Reading Room

Application and Database Security

Featuring 80 Papers as of May 1, 2019

• Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications STI Graduate Student Research
  by Alexander Fry - April 30, 2019 

  Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left - identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all - it must be trialed to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio.

  •  Overview
  •  Download

• ---

• One-Click Forensic Analysis: A SANS Review of EnCase Forensic Analyst Paper (requires membership in SANS.org community)
  by Jake Williams - June 27, 2018 

  • Associated Webcasts: EnCase Forensic 8: A SANS Analyst Program Review
  • Sponsored By: Open Text Inc.

  When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Cloud Security: Are You Ready? Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - June 18, 2018 

  • Sponsored By: Symantec

  As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Tailoring Intelligence for Automated Response Analyst Paper (requires membership in SANS.org community)
  by Sonny Sarai - May 2, 2018 

  • Associated Webcasts: Tailored Intelligence for Automated Remediation: SANS Review of IntSights\' Enterprise Intelligence and Mitigation Platform
  • Sponsored By: IntSights

  Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Adapting AppSec to a DevOps World by Stephen Deck - February 20, 2018 

  DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to elevate code safely and as often as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, unit, and integration testing can minimize risk while still enabling the rapid software development that businesses demand.

  •  Overview
  •  Download

• ---

• Bug Bounty Programs: Enterprise Implementation STI Graduate Student Research
  by Jason Pubal - January 17, 2018 

  Bug bounty programs are incentivized, results-focused programs that encourage security researchers to report security issues to the sponsoring organization. These programs create a cooperative relationship between security researchers and organizations that allow the researchers to receive rewards for identifying application vulnerabilities. Bug bounty programs have gone from obscurity to being embraced as a best practice in just a few years: application security maturity models have added bug bounty programs and there are standards for vulnerability disclosure best practices. Through leveraging a global community of researchers available 24 hours a day, 7 days a week, information security teams can continuously deliver application security assessments keeping pace with agile development and continuous integration deployments complementing existing controls such as penetration testing and source code reviews.

  •  Overview
  •  Download

• ---

• 2017 State of Application Security: Balancing Speed and Risk Analyst Paper (requires membership in SANS.org community)
  by Jim Bird - October 24, 2017 

  • Associated Webcasts: Application Security on the Go! SANS Survey Results, Part 1 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2 Application Security on the Go! SANS Survey Results, Part 1 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2 Application Breaches and Lifecycle Security: SANS 2017 Application Security Survey, Part 2
  • Sponsored By: Tenable WhiteHat Security Rapid7 Inc. Veracode Synopsys

  Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• AppSec: ROI Justifying Your AppSec Program Through Value-Stream Analysis Analyst Paper (requires membership in SANS.org community)
  by Jim Bird - October 4, 2017 

  • Sponsored By: Veracode

  In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Asking the Right Questions: A Buyer's Guide to Dynamic Scanning to Secure Web Applications Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - September 12, 2017 

  • Associated Webcasts: Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer\'s Guide to App Sec Scanning Tools
  • Sponsored By: Veracode

  Securing a web apps across its lifecycle is fundamentally different than securing an app born inside a secure perimeter. The selection of tools designed to scan running applications is more complex and challenging select than are conventional tools as the threat these are designed to counter is also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Testing Web Apps with Dynamic Scanning in Development and Operations Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - June 15, 2017 

  • Associated Webcasts: Using Dynamic Scanning to Secure Web Apps in Development and After Deployment
  • Sponsored By: Veracode

  Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Security by Design: The Role of Vulnerability Scanning in Web App Security Analyst Paper (requires membership in SANS.org community)
  by Barbara Filkins - June 7, 2017 

  • Associated Webcasts: The Role of Vulnerability Scanning in Web App Security
  • Sponsored By: Netsparker

  The growth in custom applications in the cloud has increased organizations' security exposure. Although more organizations want to test and remediate during development, this doesn't address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Using Cloud Deployment to Jump-Start Application Security Analyst Paper (requires membership in SANS.org community)
  by Adam Shostack - May 24, 2017 

  • Associated Webcasts: Choosing the Right Path to Application Security
  • Sponsored By: Veracode

  The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is now squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility associated with these changes make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Moving Toward Better Security Testing of Software for Financial Services Analyst Paper (requires membership in SANS.org community)
  by Steve Kosten - February 7, 2017 

  • Associated Webcasts: Enhanced Application Security for the Financial Industry Enhanced Application Security for the Financial Industry
  • Sponsored By: Synopsys

  The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• 2016 State of Application Security: Skills, Configurations and Components Analyst Paper (requires membership in SANS.org community)
  by Johannes Ullrich, PhD - April 26, 2016 

  • Associated Webcasts: Managing Applications Securely: A SANS Survey
  • Sponsored By: WhiteHat Security Veracode Checkmarx Inc.

  Survey results reveal that it is critical for an overall enterprise security program to coordinate efforts among developers, architects and system administrators—particularly since many software vulnerabilities are rooted in configuration issues or third-party components, not just in code written by the development team. Read on to learn more.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Protection from the Inside: Application Security Methodologies Compared Analyst Paper (requires membership in SANS.org community)
  by Jacob Williams - April 27, 2015 

  • Associated Webcasts: Analyst Webcast: RASP vs. WAF: Comparing Capabilities and Efficiencies
  • Sponsored By: HP

  A SANS Analyst Program review by Jacob Williams. This webcast will explore the relative capabilities and efficiencies of RASP and WAF technologies, and discuss a blind, vendor-anonymous review of a representative product in each category.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Web Application Firewalls STI Graduate Student Research
  by Jason Pubal - March 16, 2015 

  For years, attackers have assailed networks and exploited system level vulnerabilities, fueling demand for products like firewalls and intrusion detection systems.

  •  Overview
  •  Download

• ---

• Protecting Access to Data and Privilege with Oracle Database Vault Analyst Paper (requires membership in SANS.org community)
  by Pete Finnigan - January 29, 2015 

  • Associated Webcasts: Analyst Webcast: Securing Oracle Databases Made Easy
  • Sponsored By: Oracle

  A review of Oracle Database Vault 12c by security expert Pete Finnigan. Oracle Database Vault takes advantage of built-in features of the Oracle ecosystem, and provides a holistic approach to data security management.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Secure Design with Exploit Infusion by Wen Chinn Yew - November 11, 2014 

  In the age of a highly digitally connected world, the ever-increasing security threat has prompted many initiatives to address it. One important area is to build security into software development.

  •  Overview
  •  Download

• ---

• Data Encryption and Redaction: A Review of Oracle Advanced Security Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - September 15, 2014 

  • Associated Webcasts: Simplifying Data Encryption and Redaction Without Touching the Code
  • Sponsored By: Oracle

  A review of Oracle Advanced Security for Oracle Database 12c by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including transparent data encryption (TDE) and effortless redaction of sensitive data, that seamlessly protect data without any developer effort from unauthorized access.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Building an Application Vulnerability Management Program STI Graduate Student Research
  by Jason Pubal - July 28, 2014 

  For years, attackers have assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners.

  •  Overview
  •  Download

• ---

• Incident Response in a Microsoft SQL Server Environment by Juan Walker - July 3, 2014 

  Incident Response in a Microsoft SQL Server environment starts with planning and requires the Intelligence approach.

  •  Overview
  •  Download

• ---

• How to Win Friends and Remediate Vulnerabilities by Chad Butler - March 20, 2014 

  In today's era of rapid release development projects, finding vulnerabilities is not difficult.

  •  Overview
  •  Download

• ---

• Survey on Application Security Programs and Practices Analyst Paper (requires membership in SANS.org community)
  by Jim Bird, Frank Kim - February 12, 2014 

  • Associated Webcasts: Application Security Programs On the Rise, Skills Lacking: A SANS Survey
  • Sponsored By: Qualys Hewlett Packard Veracode

  Survey shows application security programs on the rise but skill are lacking.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Database Activity Monitoring and Audit: A Review of Oracle Audit Vault and Database Firewall Analyst Paper (requires membership in SANS.org community)
  by Tanya Baccam - January 14, 2014 

  • Sponsored By: Oracle

  Review of Oracle Audit Vault and Database Firewall (AVDF). A platform for organizations looking to increase security with enterprise wide database activity monitoring, auditing and reporting.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Protecting applications against Clickjacking with F5 LTM by Michael Nepomnyashy - November 21, 2013 

  Clickjacking is a web framing attack that uses iframes to hijack a user's web session. It is a powerful hacking technique that poses a threat to many types of web applications. The Information Security Organization of ACC Corporation decided to deploy centralized protection against clickjacking for hosted applications. The implementation of an anti-clickjacking solution can be quite challenging in a large scale hosting organization with over 70 applications that often frame each other. This paper describes a dynamic HTTP headers approach that protects hosted applications without breaking existing web framing relationship between webpages.

  •  Overview
  •  Download

• ---

• A Hands-on XML External Entity Vulnerability Training Module STI Graduate Student Research
  by Carrie Roberts - November 4, 2013 

  Web based attacks are on the rise, and the most exploited vulnerabilities are often not the newest (Symantec Corporation, 2013).

  •  Overview
  •  Download

• ---

• Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment by Jeremy Druin - October 22, 2013 

  Web application security has become increasingly important to organizations.

  •  Overview
  •  Download

• ---

• Securing Web Applications Made Simple and Scalable Analyst Paper (requires membership in SANS.org community)
  by Gregory Leonard - October 10, 2013 

  • Associated Webcasts: Securing Web Applications Made Simple and Scalable
  • Sponsored By: Hewlett Packard

  Evaluation of HP Fortify WebInspect 10.10, an application security testing (DAST) tool.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Application Security: Tools for Getting Management Support and Funding Analyst Paper (requires membership in SANS.org community)
  by John Pescatore - October 4, 2013 

  • Associated Webcasts: John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security
  • Sponsored By: WhiteHat Security

  This paper provide tools and techniques that demonstrate the need for better application security and the appropriate level of investment.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Web Application Injection Vulnerabilities: A Web App's Security Nemesis? by Erik Couture - June 14, 2013 

  An ever-increasing number of high profile data breaches have plagued organizations over the past decade.

  •  Overview
  •  Download

• ---

• 2013 SANS Mobile Application Security Survey Analyst Paper (requires membership in SANS.org community)
  by Kevin Johnson, James Jardine - June 6, 2013 

  • Sponsored By: SAP Global Marketing Veracode Box

  Survey to assess organizational awareness and the procedures around mobile application risk.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Setting Up a Database Security Logging and Monitoring Program STI Graduate Student Research
  by Jim Horwath - May 10, 2013 

  This paper is about implementing a database security logging and monitoring program to increase the security posture of a corporate infrastructure.

  •  Overview
  •  Download

• ---

• Next-Generation Datacenters = Next-Generation Security Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - May 1, 2013 

  • Associated Webcasts: Datacenter Virtualization from a Security Perspective
  • Sponsored By: Mcafee LLC

  Whitepaper breaks down the foundations of a virtual infrastructure, examines pros and cons of security tools and controls available for risk layers, present the pros and cons of different approaches, and looks at new technology to implement protection models in virtual and cloud-based data centers.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Endpoint Security through Application Streaming by Adam Walter - March 15, 2013 

  Throughout the last 30 years technology has undergone a shift in implementation.

  •  Overview
  •  Download

• ---

• SANS Survey on Application Security Programs and Practices Analyst Paper (requires membership in SANS.org community)
  by Jim Bird, Frank Kim - December 6, 2012 

  • Sponsored By: Qualys WhiteHat Security NT Objectives, Inc Veracode

  Application security survey to understanding what works in appsec and why.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Auditing ASP.NET applications for PCI DSS compliance by Christian Moldes - February 7, 2012 

  This paper intends to provide specific guidance on how to audit ASP.NET applications and validate that they meet PCI DSS requirements. It does not intend to provide guidance on how to conduct penetration tests on ASP.NET applications, identify secure coding vulnerabilities, or remediate ASP.NET vulnerabilities.

  •  Overview
  •  Download

• ---

• Oracle Advanced Security Analyst Paper (requires membership in SANS.org community)
  by Tanya Baccam - December 9, 2011 

  • Sponsored By: Oracle

  Review of Oracle Advanced Security encryption covers important product capabilities including network encryption for data in flight and Transparent Data Encryption (TDE) for data at rest.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Securing Blackboard Learn on Linux by David Lyon - December 1, 2011 

  Blackboard Learn (Bb Learn) is an application suite providing educational technology to facilitate online, web based learning. It is typical to see Bb Learn hosting courses and content. Common add-ons include the Community and Content systems which are licensed separately.

  •  Overview
  •  Download

• ---

• Integrating Security into Development, No Pain Required Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - September 20, 2011 

  • Sponsored By: IBM

  This paper looks at software development from both the security and development perspectives, and then evaluates what tools and techniques can help integrate security into development cycles without slowing down the process or creating too much overhead.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• SANS Institute Review: Oracle Database Vault Analyst Paper (requires membership in SANS.org community)
  by Tanya Baccam - August 27, 2011 

  • Sponsored By: Oracle

  Review of Oracle Database Vault with Oracle Database Enterprise Edition 11g Release 2demonstrates strong performance, while making it easy to add, change and modify rules and groups. as well as gain visibility into user activity through a variety of audit and compliance reports available through the Oracle Database Vault application.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Security of Applications: It Takes a Village Analyst Paper (requires membership in SANS.org community)
  by Dave Shackleford - June 20, 2011 

  • Sponsored By: Adobe Systems Inc.

  This paper discusses the role of vendors and consumers in protecting against client-side application attacks.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Mass SQL Injection for Malware Distribution by Larry Wichman - April 20, 2011 

  Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

  •  Overview
  •  Download

• ---

• Four Attacks on OAuth - How to Secure Your OAuth Implementation by Khash Kiani - March 24, 2011 

  A technical study of an emerging open-protocol technology and its security implications.

  •  Overview
  •  Download

• ---

• Protecting Users: The Importance Of Defending Public Sites by Kristen Sullivan - January 18, 2011 

  In the application security industry, one of the hardest elements to communicate to customers is the need for building secure web applications even if those applications transmit minimally sensitive data. The purpose of this document is to provide a valid case for why all applications should follow a minimum standard for secure coding practices. Many assume the only applications requiring protection are those which store sensitive or confidential data, but that is a grievous misjudgment. Additionally, with tight budgets and limited security resources, it is hard to justify reasons for securing public facing sites only offering open record information. The main cause of this is a lack of understanding the risk associated.

  •  Overview
  •  Download

• ---

• Application Whitelisting: Panacea or Propaganda STI Graduate Student Research
  by Jim Beechey - January 18, 2011 

  Every day, organizations of all sizes struggle to protect their endpoints from a constant barrage of malware. The number of threats continues to increase dramatically each year.

  •  Overview
  •  Download

• ---

• Reducing Organizational Risk Through Virtual Patching by Joseph Faust - January 11, 2011 

  Software patching for IT Departments across the organizational landscape has always been an integral part of maintaining functional, usable and stable software. Historically the traditional patch cycle has been focused on fixing or resolving issues which affect functionality. In recent years, with the advancement of more sophisticated and targeted threats which are occurring in quicker cycles, this focus is dramatically changing. (Risk Assessment – Cisco, n.d.; Executive Office of The United States, 2005) . Corporations and Government now have a greater understanding of potential losses and expenses incurred by not maintaining application security and are moving towards an increased focus on patching and security (Epstein, Grow & Tschang, 2008). With organizations’ reputations, consumer confidence and corporate secrets at risk, corporations and government are recognizing the need to shift and address vulnerabilities at a much faster pace than they historically have done so (Chan, 2004). Over roughly the last ten years, the length of time between the documentation of a given vulnerability in a piece of software and the development of an actual exploit that can take advantage of the weakness in the application, has decreased tremendously. According to Andrew Jaquith, senior analyst at Yankee Group, the average time between vulnerability discovery and the release of exploit code is less than one week. (“Shrinking time from,” 2006). It has also been identified that “99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available” ("Risk reduction and.," 2010) . Clearly these statistics alone can prove daunting for many businesses trying to keep pace and maintain proper defenses against the bad guys.

  •  Overview
  •  Download

• ---

• Enabling Social Networking Applications for Enterprise Usage Analyst Paper (requires membership in SANS.org community)
  by Eric Cole, PhD - December 1, 2010 

  • Sponsored By: Palo Alto Networks

  Businesses must define a secure social networking policy and educate employees about the risks associated with using social networking sites.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Oracle Database Security: What to Look for and Where to Secure Analyst Paper (requires membership in SANS.org community)
  by Tanya Baccam - April 10, 2010 

  • Sponsored By: Oracle

  This paper discusses four risk management basics that must be addressed to protect databases and their sensitive data.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• Making Database Security an IT Security Priority Analyst Paper (requires membership in SANS.org community)
  by Tanya Baccam - November 11, 2009 

  • Sponsored By: Oracle

  A discussion of security strategy and the key controls that should be considered to database security and protection of an organization’s information assets.

  •  Overview
  •  Login
  •  Join SANS.org

• ---

• AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know by Jason Lam & Johannes B. Ullrich - May 22, 2009 

  XMLHttpRequest is the backbone of Web 2.0 applications. It is a powerful JavaScript function that allows the flexible creation of HTTP requests. Lately, with Internet Explorer 8, XDomainRequest was released, which extends and refines the creation of HTTP requests in JavaScript. Both functions had a defined impact on the development of Web standards. However, both functions are also frequently cited for their usefulness in attack tools. We will investigate the evolution of these functions and how these functions evolved to mitigate the harm done. We found that security requirements put forward by the standard are not implemented consistently across different browsers. Developers need to be aware of these inconsistencies to protect applications from cross site request forgery.

  •  Overview
  •  Download

• ---

• AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them by Ed Skoudis and Frank Kim - March 2, 2009 

  Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.

  •  Overview
  •  Download

• ---

• Web Based Attacks by Justin Crist - January 4, 2008 

  Attacks upon information security infrastructures have continued to evolve steadily overtime; legacy network based attacks have largely been replaced by more sophisticated web application based attacks. This paper will introduce and address web based attacks from attack to detection. Information security professionals new to application layer attacks will be in a better position to understand the underlying application attack vectors and methods of mitigation after reading this paper.

  •  Overview
  •  Download

• ---

• Analyzing Attack Surface Code Coverage by Justin Seitz - November 14, 2007 

  The art of analyzing a software system for security and robustness flaws can be a daunting task, and often begs a question: when is the analysis complete? Commonly a researcher or analyst answers this question by determining whether they have run out of budget, time, or have found bugs. However, these are not empirical pieces of evidence, what is really required is to understand how much of the software that is attackable was exercised.

  •  Overview
  •  Download

• ---

• Forensic Analysis of a SQL Server 2005 Database Server by Kevvie Fowler - September 28, 2007 

  In-depth analysis of a forensic analysis of a SQL Server 2005 Database Server.

  •  Overview
  •  Download

• ---

• Automated Scanning of Oracle 10g Databases by Rory McCune - August 7, 2007 

  This paper analyses the various areas of Oracle security covered by the course and seeks to propose details of which checks could be carried out automatically and how (for example what parameters to check, and what the various resultant values would indicate about the security of the database).

  •  Overview
  •  Download

• ---

• Using Oracle Forensics to determine vulnerability to Zero Day exploits by Paul Wright - February 27, 2007 

  The aim of this paper is to explain the threat of PLSQL injection on Oracle databases and show how principles from the world of computer forensics can be transferred to Oracle in order to deduce vulnerability to past and future exploits with a high level of certainty. This paper will enable the reader to assess the effects of applying an Oracle security patch (CPU), and identify windows of past vulnerability that can be usefully correlated with archived audit logs in order to locate previous attacks.

  •  Overview
  •  Download

• ---

• Security in Sun Java System Application Server Platform Edition 8.0 by Sid Ansari - June 29, 2005 

  In what follows, we will examine the various parts of this definition before turning to an examination of how Enterprise Java Beans can be secured.

  •  Overview
  •  Download

• ---

• Web Browser Insecurity by Paul Asadoorian - June 2, 2005 

  There has been much debate lately between two different browsers, namely Microsoft's Internet Explorer and the Mozilla Project's Firefox web browser. Security is in the center of this debate, accompanied by features and usability.

  •  Overview
  •  Download

• ---

• Application Firewalls: Don't Forget About Layer 7 by Russell Eubanks - May 17, 2005 

  Securing web-based communication is and will remain vital to existing business sustainability and future growth.

  •  Overview
  •  Download

• ---

• Reining in the LAN client by David Monaco - February 25, 2005 

  We'll often see inadequate access control for the local area network (LAN). It is usually considered a "trusted zone" thus unfortunately a frequently neglected zone. While the LAN may well be the most trusted zone, to achieve an appropriate level of layered security, authorizing clients attaching to the LAN is paramount.

  •  Overview
  •  Download

• ---

• Assessing Vendor Application Security A Practical Way to Begin by Barton Hubbs - April 8, 2004 

  Many companies are adopting a preference toward buying vendor software versus building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to market, process savings, and reducing the cost of information technology (IT).

  •  Overview
  •  Download

• ---

• Securing SQL Connection String by Dmitry Dessiatnikov - April 8, 2004 

  Securing authentication information used to establish connection between two applications is one of the most critical aspects of application security. This paper will focus on protecting connection strings used to authenticate communication between the web server and the back-end database.

  •  Overview
  •  Download

• ---

• SQL Server 2000: Permissions on System Tables Granted to Logins Due to the Public Role by K Kelley - December 13, 2003 

  Microsoft SQL Server 7.0 and 2000 make use of the concept of roles at the server level and within each database which is discussed in this paper, specifically taking a close look at the public role.

  •  Overview
  •  Download

• ---

• Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach by Vilas Ankolekar - December 13, 2003 

  This paper addresses the security challenges that exist due to programming flaws, and explains how simple programming practices can reduce the risks.

  •  Overview
  •  Download

• ---

• SQL Server Email - vulnerability issues and prevention strategies by Frank Ress - October 6, 2003 

  This paper will explore some of the ways this feature could be used by both legitimate users and intruders.

  •  Overview
  •  Download

• ---

• Securing End User Active Server Page Applications on an Intranet by Bob Bohn - September 26, 2003 

  This paper discusses the evolution of end user computing as well as the issues involved, and explores a number of techniques which can be used to secure end user applications in a Microsoft IIS 4.0 intranet environment.

  •  Overview
  •  Download

• ---

• J.D. Edwards Security using RBAC by Scott Gordee - September 4, 2003 

  Although OneWorld security is incredibly flexible, it can also become convoluted and difficult to manage if a security model isn't created and enforced in the infancy of its implementation.

  •  Overview
  •  Download

• ---

• Deploying a Secure Web Application: From a Coding Perspective by Jaime Spicciati - August 8, 2003 

  The purpose of this document is to give a developer a very detailed and reproducible guideline for the development of a typical web application, focused on common flaws that recently emerged in popular web applications.

  •  Overview
  •  Download

• ---

• Security for a CRM environment by Jason LaFrance - February 22, 2003 

  This paper is designed to help the security professional determine the considerations that are involved with a secure CRM rollout.

  •  Overview
  •  Download

• ---

• Securing Server Side Java by William Rushmore - December 21, 2002 

  Although Java has many security features, some Java programmers may think these built-in protections are adequate for securing their applications, however, nothing could be further from the truth.

  •  Overview
  •  Download

• ---

• Framework for Secure Application Design and Development by Chris McCown - December 19, 2002 

  This paper presents a framework to assist developers in the practice of secure application design and development.

  •  Overview
  •  Download

• ---

• Security Scenarios in Analysis and Design by Dwight Haworth - September 16, 2002 

  This article addresses the issue of designing security into systems rather than trying to add it to systems after development.

  •  Overview
  •  Download

• ---

• Distributed Systems Security: Java, CORBA, and COM+ by April Moreno - September 14, 2002 

  The purpose of this paper is to examine three popular architectures for distributed systems applications and their security implications.

  •  Overview
  •  Download

• ---

• Web Application Security for Managers by Pierre Brassinne - August 24, 2002 

  Recommendations to managers for securing web applications

  •  Overview
  •  Download

• ---

• Making Your Network Safe for Databases by Duane Winner - July 21, 2002 

  Guidelines for securing a database-driven web site.

  •  Overview
  •  Download

• ---

• Distributed Object Technology: Security Perspective by Subbu Cherukuwada - February 14, 2002 

  An introduction to distributed object technology and an overview of security features available in Microsoft.NET and CORBA.

  •  Overview
  •  Download

• ---

• An Approach to Application Security by Ian Rathie - January 30, 2002 

  This document discusses an approach to assessing application security and developing a simple Security Development Life Cycle to complement an organization's Systems Development Life Cycle.

  •  Overview
  •  Download

• ---

• Database - The Final Firewall by Brian Suddeth - January 28, 2002 

  Multiple layers of security may be set in your database management system, this last line of defense, helping to control access, monitor usage, set tripwires for intrusions, and attempt to maintain evidence needed if intrusions or misuse occur

  •  Overview
  •  Download

• ---

• Source Code Revelation Vulnerabilities by Christopher Short - August 30, 2001 

  Application security cannot be ignored in today's complex and competitive environment.

  •  Overview
  •  Download

• ---

• Service Account Vulnerabilities by Barbara Guhanick - August 15, 2001 

  This paper discusses "powerful" accounts used to run application sofware service, and/or, internally to provide data access as vulnerabilities in application security (Microsoft NT/2000 environment).

  •  Overview
  •  Download

• ---

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.