Академический Документы
Профессиональный Документы
Культура Документы
About Cigital
A leading consulting firm specializing in helping
organizations improve their software security and software
quality posture
Recognized experts in “Building Security In”
Extensive Industry Standards, Best Practices, and
Regulatory Compliance Experience
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 2
1
Software Security Is A Challenge
.NET
unexpected ways and
are changed on the fly This simple interface…
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 3
9000 8064
8000
7000
5690
6000
5000 4129 3784 3780
4000
3000 2437
2000 1090
1000
0
2000 2001 2002 2003 2004 2005 2006
Source: CERT
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 4
2
Web-based Application Vulnerability
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 5
20.00%
XSS
15.00%
buf
sql-inject
10.00%
dot
5.00%
0.00%
2000 2001 2002 2003 2004 2005 2006 2007
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 6
3
Software Security Touchpoints
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 7
SQL Injection
Insert SQL commands into data fields to alter
behavior of server
Return different data
Overwork server with unbounded queries and
joins (denial of service)
Alter data
Execute blocks of arbitrary SQL statements
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 8
4
Example SQL Injection Vulnerability
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 9
JRM2
SQL Injection
Insert SQL commands into data fields to alter
behavior of application
Example: Enter x’ OR ‘a’=‘a instead of
“Visa” to produce
SELECT cc_type, cc_num FROM cc_data
WHERE id=‘123456789’ AND
cc_type =‘x’ OR ‘a’ = ‘a’
Results in all credit card data being returned
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 10
5
Slide 10
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential. Tuesday, May 01, 2007 12