Down The Security Rabbithole

DtR Episode 25 - Guests: Jim Manico, David Litchfield - From Black Hat 2012 with SQLi

Information:

Synopsis

When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting, from hearing of David's recent work with Oracle to Jim's perspective on "the fix"... I kept the conversation going and am probably at least partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics:

- Attacking Oracle (David's talk had to be shelved, but he talks about ways to attack Oracle via putting a string into a numeric query, by manipulating the meta-environment)
- Jim & David talk about how to do sane SQL Injection protection (bind everything!)
- David talks about some contrived ways of hacking Oracle databases that are 'outside the business logic' and explains why validation is still important
- Jim brings up structural validation of inputs (useful white-listing)
- David brings up
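The two defensive points the episode keeps returning to, bind everything and validate the structure of inputs before they reach the query, are shown below in a small Python example using the standard library's sqlite3 module. This is an added illustration, not code from the show or from either guest; the accounts table, its rows, the digits-only rule for an account id, and the function names are all constructed for the demonstration. The vulnerable function shows why a string that is not a number must never be concatenated into a numeric predicate; the bound function shows that a bound parameter is data and is never parsed as SQL; the validated function adds the structural white-list on top, so malformed input is rejected at the boundary even before it is bound.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the episode).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]

# Structural white-list for an account id: one to ten ASCII digits, nothing else.
# This is an assumed rule for the example; a real system uses its own id format.
ACCOUNT_ID_PATTERN = re.compile(r"[0-9]{1,10}")


def make_db():
    """Build an in-memory database with the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, account_id):
    """Vulnerable: the caller's string is glued into a numeric predicate.

    Anything that is not a plain number becomes part of the SQL text and
    changes the meaning of the WHERE clause.
    """
    sql = "SELECT name FROM accounts WHERE id = " + account_id
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, account_id):
    """Hardened: the value is bound as a parameter ("bind everything").

    The driver sends the SQL and the value separately, so the value can
    never be interpreted as SQL, whatever characters it contains.
    """
    rows = conn.execute("SELECT name FROM accounts WHERE id = ?", (account_id,))
    return [row[0] for row in rows]


def validate_account_id(raw):
    """Structural validation: accept only input shaped like an account id.

    Raises ValueError for anything that is not 1-10 digits, which stops
    malformed input before it is even handed to the database layer.
    """
    if not isinstance(raw, str) or not ACCOUNT_ID_PATTERN.fullmatch(raw):
        raise ValueError("account id must be 1-10 digits")
    return int(raw)


def lookup_defended(conn, raw):
    """Both layers together: validate the shape first, then bind the value."""
    return lookup_bound(conn, validate_account_id(raw))


def run_demo():
    """Exercise the three lookups against the same constructed input and
    return the results so they can be inspected or asserted on."""
    conn = make_db()
    benign = "2"
    hostile = "2 OR 1=1"  # a string, not a number, aimed at a numeric column
    results = {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # leaks every row
        "bound_benign": lookup_bound(conn, benign),
        "bound_hostile": lookup_bound(conn, hostile),     # matches nothing
        "defended_benign": lookup_defended(conn, benign),
    }
    try:
        lookup_defended(conn, hostile)
        results["defended_hostile"] = "accepted"
    except ValueError as exc:
        results["defended_hostile"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

Running the script shows the unsafe lookup returning all three names for the hostile string while the bound lookup returns none, and the defended path never reaches the database at all. The two layers are complementary, as the episode argues: binding is what actually prevents the injection, while structural validation keeps nonsense out of the business logic and gives you a clean place to log and alert on malformed requests.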