is able to identify these rogue statements.

Again, it boils down to heuristics. Imagine a bunch of experts voting on whether a SQL statement should
be accepted into the clan or not. The experts may have drastically differing opinions, but perhaps a
majority of the experts vote to shun this particular statement each for their own reasons based on what
they've learned as proper behavior.


Here are a couple of the many SQL behaviors that DB Networks' technology models:

Modeling what the app does at a fundamental level. Web apps build statements to talk to relational
databases in SQL. That language has a number of rules. DB Networks has found it "incredibly helpful" to
look at those little building blocks of SQL language. Just like English breaks down into words, so too does
SQL break down into little semantic statements. That enables DB Networks to notice, for example, when
an attacker has managed to get a rogue SQL fragment inserted within a proper SQL statement created by
the web application.


Is X variation the kind of variation this app has shown before? This requires an understanding of the
rules of language: the syntax, if you will. It requires understanding how all statements hang together in
a tree-like pattern. That, again, is the behavioral model. At some point the technology says, "Hey, is this
SQL statement likely to have been actually created by the web app, or not?" If not, it just might be flag-it
time.
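
To make the two behaviors above concrete, here is an added illustration; it is not DB Networks' code or algorithm. It assumes a flat token "skeleton" (literals replaced by `?`) as a simplified stand-in for the tree-like model, and the class name, function names and sample statements are constructed for this example.

```python
import difflib
import re

# Token classes, tried in order (literals and comments before identifiers).
TOKEN_RE = re.compile(r"""
    (?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)   # string or numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/)             # SQL comment
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)           # keyword or identifier
  | (?P<ws>\s+)                                 # whitespace, dropped
  | (?P<other><>|<=|>=|!=|.)                    # operators, punctuation
""", re.VERBOSE | re.DOTALL)

def skeleton(sql):
    """Reduce a statement to its building blocks; data values become '?'."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        out.append({"lit": "?", "comment": "<comment>",
                    "word": text.upper()}.get(kind, text))
    return tuple(out)

class StatementModel:
    """Remembers the statement shapes the application has produced."""
    def __init__(self):
        self.known = set()

    def learn(self, sql):
        self.known.add(skeleton(sql))

    def is_anomalous(self, sql):
        return skeleton(sql) not in self.known

    def rogue_tokens(self, sql):
        """Tokens the closest learned shape does not explain ([] if known)."""
        skel = skeleton(sql)
        if skel in self.known:
            return []
        ratio = lambda k: difflib.SequenceMatcher(None, k, skel).ratio()
        best = max(self.known, key=ratio, default=())
        ops = difflib.SequenceMatcher(None, best, skel).get_opcodes()
        return [t for tag, _, _, j1, j2 in ops
                if tag in ("insert", "replace") for t in skel[j1:j2]]

# Constructed sample of statements a web app might normally issue.
LEARNED = ["SELECT name, price FROM products WHERE id = 42",
           "SELECT id FROM users WHERE email = 'a@example.com' AND active = 1"]
```

A statement that differs only in its data values maps to a learned shape and passes; one carrying extra structure does not, and `rogue_tokens` reports the fragment that the nearest learned shape cannot account for.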


DB Networks' initial customers came from the financial sector, Rosenberg says: businesses that need to
check off the regulatory compliance boxes, of course, but primarily, the company's seeing uptake from
those businesses who've been burned by putting their trust into old-school security technologies.


Will we see other vendors move toward grafting behavioral analysis onto their threat detection
technologies? It's looking like that's the direction many are taking. Threat detection behavioral analysis is
obviously a new and evolving technology. Look for the evolution to move our databases toward the day
when, finally, SQL injection drops off the OWASP Top 10 list.

About The Author

Lisa Vaas has been writing about technology, careers,
science and health since 1995. She rose to the lofty heights
of Executive Editor for eWEEK, popped out with the 2008
crash, joined the freelancer economy, and now writes mostly
for Sophos's Naked Security blog, as well as IT World, Forbes,
CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software
Quality Connection, Time, and the US and British editions of
HP's Input/Output. She started too many eggplant seedlings
this spring. She'd vote for Louis C.K. in a presidential
election. Make her offers she can't refuse, which typically
involve writing about interesting things for wads of cash.



107 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide