
SQLMap tech demo & DevOps security challenges

Hosted By
Fred B.

Details

Hello all,

For this iteration of the meetup, we will have 2 talks/demo:

  • Omar Benjumea (Kudelski Security) will go through the main security challenges that the DevOps paradigm brings to corporations, sharing his view on how DevSecOps should be implemented to effectively mitigate those new risks.

  • Jérémy Matos (SecuringApps) will take us through a technical demo of SQLMap, detailing classical injection cases, as well as shedding some light on his personal experiences against REST APIs. The abstract follows:

Title: Finally getting rid of SQL injections by integrating sqlmap in your DevOps pipeline

Abstract: According to Akamai's State of Internet Security report, SQL injection accounted for more than 51% of the observed web application attacks in Q4 2016. Solutions have been known for many years, but massive dumps are still being published.

With source code examples inspired from real-world reviews, we will run the sqlmap tool to see how easily it can break into our sample Java REST API.

  1. Pathetic database usage following the "Google first result / Stack Overflow copy-paste" methodology.

  2. Prepared statement (via Spring JDBC) but with a rather complex query.

  3. ORM (Hibernate) but with a rather complex query.
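To make the three cases concrete, here is an added illustration of what each one looks like in a Java repository class, each vulnerable method placed beside its fix. This is example code written for this page, not the speaker's sample project; the table `product`, its columns, the mapped entity `Product` and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.hibernate.Session;
import org.springframework.jdbc.core.JdbcTemplate;

// Illustrative example (not the meetup's GitHub project). Assumes a table
// product(id, name, price, category) and a Hibernate entity Product mapped to it.
public class ProductRepository {

    private final Connection connection; // raw JDBC, case 1
    private final JdbcTemplate jdbc;     // Spring JDBC, case 2
    private final Session session;       // Hibernate, case 3

    public ProductRepository(Connection connection, JdbcTemplate jdbc, Session session) {
        this.connection = connection;
        this.jdbc = jdbc;
        this.session = session;
    }

    // Case 1, vulnerable: the "first search result" pattern. The id is pasted into the
    // SQL text, so ?id=1 OR 1=1 or ?id=1 UNION SELECT ... runs as SQL.
    public ResultSet findByIdVulnerable(String id) throws SQLException {
        Statement st = connection.createStatement();
        return st.executeQuery("SELECT id, name, price FROM product WHERE id = " + id);
    }

    // Case 1, fixed: the value is bound; the driver sends it as data, never as SQL text.
    public List<Map<String, Object>> findById(long id) {
        return jdbc.queryForList("SELECT id, name, price FROM product WHERE id = ?", id);
    }

    // Case 2, vulnerable: the WHERE clause is correctly parameterised, but the query is
    // "complex" (caller-chosen sort) and ORDER BY cannot take a bind variable, so the sort
    // column and direction are concatenated. A sort value such as
    // (CASE WHEN (<condition>) THEN id ELSE price END) makes the row order depend on
    // <condition>, which is exactly the signal a boolean-based blind injection needs.
    public List<Map<String, Object>> searchVulnerable(String category, String sort, String dir) {
        String sql = "SELECT id, name, price FROM product WHERE category = ? "
                   + "ORDER BY " + sort + " " + dir;
        return jdbc.queryForList(sql, category);
    }

    private static final Set<String> SORTABLE = Set.of("id", "name", "price");

    // Case 2, fixed: identifiers are checked against an allowlist (they cannot be bound),
    // the direction is a boolean, and the only value remains a bind parameter.
    public List<Map<String, Object>> search(String category, String sort, boolean descending) {
        if (!SORTABLE.contains(sort)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT id, name, price FROM product WHERE category = ? "
                   + "ORDER BY " + sort + (descending ? " DESC" : " ASC");
        return jdbc.queryForList(sql, category);
    }

    // Case 3, vulnerable: an ORM does not help when the HQL string itself is built from
    // input. A prefix of  x' OR '1'='1  closes the literal and rewrites the WHERE clause.
    public List<Product> findByNameVulnerable(String namePrefix) {
        String hql = "FROM Product p WHERE p.name LIKE '" + namePrefix + "%'";
        return session.createQuery(hql, Product.class).getResultList();
    }

    // Case 3, fixed: named parameter; the LIKE wildcard is appended to the bound value,
    // not to the HQL text, so quotes in the input stay inside the string.
    public List<Product> findByName(String namePrefix) {
        return session.createQuery("FROM Product p WHERE p.name LIKE :prefix", Product.class)
                      .setParameter("prefix", namePrefix + "%")
                      .getResultList();
    }
}
```

The point of cases 2 and 3 is that "we use prepared statements" or "we use an ORM" is not a verdict: the moment any fragment of the query text (a column name, a sort direction, a LIKE pattern) comes from the request, that fragment is an injection point, and a scanner such as sqlmap exercises it no differently from a raw `Statement`.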

We will then discuss how to integrate sqlmap in your DevOps pipeline to build a SQL injection safety net, and also how to make sure developers don't code vulnerable SQL queries anymore.
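One way to wire such a safety net into a Java build, added here as an example and not taken from the talk or its sample project: an integration test that starts after the API is deployed to the test environment, drives sqlmap from captured HTTP request files and fails the build if sqlmap reports an injection point. The file paths, the output directory, the time limit and the request file contents are assumptions; the sqlmap options used (`-r`, `--batch`, `--flush-session`, `--level`, `--risk`, `--output-dir`) are real ones.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.junit.jupiter.api.Test;

// Illustrative example (not the meetup's GitHub project). Assumes the API under test is
// already listening where the request files point, and that sqlmap is on the PATH of the
// CI runner. A request file is a raw HTTP request, e.g. src/test/sqlmap/search.req:
//
//   POST /api/products/search HTTP/1.1
//   Host: localhost:8080
//   Content-Type: application/json
//
//   {"category":"books","sort":"name","dir":"asc"}
//
// sqlmap parses the JSON body and tests every field in it as a parameter.
class SqlInjectionSafetyNetTest {

    private static final List<Path> REQUEST_FILES = List.of(
            Path.of("src/test/sqlmap/search.req"),
            Path.of("src/test/sqlmap/product-by-id.req"));

    @Test
    void sqlmapReportsNoInjectionPoint() throws IOException, InterruptedException {
        for (Path req : REQUEST_FILES) {
            String report = runSqlmap(req);
            // This is the heading sqlmap prints above its findings; absence of it (together
            // with "do not appear to be injectable") is the pass condition.
            assertFalse(report.contains("identified the following injection point"),
                    "sqlmap found an injection point for " + req + ":\n" + report);
        }
    }

    static String runSqlmap(Path requestFile) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(
                "sqlmap",
                "-r", requestFile.toString(),
                "--batch",                     // never prompt, so it cannot hang the runner
                "--flush-session",             // a cached session must not hide a regression
                "--level=3", "--risk=2",       // also test headers/cookies and OR-based payloads
                "--output-dir=target/sqlmap")  // keep the log/session next to other build output
                .redirectErrorStream(true)
                .start();
        // Drain stdout before waiting, otherwise a full pipe would block sqlmap.
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(20, TimeUnit.MINUTES)) {
            p.destroyForcibly();
            throw new IllegalStateException("sqlmap timed out on " + requestFile);
        }
        return out;
    }
}
```

Two practical points for this kind of test: sqlmap's exit status is not a verdict, so the test reads the report text rather than the return code; and `--level`/`--risk` trade scan time for coverage, so it is reasonable to run a quick default scan on every commit and the deeper one nightly. The test only tells you that a known class of payload no longer works on the endpoints you captured; a code-review rule of "no query text from input, ever" is still what keeps new endpoints from appearing in the next report.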

NB: The sample Java project and corresponding sqlmap parameter files will be provided in a GitHub project.

Lausanne DevSecOps Meetup
Studio Banana
7 avenue des acacias · Lausanne