WebApp Sec mailing list archives
Re: good database testing tools to guard against SQL injection for Microsoft, Oracle?
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Mon, 10 May 2004 21:35:56 -0400
Earl,

Have you considered looking at the source code for the applications you're evaluating? Don't give up your biggest advantage over the attackers.

The problem with external testing is that you never know if you've found all the possible SQL injection points. And for the ones you do find, it's often very difficult and time consuming to determine if it is actually vulnerable. I believe that checking the code is far more cost-effective in terms of completeness and accuracy for the dollar.

The new OWASP Testing Guide will contain a detailed discussion of how to find these kinds of problems in your code as well as how to test for them. Stay tuned.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: <Earl.Perkins () metagroup com>
To: <webappsec () securityfocus com>
Sent: Monday, May 10, 2004 12:54 PM
Subject: good database testing tools to guard against SQL injection for Microsoft, Oracle?

Does anyone have recommendations for good database testing tools to spot and correct potential exploitation opportunities for SQL injection attacks in Microsoft and Oracle database environments?

Thanks.

Earl L. Perkins
Vice President, Security & Risk Strategies
Technology Research Services
META Group, Inc.
http://www.metagroup.com
earl.perkins () metagroup com
Voice: 504-362-0291
Fax: 925-889-2523

META Group --- Return On Intelligence*
*A service mark of META Group, Inc.

METAmorphosis 2004
META Group's 15th Annual Forum for Meeting Business and IT Change
"The Adaptive Organization: Building Value by Remodeling for IT Flexibility"
http://www.metagroup.com/mm2004
March-May 2004
San Diego - Chicago - Barcelona - Sydney - Johannesburg