»Building SQL firewall: insights from developers«
2019-02-02, 16:30–17:10, Main
How SQL firewalls can help protect databases from SQL injections: the main difference from WAFs, common usage scenarios, pros and cons. Developing a SQL firewall is a hard task, and we will share insights about parsing SQL protocols, matching rules, the hidden dangers of logging, and the best configuration and usage patterns.
Our general plan for the talk:
1. SQL injections: what they are and how to protect against them.
2. Typical scenarios for fighting injections: OWASP guide, WAF, SQL firewall.
3. WAF: pros, cons, why a WAF is not enough.
4. SQL firewall: what it is and what its main features are.
5. How we built a SQL firewall:
   - configuration and rules (allow, deny, ignore);
   - parsing SQL protocols;
   - pattern matching (WHERE, EQUAL, VALUE, etc.);
   - logging and masking requests.
6. SQL firewall vs WAF.
7. Best use cases for a SQL firewall.
8. Future improvements of SQL firewalls.
9. Outro.