v1.0 - Module 1.pptx
Network Security v1.0 - Module 1.pptxNetwork Security v1.0 - Module 1.pptx
Network Security v1.0 - Module 1.pptxSamatarHussein
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 
Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Anna Stirling
 

Similar to Wp defending-against-sql-injection (20)

Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
Database security copy
Database security copyDatabase security copy
Database security copy
 
Op2423922398
Op2423922398Op2423922398
Op2423922398
 
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...Whitepaper, lynx secure rootkit detection & protection by means of secure vir...
Whitepaper, lynx secure rootkit detection & protection by means of secure vir...
 
Web security
Web securityWeb security
Web security
 
203135 Muhammad Usama.pptx
203135 Muhammad Usama.pptx203135 Muhammad Usama.pptx
203135 Muhammad Usama.pptx
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
 
Oracle Database Firewall - Pierre Leon
Oracle Database Firewall - Pierre LeonOracle Database Firewall - Pierre Leon
Oracle Database Firewall - Pierre Leon
 
Double guard
Double guardDouble guard
Double guard
 
PPT_Compiled
PPT_CompiledPPT_Compiled
PPT_Compiled
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Security
 
Database security
Database securityDatabase security
Database security
 
CH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and EthicallyCH11-Managing Computing Securely, Safely and Ethically
CH11-Managing Computing Securely, Safely and Ethically
 
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
Traditional Reconnaissance and Attacks, Malicious Software, Defense in Depth,...
 
Network Security v1.0 - Module 1.pptx
Network Security v1.0 - Module 1.pptxNetwork Security v1.0 - Module 1.pptx
Network Security v1.0 - Module 1.pptx
 
Network security
Network securityNetwork security
Network security
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Discovering Computers: Chapter 11
Discovering Computers: Chapter 11Discovering Computers: Chapter 11
Discovering Computers: Chapter 11
 

Recently uploaded

IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 

Recently uploaded (20)

IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

Wp defending-against-sql-injection

  • 1. WHITE PAPER Defending Against SQL Injection SQL Injection (SQLi) is an attack methodology designed to To effectively protect sensitive data assets from SQL Injection provide hackers with access to database assets. SQLi takes attacks, organizations need to add a second line of defense and advantage of poorly secured web applications to create a protect the data where it lives – in the database. DbProtect connection to the database. This is done by inputting a SQL Precision Database Activity Monitoring (DAM) protects command into an input field of a web application. Once an organizations from SQL Injection attacks by: “injection hole” is found, hackers are free to “explore” the database in search of database vulnerabilities they can exploit. • Proactively eliminating vulnerabilities that SQLi attackers exploit. Network-based defenses, such as Web Application Firewalls (WAFs), are one line of defense against SQLi attacks. However, • Continuously monitoring for SQLi signatures indicating they are limited by their ability to keep pace with the latest SQLi an attack. attack signatures. The experienced hacker will eventually find a way through these perimeter defenses. • Immediately and automatically responding to an SQLi attack. 5 Key Steps to Database Precision DAM enables organizations to secure their databases Security Process Control from SQLi attacks by controlling the security processes that impacts sensitive data. In order to effectively secure their databases, organizations must address five critical requirements: 1. Isolate Sensitive Databases: Maintain an accurate FOUR STEPS TO COST EFFECTIVE SQL INJECTION inventory of all databases deployed across the enterprise and identify all sensitive data residing on PROTECTION those databases. Step 1: Isolate Sensitive Databases 2. Eliminate Vulnerabilities: Identify and fix vulnerabilities that are exposing the database on a continual basis. The first step to effective SQLi protection is to isolate all 3. Enforce Least Privileges: Reset user access controls databases containing sensitive data. Over time, databases and privileges to allow access to only the minimum data become populated with unauthorized databases. These required for employees to do their jobs. “rogue” databases typically fall outside of IT control and are 4. Monitor for Deviations: Implement appropriate rarely configured or secured properly. As a result, they create policies and monitor for any and all activity that deviates from normal and authorized activity. a security risk by giving attackers an easy target to gain a 5. Respond to Suspicious Behavior: Alert and respond foothold on the network and find access to other databases to any abnormal or suspicious behavior in real-time to containing sensitive data. minimize risk of attack.
  • 2. Defending Against SQL Injection 2 WHITE PAPER DbProtect’s Database Discovery feature generates a complete inventory of all databases deployed enterprise-wide. It identifies all production, test, and temporary databases, and more importantly, any unauthorized databases. DbProtect’s Sensitive Data Discovery identifies and locates all sensitive data residing on those databases. DbProtect helps organizations to protect their sensitive data by: • Ensuring all sensitive data is located on authorized Step 3. Monitor for Deviations and secured databases. DbProtect Database Activity Monitoring (DAM) tracks activity as it hits the database. It watches and evaluates commands, • Restricting access and use of the sensitive data. looking for signatures that identify database activity as a possible SQL Injection attack. • Identifying and removing any unauthorized databases from their networks. DBProtect’s unique approach to DAM is precision monitoring. Precision monitoring employs DbProtect’s powerful policy Step 2: Eliminate Vulnerabilities development engine to streamline monitoring operations to SQL Injection attacks are used to penetrate network defenses. focus on any suspicious activity threatening sensitive data. Once inside, attackers “explore” the network, looking for DbProtect’s precision DAM solution can be customized to a database vulnerabilities they can exploit to gain access to fine level of granularity – A specific activity, performed by a sensitive data. Default and weak passwords, database specific user, accessing a specific data, in a specific database. misconfigurations, and missing security patches provide easy In this way, SQLi attacks are not lost in the noise of other avenues of attack to the experienced hacker. DbProtect’s database activity. Vulnerability Management provides unparalleled database vulnerability assessment, allowing organizations to identify and eliminate vulnerabilities and fix misconfigurations that put their sensitive data at risk. DbProtect’s powerful Policy Development engine is driven by the SHATTER Knowledgebase, the most comprehensive and up-to-date vulnerability and threat knowledgebase in the industry. SHATTER provides checks on database procedures and functions that are exploitable by SQLi attacks. Each check in the SHATTER knowledgebase provides clear and detailed remediation instructions to insure that the vulnerabilities exposing sensitive data to SQLi attacks are fixed in a timely Backed by the same SHATTER knowledgebase, DbProtect‘s manner. Precision DAM reduces risk and offers best-in-class data protection against SQLi attacks.
  • 3. Defending Against SQL Injection 3 WHITE PAPER Step 4: Respond to Active response can be Suspicious Behavior customized to a fine level DBProtect’s Active of granularity – A specific Response provides activity, performed by a an additional layer specific user, accessing of protection against specific data, in a specific SQL Injection attacks. database. Active Response can be configured to take action Incorporating a when an SQLi signature is identified. For example: When comprehensive and disciplined program of database security DbProtect recognizes an SQL injection signature, Active process control and managing these basic steps will help Response can be configured to: organizations to cost-effectively protect their sensitive data from SQL Injection attacks. • Send an alert to IT Security. • Notify the SIEM system to correlate database activity with web application logs. • Initiate a malware scan to remove any injected code. ABOUT APPLICATION SECURITY, INC. (APPSECINC) AppSecInc is a pioneer and leading provider of database security and compliance solutions for the enterprise. By providing strategic and scalable software-only solutions – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – AppSecInc supports the database lifecycle for some of the most complex and demanding environments in the world across more than 1,300 active commercial and government customers. Leveraging the world’s most comprehensive database security knowledgebase from the company’s renowned team of threat researchers, TeamSHATTER, AppSecInc products help customers achieve unprecedented levels of data security while reducing overall risk and helping to ensure continuous regulatory and industry compliance. For more information, please visit: www.appsecinc.com | www.teamshatter.com For a free database vulnerability assessment visit: www.appsecinc.com/downloads/appdetectivepro Follow us on Twitter: www.twitter.com/appsecinc | www.twitter.com/teamshatter www.appsecinc.com 350 Madison Avenue, 6th Floor, New York, NY 10017 TOLL FREE 866 9APPSEC MAIN +1 212 912 4100 FAX +1 212 947 8788 Copyright © 2012 Application Security Inc. DbProtect and AppDetectivePro are trademarks of Application Security, Inc. WP-SQL REV.1.12 All other product names, service marks, and trademarks mentioned herein are trademarks of their respective owners.