CONFidence - (29-30.11 2010 Prague)

Alexander Polyakov

Bio: Alexander Polyakov is CTO at Digital Security. His expertise covers enterprise application and database security. He has found many vulnerabilities in products from vendors such as SAP and Oracle, and has carried out many projects focused on application security in the oil and gas, retail and banking sectors. He is the author of the book Oracle Security from the Eye of the Auditor.
He is also the head of the Digital Security Research Group, an Expert Council member of the PCIDSS.RU association, a QSA and PA-QSA auditor, and one of the contributors to the Oracle with Metasploit project. He has spoken at conferences including HITB, Troopers10, T2.fi and many Russian conferences.

Topic of Presentation: Stupid mistakes. Architecture and business logic vulnerabilities.

Language: English

Abstract: Vulnerabilities in the architecture and business logic of software are very common according to various studies (Trustwave report: logic flaws in 2nd place), and they cannot easily be found by programmatic methods. So logical vulnerabilities are still state of the art, and there are still very stupid mistakes in business logic that can be used to gain full access to a vulnerable application. We will show the real story of one popular industrial RDBMS and some of its vulnerabilities that were found during our enterprise application security assessment.

The vulnerability is pretty funny and it still cannot be patched, so the talk will describe the whole story: discovery, reverse engineering, exploit development, and communication with the vendor (of course very funny). Finally, we will show that this RDBMS is used in many specialized health and retail software systems at Fortune Global 500 companies.