driving new business. Sometimes, there just isn't enough security domain expertise available in the
developer pool, even if the application source code is available for fixing.

Web Application Firewalls

But why can't we rely on web application firewalls (WAFs) to detect SQL injection? Because they just
don't do a good job at detecting this particular form of attack. The problem, says Dave Rosenberg, chief
developer for DB Networks: the ubiquitous, ever-open port 443. If your enterprise has an important
database fronting web applications, port 443 is wide open, because it has to be. All HTTPS URLs use port
443 by default. That's just normal. SQL flows through that open, expected port, most often via a web
form nowadays, chugging along at its work of building various statements that access a SQL database,
passing them back to apps that need the data to do their jobs.


That makes for a web app that has to constantly build SQL queries from an input statement on a web
form. If that web form wasn't built with scrupulous care, it's quite possible for attackers to inject SQL
statements that misbehave, though they'll get interpreted as SQL right alongside polite, well-behaved
SQL statements.

When that happens, anybody out in web land who has ample SQL skills and persistence can get right into
the database, Rosenberg says. "It's a horrible problem," he says. "What are you going to do? [A
successful SQL injection attack] can read anything. It can change anything. You'd think it's a problem that
would have been solved long ago." And that's where behavior analysis comes in, this time targeted at
advanced SQL injection attacks, this time specifically designed to protect the crown jewels that are the
database.

Many companies attempt to address the SQL injection problem by using WAFs. The problem is, WAFs
speak web input. They try to decipher web traffic to figure out if it's SQL injection, but SQL keywords are plain English words, and so is ordinary web input.

Here's an example of how that language mismatch can get hairy: The first customer with which DB
Networks deployed their behavioral analysis technology had previously placed a WAF in front of a very
large database. The customer operates lots of large, public-facing stuff, Rosenberg says, but in the mix,
they also have a small operation: an antiques business.

The minute they turned on the WAF, all antiques customers looking to buy a drop-leaf table found
themselves blocked. Why? The WAF had a rule keyed on the word "table," and the search term
"drop-leaf" supplied the word "drop."

"Drop table" just doesn't seem like an innocent request to a WAF, Rosenberg says, given that the DROP
statement is what deletes indexes, tables, and whole databases. And that,
Rosenberg says, is why the web app firewall approach hasn't worked well: The technology just doesn't
have enough context to understand what's actually going on in the SQL language.
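To make the contrast concrete, here is an added example in Python (not code from the article, from DB Networks, or from the customer described): a keyword rule of the kind the WAF applied blocks the legitimate search for a drop-leaf table, while a check on the statement the app actually sends to the database, comparing its shape against a baseline learned from normal traffic, passes that search and flags only a statement whose shape the app never produced. The app, its `antiques` table, the statements and the baseline are all constructed for illustration.

```python
import re

# Part 1: a keyword rule on raw web input, as the WAF in the article applied.
# It flags any parameter in which "drop" is followed by "table".
WAF_RULE = re.compile(r"\bdrop\b.*\btable\b", re.IGNORECASE)

def waf_blocks(web_input: str) -> bool:
    """True if the keyword rule would block the request."""
    return bool(WAF_RULE.search(web_input))

# Part 2: inspect the SQL statement the app sends to the database.
# Constructed model of an app that concatenates the search term into its
# query (the vulnerable pattern the article describes).
def build_search_statement(search_term: str) -> str:
    return f"SELECT id, name FROM antiques WHERE name LIKE '%{search_term}%'"

# String literals (with '' escapes) and numeric literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def skeleton(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', case and
    whitespace are normalised, keywords/identifiers/operators remain."""
    return " ".join(_LITERAL.sub("?", sql).upper().split())

def learn_baseline(statements) -> set:
    """Shapes observed during a learning period of the app's normal traffic."""
    return {skeleton(s) for s in statements}

def is_anomalous(sql: str, baseline: set) -> bool:
    """Flag a statement whose shape this app has never produced before."""
    return skeleton(sql) not in baseline

# Constructed baseline traffic for the antiques search app.
BASELINE = learn_baseline([
    build_search_statement("oak chair"),
    build_search_statement("writing desk"),
    "SELECT id, name FROM antiques WHERE id = 42",
])

if __name__ == "__main__":
    search = "drop-leaf table"                 # the legitimate customer search
    print("WAF blocks legitimate search:", waf_blocks(search))            # True
    print("SQL-layer flags legitimate search:",
          is_anomalous(build_search_statement(search), BASELINE))        # False
    injected = "x' OR 'a'='a"                  # constructed injected input
    print("WAF blocks injected input:", waf_blocks(injected))             # False
    print("SQL-layer flags injected statement:",
          is_anomalous(build_search_statement(injected), BASELINE))      # True
```

The keyword rule both blocks the customer and misses the injected input, while the statement-shape check gets both cases right, because it sees the query with the context the article says the WAF lacks.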


SQL Behavioral Analysis

Contrast that with what DB Networks is doing with behavioral analysis: the technology looks at the traffic
between the web app and the database. That is the right place to look, because a vulnerable app submits its
query statements there, and any injected SQL shows up inside those statements. Behavioral analysis technology

106 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide