Security Vulnerability Advisory: SQL Injection Attacks
Nicholas Davis, December 16, 2010

Overview
• Executive Summary
• SQL Injection Threat Defined
• Risk of SQL Injection Attack
• Impact of SQL Injection Attack
• Potential Costs and Penalties
• Threat Level
• Recommendations
• Organizational Constraints
• Phase I Immediate Response
• Phase II Medium Range Response
• Phase III Long Term Response
• Suggested Next Steps
• Other Sources
• Questions

Executive Summary
• A security related vulnerability in SQL software code has been identified
• Data at risk for unauthorized access, alteration, theft and misuse
• Both risk and impact are high, meaning overall threat level is high
• Take a three step approach to mitigate the threat

SQL Injection Threat Defined
• Attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data.
• Usually, values are inserted into a SELECT query
• Interact with the database in illicit ways, including making unauthorized changes, which would damage data integrity

Example of SQL Injection
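As an added illustration of the SELECT-query flaw the deck describes (example code, not from the original presentation), the following Python places a query built by string concatenation beside its parameterized fix and runs both against a constructed in-memory SQLite table. The table, the usernames and the form inputs are all made up for the demo.

```python
import sqlite3

def build_db():
    # Constructed in-memory table standing in for the advisory's database application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def lookup_vulnerable(conn, username):
    # The flaw: the Web-form value is spliced straight into the SELECT text,
    # so whatever the user typed becomes part of the SQL statement.
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The fix: the value is bound as a parameter, so the database engine
    # treats it as data and never as query syntax.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = build_db()
    honest = "alice"
    # Constructed hostile form input: closes the quote and appends a tautology,
    # so the concatenated query matches every row instead of one account.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same hostile input that dumps the whole table through the concatenated query matches no account at all once the value is bound as a parameter, which is why re-writing the query code (Phase II) rather than only filtering input is the lasting fix.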
Risk of SQL Injection is High
• Manual attack
• Automated attack
• Risk of SQL injection exploits is on the rise due to the proliferation of automated attack tools.

Impact of SQL Injection is High
• Allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Costs and Penalties
• HIPAA, FERPA, PCI
• Fines, penalties, lawsuits
• Prison in extreme cases
• Image and reputation

Threat Level is High
• As both the risk and potential impact of an SQL injection attack are rated as high, the overall threat level is also rated as high, meaning that an SQL injection attack is very likely to occur and that the damage which could be caused by such an attack is capable of being devastating.

Recommendations
• It is recommended that the organization take immediate as well as phased-in action to mitigate the risk of an SQL Injection Attack on our database application.
• Three phases, ranging from immediate to medium range to long term

Organizational Constraints
• Organizational constraints are extensive
• Complex work/project
• Time required (280 hours)
• Cost is $25,000
• Other priorities

Phase I – Immediate
• Leverage the organization’s centralized login service to place authentication protection in front of the database.
• Does not fix the underlying SQL injection software code, but it does place a perimeter of protection around the vulnerable database
• Inexpensive, easy to implement

Phase II – Medium Range
• Over the next 90 days, develop a specific project plan and work plan to re-write the vulnerable software application.
• Present to upper management, outlining the risks and impacts of this threat, so that a solid case can be made for the staff time and funding required to prioritize and fix the software application.

Phase III – Long Term
• As time and budgets permit, ask the software engineers to attend training sessions
• Will ensure that database software applications built in the future have SQL Injection Attack security baked in from the beginning

Next Steps
• Obtain management’s permission to immediately proceed with the tactical authentication solution, to place a perimeter of security around the vulnerable SQL software code.
• Develop a presentation for upper management which describes the threat posed by an SQL Injection Attack and ask for their permission to develop a project plan and work plan to re-write the vulnerable database software application, beginning three months from now.
• Contact the education department and ask them to research dates and costs for SQL Injection Attack training for software engineers, over the course of the next year.

More Details
• http://www.owasp.org/index.php/SQL_Injection
• http://www.owasp.org/index.php/SQL_Injection_Pr
• http://en.wikipedia.org/wiki/Sql_injection

Questions
• Is the information clear?
• Would you like more details?
• How would you like to proceed?
• How can I help you?
• Other