Database Activity Monitoring
Hits: 4
Date added: 06/03/2007

Database Activity Monitoring:
Intrusion Detection Security Auditing
At its core, security is all about risk reduction. One of the most effective database security practices, defense-in-depth, employs multiple layers of protection to reduce the risk of intrusion. It is analogous to the many defensive layers surrounding a medieval castle: drawbridge, moat, the outer wall, the inner keep, archers manning the wall, soldiers stationed outside the wall, and so on. No single layer of defense is infallible, and even all of these layers together cannot guarantee that the castle will be 100% impenetrable. They can, however, make the castle (and its crown jewels) far less vulnerable to attackers.

Crawling Ajax-driven Web 2.0 Applications
Hits: 4
Date added: 05/13/2007

Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax poses new challenges [1] for the crawling engine, and new ways of handling the crawling process are required as a result. The objective of this paper is to address this issue with a practical approach using rbNarcissus, Watir and Ruby.

Web Application Security - The Overlooked Vulnerabilities
Hits: 5
Date added: 05/10/2007

Web Application Security - The Overlooked Vulnerabilities
Are you adequately protecting the web applications that your business depends on?
Software flaws are rapidly becoming the vulnerabilities of choice for attackers determined to exploit mission-critical systems. However, it isn’t just vulnerabilities in the web applications themselves that organizations need to be concerned about. Vulnerabilities across the entire enterprise application stack—including the web and application servers, databases and operating systems—that form the foundation for web applications also need to be addressed. Publicity around breaches and regulatory pressures are pushing web application security further into the spotlight. Traditional approaches to web application security, including web application firewalls and web security modules, can be costly and complex, and ultimately do not protect the entire application stack. Host-based intrusion defense with deep packet inspection is a new approach that addresses organizations' need to shield vulnerabilities across the entire application stack.

Preventing Injection Attacks with Syntax Embeddings
Hits: 3
Date added: 05/06/2007

Preventing Injection Attacks with Syntax Embeddings
A Host and Guest Language Independent Approach
Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of host and guest languages.