It's hard finding someone who is really good at this stuff (the company I work for retains the services of a leading UK security company, and I've not only found stuff they've missed, I've had to explain to them why it's a problem).

To answer your questions, by far the most important thing you can do is ask him to prove that your code is vulnerable by demonstrating an attack.

He's got a much easier job than anyone attacking your site, since you've already provided him with the source code (I'm not suggesting that's a bad idea; it saves a lot of expensive messing about). I would recommend you set up a copy of your live system as a target for his attacks. In addition to protecting your system if he is successful, it should allow you to test out the security monitoring you've already got in place to detect attacks.

The fact that he describes use of eval() and fopen() as input vulnerability issues is extremely odd. If it were me, I'd have provided a set of classification criteria (XSS, CSRF, SQL injection, code injection, MITM, data leaks, network/OS vulnerabilities) along with scoping of the testing well in advance of agreeing a contract, and would have classified these as potential code injection attacks.

If you've already run automated checks against your system then presumably you've already investigated and dismissed the potential issues, so why are you paying someone to tell you about this? I'd have provided a list of the areas you've already looked at.

I'd also want him to provide details of the stuff he has examined which did not show a vulnerability.

He should also be appraising your code for the likely impact should the system be compromised (and by what means), e.g. storing credit cards / passwords in a recoverable form. Even if your website is currently 100% secure now (which CANNOT be proven), what will happen when an attacker manages to brute-force an SSH session? Is there a host-based IDS in place and a deployment process which reconciles changes?

If you've already contracted him to provide the checks then it's a bit late now to change the terms of the contract, but you've learnt a lot before you go through the process again.