Reading Room

Application and Database Security

Featuring 41 Papers as of June 14, 2013

• • Overview
  • Download
  Web Application Injection Vulnerabilities: A Web App's Security Nemesis? Erik Couture - June 14, 2013

  An ever-increasing number of high profile data breaches have plagued organizations over the past decade.

• • Overview
  • Download
  Setting Up a Database Security Logging and Monitoring Program Jim Horwath - May 10, 2013

  This paper is about implementing a database security logging and monitoring program to increase the security posture of a corporate infrastructure.

• • Overview
  • Download
  Endpoint Security through Application Streaming Adam Walter - March 25, 2013

  Throughout the last 30 years technology has undergone a shift in implementation.

• • Overview
  • Download
  Auditing ASP.NET applications for PCI DSS compliance Christian Moldes - February 7, 2012

  This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.

• • Overview
  • Download
  Securing Blackboard Learn on Linux David Lyon - December 1, 2011

  Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.

• • Overview
  • Download
  Mass SQL Injection for Malware Distribution Larry Wichman - April 28, 2011

  Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

• • Overview
  • Download
  Four Attacks on OAuth - How to Secure Your OAuth Implementation Khash Kiani - March 24, 2011

  A technical study of an emerging open-protocol technology and its security implications.

• • Overview
  • Download
  Application Whitelisting: Panacea or Propaganda Jim Beechey - January 18, 2011

  Every day, organizations of all sizes struggle to protect their endpoints from a constant barrage of malware. The number of threats continues to increase dramatically each year.

• • Overview
  • Download
  Protecting Users: The Importance Of Defending Public Sites Kristen Sullivan - January 18, 2011

  In the application security industry, one of the hardest elements to communicate to customers is the need for building secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard for secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify reasons for securing public facing sites only offering open record information. The main cause of this is a lack of understanding the risk associated.

• • Overview
  • Download
  Reducing Organizational Risk Through Virtual Patching Joseph Faust - January 11, 2011

  Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing. (Risk Assessment Cisco, n.d.; Executive Office of The United States, 2005) . Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application, has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week. (Shrinking time from, 2006). It has also been identified that 99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available ("Risk reduction and.," 2010) . Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

• • Overview
  • Download
  AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know Jason Lam & Johannes B. Ullrich - May 22, 2009

  XMLHttpRequest is the backbone of Web 2.0 applications. It is a powerful JavaScript function that allows the flexible creation of HTTP requests. Lately, with Internet Explorer 8, XDomainRequest was released, which extends and refines the creation of HTTP requests in JavaScript. Both functions had a defined impact on the development of Web standards. However, both functions are also frequently cited for their usefulness in attack tools. We will investigate the evolution of these functions and how these functions evolved to mitigate the harm done. We found that security requirements put forward by the standard are not implemented consistently across different browsers. Developers need to be aware of these inconsistencies to protect applications from cross site request forgery.

• • Overview
  • Download
  AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them Ed Skoudis and Frank Kim - March 3, 2009

  Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.

• • Overview
  • Download
  Web Based Attacks Justin Crist - January 4, 2008

  Attacks upon information security infrastructures have continued to evolve steadily overtime; legacy network based attacks have largely been replaced by more sophisticated web application based attacks. This paper will introduce and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the underlying application attack vectors and methods of mitigation after reading this paper.

• • Overview
  • Download
  Analyzing Attack Surface Code Coverage Justin Seitz - November 14, 2007

  The art of analyzing a software system for security and robustness flaws can be a daunting task, and often begs a question: when is the analysis complete? Commonly a researcher or analyst answers this question by determining whether they have run out of budget, time, or have found bugs. However, these are not empirical pieces of evidence, what is really required is to understand how much of the software that is attackable was exercised.

• • Overview
  • Download
  Forensic Analysis of a SQL Server 2005 Database Server Kevvie Fowler - September 28, 2007

  In-depth analysis of a forensic analysis of a SQL Server 2005 Database Server.

• • Overview
  • Download
  Automated Scanning of Oracle 10g Databases Rory McCune - August 7, 2007

  This paper analyses the various areas of Oracle security covered by the course and seeks to propose details of which checks could be carried out automatically and how (for example what parameters to check, and what the various resultant values would indicate about the security of the database).

• • Overview
  • Download
  Using Oracle Forensics to determine vulnerability to Zero Day exploits Paul Wright - February 28, 2007

  The aim of this paper is to explain the threat of PLSQL injection on Oracle databases and show how principles from the world of computer forensics can be transferred to Oracle in order to deduce vulnerability to past and future exploits with a high level of certainty. This paper will enable the reader to assess the effects of applying an Oracle security patch (CPU), and identify windows of past vulnerability that can be usefully correlated with archived audit logs in order to locate previous attacks.

• • Overview
  • Download
  Security in Sun Java System Application Server Platform Edition 8.0 Sid Ansari - June 29, 2005

  In what follows, we will examine the various parts of this definition before turning to an examination of how Enterprise Java Beans can be secured.

• • Overview
  • Download
  Web Browser Insecurity Paul Asadoorian - June 2, 2005

  There has been much debate lately between two different browsers, namely Microsoft's Internet Explorer and the Mozilla Project's Firefox web browser. Security is in the center of this debate, accompanied by features and usability.

• • Overview
  • Download
  Application Firewalls: Don't Forget About Layer 7 Russell Eubanks - May 17, 2005

  Securing web-based communication is and will remain vital to existing business sustainability and future growth.

• • Overview
  • Download
  Reining in the LAN client David Monaco - February 25, 2005

  We'll often see inadequate access control for the local area network (LAN). It is usually considered a "trusted zone" thus unfortunately a frequently neglected zone. While the LAN may well be the most trusted zone, to achieve an appropriate level of layered security, authorizing clients attaching to the LAN is paramount.

• • Overview
  • Download
  Securing SQL Connection String Dmitry Dessiatnikov - April 8, 2004

  Securing authentication information used to establish connection between two applications is one of the most critical aspects of application security. This paper will focus on protecting connection strings used to authenticate communication between the web server and the back-end database.

• • Overview
  • Download
  Assessing Vendor Application Security A Practical Way to Begin Barton Hubbs - April 8, 2004

  Many companies are adopting a preference toward buying vendor software versus building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to market, process savings, and reducing the cost of information technology (IT).

• • Overview
  • Download
  Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach Vilas Ankolekar - December 13, 2003

  This paper addresses the security challenges that exist due to programming flaws, and explains how simple programming practices can reduce the risks.

• • Overview
  • Download
  SQL Server 2000: Permissions on System Tables Granted to Logins Due to the Public Role K Kelley - December 13, 2003

  Microsoft SQL Server 7.0 and 2000 make use of the concept of roles at the server level and within each database which is discussed in this paper, specifically taking a close look at the public role.

• • Overview
  • Download
  Service Account Vulnerabilities Barbara Guhanick - October 31, 2003

  This paper discusses "powerful" accounts used to run application sofware service, and/or, internally to provide data access as vulnerabilities in application security (Microsoft NT/2000 environment).

• • Overview
  • Download
  Source Code Revelation Vulnerabilities Christopher Short - October 31, 2003

  Application security cannot be ignored in today's complex and competitive environment.

• • Overview
  • Download
  Database - The Final Firewall Brian Suddeth - October 31, 2003

  Multiple layers of security may be set in your database management system, this last line of defense, helping to control access, monitor usage, set tripwires for intrusions, and attempt to maintain evidence needed if intrusions or misuse occur

• • Overview
  • Download
  An Approach to Application Security Ian Rathie - October 31, 2003

  This document discusses an approach to assessing application security and developing a simple Security Development Life Cycle to complement an organization's Systems Development Life Cycle.

• • Overview
  • Download
  Distributed Object Technology: Security Perspective Subbu Cherukuwada - October 31, 2003

  An introduction to distributed object technology and an overview of security features available in Microsoft.NET and CORBA.

• • Overview
  • Download
  Making Your Network Safe for Databases Duane Winner - October 31, 2003

  Guidelines for securing a database-driven web site.

• • Overview
  • Download
  Web Application Security for Managers Pierre Brassinne - October 31, 2003

  Recommendations to managers for securing web applications

• • Overview
  • Download
  Distributed Systems Security: Java, CORBA, and COM+ April Moreno - October 31, 2003

  The purpose of this paper is to examine three popular architectures for distributed systems applications and their security implications.

• • Overview
  • Download
  Security Scenarios in Analysis and Design Dwight Haworth - October 31, 2003

  This article addresses the issue of designing security into systems rather than trying to add it to systems after development.

• • Overview
  • Download
  Framework for Secure Application Design and Development Chris McCown - October 31, 2003

  This paper presents a framework to assist developers in the practice of secure application design and development.

• • Overview
  • Download
  Security for a CRM environment Jason LaFrance - October 31, 2003

  This paper is designed to help the security professional determine the considerations that are involved with a secure CRM rollout.

• • Overview
  • Download
  Securing Server Side Java William Rushmore - October 31, 2003

  Although Java has many security features, some Java programmers may think these built-in protections are adequate for securing their applications, however, nothing could be further from the truth.

• • Overview
  • Download
  Deploying a Secure Web Application: From a Coding Perspective Jaime Spicciati - October 31, 2003

  The purpose of this document is to give a developer a very detailed and reproducible guideline for the development of a typical web application, focused on common flaws that recently emerged in popular web applications.

• • Overview
  • Download
  J.D. Edwards Security using RBAC Scott Gordee - October 31, 2003

  Although OneWorld security is incredibly flexible, it can also become convoluted and difficult to manage if a security model isn't created and enforced in the infancy of its implementation.

• • Overview
  • Download
  Securing End User Active Server Page Applications on an Intranet Bob Bohn - October 31, 2003

  This paper discusses the evolution of end user computing as well as the issues involved, and explores a number of techniques which can be used to secure end user applications in a Microsoft IIS 4.0 intranet environment.

• • Overview
  • Download
  SQL Server Email - vulnerability issues and prevention strategies Frank Ress - October 31, 2003

  This paper will explore some of the ways this feature could be used by both legitimate users and intruders.

Masters This paper was created by a SANS Technology Institute student as part of their Master's curriculum.