February OWASP meeting

The February meeting of the Scottish OWASP chapter went pretty well on the 28th.

We had Steve Moyle doing a presentation on database security (slides can be found here).

I picked up some interesting ideas from his presentation. Firstly, the idea that relational databases have a fundamental security flaw: the channel used to control them (create and drop objects, grant rights, administer the server) and the channel used to access the information they contain are one and the same, SQL over one connection. Anyone who should only have access to the information in the system can therefore use that same channel to attack it, which is exactly what SQL injection exploits.
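To make the shared-channel point concrete, here is an added example, constructed for this post rather than taken from Steve's slides or any real application. It uses Python's built-in sqlite3 module: a report function that is only meant to read one customer's orders is fed the same attacker-controlled string, once spliced into the statement text and once as a bound parameter. The table names, rows, the stacked-statement API and the attacker strings are all made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: an orders table the report may read,
    and a second table it never should."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        CREATE TABLE app_users (name TEXT, pw_hash TEXT);
        INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 25.5);
        INSERT INTO app_users VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def orders_concat(conn: sqlite3.Connection, customer: str) -> list:
    # Vulnerable: the customer name travels inside the statement text, i.e. on
    # the control channel, so a crafted value can change what the statement does.
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_param(conn: sqlite3.Connection, customer: str) -> list:
    # Fixed: the statement text is constant and the value is bound separately,
    # which is as close as SQL gets to keeping data off the control channel.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def report_stacked(conn: sqlite3.Connection, customer: str) -> None:
    # Same concatenation bug, sent through an API that accepts several
    # statements in one string (executescript stands in here for drivers that
    # allow stacked queries). The caller only ever wanted a read.
    conn.executescript("SELECT id FROM orders WHERE customer = '" + customer + "';")


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# Constructed attacker inputs: one reads a table the report should never see,
# the other issues a control command over the data channel.
READ_OTHER_TABLE = "x' UNION SELECT rowid, name, pw_hash FROM app_users --"
DROP_TABLE = "x'; DROP TABLE orders; --"


def demo() -> dict:
    conn = make_db()
    out = {
        "benign_concat": orders_concat(conn, "alice"),
        "benign_param": orders_param(conn, "alice"),
        # Same bytes, spliced in: the report now returns password hashes.
        "union_concat": orders_concat(conn, READ_OTHER_TABLE),
        # Same bytes, bound: just a customer name nobody has.
        "union_param": orders_param(conn, READ_OTHER_TABLE),
    }
    # A read-only caller drops the table it was reporting on.
    report_stacked(conn, DROP_TABLE)
    out["orders_table_survives"] = table_exists(conn, "orders")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding parameters is the application-side fix, because it is the only place the two channels are actually separated. On the database side the usual mitigation is least privilege: if the account the report runs under cannot read app_users or drop tables, the shared channel still exists but the damage an injected control command can do is bounded.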

The other thought which occurred to me while listening to the presentation was that any IDS/IPS-style device which wants to block "malicious" traffic going to a system must parse that traffic in the same way as the protected system does. Otherwise quirks of interpretation (decoding, normalisation, how ambiguous input is resolved) will introduce false positives, where the device blocks something the target would have treated as harmless, or false negatives, where it passes something the target turns into an attack.

It's something I was talking to a WAF vendor about recently, as I was asking them whether their product rendered JavaScript when looking for malicious traffic. There's a specific problem with self-modifying JavaScript: it looks innocuous in transit but is malicious once executed, so a device that only inspects the bytes on the wire never sees the payload at all.
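Here is an added example of the parsing-mismatch point, and of why the JavaScript case is worse; it is constructed for this post rather than taken from any IDS, WAF or vendor product. It models a filter that string-matches a couple of made-up signatures after URL-decoding a request value some number of times, and an application that decodes the same value a different number of times. The signatures, decode counts and request values are all assumptions.

```python
from urllib.parse import unquote

# Constructed toy signatures: what a naive request filter might string-match on.
SIGNATURES = ("<script", "alert(")


def decode(value: str, rounds: int) -> str:
    """URL-decode `value` the given number of times. A filter and the
    application behind it may well disagree on how many rounds apply."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def matches_signature(text: str) -> bool:
    """Case-insensitive substring match, the cheapest kind of 'malicious traffic' check."""
    lowered = text.lower()
    return any(sig in lowered for sig in SIGNATURES)


def classify(raw: str, filter_rounds: int, app_rounds: int) -> str:
    """Compare the filter's verdict (after its own decoding) with whether the
    signature is present in what the application actually ends up with."""
    blocked = matches_signature(decode(raw, filter_rounds))
    harmful = matches_signature(decode(raw, app_rounds))
    if blocked and harmful:
        return "true positive"
    if blocked:
        return "false positive"
    if harmful:
        return "false negative"
    return "true negative"


def seen_at_any_depth(raw: str, max_rounds: int) -> bool:
    """Would a purely static inspector ever match, however many times it decodes?"""
    return any(matches_signature(decode(raw, r)) for r in range(max_rounds + 1))


# Constructed request parameter values.
PLAIN_XSS = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"  # one decode gives <script>alert(1)</script>
DOUBLE_ENCODED_XSS = "%253Cscript%2520src%253D%252F%252Fx.invalid%253E%253C%252Fscript%253E"  # two decodes needed
HARMLESS = "hello%20world"
# Assembled at run time by the browser: no decode depth ever yields 'alert(' in the text.
RUNTIME_JS = "<img src=x onerror=\"eval('al'+'ert(1)')\">"


def demo() -> dict:
    return {
        "plain xss, filter decodes 1 / app 2": classify(PLAIN_XSS, 1, 2),
        "double-encoded, filter 1 / app 2": classify(DOUBLE_ENCODED_XSS, 1, 2),  # filter misses it
        "double-encoded, filter 2 / app 1": classify(DOUBLE_ENCODED_XSS, 2, 1),  # filter blocks harmless traffic
        "double-encoded, filter 2 / app 2": classify(DOUBLE_ENCODED_XSS, 2, 2),  # parsers agree
        "harmless, filter 1 / app 2": classify(HARMLESS, 1, 2),
        "runtime-assembled js seen statically": seen_at_any_depth(RUNTIME_JS, 5),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decoding cases give both failure modes from a single mismatch: decode fewer times than the application and the attack walks through, decode more and legitimate traffic gets blocked. The last case is the one the WAF question was about: the two string literals only become `alert(` inside the browser's JavaScript engine, so no amount of decoding on the wire finds it, and only something that executes (or at least evaluates) the script would.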


This page contains a single entry by Rory2 published on March 8, 2008 11:46 AM.