WebApp Sec mailing list archives

Re: good database testing tools to guard against SQL injection for Microsoft, Oracle?


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Mon, 10 May 2004 21:35:56 -0400

Earl,

Have you considered looking at the source code for the applications you're
evaluating? Don't give up your biggest advantage over the attackers.  The
problem with external testing is that you never know if you've found all the
possible SQL injection points.  And for the ones you do find, it's often
very difficult and time-consuming to determine if they are actually vulnerable.
I believe that checking the code is far more cost-effective in terms of
completeness and accuracy for the dollar.

The new OWASP Testing Guide will contain a detailed discussion of how to
find these kinds of problems in your code as well as how to test for them.
Stay tuned.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message ----- 
From: <Earl.Perkins () metagroup com>
To: <webappsec () securityfocus com>
Sent: Monday, May 10, 2004 12:54 PM
Subject: good database testing tools to guard against SQL injection for
Microsoft, Oracle?


Does anyone have recommendations for good database testing tools
to spot and correct potential exploitation opportunities for SQL
injection attacks in Microsoft and Oracle database environments?
Thanks.

Earl L. Perkins
Vice President, Security & Risk Strategies
Technology Research Services
META Group, Inc.     http://www.metagroup.com
earl.perkins () metagroup com
Voice: 504-362-0291   Fax: 925-889-2523
