RSS
 

Archive for June, 2014

Security Testing

17 Jun

Blog by U Buddhini – UNICOM thought Leader

SQL Injection
SQL Injection vulnerabilites are quite common and very dangerous. An SQL injection vulnerability can only occur with a software application that fronts a database. Which just happens to be a very common occurance. SQL Injection attacks deal with the same problem of input not being validated. With a bit of understanding of the web application and a sniffer trace, a malicious user could create an SQL statement that was not intended and “trick” the web application to return or perform some other SQL command rather than the intended command.

The first thing that will need to be done is to understand how the web application interfaces with the backend database. Either you will have the design documents to work with or you can use a sniffer utility to determine what is occuring.
See the Tools sniffer applications for more information on types of sniffer applications.
If a site is vulnerable to SQL injection a large number of other problems could occur. This is a simple and easy vulnerability to exploit. All an attacker needs to know is SQL and have some understanding about how the information is passed.
Example of an SQL injection vulnerability
To understand how a SQL injection vulnerability could occur, imagine the following situation. For example say your website has a method to search for users. A usersearch page is created which could include something like the following.
<form method=”post” action=”searchuser.php”>
<input type=”text” name=”username”>
<input type=”submit” value=”Search” name=”search”>
</form>

This html snippet passes in the username to the dynamic page searchuser.php. The searchuser.php will take the username and add it to an SQL statement. Take for example the following php code snippet.

sqlResult = statement.executeQuery(“SELECT * FROM users WHERE username = ‘” + $username + “‘;”);
Think about this statement and see if you can figure out what is the problem. You might say the $username should be validated before it is added to the SQL statement. That is exactly what should be done. A malicious user could attach additional SQL statements to the username. This could be done by passing is something like.

admin’ OR 1=1 —
Think about what the SQL statement would look like.

SELECT * FROM users WHERE username = ‘admin’ OR 1=1 –‘;
Notice this will either select the admin account or it will before 1=1 which will result in true. Which in SQL terms this will return the entire users table. Which the users table could contain all sorts of other additional sensitive information. This is just one example of what type of attack could be performed with SQL injection.
How to protect against SQL injection vulnerabilities
SQL injection vulnerabilities can occur anytime there is some type of input provided. They do not need to occur when output is sent. Any input should be validated, checked, and sanitized against a white list before being used.

Reference : http://qablog-buddhini.blogspot.in/

 

Computer System Validation – It’s More Than Just Testing for Medical Devices evaluation

17 Jun

Blog by UNICOM Thought Leader Rohini R

What is Computer System Validation and Why is it Important?

Establishing documented evidence which provides a high degree of assurance that a computer System will consistently produce results that meet its predetermined specification and quality attributes.

There are two key reasons why Computer System Validation is extremely important in the Life
Science sector:

1. Systematic Computer System Validation helps prevent software problems from reaching production environments. As previously mentioned, a problem in a Life Science software application that affects the production environment can result in serious adverse consequences. Besides the obvious humanistic reasons that the Life Science sector strives to prevent such harm to people, the business consequences of a software failure affecting people adversely can include lawsuits, financial penalties and manufacturing
facilities getting shut down. The ultimate result could be officers getting indicted, the company suffering economic instabilities, staff downsizing, and possibly eventual bankruptcy.

2. FDA regulations mandate the need to perform Computer System Validation and these regulations have the impact of law. Failing an FDA audit can result in FDA inspectional observations (“483s”) and warning letters. Failure to take corrective action in a timely manner can result in shutting down manufacturing facilities, consent decrees, and stiff financial penalties. Again, the ultimate result could be loss of jobs, indictment of responsible parties (usually the officers of a company), and companies suffering economic instabilities resulting in downsizing and possibly eventual bankruptcy.

Relationship Between Computer System Validation and 21 CFR Part 11

The FDA added rule 21 CFR Part 11 to the Code of Federal Regulations .This regulation introduces specific controls on the use of electronic records and includes strict administrative controls on electronic signatures. These controls deal with:

1. Making electronic records suitable for supplanting paper records.
2. Making an electronic signature as secure and legally binding as a handwritten signature.

Regardless of whether or not a company uses electronic signatures, 21 CFR Part 11 impacts all
companies that use computer systems that create records in electronic form associated with the GxP environment .All computer systems in this category must have technical and administrative controls to ensure:

1. The ability to generate accurate and complete copies of records
2. The availability of time-stamped audit trails
3. The protection of records to enable accurate and ready retrieval

4. Appropriate system access and authority checks are enforced

Reference : http://valdiation.blogspot.in/2014/06/what-is-computer-systemvalidation-and.html