SANS InfoSec Reading Room - Application and Database Security

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Featuring 40 papers as of May 20, 2013
PDF Setting Up a Database Security Logging and Monitoring Program
By: Jim Horwath (posted on May 10, 2013)
This paper is about implementing a database security logging and monitoring program to increase the security posture of a corporate infrastructure.
PDF Endpoint Security through Application Streaming
By: Adam Walter (posted on March 25, 2013)
Throughout the last 30 years, technology has undergone a shift in implementation.
PDF Auditing ASP.NET applications for PCI DSS compliance
By: Christian Moldes (posted on February 7, 2012)
This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.
PDF Securing Blackboard Learn on Linux
By: David Lyon (posted on December 1, 2011)
Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web-based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems, which are licensed separately.
PDF Mass SQL Injection for Malware Distribution
By: Larry Wichman (posted on April 28, 2011)
Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.
PDF Four Attacks on OAuth - How to Secure Your OAuth Implementation
By: Khash Kiani (posted on March 24, 2011)
A technical study of an emerging open-protocol technology and its security implications.
PDF Application Whitelisting: Panacea or Propaganda
By: Jim Beechey (posted on January 18, 2011)
Every day, organizations of all sizes struggle to protect their endpoints from a constant barrage of malware. The number of threats continues to increase dramatically each year.
PDF Protecting Users: The Importance Of Defending Public Sites
By: Kristen Sullivan (posted on January 18, 2011)
In the application security industry, one of the hardest elements to communicate to customers is the need for building secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard for secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify reasons for securing public facing sites only offering open record information. The main cause of this is a lack of understanding the risk associated.
PDF Reducing Organizational Risk Through Virtual Patching
By: Joseph Faust (posted on January 11, 2011)
Software patching for IT departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically, the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005). Corporations and government now have a greater understanding of the potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations' reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week ("Shrinking time from," 2006). It has also been identified that "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available" ("Risk reduction and," 2010). Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.
PDF AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know
By: Jason Lam & Johannes B. Ullrich (posted on May 22, 2009)
XMLHttpRequest is the backbone of Web 2.0 applications. It is a powerful JavaScript function that allows the flexible creation of HTTP requests. Lately, with Internet Explorer 8, XDomainRequest was released, which extends and refines the creation of HTTP requests in JavaScript. Both functions had a defined impact on the development of Web standards. However, both functions are also frequently cited for their usefulness in attack tools. We will investigate the evolution of these functions and how these functions evolved to mitigate the harm done. We found that security requirements put forward by the standard are not implemented consistently across different browsers. Developers need to be aware of these inconsistencies to protect applications from cross site request forgery.
PDF AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them
By: Ed Skoudis and Frank Kim (posted on March 3, 2009)
PDF Web Based Attacks
By: Justin Crist (posted on January 4, 2008)
PDF Analyzing Attack Surface Code Coverage
By: Justin Seitz (posted on November 14, 2007)
PDF Forensic Analysis of a SQL Server 2005 Database Server
By: Kevvie Fowler (posted on September 28, 2007)
PDF Automated Scanning of Oracle 10g Databases
By: Rory McCune (posted on August 7, 2007)
PDF Using Oracle Forensics to determine vulnerability to Zero Day exploits
By: Paul Wright (posted on February 28, 2007)
The aim of this paper is to explain the threat of PL/SQL injection on Oracle databases and show how principles from the world of computer forensics can be transferred to Oracle in order to deduce vulnerability to past and future exploits with a high level of certainty. This paper will enable the reader to assess the effects of applying an Oracle security patch (CPU), and to identify windows of past vulnerability that can be usefully correlated with archived audit logs in order to locate previous attacks.
PDF Security in Sun Java System Application Server Platform Edition 8.0
By: Sid Ansari (posted on June 29, 2005)
In what follows, we will examine the various parts of this definition before turning to an examination of how Enterprise Java Beans can be secured.
PDF Web Browser Insecurity
By: Paul Asadoorian (posted on June 2, 2005)
There has been much debate lately between two different browsers, namely Microsoft's Internet Explorer and the Mozilla Project's Firefox web browser. Security is in the center of this debate, accompanied by features and usability.
PDF Application Firewalls: Don't Forget About Layer 7
By: Russell Eubanks (posted on May 17, 2005)
Securing web-based communication is and will remain vital to existing business sustainability and future growth.
PDF Reining in the LAN client
By: David Monaco (posted on February 25, 2005)
We'll often see inadequate access control for the local area network (LAN). It is usually considered a "trusted zone" and is thus, unfortunately, a frequently neglected zone. While the LAN may well be the most trusted zone, to achieve an appropriate level of layered security, authorizing clients attaching to the LAN is paramount.
PDF Securing SQL Connection String
By: Dmitry Dessiatnikov (posted on April 8, 2004)
Securing the authentication information used to establish a connection between two applications is one of the most critical aspects of application security. This paper will focus on protecting the connection strings used to authenticate communication between the web server and the back-end database.
PDF Assessing Vendor Application Security A Practical Way to Begin
By: Barton Hubbs (posted on April 8, 2004)
Many companies are adopting a preference toward buying vendor software versus building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to-market, process savings, and reducing the cost of information technology (IT).
PDF Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach
By: Vilas Ankolekar (posted on December 13, 2003)
This paper addresses the security challenges that exist due to programming flaws, and explains how simple programming practices can reduce the risks.
PDF SQL Server 2000: Permissions on System Tables Granted to Logins Due to the Public Role
By: K Brian Kelley (posted on December 13, 2003)
Microsoft SQL Server 7.0 and 2000 make use of the concept of roles at the server level and within each database which is discussed in this paper, specifically taking a close look at the public role.
PDF Service Account Vulnerabilities
By: Barbara Guhanick (posted on October 31, 2003)
This paper discusses "powerful" accounts used to run application software services and/or to provide internal data access, treating them as vulnerabilities in application security (Microsoft NT/2000 environment).
PDF Source Code Revelation Vulnerabilities
By: Christopher Short (posted on October 31, 2003)
Application security cannot be ignored in today's complex and competitive environment.
PDF Database - The Final Firewall
By: Brian Suddeth (posted on October 31, 2003)
Multiple layers of security may be set in your database management system, the last line of defense, helping to control access, monitor usage, set tripwires for intrusions, and preserve the evidence needed if intrusions or misuse occur.
PDF An Approach to Application Security
By: Ian Rathie (posted on October 31, 2003)
This document discusses an approach to assessing application security and developing a simple Security Development Life Cycle to complement an organization's Systems Development Life Cycle.
PDF Distributed Object Technology: Security Perspective
By: Subbu Cherukuwada (posted on October 31, 2003)
An introduction to distributed object technology and an overview of security features available in Microsoft.NET and CORBA.
PDF Making Your Network Safe for Databases
By: Duane Winner (posted on October 31, 2003)
Guidelines for securing a database-driven web site.
PDF Web Application Security for Managers
By: Pierre de la Brassinne (posted on October 31, 2003)
Recommendations to managers for securing web applications.
PDF Distributed Systems Security: Java, CORBA, and COM+
By: April L. Moreno (posted on October 31, 2003)
The purpose of this paper is to examine three popular architectures for distributed systems applications and their security implications.
PDF Security Scenarios in Analysis and Design
By: Dwight A. Haworth (posted on October 31, 2003)
This article addresses the issue of designing security into systems rather than trying to add it to systems after development.
PDF Framework for Secure Application Design and Development
By: Chris McCown (posted on October 31, 2003)
This paper presents a framework to assist developers in the practice of secure application design and development.
PDF Security for a CRM environment
By: Jason LaFrance (posted on October 31, 2003)
This paper is designed to help the security professional determine the considerations that are involved with a secure CRM rollout.
PDF Securing Server Side Java
By: William Rushmore (posted on October 31, 2003)
Although Java has many security features, some Java programmers may think these built-in protections are adequate for securing their applications; however, nothing could be further from the truth.
PDF Deploying a Secure Web Application: From a Coding Perspective
By: Jaime Spicciati (posted on October 31, 2003)
The purpose of this document is to give a developer a very detailed and reproducible guideline for the development of a typical web application, focused on common flaws that recently emerged in popular web applications.
PDF J.D. Edwards Security using RBAC
By: Scott Gordee (posted on October 31, 2003)
Although OneWorld security is incredibly flexible, it can also become convoluted and difficult to manage if a security model isn't created and enforced in the infancy of its implementation.
PDF Securing End User Active Server Page Applications on an Intranet
By: Bob Bohn (posted on October 31, 2003)
This paper discusses the evolution of end user computing as well as the issues involved, and explores a number of techniques which can be used to secure end user applications in a Microsoft IIS 4.0 intranet environment.
PDF SQL Server Email - vulnerability issues and prevention strategies
By: Frank Ress (posted on October 31, 2003)
This paper will explore some of the ways this feature could be used by both legitimate users and intruders.