Final Project – SQL Injection Attack
CS674 Spring Session 2 2015
For: Prof. Shawn Carroll & Facil. Vijay Rachamadugu
Author: Orest Pochodaj
Date: April 28th, 2015
This paper has been compiled as the final project for the course: Boston University, MET CS 674 – Database Security. This paper contains all relevant material which aligns with the mission of this course – to teach students the tools and techniques required to secure and audit a database system in the information technology era.
Abstract
In her book Introduction to Private Security, author Karen M. Hess states that “security is something which people have sought since the beginning of recorded time.” For instance, people used…

Introduction
Computer Information Systems (CIS) have forever altered the way in which organizations conduct business. No longer is commerce managed through clunky and expensive paper-based transactions. The advantage of this archaic process, though, was that it allowed corporations to store their documents in secure locations under tight lock & key. Today, however, these cabinets have been replaced with database systems. Database systems are the modern version of filing cabinets, which house the vast data transacted by corporations. Although databases have eliminated the need for paper-based transactions, they have exposed themselves to a different problem altogether. As SANS (2015) puts it, “most of an organization’s information [today] is maintained in a small, central location, compared to the large file rooms associated with the pre-information technology era, therefore those desiring to cause harm to a large amount of information in a short time span now have a convenient means to do so.” Because of this paradigm shift, IT professionals should enforce modern database security & auditing policies in order to protect data.

But are organizations under attack? A shocking statistic from Gartner shows that 75% of attacks come from web applications and 2/3 of web applications are vulnerable. And per OWASP (2013), SQL injection attacks have been in the top 10 for the past few years. These numbers are startling, and demonstrate