Basic Sql Commands

DHS Unveils Security Scoring System for Software Flaws, Attack Vectors

The United States Department of Homeland Security unveiled a detailed guide to help software developers and vendors avoid common security errors in their applications.

Homeland Security's Cyber-Security Division worked with the security training and research organization SANS Institute and the non-profit technology research company Mitre to create a list of common software vulnerabilities along with a scoring system to prioritize flaws, a risk analysis framework to evaluate the seriousness of the flaws and a list of top 25 dangerous software errors. The guide was released June 27 and is intended to help organizations hold their developers and vendors accountable for problems in the application.

The CWE (Common Weakness Enumeration ) list contains high-level overviews and examples of widespread software vulnerabilities as well as consequences, likely attack vectors and potential ways to mitigate attacks. Unlike other lists of common vulnerabilities, CWE 2.0 provides detailed explanations of the exact programming errors to avoid.

"This will allow agencies and organizations to take a tactical approach to addressing vulnerabilities," Will Pelgrin, director of the Multi-State Information Sharing and Analysis Center, a collaborative cybersecurity effort that includes state and local governments, said on a conference call.

The CWSS (Common Weakness Scoring System) version 0.8 will assign a standard score to the software, giving organizations a clear understanding of its security. From a vendor standpoint, the company will be motivated to address the common issues to bring up the score, or customers won't be willing to buy the software.

From a customer standpoint, they can look at the scores and prioritize which software vulnerabilities need to be addressed. The scoring system considers potential technical and business impacts of the weakness when it is exploited, the operational layer the attacker may access, the effectiveness of available defenses, the privilege level needed to access the vulnerability, and the likelihood an exploit.

Basic vulnerabilities such as SQL injection and cross-site scripting still account for a majority of security flaws in Web applications, Rafal Los, a security evangelist at HP, recently told eWEEK. Organizations are finally realizing how important it is to regularly check their code for programming errors, and investing in technology to help them find those flaws, Los said.

Time Piece » Blog Archive » SQL commands can be

SQL commands can be keyed into a database client like the MySQL Query Browser or the SQL Server Enterprise Manager and executed to either return a result or modify records in the database. SQL can also be used in conjunction with programming language or scripting language like Microsoft Visual Basic or PHP to communicate with the database.

Although SQL is a world standard, it is unfortunate that most database vendors have come up with different dialects and variations. This is because every database vendor wants to differentiate their database products from the crowd. One good example is Microsoft SQL Server’s TRANSACT-SQL. TRANSACT-SQL is a superset of SQL and is designed for use only with Microsoft SQL Server. Although it does make programming much easier for software developers, it is not compliant with other databases like Oracle or MySQL – making TRANSACT-SQL programs non database-portable. As such, although many of these features are powerful and robust, it is good practice to exercise caution and limit your SQL use to be compliant with the ANSI/ISO SQL standards and ODBC-Compliant.

Courtesty of

SQLPrimer.com

.

SQL for Dummies

Visual Basic 2005 With .Net 3.0 Framework In Simple Steps

Mastering System Center Configuration Manager 2007 R2

Comdex .Net Programming: Course Kit (With Cd)

Visual Basic programmer's guide to the .NET framework class library