[nsp-sec] Questions about Prevention, Detection and Education surrounding the ASP SQL injections

Zot O'Connor zoto at microsoft.com
Wed May 28 03:07:38 EDT 2008


Howdy!

We are currently working on providing guidance to customers who are dealing with the SQL injections that are attacking ASP pages.

As you are probably already aware, the injections do not attack via a vulnerability, but attack via weaknesses in configurations and software running on the servers.

We are trying to compile a list of suggestions, ideas, tools, and experiences for dealing with the SQL injections.

If you could please take a few moments and answer the following questions, it would greatly help us, and our mutual customers.  Even if you have not dealt with the attacks, if you have prior experience or thoughts on this, it could greatly assist us.

The following outline reflects our thoughts.  We are looking for ideas on Detection, Prevention, Education, and future requests.


1. Detection
   a. Have you detected attacks?
      i. Was the attack successful?
      ii. What was the impact?
      iii. What was the cause of the weakness?
         1. Was it home-grown configurations or software?
         2. Was it part of a package or SOP?
   b. How are you doing detections?
      i. Are you watching logs?
      ii. Are you monitoring your web sites?
      iii. Are you using search engines?
      iv. Are you looking at incoming or outgoing requests?
   c. Did you have packet traces or logs you can share?
   d. Tools
      i. Which tools are effective?
      ii. Which are ineffective (that you might think would have worked)?

2. Prevention
   a. Have you deployed defenses for the attacks?
      i. Are you using any tools?
         1. Filters
         2. Firewalls/IPS
         3. Host based programs
         4. Do you scan for weak systems?
         5. Do you scan for weak code?
      ii. Configuration Changes
      iii. What do you use for guidance for doing this?
   b. Did previously deployed defenses help you?
   c. Have any SOPs helped?

3. Education
   a. Are customers aware of the problem?
   b. Are they taking action?
   c. Are they successful in detection or prevention?
   d. Where are they going for their information?
   e. What information helps them the most?

4. Requests for Microsoft
   a. Are there specific tools or features you think Microsoft could create or change that would help?
   b. What form of advice would help your customers?

Thanks for your time!

Zot O'Connor
MSRC Ecosystem Strategy Team
Partner Outreach
(425) 722-7575



