RE: SQL injection

From: Faisal Khan (faisal@netxs.com.pk)
Date: Sun Jun 12 2005 - 11:06:28 EDT


Folks,

Thank you for your recommendations. Needless to say I now have my hands
full in reading up and learning about all the possible solutions out there.

Whilst I agree with the notion that bad coding is the main thing to avoid
as far as SQL Injections are concerned (or any other vulnerability for
that matter), there is a question that begs to be answered. For "Service
Providers" (emphasis supplied), providing secure hosting infrastructure,
can only be in my opinion on the Layer 2/3 front. On the Application Layer
(Layers 4-7) it is very hard for a service provider to provide secure
solutions to code for which we have no "a priori" knowledge.

I just think by investing in such security gear (IPS, IDS, Firewalls, etc.)
we are hopefully adding a layer of protection for our clients, knowing well
that this protective layer could very well be breached.

But then I guess to sum it up in the crudest of terms, something is better
than nothing.

Regards,

Faisal

At 01:43 PM 6/10/2005, Leandro Reox wrote:
>Good point Todd, I think everybody here agrees that the first countermeasure
>for SqlInjection attacks is "Secure Programming". Bad coding will be your
>worst enemy at the time when "that kid inserts a ' in your login form".
>There's no perfect appliance for this kind of attack and maybe hours of
>customizing sigs aren't worth it. Most SqlI attackers will give up after
>typing a few " ' 'OR 1=1-- ; I say most of them, because there's a lot of
>good SqlI practitioners out there.
>Like Todd says "nothing is 100% secure" so well-coded web apps + good sig-
>based detection + good db diagramming + a lot of conscience makes a nice
>combo.
>
>Cheers !
>
>
>
>-----Original Message-----
>From: Todd Towles [mailto:toddtowles@brookshires.com]
>Sent: Friday, June 10, 2005 3:16 AM
>To: James Riden; Tim
>Cc: pen-test@securityfocus.com
>Subject: RE: SQL injection
>
>Well, sig-based detection is just that, sig based. So I am sure that new
>attacks or old attacks may be able to bypass most IDS/IPS with various
>techniques. But no IDS or IPS system is perfect. No firewall or AV is
>perfect. We are talking about protection - nothing is 100% secure.
>Blocking the basic SQL injection attack is better than nothing at all.
>
> > -----Original Message-----
> > From: jriden@it029205.massey.ac.nz
> > [mailto:jriden@it029205.massey.ac.nz] On Behalf Of James Riden
> > Sent: Thursday, June 09, 2005 10:01 PM
> > To: Tim
> > Cc: pen-test@securityfocus.com
> > Subject: Re: SQL injection
> >
> > Tim <tim-pentest@sentinelchicken.org> writes:
> >
> > > I am sure many IPS/IDSes are great for stopping a lot of
> > > attacks. I find it incredibly hard to believe that they stop all.
> > > It is far better to write good code in the first place.
> >
> > Definitely true.
> >
> > > To those people out there who recommended this or that IPS/IDS:
> > > Have you tested these against real attacks?
> >
> > Yes, I've caught real attacks using snort with the bleeding
> > rules. As you say, perhaps only the obvious ones though
> > ("xp_cmdshell").
> >
> > --
> > James Riden / j.riden@massey.ac.nz / Systems Security Engineer
> > GPG public key available at: http://www.massey.ac.nz/~jriden/
> > This post does not necessarily represent the views of my employer.
> >
> >

Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal@netxs.com.pk
Web: http://www.netxs.com.pk/
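The thread's two points, a well-coded app and "obvious" signature detection, side by side as an added example (this is not code from any poster): a login query that pastes input into the SQL beside the parameterized version, and a toy signature check run over constructed log lines. The table, the two signatures and the log lines are all constructed for this example; the signatures are not Snort or Bleeding rules.

```python
import re
import sqlite3

# Constructed in-memory users table; not from the original thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_concat(conn, user, pw):
    """The 'bad coding' case: input is pasted into the query text, so a
    quote typed into the login form changes the query's structure."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(sql).fetchone()

def login_param(conn, user, pw):
    """The 'secure programming' fix: bound parameters travel as values and
    are never parsed as SQL, so the same input is just a non-matching name."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone()

# Hypothetical 'obvious' signatures in the spirit of the thread's examples
# (a tautology after a quote, the xp_cmdshell procedure name).
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.IGNORECASE),
}

def flag_requests(log_lines):
    """Return (line, signature_name) for every log line a signature hits."""
    hits = []
    for line in log_lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line, name))
                break
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    "POST /login user=alice&pw=s3cret",
    "POST /login user=' OR 1=1--&pw=x",
    "POST /search q=';xp_cmdshell--",
]

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "' OR 1=1--", "x"))  # ('alice',): logged in with no password
    print(login_param(db, "' OR 1=1--", "x"))   # None: the payload is only a literal string
    print(flag_requests(SAMPLE_LOG))            # the two obvious lines flagged, the real login not
```

The parameterized login returns None for the tautology input whether or not a signature fired, which is the "well-coded app" half of the combo; the signature check is the "better than nothing" half and only sees what it has a pattern for.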



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT