|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: ISA Server and SQL Injection
From: Darren Bounds (lists
intrusense.com)
Date: Wed Feb 16 2005 - 09:40:18 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Not over SSL.
No signature-based system can be viewed as a reliable means of
detecting and/or preventing SQL injection. SQL injection
vulnerabilities need to be addressed through education of software
development staff, secure software development standards and by
integrating application security testing into all phases the software
development life cycle.
Thanks,
Darren Bounds
Intrusense, LLC.
On Feb 15, 2005, at 1:04 PM, Hofmeyr, Michael (ZA - Johannesburg) wrote:
> "I'm not sure any firewall would stop a SQL Injection attack"
>
> Checkpoint's Firewall-1 has a module called "Application Intelligence"
> which can do pattern matching. I guess you could use this to stop
> packets containing known sql injection strings, but as John mentioned
> it
> should really be dealt with at the application level.
>
> Rgds
>
> Michael Hofmeyr
> Deloitte.
> Direct: +27 11 209 6249
> Main: +27 11 806 5000
> Fax: +27 11 806 5871
> Mobile: +27 803 300 3586
> email: mhofmeyr at deloitte dot co dot za
> www.deloitte.com
>
> Important Notice: This email is subject to important restrictions,
> qualifications and disclaimers ("the Disclaimer") that must be
> accessed and read by visiting our website and viewing the webpage at
> the following address: http://www.deloitte.com/za/disclaimer. The
> Disclaimer is deemed to form part of the content of this email in
> terms of Section 11 of the Electronic Communications and Transactions
> Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a
> copy thereof from us by sending an email to
> ClientServiceCentreDeloitte.co.za.
>
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]