SANS InfoSec Reading Room - Application/Database Sec
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 33 papers as of Feb 10, 2010
Implementing Data-at-Rest Encryption within the Oracle RDBMS
RDC, Inc. - November 2009
Best Practices in Data Protection: Encryption, Key Management and Tokenization
nuBridges, Inc. - September 2009
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know
- By: Jason Lam & Johannes B. Ullrich (posted on May 22, 2009)
- XMLHttpRequest is the backbone of Web 2.0 applications. It is a powerful JavaScript function that allows the flexible creation of HTTP requests. Lately, with Internet Explorer 8, XDomainRequest was released, which extends and refines the creation of HTTP requests in JavaScript. Both functions have had a defined impact on the development of Web standards. However, both functions are also frequently cited for their usefulness in attack tools. We investigate how these functions evolved to mitigate the harm done. We found that the security requirements put forward by the standard are not implemented consistently across different browsers. Developers need to be aware of these inconsistencies to protect applications from cross-site request forgery.
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them
- By: Ed Skoudis and Frank Kim (posted on March 3, 2009)
Web Based Attacks
- By: Justin Crist (posted on January 4, 2008)
Analyzing Attack Surface Code Coverage
- By: Justin Seitz (posted on November 14, 2007)
Forensic Analysis of a SQL Server 2005 Database Server
- By: Kevvie Fowler (posted on September 28, 2007)
Automated Scanning of Oracle 10g Databases
- By: Rory McCune (posted on August 7, 2007)
Using Oracle Forensics to determine vulnerability to Zero Day exploits
- By: Paul Wright (posted on February 28, 2007)
- The aim of this paper is to explain the threat of PL/SQL injection on Oracle databases and to show how principles from the world of computer forensics can be transferred to Oracle in order to deduce vulnerability to past and future exploits with a high level of certainty. This paper will enable the reader to assess the effects of applying an Oracle security patch (CPU), and to identify windows of past vulnerability that can be usefully correlated with archived audit logs in order to locate previous attacks.
Security in Sun Java System Application Server Platform Edition 8.0
- By: Sid Ansari (posted on June 29, 2005)
- In what follows, we will examine the various parts of this definition before turning to an examination of how Enterprise Java Beans can be secured.
Web Browser Insecurity
- By: Paul Asadoorian (posted on June 2, 2005)
- There has been much debate lately between two different browsers, namely Microsoft's Internet Explorer and the Mozilla Project's Firefox web browser. Security is at the center of this debate, accompanied by features and usability.
Application Firewalls: Don't Forget About Layer 7
- By: Russell Eubanks (posted on May 17, 2005)
- Securing web-based communication is and will remain vital to existing business sustainability and future growth.
Reining in the LAN client
- By: David Monaco (posted on February 25, 2005)
- We often see inadequate access control for the local area network (LAN). It is usually considered a "trusted zone" and is thus, unfortunately, a frequently neglected one. While the LAN may well be the most trusted zone, authorizing clients that attach to the LAN is paramount to achieving an appropriate level of layered security.
Securing SQL Connection String
- By: Dmitry Dessiatnikov (posted on April 8, 2004)
- Securing the authentication information used to establish a connection between two applications is one of the most critical aspects of application security. This paper focuses on protecting the connection strings used to authenticate communication between the web server and the back-end database.
Assessing Vendor Application Security: A Practical Way to Begin
- By: Barton Hubbs (posted on April 8, 2004)
- Many companies are adopting a preference for buying vendor software over building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to-market, process savings, and reducing the cost of information technology (IT).
Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach
- By: Vilas Ankolekar (posted on December 13, 2003)
- This paper addresses the security challenges that exist due to programming flaws, and explains how simple programming practices can reduce the risks.
SQL Server 2000: Permissions on System Tables Granted to Logins Due to the Public Role
- By: K Brian Kelley (posted on December 13, 2003)
- Microsoft SQL Server 7.0 and 2000 use roles both at the server level and within each database. This paper discusses that concept, taking a close look at the public role.
Service Account Vulnerabilities
- By: Barbara Guhanick (posted on October 31, 2003)
- This paper discusses "powerful" accounts used to run application software services and/or to provide data access internally, treating them as vulnerabilities in application security (Microsoft NT/2000 environments).
Source Code Revelation Vulnerabilities
- By: Christopher Short (posted on October 31, 2003)
- Application security cannot be ignored in today's complex and competitive environment.
Database - The Final Firewall
- By: Brian Suddeth (posted on October 31, 2003)
- Multiple layers of security may be set in your database management system, the last line of defense, to help control access, monitor usage, set tripwires for intrusions, and preserve the evidence needed if intrusions or misuse occur.
An Approach to Application Security
- By: Ian Rathie (posted on October 31, 2003)
- This document discusses an approach to assessing application security and developing a simple Security Development Life Cycle to complement an organization's Systems Development Life Cycle.
Distributed Object Technology: Security Perspective
- By: Subbu Cherukuwada (posted on October 31, 2003)
- An introduction to distributed object technology and an overview of the security features available in Microsoft .NET and CORBA.
Making Your Network Safe for Databases
- By: Duane Winner (posted on October 31, 2003)
- Guidelines for securing a database-driven web site.
Web Application Security for Managers
- By: Pierre de la Brassinne (posted on October 31, 2003)
- Recommendations to managers for securing web applications.
Distributed Systems Security: Java, CORBA, and COM+
- By: April L. Moreno (posted on October 31, 2003)
- The purpose of this paper is to examine three popular architectures for distributed systems applications and their security implications.
Security Scenarios in Analysis and Design
- By: Dwight A. Haworth (posted on October 31, 2003)
- This article addresses the issue of designing security into systems rather than trying to add it to systems after development.
Framework for Secure Application Design and Development
- By: Chris McCown (posted on October 31, 2003)
- This paper presents a framework to assist developers in the practice of secure application design and development.
Security for a CRM environment
- By: Jason LaFrance (posted on October 31, 2003)
- This paper is designed to help the security professional determine the considerations that are involved in a secure CRM rollout.
Securing Server Side Java
- By: William Rushmore (posted on October 31, 2003)
- Although Java has many security features, some Java programmers may think these built-in protections are adequate for securing their applications; however, nothing could be further from the truth.
Deploying a Secure Web Application: From a Coding Perspective
- By: Jaime Spicciati (posted on October 31, 2003)
- The purpose of this document is to give a developer a very detailed and reproducible guideline for the development of a typical web application, focused on common flaws that recently emerged in popular web applications.
J.D. Edwards Security using RBAC
- By: Scott Gordee (posted on October 31, 2003)
- Although OneWorld security is incredibly flexible, it can also become convoluted and difficult to manage if a security model isn't created and enforced in the infancy of its implementation.
Securing End User Active Server Page Applications on an Intranet
- By: Bob Bohn (posted on October 31, 2003)
- This paper discusses the evolution of end user computing as well as the issues involved, and explores a number of techniques which can be used to secure end user applications in a Microsoft IIS 4.0 intranet environment.
SQL Server Email - vulnerability issues and prevention strategies
- By: Frank Ress (posted on October 31, 2003)
- This paper will explore some of the ways this feature could be used by both legitimate users and intruders.