Securing the Oracle Environment

Question :

1. What are the first steps that you would take to test the sites for SQL injection vulnerability?

2. How might you apply the concept of inferential testing?

3. What is your strategy for identifying dangerous source code now and far into the future? 

4. What suggestions would you offer TJRiggings in reference to their Web

Answer :

Answer1.

In order to test the sites for SQL injection vulnerability, the following step should be followed. 

• The security consultant should list information about the existing database. 

• After listing the information about the existing database, the security consultant should list information about tables present in a specific database (McWhirter et al., 2018). 

• After that, a list of columns of that database should be listed down.

• Then, the consultant should dump the data from the columns. 

Answer2.

Inferential testing is a source for the metric collection that is used to describe frequency distribution’s central position for a group of data. It is also used to compare the average performance of two groups to identify the difference between the groups (Van Dessel, 2018). The same situation is applied to the web client in which data is collected randomly from the metrics and compares it.

Answer3.

In order to identify dangerous source code now and far into the future, the organization should go for third-party tools. Apart from this, the organization should also upgrade to the latest patch timely to identify the dangerous source code (Giannopoulos et al., 2019). Every code should go for quality check and if it passes through the quality check, it should be implemented in the production environment.

Answer4.

The organization should configure single sign-on for those users who logged in to the back-end of the webserver. The organization should provide single-socket layers for reliable communication over the network to the web clients. The organization should also place honeypot on the network in order to detect external threats.

References 

Giannopoulos, L., Degkleri, E., Tsanakas, P., & Mitropoulos, D. (2019, March). Pythia: identifying dangerous data-flows in Django-based applications. In Proceedings of the 12th European Workshop on Systems Security (pp. 1-6).

McWhirter, P. R., Kifayat, K., Shi, Q., & Askwith, B. (2018). SQL injection attack classification through the feature extraction of SQL query strings using a gap-weighted string subsequence kernel. Journal of information security and applications, 40, 199-216.

Van Dessel, P. (2018). Testing predictions of a common-coding and inferential account of Approach-avoidance training effects.