Product Group Tests
Application security, January 01, 2014
The accesses were exacerbated by the use of malware and that too should be no surprise. What should also not have been a surprise, given the findings of Verizon's recent breach report, was that the attacks were not particularly sophisticated, consistent with the Verizon reports for two years now.
These were attacks against low-hanging fruit. This issue's products are quite capable of moving that fruit nearly to the top of the tree and providing significant protection for web applications and databases. This month, we look at web application and database security tools and, while the crop is small, there are some powerful contenders in it.
Unfortunately, web applications as front-ends for databases provide the way into an enterprise through simple attacks, such as SQL injection. A year ago, I was called on to test a website for vulnerability to SQL injection. The premise under which I was asked was that it was a sophisticated attack that, basically, could not be prevented or protected against. My approach was simple. I became a script kiddie.
Rather than use tools and accepted manual penetration-testing techniques, I went to the internet, found an information site on SQL injection attacks, and duplicated - keystroke-for-keystroke - what I found. I was in the database in under five minutes, including finding the information site. In just a little more time, I had extracted credit card data and posed as the administrator for the database. These are not sophisticated attacks, but that does not mean that the protection against them should not be sophisticated.
Why? The simple answer is that SQL injection, like many other types of attacks, is a class of attack targeting a class of vulnerability (here, user input concatenated into a query). Just as there can be dozens, or even hundreds, of variations of a piece of malware, there can be many variations of the same exploit, each with a different string on the wire. Attack signatures that match one of those strings just are not enough. Tough protection is needed, and that is what you'll find in this issue's product pages.
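To make the "class of attack, not a single string" point concrete, here is an added example that is not part of this review or of any product tested in it. It builds a two-row login table in an in-memory SQLite database (constructed sample data) and looks users up three ways: the vulnerable concatenated query, the same query behind a single attack signature, and a parameterized query. Three constructed injection inputs are run through each; the signature stops only the payload it was written for, while binding the values stops the whole class.

```python
"""
Added example (not from the SC Magazine review): one login lookup built three
ways, to show why matching one attack string does not stop SQL injection.
All users, passwords and attack strings below are constructed sample data.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "c0rrect-horse", "admin"), ("alice", "battery-staple", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The 'script kiddie' target: user input is pasted into the SQL text."""
    sql = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(sql).fetchall()


# A signature a naive filter might carry: the textbook "' OR '1'='1" payload.
_SIGNATURE = re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)


def login_signature_filtered(conn, name, password):
    """Same concatenation, guarded by that one attack signature."""
    if _SIGNATURE.search(name) or _SIGNATURE.search(password):
        return []  # signature matched: request refused
    return login_vulnerable(conn, name, password)


def login_parameterized(conn, name, password):
    """The class-level fix: the driver binds the values, so input is never SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Constructed attack inputs: the textbook payload and two trivial variants.
ATTACKS = {
    "classic": ("admin", "' OR '1'='1"),          # tautology on the password
    "comment": ("admin'--", "anything"),          # '--' comments out the password check
    "tautology_variant": ("admin", "' OR 'a'='a"),  # same idea, different literal
}


def run_all():
    """Return, per attack, how many rows each lookup variant hands back."""
    conn = make_db()
    results = {}
    for label, (name, pw) in ATTACKS.items():
        results[label] = {
            "vulnerable": len(login_vulnerable(conn, name, pw)),
            "signature": len(login_signature_filtered(conn, name, pw)),
            "parameterized": len(login_parameterized(conn, name, pw)),
        }
    return results


if __name__ == "__main__":
    for label, counts in run_all().items():
        print(label, counts)
```

Run as-is: the classic payload returns both users from the vulnerable query and is stopped by the signature, but the comment variant and the `'a'='a'` variant sail past the signature and still return rows. The parameterized query returns nothing for all three and still authenticates a real user, which is the behaviour a web application firewall or database firewall has to approximate when it cannot change the application's code.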
We looked at both web application security and database security. Our tools included security management applications and firewalls, both separately and in combination. We had appliances, software and one virtual appliance available from our vendors - a who's-who of the industry.
Also, for this report we have enlisted the talents of the information security students at the US military college Norwich University. A team of five exceptional students took on these products and, under the leadership of Cadet Rebecca Weaver, a senior who graduated in December, ran them through their paces in our cyber war room using the Center for Advanced Computing and Digital Forensics' virtual environment and a multi-workstation test bed. They're named in the individual reviews they provided. I trust you will find their ministrations satisfactory; I know that I did. So, on with the show!
Please note, all reviews in this section have been conducted in the USA, thus pricing, conversion rates and support options may vary outside the USA.