Thursday 29 October 2015

How to detect SQL Injection at SQL Server level (via SQL Errors)

Question: how to detect SQL injection on an high-volume SQL Server just by looking at SQL Queries errors?

I know some guys (like ETSY) are doing this, but when I was talking with some MS SQL Server DBAs today, they couldn't find an easy way to do it at the SQL server.

The logic is that there should be no SQL compilation errors in an Production SQL server, so any errors that occur, must be:

Monday 19 October 2015

What are Security Champions and what do they do?

Security Champions are a key element of an AppSec team, since they create an cross-functional team focused on Application Security 

Here is an good definition for you to customise to your culture and workflows:

What is an Security Champion?
  • Security Champions are active members of a team that may help to make decisions about when to engage the Security Team
  • Act as the "voice" of security for the given product or team
  • Assist in the triage of security bugs for their team or area
What do they do?
  • Actively participate in the AppSec JIRA and WIKI
  • Collaborate with other security champions
    • Review impact of 'breaking changes' made in other projects
  • Attend weekly meetings
  • Are the single point of contact for their assigned team
  • Ensure that security is not a blocker on active development or reviews
  • Assist in making security decisions for their team
    • Low-Moderate security impact
      • Empowered to make decisions
      • Document decisions made in bugs or wiki
    • High-Critical security impact
      • Work with AppSec team on mitigations strategies
  • Help with QA and Testing
    • Write Tests (from Unit Tests to Integration tests)
    • Help with development of CI (Continuous Integration) environments
Further reading

Wednesday 14 October 2015

Mapping the attack surface for client side code (i.e. JS code)

Although at first it might look that on a browser the concept of attack surface doesn’t matter, unless you are building a pure html website with NO Javascript, you will also need to consider the attack surface of your code.

The attack surface is basically the ways the code execution can be affected/influenced by an attacker’s data/actions 

For Javascript code that is running on browser there are three main sources of malicious data