Archive for the security violations Category

ABSTRACT by Gary Wassermann

| July 30th, 2009

s2avatarsetting

standards

by
Gary Wassermann

SENCAW | AUTHOR
ABSTRACT by Gary Wassermann
Department of Computer Science
University of California, Davis
Software systems interact with outside environments (e.g., by taking inputs from a user) and usually have particular assumptions about these environments. Unchecked or im- properly checked assumptions can affect security and reli- ability of the systems. A major class of such problems is the improper validation of user inputs. In this paper, we present the design of a static analysis framework to address these input related problems in the context of web applica- tions. In particular, we study how to prevent the class of SQL command injection attacks. In our framework, we use an abstract model of a source program that takes user in- puts and dynamically constructs SQL queries. In particular, we conservatively approximate the set of SQL queries that a program may generate as a finite state automaton. Our framework then applies some novel checking algorithms on this automaton to indicate or verify the absence of security violations in the original application program. Work is in progress to build a prototype of our analysis. Mor
Department of Computer Science
University of California, Davis
Gary Wasserman
Software systems interact with outside environments (e.g., by taking inputs from a user) and usually have particular assumptions about these environments. Unchecked or im- properly checked assumptions can affect security and reli- ability of the systems. A major class of such problems is the improper validation of user inputs. In this paper, we present the design of a static analysis framework to address these input related problems in the context of web applica- tions. In particular, we study how to prevent the class of SQL command injection attacks.
In our framework, we use an abstract model of a source program that takes user in- puts and dynamically constructs SQL queries. In particular, we conservatively approximate the set of SQL queries that a program may generate as a finite state automaton. Our framework then applies some novel checking algorithms on this automaton to indicate or verify the absence of security violations in the original application program. Work is in progress to build a prototype of our analysis.
More

Posted in SQL command injectio attacks, SQL queries, Uncategorized, queries, security violations | No Comments »

Federal Information Security Management Act (FISMA)

| July 30th, 2009
NIST

NIST

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems”, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. More

Posted in NIST, Uncategorized, access, apache, security violations | No Comments »