The OWASP Top 10 Security Risks and Redgate Tools

The Open Web Application Security Project (OWASP) is a nonprofit foundation focused on improving the security of software. It runs all sorts of projects, presentations, and educational content, but the thing it is best known for is the OWASP Top Ten: a periodically updated (not annual) report on the ten most critical security risks, specifically for web applications.

The current (2017) top 10 list is as follows:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Now, Redgate's tools can't help with all of the OWASP Top Ten (XML External Entities is just outside our area of operation, sorry), but several of them can help you make the database side of your systems more secure.

Top Ten Items

The following are six of the top ten that Redgate tools can directly help with.

Injection

None of the Redgate tools can prevent Injection. Prevention is down to your developers: properly parameterized queries, escaping of any input that must be concatenated, least-privilege database accounts, and several other measures, neatly summarized here. What SQL Monitor can do is detect the signs of a SQL Injection attack in progress, or one that has already succeeded, so you find out from an alert rather than from a data breach notification. An excellent article by Phil Factor lays out exactly how this works, and you can access the custom metrics needed right here. Using SQL Monitor, you can at least ensure that you are watching for the number one risk on the OWASP Top 10.
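As an added illustration (this is not code from the original post, and not Redgate's published custom metric), the following T-SQL shows the injectable pattern, the parameterized replacement, and a custom-metric-style query that returns a single integer, which is the shape a SQL Monitor custom metric takes. The `dbo.Customers` table, the procedure names and the list of injection markers are assumptions for the example.

```sql
-- Added example, not from the original post or from Redgate's metrics.

-- 1. Injectable: the caller's value is pasted into the statement text.
CREATE OR ALTER PROCEDURE dbo.FindCustomers_Vulnerable
    @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO
-- EXEC dbo.FindCustomers_Vulnerable N''' OR 1=1 --'
-- runs  SELECT ... WHERE Name = '' OR 1=1 --'  and returns every row.

-- 2. Parameterized: the value travels as a typed parameter, never as text,
--    so the same input can only match a customer literally named ' OR 1=1 --
CREATE OR ALTER PROCEDURE dbo.FindCustomers_Safe
    @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
END;
GO

-- 3. Detection, custom-metric style: one integer you can alert on.
--    Counts cached ad hoc batches whose text carries markers that a
--    well-behaved application rarely produces. Needs VIEW SERVER STATE.
--    The pattern list is an assumption; tune it to your own workload.
SELECT COUNT(*) AS SuspiciousAdHocBatches
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE cp.objtype = 'Adhoc'
  AND (   st.text LIKE '%UNION%SELECT%'
       OR st.text LIKE '%xp_cmdshell%'
       OR st.text LIKE '%WAITFOR DELAY%'
       OR st.text LIKE '%information_schema.tables%'
       OR st.text LIKE '%''%OR%1=1%');
```

Two caveats on the detection query: the plan cache is sampled, not streamed, so a batch that is evicted between collections is missed (an Extended Events session on `sql_batch_completed` closes that gap), and the presence of ad hoc batches at all is itself a signal, since an application built on parameterized queries produces `Prepared` and `Proc` plans rather than `Adhoc` ones.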

Sensitive Data Exposure

The Redgate tool most focused on ensuring that your sensitive data is protected in non-production environments is Data Masker. Data Masker gives you the ability to automate the replacement of your sensitive information with realistic data. Putting this tool to work within your environment will help you address the third risk in the OWASP Top 10.

You’ll also want to take a look at SQL Data Catalog. This tool helps you to identify and mark the columns and tables within your databases that contain sensitive information. You can use this in combination with Data Masker to help ensure that nothing gets exposed in non-production environments.

Another tool that helps here is SQL Clone. You're going to want to catalog and then mask your data in order to protect it, but you'll still need copies of that data in a bunch of non-production systems, and every extra copy of unmasked data is another place it can be exposed. SQL Clone addresses this directly: you mask a single image once and hand out lightweight clones of it, so it works well with Data Masker as part of the process of protecting your systems.

Broken Access Control and Security Misconfiguration

Once more, SQL Monitor is a great tool to keep an eye on your systems. Not only will SQL Monitor track the queries running on your system, so you can look at them historically, but you can extend its functionality specifically to watch for the types of security problems outlined by OWASP. Through these two custom metrics, you can watch for changes to user permissions or changes to the server settings themselves, and alert when the value moves rather than waiting for someone to notice.
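For a concrete idea of what such a metric looks like, here are two custom-metric-style queries written for this post (not Redgate's published ones). Each returns a single integer that changes whenever the underlying security state changes, so the alert condition is simply "value differs from the previous sample". The option names in the drill-down are real `sp_configure` options; the choice of which ones to call risky is an assumption.

```sql
-- Added example, not from the original post or from Redgate's metrics.

-- Metric A: fingerprint of server-level role membership and explicit server
-- permissions. Any grant, revoke or role membership change alters it.
SELECT CHECKSUM_AGG(CHECKSUM(x.principal, x.item, x.state)) AS ServerSecurityFingerprint
FROM (
    SELECT sp.name AS principal, r.name AS item, N'MEMBER' AS state
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
    UNION ALL
    SELECT sp.name, p.permission_name, p.state_desc
    FROM sys.server_permissions AS p
    JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
) AS x;

-- Metric B: fingerprint of the sp_configure settings actually in effect.
-- Enabling xp_cmdshell or Ole Automation, or loosening any other option,
-- changes the value. value_in_use is sql_variant, hence the CAST.
SELECT CHECKSUM_AGG(CHECKSUM(c.name, CAST(c.value_in_use AS bigint))) AS ServerConfigFingerprint
FROM sys.configurations AS c;

-- Drill-down when Metric B fires: the options worth looking at first.
SELECT c.name, CAST(c.value_in_use AS int) AS value_in_use
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell', 'Ole Automation Procedures',
                 'Ad Hoc Distributed Queries', 'clr enabled',
                 'remote access', 'cross db ownership chaining')
ORDER BY c.name;
```

`CHECKSUM_AGG` is order-independent and cheap, which suits a metric that runs every minute, but it is a change detector, not a tamper-evident hash: a grant and a compensating revoke between two samples cancel out. Keep a copy of the underlying rows if you want to answer "what changed", and add the same pattern over `sys.database_role_members` and `sys.database_permissions` in each database for the access-control half of the story.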

Using Components with Known Vulnerabilities

The Estate Monitoring pages in SQL Monitor show you what version of SQL Server is installed on each server, along with the service packs and cumulative updates that have been applied. You can very quickly identify exactly which servers in your estate are vulnerable because they are behind on patching. Note that this covers the database engine only; the OWASP item also takes in the application frameworks and libraries your web tier depends on, which need their own inventory.
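If you want the same check as a query you can run yourself, or turn into a custom metric, the following is an added example written for this post rather than anything taken from SQL Monitor. The baseline table is a constructed placeholder: the build numbers in it are not real patch-level advice and must be replaced with the builds your own patch policy requires, taken from Microsoft's published CU and GDR build list.

```sql
-- Added example, not from the original post. Baseline builds are placeholders.
DECLARE @Baseline TABLE (MajorVersion int, MinimumBuild int, Label sysname);
INSERT INTO @Baseline (MajorVersion, MinimumBuild, Label) VALUES
    (16, 4000, N'SQL Server 2022 (placeholder minimum build)'),
    (15, 4000, N'SQL Server 2019 (placeholder minimum build)'),
    (14, 3000, N'SQL Server 2017 (placeholder minimum build)');

-- ProductVersion looks like 15.0.4123.1: major.minor.build.revision.
-- PARSENAME splits on the dots, counting from the right.
DECLARE @ProductVersion nvarchar(128) =
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @Major int = PARSENAME(@ProductVersion, 4);
DECLARE @Build int = PARSENAME(@ProductVersion, 2);

-- Human-readable report for one server.
SELECT
    @@SERVERNAME                               AS ServerName,
    @ProductVersion                            AS ProductVersion,
    SERVERPROPERTY('ProductLevel')             AS ProductLevel,        -- RTM or SPn
    SERVERPROPERTY('ProductUpdateLevel')       AS ProductUpdateLevel,  -- CUn, if any
    b.Label,
    CASE
        WHEN b.MajorVersion IS NULL   THEN N'UNKNOWN: version not in baseline'
        WHEN @Build < b.MinimumBuild  THEN N'OUT OF DATE'
        ELSE                               N'OK'
    END                                        AS PatchStatus
FROM (SELECT 1 AS one) AS one_row
LEFT JOIN @Baseline AS b ON b.MajorVersion = @Major;

-- Custom-metric form: a single integer, 1 when the server needs attention.
-- An unknown major version counts as needing attention, not as OK.
SELECT CASE
           WHEN NOT EXISTS (SELECT 1 FROM @Baseline WHERE MajorVersion = @Major) THEN 1
           WHEN @Build < (SELECT MinimumBuild FROM @Baseline WHERE MajorVersion = @Major) THEN 1
           ELSE 0
       END AS PatchOutOfDate;
```

The unknown-version branch is deliberate: a server running a major version you have no policy for (a forgotten 2014 instance, say) is exactly the one you want flagged, so the check fails closed instead of silently reporting OK.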

Insufficient Logging and Monitoring

Here again, SQL Monitor is the go-to tool to ensure that you have the detailed monitoring metrics you need to protect your systems. SQL Monitor is one of the most thorough monitoring tools available for SQL Server. Putting adequate monitoring in place is a fundamental protection for your systems, yet its absence is common enough that OWASP lists it as one of the ten most critical risks.

Conclusion

In addition to the tools mentioned above, I would also add that the DevOps tools and processes can help you ensure that you deliver better code, more safely, to all your systems. While we're not specifically building tools for security management, as you can see, several of our tools help your systems in these areas.