Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

MySQL WebSite Hacked by (Ironically) Blind SQL Injection

Allow me to point out a little bit of irony in this headline ... a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL Injection.  Ouch.

Web App's Public Enemy Number 1: SQL Injection

I don't know if you've paid attention to the media lately, but there has been some high-profile chaos on the Internet the last few weeks. Hacking web applications is not only in season, but it's apparently so easy a Caveman can do it ... sorry Geico, I just love that phrase! As the incidents pile up I've gone from annoyed, to angry, to downright amused with how bad the state of application security is ... really. I said earlier this week in an interview with Bill Brenner of CSO Online that I think on the whole the state of web application security is actually worse than where we were a few years ago ... now I have something to measure against.

Labels: SQL Injection | ssa

Select * from ...FAIL

Whatever happened to the concept of least privilege?

One of the interesting mitigations that I think people are missing for some of the attacks against SQL-based web applications is restricting data access. While you can't really keep applications from stealing data (reading from tables), because odds are your application needs to read most of the tables in the database that's designed for that application, you can keep yourself from being injected to an extent if you follow a few relatively simple tips...

Labels: SQL Injection
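To make the least-privilege point concrete, here is an added MySQL example (my own illustration, not code from the blog post) showing the usual over-privileged application account next to accounts scoped to what each code path actually needs. The database name `shop`, the tables, the account names and the `10.0.0.%` host pattern are all assumptions constructed for the example.

```sql
-- Constructed example: least-privilege MySQL accounts for a web application.
-- Schema, account names and host pattern are assumptions, not from the original post.

CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS products (
  id    INT PRIMARY KEY,
  name  VARCHAR(100) NOT NULL,
  price DECIMAL(10,2) NOT NULL
);
CREATE TABLE IF NOT EXISTS users (
  id            INT PRIMARY KEY,
  email         VARCHAR(255) NOT NULL,
  password_hash CHAR(60) NOT NULL
);
CREATE TABLE IF NOT EXISTS orders (
  id      INT PRIMARY KEY AUTO_INCREMENT,
  user_id INT NOT NULL,
  total   DECIMAL(10,2) NOT NULL
);

-- BEFORE: one account with everything. Any injection point in any page now
-- reads and writes every table, and can use FILE to touch the filesystem.
CREATE USER IF NOT EXISTS 'webapp_bad'@'10.0.0.%' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON *.* TO 'webapp_bad'@'10.0.0.%';

-- AFTER: separate accounts per code path, each limited to the tables
-- (and where possible the columns) that path actually touches.

-- Public catalogue pages only ever read product listings: SELECT on three
-- columns of one table, nothing on users or orders.
CREATE USER IF NOT EXISTS 'catalog_ro'@'10.0.0.%' IDENTIFIED BY 'change-me';
GRANT SELECT (id, name, price) ON shop.products TO 'catalog_ro'@'10.0.0.%';

-- Checkout inserts orders and reads the customer's id and email; it never
-- needs password_hash, so the column grant leaves it out.
CREATE USER IF NOT EXISTS 'checkout'@'10.0.0.%' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT ON shop.orders TO 'checkout'@'10.0.0.%';
GRANT SELECT (id, email) ON shop.users TO 'checkout'@'10.0.0.%';

-- Login is the only path that should read password_hash, and it only reads.
CREATE USER IF NOT EXISTS 'auth_ro'@'10.0.0.%' IDENTIFIED BY 'change-me';
GRANT SELECT (id, email, password_hash) ON shop.users TO 'auth_ro'@'10.0.0.%';

-- Retire the catch-all account once the application uses the scoped ones.
DROP USER IF EXISTS 'webapp_bad'@'10.0.0.%';

-- Checks worth running before deployment:
-- 1. What can each account actually do?
SHOW GRANTS FOR 'catalog_ro'@'10.0.0.%';
SHOW GRANTS FOR 'checkout'@'10.0.0.%';

-- 2. Which accounts still hold global privileges that no web app needs?
SELECT user, host
FROM mysql.user
WHERE Select_priv = 'Y' OR File_priv = 'Y' OR Super_priv = 'Y';
```

With the scoped accounts in place, an injection through the catalogue page that tries to read `users.password_hash` is refused by the server with a "command denied" error instead of returning data, which both limits the damage and gives you something to alert on in the database error log. The flip side, as the post notes, is that this does not stop an attacker from reading whatever the compromised code path legitimately needs, so it complements parameterised queries rather than replacing them.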
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation