RISK ANALYSIS OF DATABASE PRIVILEGE IMPLEMENTATION IN SQL INJECTION CASE

Authors

  • Prajna Deshanta Ibnugraha Department of Electrical Engineering and Information Technology, Universitas Gadjah Mada, Yogyakarta, Indonesia
  • Lukito Edi Nugroho School of Applied Science, Telkom University, Bandung, Indonesia
  • Widyawan Widyawan School of Applied Science, Telkom University, Bandung, Indonesia
  • Paulus Insap Santosa School of Applied Science, Telkom University, Bandung, Indonesia

DOI:

https://doi.org/10.11113/jt.v78.8724

Keywords:

Database privilege, risk analysis, DREAD

Abstract

Software is an important asset that enterprises need to support their business. When developers build software, security must be treated as an essential element. In the worst case, security incidents cause financial loss to the organization, so mitigation actions are needed to minimize the risk. Security testing and risk analysis form the basis for choosing a suitable mitigation method. Implementation of database privilege is one of the mitigation methods that can be applied to the SQL injection attack case. Based on DREAD analysis, it can decrease the risk of a SQL injection attack from a high to a medium ranking.
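The abstract states the result of the DREAD analysis (a drop from a high to a medium ranking after restricting the database account) without showing the scoring. The following is an added illustration written for this page, not code or figures from the paper: it scores a SQL injection threat on the 1-3 DREAD scale of Meier et al. (Low=1, Medium=2, High=3 per factor; five-factor total 5-7 Low, 8-11 Medium, 12-15 High) once for an application that connects with a DBA-level account and once after the account is limited to the tables and operations it needs. The five scores for each case are assumed for illustration; the paper's own scores and its exact scale are not on this page.

```python
# Added illustration: DREAD scoring of a SQL injection threat before and after
# the application's database account is restricted to least privilege.
# The scores below are assumed for illustration; they are not the paper's.
from dataclasses import dataclass, fields

# 1-3 scale from Meier et al., "Improving Web Application Security":
# each DREAD factor is rated Low=1, Medium=2, High=3; the five-factor total
# (5-15) maps to Low 5-7, Medium 8-11, High 12-15.
RATING_BANDS = (("High", 12, 15), ("Medium", 8, 11), ("Low", 5, 7))


@dataclass(frozen=True)
class Dread:
    damage: int            # how bad is it if the threat is realized
    reproducibility: int   # how reliably can the attack be repeated
    exploitability: int    # how much skill or effort does it take
    affected_users: int    # how many users or data sets are exposed
    discoverability: int   # how easy is the weakness to find

    def __post_init__(self) -> None:
        # Reject scores outside the 1-3 scale so totals always land in 5-15.
        for f in fields(self):
            value = getattr(self, f.name)
            if value not in (1, 2, 3):
                raise ValueError(f"{f.name} must be 1, 2 or 3, got {value!r}")

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))

    def rating(self) -> str:
        t = self.total()
        for name, low, high in RATING_BANDS:
            if low <= t <= high:
                return name
        raise AssertionError("total outside 5-15 cannot occur after validation")


# Assumed scores: the web application connects as a DBA-level account, so an
# injected query can read or alter every schema on the server.
SQLI_FULL_PRIVILEGE = Dread(damage=3, reproducibility=3, exploitability=3,
                            affected_users=3, discoverability=2)   # total 14

# Assumed scores after mitigation: the same injection point still exists
# (reproducibility, exploitability and discoverability are unchanged), but
# the account can only reach the application's own tables with the operations
# it needs, so damage and the scope of affected data drop.
SQLI_LEAST_PRIVILEGE = Dread(damage=2, reproducibility=3, exploitability=3,
                             affected_users=1, discoverability=2)  # total 11


def compare(before: Dread, after: Dread) -> dict:
    """Summarise how a mitigation moved a threat's DREAD total and rating."""
    return {
        "before": (before.total(), before.rating()),
        "after": (after.total(), after.rating()),
        "reduced": after.total() < before.total(),
    }


if __name__ == "__main__":
    result = compare(SQLI_FULL_PRIVILEGE, SQLI_LEAST_PRIVILEGE)
    print(f"before: {result['before']}, after: {result['after']}, "
          f"reduced: {result['reduced']}")
```

Only the Damage and Affected-users factors move in this illustration: restricting privileges does not remove the injection point, so the factors that describe how easily it is found and triggered stay where they were. That is the practical reading of the abstract's claim: least privilege limits the blast radius of an injection, and the remaining medium rating is the reason input validation or parameterized queries are still needed alongside it.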


Published

2016-05-19

Section

Science and Engineering

How to Cite

RISK ANALYSIS OF DATABASE PRIVILEGE IMPLEMENTATION IN SQL INJECTION CASE. (2016). Jurnal Teknologi, 78(5-7). https://doi.org/10.11113/jt.v78.8724