Preview Mode Links will not work in preview mode

Oct 22, 2012

Syhopsis

When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about!  We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at last partially responsible for how long this podcast ended up being.  It's well worth the time, in my opinion, as we cover the following topics:

  • Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query - by manipulating the meta-environment)
  • Jim & David talk about how to do sane SQL Injection protection (bind everything!)
  • David talks about some contrived ways of hacking Oracle databases, that are 'outside the business logic' and explains why validation is still important
  • Jim brings up structural validation of inputs (useful white-listing)
  • David brings up that his exploits from 2007 are STILL working in 2012 - terrifying
  • "Parameterize it, or jeopardize it" - Jim's campaign to rid the world of SQL Injection
  • David talks about unconventional database forensics that identify attacks via weblogs
  • Vendors have upped their game to protect applications, developers are still writing bad code
  • Jim Manico "We are entering the golden age of hackers" ... does this mean better security?!
  • David discusses how if MS had stopped development of NEW features, WinNT4 would be 'secure' by now... but innovation & features will continue to drive forward - security suffers
  • Jim asks "does the [development] framework of the future, consider security as a built-in?"

Guests

  • Jim Manico - One of the people who holds OWASP together, Jim is an enthusiastic espouser of the Web App Security word.  You can find him providing training, practical advice, and code knowledge all over the place, particularly for the OWASP organization.
  • David Litchfield - David has been taking Oracle to task over their claims of database security for years, and continues to be a driving force behind penetration testing, database forensics, and all things Oracle security.