Thanks much Mark and Rob for the information.
These documents are great. I will share them with the Development teams.
What I am also looking at, from a monitoring perspective, is whether there is a
way to monitor/identify poorly written queries (candidates for SQL injection).
Is anyone using any specific way (processes/scripts/manual) to capture the
candidate queries?
Thanks
-Upendra
________________________________
From: Mark W. Farnham <mwf@xxxxxxxx>
Sent: Tuesday, March 21, 2017 8:42 AM
To: nupendra@xxxxxxxxxxx; 'Oracle-L'
Subject: RE: SQL Injection monitoring/protection tools

Protection protocol:
Read Bryn Llewellyn’s paper on writing PL/SQL correctly to prevent injection.
Follow Bryn’s rules for things that are allowed to attach to your database.
Overly simple: perhaps. Effective? Definitely.
Allow folks to bend Bryn’s rules? Then you have entered the np incomplete
problem space of intrusion detection. Good luck.
mwf
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Upendra nerilla
Sent: Monday, March 20, 2017 11:06 PM
To: Oracle-L
Subject: SQL Injection monitoring/protection tools

Hello everyone -
I am interested in finding what kind of tools folks are using to defend against
SQL injection type attacks?
I have seen the capabilities of Database Firewall from various documents; it
seems to have nice features.
Have seen the following page listing a few other options:
https://en.wikipedia.org/wiki/Web_application_firewall
Could you please share any feedback on any tools/strategy anyone is using?
Much appreciated
-Upendra