
Details


Speaker: David Maman

Mr. Maman is co-founder and CTO at GreenSQL, a leader in unified database security solutions. He is a recognized international expert in computer security advising companies on threat management, real-time network protection, advanced network design, and security architecture. David has founded a number of high-tech start-up companies, including Vanadium-Soft, Preacos, and Moksai. As a senior technology director for Fortinet, a leading international IT security firm, Mr. Maman provided consulting services to global businesses and opened new international regions. He was the information security manager for Bezeq, a national telecommunications company, and the chief scientist at Ofek, a leading Israeli IT and security consulting firm.

MAIN Topic: WAF Isn't Enough. The Multi-Faceted Approach to Defend against SQL Injection Attacks

WAFs are essential security mechanisms used on almost all commercial websites today. Despite the excellent protection they offer against many types of attacks, WAFs are inadequate against today's sophisticated SQL Injection (SQLi) attacks. This is because, fundamentally, a WAF does not understand database commands or database structure: its protection is limited to a blacklist of blocked signatures. Even if a WAF did provide complete protection for web access, it would still be inadequate for database protection, because databases are accessed from many sources, not just from web-based applications. Attendees will learn best practices for defending against SQLi attacks using a comprehensive approach of:
Database firewalls
Pattern learning processes
Separation of duties
Risk-based policies
Masking of sensitive information
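The following added example (not code from the talk or from GreenSQL) illustrates the abstract's two points in working Python: a WAF-style substring blacklist, which neither understands SQL structure nor sees anything but the text, both misses an injected tautology and falsely blocks legitimate data; a structure-aware allow list built during a "pattern learning" phase, the idea behind a learning-mode database firewall, judges the statement by its shape instead. The signature list, the learned traffic and the test statements are all constructed for the demo, and the toy firewall is assumed to sit where a real one would, between the application and the database, seeing every statement regardless of its source.

```python
"""Toy comparison: substring blacklist vs. learned query-shape allow list.

Added illustration; not GreenSQL code. All signatures, traffic and test
statements below are constructed for the demo.
"""
import re
from typing import Dict, Iterable, Set, Tuple

# Constructed stand-in for a WAF blacklist (assumption: real rule sets are
# much larger, but they still match substrings or regexes on request text).
SIGNATURES = ("union select", "or 1=1", "--", "; drop")


def blacklist_verdict(sql: str) -> str:
    """WAF-style check: block if any known-bad substring appears anywhere."""
    lowered = sql.lower()
    return "block" if any(sig in lowered for sig in SIGNATURES) else "allow"


_STRING = re.compile(r"'(?:[^']|'')*'")                    # 'text', '' escapes a quote
_NUMBER = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")  # bare numeric literal
_SPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: every literal becomes '?', whitespace
    and case are normalised. Strings are replaced first so digits inside a
    string literal are not mistaken for numeric literals."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _SPACE.sub(" ", shape).strip().lower()


class LearningDbFirewall:
    """Allow list of query shapes, filled from known-good traffic
    (learning mode) and then enforced (protection mode)."""

    def __init__(self) -> None:
        self.known: Set[str] = set()

    def learn(self, queries: Iterable[str]) -> None:
        for query in queries:
            self.known.add(fingerprint(query))

    def verdict(self, sql: str) -> str:
        return "allow" if fingerprint(sql) in self.known else "block"


# Constructed learning-mode traffic: what the application normally sends.
LEARNED_TRAFFIC = [
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE id = 7",
    "SELECT id, name FROM users WHERE name = 'bob' LIMIT 10",
]

# Constructed statements to judge, keyed by a short label.
CASES = {
    # Ordinary request: both mechanisms should allow it.
    "normal": "SELECT id, name FROM users WHERE name = 'carol'",
    # Classic string tautology: no blacklist signature matches, but the
    # statement's shape (an extra OR ?=? clause) was never learned.
    "tautology": "SELECT id, name FROM users WHERE name = '' OR 'a'='a'",
    # Numeric tautology that happens to match a signature: both block.
    "numeric_tautology": "SELECT id, name FROM users WHERE id = 7 OR 1=1",
    # Legitimate data containing '--': the blacklist cannot tell a literal
    # from syntax and blocks it; the shape is a learned one, so it is allowed.
    "comment_in_data": "SELECT id, name FROM users WHERE name = 'see notes -- later'",
}


def compare(firewall: LearningDbFirewall,
            cases: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {label: (blacklist verdict, firewall verdict)} for each case."""
    return {label: (blacklist_verdict(sql), firewall.verdict(sql))
            for label, sql in cases.items()}


def demo() -> Dict[str, Tuple[str, str]]:
    firewall = LearningDbFirewall()
    firewall.learn(LEARNED_TRAFFIC)   # learning mode
    return compare(firewall, CASES)   # protection mode


if __name__ == "__main__":
    for label, (waf, dbfw) in demo().items():
        print(f"{label:18s} blacklist={waf:5s} learned-shapes={dbfw}")
```

Running it prints one line per case; the two rows worth noticing are "tautology" (blacklist allows, learned shapes block) and "comment_in_data" (blacklist blocks, learned shapes allow). The fingerprint here is deliberately crude; a real database firewall would parse the statement rather than normalise it with regular expressions, but the principle is the same: the decision is made on the structure of what reaches the database, not on strings in an HTTP request.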

Thanks to our Sponsor: GreenSQL (http://www.greenSQL.com)

GreenSQL (http://www.greenSQL.com) is a powerful database firewall and compliance solution that adds important security and auditing functionality to cloud-hosted and on-premises databases.
