A design review: Concepts for mitigating SQL injection attacks
Authors: Ed Pearson, Cindy L. Bethel
Venue: 2016 4th International Symposium on Digital Forensic and Security (ISDFS)
Publication date: 2016-04-25
DOI: 10.1109/ISDFS.2016.7473537 (https://doi.org/10.1109/ISDFS.2016.7473537)
Recently, it has not been unusual to see media coverage of a major breach of some large organization's cyber security. A large number of these breaches are due to vulnerabilities in the organization's software or systems. Once an in-depth analysis of these vulnerabilities was performed, it came to light that many of them were the result of development issues; to be more specific, either the developers or the design process was the cause of the vulnerabilities. One class of vulnerability introduced by developers or by a subpar design process is injection attacks. In particular, SQL injection attacks (SQLIA) have been the culprit in most organizational cyber security breaches. This form of attack can have a detrimental impact on a business or organization: monetary loss, exposure of confidential business information, exposure of customer data, a decrease in company stock value, or some combination of these four. SQL injection attacks are relatively common in interactive web applications. Not only are SQL injection attacks common, they are also easily detectable and reasonably simple to mitigate. There is a plethora of literature on defending against SQL injection attacks once a system or piece of software is functional. The goal of this work is to address the issue of SQL injection attacks starting in the design process. The contribution of this paper is a proposed design review methodology that allows designers to examine the user interface (UI) and user experience (UX) in the design phase to expose any attack surfaces that would allow an injection attack to occur. In particular, the method proposed in this work combines human-computer interaction concepts with cyber security principles and software security techniques to design a user interface that is not subject to SQL injection attacks. Because injection attacks originate from malicious user input, this method concentrates on the design of the interface to eliminate all entry points that allow for injection attacks.