Application Security Whitepapers
Most of the computer security white papers in the Research Library have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS SSI attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
General Papers
Kevin Fuller, Leo McCavana, Mark Williams, Lenny Zeltser
Application/Database Sec
Featuring 9 papers as of Sep 7, 2010
- Implementing Data-at-Rest Encryption within the Oracle RDBMS
- Best Practices in Data Protection: Encryption, Key Management and Tokenization
- AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know
- Jason Lam & Johannes B. Ullrich - May 22, 2009
- The new and upcoming cross domain request ability in Level 2 XHR and in XDR generates very interesting opportunities for both AJAX technologies and hacking communities. This new generation of technologies has security built into them from the start, and the access control component is built by industry consensus. There are no doubts that the security research community and hackers will leverage this newly gained cross domain function in their future arsenal, but they will first have to get past the various controls put in place by the W3C standard. Web developers need to understand these technologies to protect their applications from the ill side effects.
- AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them
- Ed Skoudis and Frank Kim - March 3, 2009
- Web Based Attacks
- Justin Crist - January 4, 2008
- Analyzing Attack Surface Code Coverage
- Justin Seitz - November 14, 2007
- Forensic Analysis of a SQL Server 2005 Database Server
- Kevvie Fowler - September 28, 2007
- Automated Scanning of Oracle 10g Databases
- Rory McCune - August 7, 2007
- Using Oracle Forensics to determine vulnerability to Zero Day exploits
- Paul Wright - February 28, 2007
- This paper has shown the reader what PL/SQL injection is and how it can be exploited to gain DBA whilst bypassing current IDS technology. We then explored how to find PL/SQL injection vulnerabilities in order to identify potential new zero-days. Then, by comparing DB states before and after the January 2007 CPU installation, both silently fixed bugs and mistakenly omitted fixes were identified in the CPU installation process. A differentiation was made between potential vectors of SQL injection, such as triggers, and the actual underlying source of vulnerability in dependency code. The process of tracing back the dependencies to join the vector to the source of the vulnerability was shown. The best verification of vulnerability was then used, i.e., reading the code itself. The change made at code level by the CPU installation was inspected, thus identifying the use of prepared statements by Oracle in the patched code in order to secure against SQL injection.