Archive
Road to Destination 3 – First time leading a team
Team Leader (TL) is an interim position from which people can expect to move up to project manager and beyond. So it is a very good opportunity for people who want to follow the project management path. However, there will be some challenges when you are doing something for the first time. As a person most people love to work with, you can make them love you even more, or you can become a source of stress for them.
Making project commitments – Setting the realistic timeline at a very early stage
Have you ever been afraid of making commitments for things which can only be seen after months or years? Have you ever found yourself in a situation where you and your team have to work hard for weeks or months to meet the deadlines? Have you ever failed to meet the deadlines?
These questions come up daily for the Project Manager (PM), and without the right method the answer to many of them will be “YES”.
Service-Based Leadership of Project Managers
Security SQL - SQL Injection Vulnerabilities
SQL Injection Vulnerabilities
T-SQL Functions
SQL Security - Delimiting Identifiers and Strings
Tools for Web Security Testing or checking hackers’ techniques
| IEHttpHeaders tool, which helps uncover what is being sent between pages. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| The Paros tool helps uncover what is being sent between pages. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| SPIKE Proxy tests parameter manipulation and CGI buffer overflow. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| SSLDigger is available on the Foundstone website: go to resources, then free tools. It allows you to test an SSL-enabled web server to determine which encryption algorithms it supports. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| Wget is included with most Linux and BSD distributions. It’s a simple yet powerful command-line tool for accessing, downloading, or mirroring Web server content. Also libraries. |
| cURL is a command line tool that is also a pen tester. It has similar functionality to Wget. |
| Blackwidow - a web spider or crawler tool. A 30-day free trial is available; the tool costs 39.95 after that. |
| Cygwin, which is a Unix environment for Windows. Provides, for example, the grep utility on a Windows system. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| The Regulator - helps create search expressions for grep. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| FITScanner is available on the CD that comes with the book How To Break Software Security, by James Whittaker and Herbert Thompson. |
| Nikto helps to find known vulnerabilities in a web server. |
| Wikto adds to Nikto the Google Hacking Database and the use of the Google search engine to case your client. |
| GHDB, a database of hacks. |
| Stunnel allows you to set up a tunnel to a machine using Secure Sockets Layer. Stunnel is the “Universal SSL Wrapper”: it can be both a server and a client. |
| IISLockdown, a tool for locking down servers. Also on the CD that comes with the book, How To Break Web Software, by Mike Andrews and James Whittaker. |
| TextPad - a useful text editor which can display and edit almost any file. You can get free syntax definition files, so that TextPad appropriately highlights and indents documents (like Perl programs). The basic product isn’t free; add-ons are free. |
| Cookie Pal - allows users more fine-grained control over what cookies they will accept or reject. |
| Cookie Crusher - allows users more fine-grained control over what cookies they will accept or reject. |
| http://www.securityspace.com/s_survey/data/man.200507/cookieReport.html |
| link to FAQ pages on cookies |
| paper on session fixation |
| BBCode |
| Examples of things to filter for. |
| For more information on SQL injection techniques. |
| chroot command for Apache servers. |
| Rain Forest Puppy, a pioneer of Web application security testing. |
| checklist for locking down an application and Microsoft SQL Server. |
| Ethereal (a network monitoring tool). |
| J0hnny (of Google hacking fame). |
| HTTPrint identifies web server and version by differences in responses to requests. |
| SiteDigger from Foundstone executes Google searches to see if your site is vulnerable to known Web server bugs. |
| BugTraq site that lists security vulnerabilities of web servers. |
| CERT site that lists security vulnerabilities of web servers. |
| Brutus - a tool for brute-force hacking of authentication. |
| Information on Cross-Site Tracing. |
SQL Delta
1. Can SQL Delta do a Data Compare only?
No. Before performing a data comparison, SQL Delta needs to load the schema (structure) of every database and then compare each table to see if the columns (fields) match.
