Table of Contents

OVERVIEW
WHAT ARE PERSONAS
    Business Decision Maker
    Architect
    Developer
    Tester/QA
UNDERSTANDING SQL INJECTION FOR THE BUSINESS DECISION MAKER
    Risk
    Business Impact
    Fixing the Code
    Resources and Training for Business Decision Makers
UNDERSTANDING SQL INJECTION FOR THE ARCHITECT/PM
    Identifying the Problem
    Common SQL Injection Attacks
    Designing a Fix
    Tools for Designing Software That Prevents SQL Injection Vulnerabilities
    Resources and Training for Architects/PMs
UNDERSTANDING SQL INJECTION ATTACKS FOR THE DEVELOPER
    Example of SQL Injection
    Example of a SQL Injection by Truncation Attack
    Writing Secure Code
        Constrain Input
        Use Parameterized SQL Queries
        Use Proper Escaping Techniques to Handle Special Input Characters
        Calculate Buffer Lengths Properly
    Additional Considerations
        Use a Least-Privileged Database Account
        Avoid Disclosing Detailed Error Information
    Tools and Libraries
    Resources and Training for Developers
UNDERSTANDING SQL INJECTION VULNERABILITIES FOR THE TESTER/QA
    Map Out the Site and Its Functionality
    Start Testing and Pay Attention to the Output
    Techniques for Finding Various Types of SQL Injection Vulnerabilities
    Code Reviews
    Building Improvements into Black Box Testing
    Tools You Can Use
    Resources and Training for Testers
THE MICROSOFT SDL AND PREVENTING SQL INJECTION ATTACKS
    Long-Term Solutions
CONCLUSION
ACKNOWLEDGMENTS
