OK...it has been a while since I've posted...been busy! One good thing out of this time away is my passing the GSSP-.NET certification earlier this week. Yay me! Honestly, though, if you are a .NET developer for Windows or the Web, you need to take this exam. 100 questions that cover everything from SQLi (SQL Injection) and other web attacks, to how to put appropriate Code Access Security (CAS) on your DLLs and EXEs, to how .NET security policies are set up so that the proper permissions are granted to your apps.
Since I am in test-taker mode, I decided the best things to post right now are some questions based on what you should know. If you get the questions wrong, don't worry but instead dig in a little and learn why. Find out what the hackers already know!
So, quiz #1 will be on SQLi. Feel free to post your answers and I will let you know what the answers are in a few days or so. I will not post your answers until I have enough there to post them. No fair having some smarty pants get the right answer before you've even read the question, and then you see her/his answer in the comments, right?
Q1. Parameterized queries are 100% effective against SQL Injection. True or False. (Nothing like starting off with a holy war sort of question, huh?)
Q2. If you can't do parameterized queries, then you can do stored procedures in the database. They offer you the same level of protection. True or False. (hee, another holy war sort of question)
Q3. Neither is perfect, but which is better for validation: black-listing or white-listing? (Black-listing is looking for malicious characters/strings and removing them. White-listing is telling the app what you expect and denying everything else.)
Q4. If you thoroughly validate your input then you should be fine. True or False.
Q5. Removing single-quotes from input data is an effective means of preventing SQLi. True or False.
and last one:
Q6. SQLi defense is like chasing a wind: by the time you figure out what to do it shifts and you have to do something else to protect your apps. True or False.
Good luck! I am very interested in your answers! Those that answer all six correctly will win a free round of applause from me.
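If you want to poke at the mechanisms behind these questions before the answers go up, here is an added example (my own, not part of the original post or of the GSSP-.NET material). It uses Python's built-in sqlite3 module rather than ADO.NET so it runs offline with no database server; the users table, its rows, the patterns and every input are constructed for the example. It puts a string-concatenated lookup beside a parameterized one, shows what stripping single quotes does to a legitimate value, and adds a white-list check in front of a numeric lookup.

```python
"""Added example, not part of the original post: a small sqlite3 harness for
experimenting with the defences the quiz questions touch on. The users table,
its rows and all inputs are constructed here so it runs offline."""
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "O'Brien", "user"), (3, "carol", "user")],
    )
    return conn


def find_by_name_concat(conn, name):
    # Vulnerable pattern: the caller's value is spliced into the SQL text, so a
    # quote inside the data becomes part of the statement's syntax.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    # Parameterized query: the value is bound separately from the SQL text and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def strip_quotes(value):
    # The "remove single quotes" idea from Q5, kept so its effect can be observed.
    return value.replace("'", "")


# Constructed white-list patterns: what the app expects, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,9}")
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")


def is_allowed(value, pattern):
    # White-list validation: accept only the shape the app expects; reject the rest.
    return pattern.fullmatch(value) is not None


def find_by_id(conn, raw_id):
    # Both layers together: the white-list rejects anything that is not a plain
    # integer (a numeric column needs no quotes in the statement, so quote
    # stripping alone says nothing about it), then the value is bound as a parameter.
    if not is_allowed(raw_id, ID_PATTERN):
        raise ValueError("id must be 1-9 digits")
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(raw_id),)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # A legitimate name containing a quote breaks the concatenated statement ...
    try:
        find_by_name_concat(conn, "O'Brien")
        results["concat"] = "ok"
    except sqlite3.OperationalError:
        results["concat"] = "syntax error"
    # ... while the parameterized version returns the row.
    results["param"] = find_by_name_param(conn, "O'Brien")
    # Stripping the quote avoids the error but now looks up the wrong name.
    results["stripped"] = find_by_name_param(conn, strip_quotes("O'Brien"))
    results["id_ok"] = find_by_id(conn, "2")
    results["id_rejected"] = not is_allowed("2abc", ID_PATTERN)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the `concat`, `param` and `stripped` results for the same input; then try your own values against `is_allowed()` before deciding how you would answer Q3 and Q5. The same split between SQL text and bound values is what `SqlParameter` gives you in ADO.NET.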