[Owasp-leaders] Stop blaming developers on Sql Injection

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Thu Jan 8 14:43:05 EST 2009


No need to apologize; as I mentioned, I had no hard feelings :)

Yes, automation is hard, as there are hundreds of different ways to call a
query function: using literals, using variables, some use temporary
"placeholders" and then replace that placeholder string with the actual
value string, etc. But at least the most common cases could be covered.

OK, I am on it and have a new small mission. Thanks for the discussion and
sorry to the list for clogging your inbox.

Regards,
Juan Carlos Calderon

PS I like heated discussions when they lead to new ideas, solutions and
action.

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Thursday, 08 January 2009 12:56 p.m.
To: Calderon, Juan Carlos (GE, Corporate, consultant);
owasp-leaders at lists.owasp.org; 'Erlend Oftedal'
Subject: RE: [Owasp-leaders] Stop blaming developers on Sql Injection

> Would calling an escaping function (blacklisting approach) be better
> than changing one line for another and fixing the issue completely?
> (application side only)

Well, escaping isn't really a blacklist approach. Done right it can
totally protect against injection.  And it's possible to apply it very
quickly to existing code - maybe even automating this refactoring.  I've
thought some about writing a tool to automatically convert queries to
use PreparedStatement, and although I think many queries could be done
automatically, I'm sure there are many that would break.  I don't think
the issue is the number of lines, but whether the change can be done
automatically.

> PS To the list, I felt I was treated a little like a rookie with some
> comments, no hard feelings, just a clarification :), I just want to let
> you know...

Please accept my apologies - absolutely no insult intended. We've talked
about all this stuff at conferences. I'm trying to bring everyone into
the discussion and so sometimes I try to fill in the background
material.

--Jeff


-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at owasp.org]
Sent: Thursday, 08 January 2009 09:52 a.m.
To: Calderon, Juan Carlos (GE, Corporate, consultant);
owasp-leaders at lists.owasp.org; 'Erlend Oftedal'
Subject: RE: [Owasp-leaders] Stop blaming developers on Sql Injection

I disagree with the premise that writing secure code is necessarily more
time consuming or costly. Particularly when you arm developers with
powerful security libraries like ESAPI, the savings across the entire
SDLC (including training, requirements, design, testing, and deployment)
are enormous.
That's not even considering the reduction in risk.

So in your example I would fire both developers and find someone who
agrees to write secure code by default (i.e. their standard price is for
code that doesn't contain the OWASP Top Ten). I suggest looking at the
OWASP Secure Software Contract Annex for guidance on including security
in agreements with developers.

Also, a legacy application with lots of dynamic SQL might benefit from
using escaping rather than parameterized queries. The only change to the
code is to wrap any user data with a call to escapeForOracle(). ESAPI
supports these wrappers for Oracle and MySQL currently, and it's fairly
easy to add new Codecs to support other databases.
http://code.google.com/p/owasp-esapi-java/source/browse#svn/trunk/src/main/java/org/owasp/esapi/codecs
Anyone who wants to volunteer, contact me!

--Jeff
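The two remediation routes discussed in this thread, swapping concatenated SQL for a parameterized query versus wrapping each piece of user data in an escaping call, can be compared side by side on a small database. The following is an added example, not code from the thread or from ESAPI: it uses Python's sqlite3 module as a stand-in for JDBC, where the `?` placeholder plays the role of PreparedStatement, and a hypothetical `escape_sql_string` helper (doubling single quotes, the SQL-92 literal escape) stands in for ESAPI's escapeForOracle. The user table and inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample rows (not from the thread).
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("o'brien", "user"),   # a legitimate name containing a quote
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, username):
    """Dynamic SQL built by concatenation: user data is parsed as SQL code."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, username):
    """Parameterized query: the driver keeps the value out of the SQL text.
    This is the DB-API analogue of changing to a JDBC PreparedStatement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def escape_sql_string(value):
    """Hypothetical escaping helper (stand-in for an ESAPI codec call).

    Doubles embedded single quotes, which is how SQL spells a literal quote.
    It is only correct *inside a single-quoted string literal*; a value
    concatenated into an unquoted numeric context is not protected by it,
    which is the main reason parameters are preferred when a rewrite is possible.
    """
    return value.replace("'", "''")


def find_user_escaped(conn, username):
    """Same dynamic SQL as find_user_concat, with the data wrapped in the escaper."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + escape_sql_string(username) + "'")
    return conn.execute(sql).fetchall()


def demo():
    """Run all three variants on a quoted name and on a query-altering input."""
    conn = make_db()
    results = {}

    # Legitimate input with an apostrophe: concatenation cannot even handle it.
    try:
        find_user_concat(conn, "o'brien")
        results["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["concat_obrien"] = "syntax error"
    results["prepared_obrien"] = find_user_prepared(conn, "o'brien")
    results["escaped_obrien"] = find_user_escaped(conn, "o'brien")

    # Input that rewrites the WHERE clause when pasted in as code.
    hostile = "x' OR 'a'='a"
    results["concat_rows"] = len(find_user_concat(conn, hostile))      # every row
    results["prepared_rows"] = len(find_user_prepared(conn, hostile))  # no match
    results["escaped_rows"] = len(find_user_escaped(conn, hostile))    # no match
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both the parameterized and the escaped variants return the apostrophe-bearing user correctly and treat the hostile string as plain data, which is Jeff's point that escaping done right is not a blacklist. The difference is in how far the fix reaches: the parameterized version changes the statement shape, while the escaping wrapper leaves the dynamic SQL intact and only helps where the data lands inside a quoted literal, which is what a refactoring tool would have to verify before applying it automatically.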


