Re: SQL injection

From: Matt Davis (stackinjection@gmail.com)
Date: Thu Jun 09 2005 - 17:58:15 EDT


Just kind of an FYI...

It is probably not a good idea to list the vendors you use to protect
your network on a security mailing list... especially a pen-test
one.

:-D

Cheers,
Matt

On 6/9/05, Faisal Khan <faisal@netxs.com.pk> wrote:
>
>
> Well I'll be dog gone! I just wasn't aware of such devices out there in the
> market (and I thought I was up to date! evidently not).
>
> We protect our network with IPS (TopLayer), IDS (Juniper and GFI LANGuard &
> SNORT) and Firewall (Juniper Netscreen) and always thought that would be
> enough, but SQL injection has always been a concern. Since we are not able
> to actively defend it - it's in our TOS/SLA that we do NOT defend against
> SQL Injections.
>
> Thanks to all who pitched in an answer/suggestion.
>
> Faisal
>
>
>
> At 09:35 PM 6/9/2005, Richard Barrell wrote:
> >Hi Faisal,
> >
> >There are dedicated devices that are designed to prevent attacks of
> >this sort - web application firewalls. Here is a list of
> >manufacturers that you should look into:
> >
> >(in alphabetical order)
> >
> >Imperva - www.imperva.com/
> >Kavado - www.imperva.com/
> >Netcontinuum - www.netcontinuum.com/
> >Teros - www.teros.com/
> >Watchfire (Sanctum) - www.watchfire.com
> >
> >AND, if you'll forgive the plug,
> >
> >Sentryware: www.sentryware.com
> >
> >Good luck in your search,
> >
> >Rich
> >
> >-----------------
> >FK> Pardon the ignorance, but is there any hardware/software based device that
> >FK> can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
> >FK> able to prevent this?
> >
> >---------------------
> >Richard Barrell, CCNP, CCDP
> >International Pre-Sales Manager
> >
> >www.sentryware.com
> >Parque Empresarial Zuatzu
> >Edificio Urgull, 2ª local 10
> >20018 Donostia-San Sebastián
> >Spain
> >
> >Tel: +34 943 31 73 30
> >Mvl: +34 646 97 10 18
> >Skype: mr_barrell
>
>
>
> Faisal Khan
> CEO
> Net Access Communication
> Systems (Private) Limited
> _____________________________
> 1107 Park Avenue, 24-A, Block 6,
> PECHS, Main Shahrah-e-Faisal,
> Karachi 74500 (Pakistan)
> Board: +92 (21) 111 222 377
> Direct: +92 (21) 454-346
> Fax: +92 (21) 454-4347
> Cell: +92 (333) 216-1291
> Email: faisal@netxs.com.pk
> Web: www.netxs.com.pk
>
>
>
>


