How This SQL Command Blew Up a Billion Dollar Company

625,782 views

Kevin Fang

a day ago

A story of the Heartland Payment Systems breach from 2007-2009, the world's largest at the time. The specific details of how everything went down are unknown, so this is built on top of the USSS/FBI advisory and various articles. The FBI advisory (see the third source) covered dozens of breaches that occurred in the late 2000s, all of which had the same attack pattern (Windows, SQL Server, xp_cmdshell, etc.). But it's theoretically possible that Heartland was the odd one out, and that everything in this video is wrong ☺️
SQL injection simulator: www.hacksplaining.com/exercis...
Sources:
www.bankinfosecurity.com/hear...
blog.comodo.com/e-commerce/th...
www.researchgate.net/publicat... (***Link to FBI advisory is reference [7]***)
community.fico.com/s/blog-pos...
www.wired.com/images_blogs/th...
www.darkreading.com/attacks-b...
www.forbes.com/sites/davelewi...
www.justice.gov/opa/pr/two-ru...
www.cutimes.com/2015/06/05/he...
kwcsec.gitbook.io/the-red-tea...
www.hypr.com/security-encyclo...
blog.quest.com/ntlm-authentic...
www.crowdstrike.com/cybersecu...
Assumptions:
- In the hackers' conversation at 1:05, I arbitrarily chose Gonzalez as the "boss" since he's the only one with a Wikipedia page and I suppose has the longest resume.
- For 1:38, Amazon does not use a relational database for its product listings, and therefore no SQL queries are used in reality. But this is a relatable and simple example.
- At 2:38, whether or not Heartland used the 2000 version of SQL Server is a guess. The above Research Gate paper "Heartland Data Breach Analysis" says 2000 is likely as the website was developed 8 years prior. I believe xp_cmdshell was also first introduced in SQL Server 2000, so it could not have been a version prior to that one.
- Whether or not the web portal was connected to SQL Server with sysadmin credentials is also a guess (5:03). It is possible that the role was not sysadmin, but was granted permission to execute xp_cmdshell for unknown reasons (sysadmin can grant other roles permission to use xp_cmdshell)
- Heartland's use of NTLM (7:07) is also a guess. Many companies would have not switched over at the time, and the FBI advisory points out the use of fgdump, which is specifically used for NTLM.
- It is alluded to at 9:02 and onward, but credentials and privilege escalation could have also been obtained through other means.
- The whole "privilege escalation + hop through various hosts" illustration at 9:18 could be completely wrong, and is the biggest gap in the story. This is just the simplest way the payment network could have theoretically been reached. For all we know the hackers actually did exploit Microsoft Office to hack into the mainframe.
- Heartland never specifically said what the packets contained (9:34), but they mentioned everything that wasn't leaked, like SSNs, so the assumption here is that packets contained everything that they didn't say wasn't leaked.
- There's an HSM (hardware security module) section in the FBI advisory as well, but I figured that wasn't too important as the primary issue mentioned throughout every article is the unencrypted in-flight data.
Error corrections:
- 3:17 DLL files literally contain machine code, usually compiled from C or C++
Chapters:
0:00 Brief introduction of Heartland
0:44 The Beginning
1:34 SQL and SQL injection
2:37 Heartland's use of SQL Server
5:41 Almost Caught?
6:13 Jump to the payment network
9:57 Attack shut down, public disclosure
10:48 The Perpetrators
11:24 Preventive measures
12:54 Conclusion
Music:
Aloft (by LEMMiNO) - • LEMMiNO - Aloft (BGM)
"Film Noir Background Music for Videos I Noir Jazz Playlist I No Copyright Music" - • Film Noir Background M...

Comments: 427
@kevinfaang · a year ago
Edit: I've since realized that no one reads the description. Pls read the description for extra notes/corrections. If you reply to this comment with any corrections I will add it to the description. Original comment: Is the audio quality worse in this video than the last one? Didn't notice with my headphones/speakers, just my phone. Feels like there's too much midrange
@ankit2388 · a year ago
Sounds good. Btw great content, you're like @chubbyemu version of tech. This channel will blow up
@flicsmo6838 · a year ago
On my phone it sounds a bit midrange heavy too, and maybe could use some more compression?
@misuwu_ · a year ago
Initially I thought the voiceover was AI generated, I think the audio from your last video sounded better. The video is great, but I found the voice a bit distracting.
@jonny6702 · a year ago
Yes, it was worse imo.
@qwomp · a year ago
this is my first video from you that i've seen, however from first impressions i do believe some EQ work would benefit greatly! :) otherwise i really enjoyed it, sat here and watched it while i played minecraft!!!!
@DonaldSubert · a year ago
There were a lot of failure points here, but the fact that they didn't guard against SQL injection is inexcusable. This company that handles credit card data is less secure than my student project that let you report celebrity sightings.
@Teeeh4723 · a year ago
You are missing the fact that nowadays even basic software is protected vs SQL injection, but 2008 were completely different times. Now cybersecurity is a lot more important and the software is way more robust. Still there will always be a way, but not so straightforward
@HenryLoenwind · a year ago
@@Teeeh4723 Funnily, if we go back in time another 15 years, we're now looking at a time when protection against SQL injection was the norm.
@DonaldSubert · a year ago
Fair enough. I didn't start programming seriously until 2013. Even today, though, I still see people use raw SQL execs with unsanitized user input, bypassing the built-in protections. Not everybody knows to use prepared statements. Important for senior devs to check what the juniors are doing.
@lautaro1670 · a year ago
@@DonaldSubert I would argue that 99% of SQL injection issues nowadays are due to senior devs ignoring current industry practices and not because of junior devs. Most ORMs nowadays (and I say most because I'm sure there is at least one popular ORM I've never used that contradicts my point) are extremely cautious towards not allowing SQL injections. Problem is senior devs trying to "bypass" utilizing the ORMs and directly writing SQL, mostly because it may just be quicker to them. Some are also the classical kind of crazy tech guy "I know better than the tooling!!!!". Then, they write complex queries where they miss this one spot which allows insecure inputs or simply leave the code for a junior to go "monkey sees, monkey does". This is especially relevant in the shitty Java environment dominated by abominable dinosaurs that still believe in Oracle BS usage of stored procedures
@Tekner436 · a year ago
@@HenryLoenwind Yet it's still a top 10 vulnerability lol
@FlabbyTabby · a year ago
1990's teaching people how to create web servers:
- Create SQL database
- Create webpage and give it direct access to said database
- Expose CRUD logic directly as UI
@FaySmash · 9 months ago
Sadly that's still common today..
@unknownusername9335 · 6 months ago
"Recommendation: use passwords" had me do a double take
@matthewstandridge225 · a year ago
This video is insanely good and for such a small channel. This channel is going to skyrocket.
@coolmendotdot2 · a year ago
thank you, random user, for predicting the future
@NemanyaIam · a year ago
I just subscribed to this channel and realized that this channel only got 22k subscribers. The content for such a small channel is great.
@zac-1 · a year ago
you jinxed it
@--.-- · a year ago
Nah I fell asleep
@rdspam · a year ago
Hopefully invest in Russian accent training 😂.
@adamdapatsfan · a year ago
As a former T-SQL dev who wrote many stored procs, I can confirm that it is indeed just SQL with a fancy hat.
@KF-zb6gi · 11 months ago
lmao
@xBINARYGODx · 10 months ago
it really is a nice hat though
@AK-vx4dy · 8 months ago
It is just SQL but does two good things. 1. Can use a specific kind of DB and SQL to the full extent of its possibilities and go with maximum efficiency and clearly maintain proper logic state of the database and proper use of transactions (in very short time spans) 2. Keeps one source of truth, promoting DRY and KISS in some sense and creates a level of abstraction and separation of concerns. A developer more specialized in SQL can focus clearly on his job and other developers aren't bothered by SQL internals. Drawbacks are that this specialization is needed, also a tempting tendency to move business logic to SPs; when this happens the project becomes very hard to move to other database technology.
@D0Samp · 7 months ago
Meanwhile on Oracle DB, PL/SQL is basically a dialect of Ada that took some Duolingo courses on SQL.
@nintendu64 · 6 months ago
@@D0Samp if you don't like setting money on fire MySQL and Spring Boot can basically be turned into poor man's Oracle with much more 💪
@thekillercow586 · a year ago
Quite hilarious that a company working with sensitive data didn't prepare for the most basic of attacks - SQL injection
@2112jonr · a year ago
Cheap, inexperienced staff to cut costs. Project managers with unrealistic scheduling expectations (guesswork). What could possibly go wrong.
@mustang1912 · 7 months ago
It wasn't very much of an exploit, they took months to get an admin user and just brute forced the password.
@BrunodeSouzaLino · 4 months ago
You can find a lot of modern websites which are still vulnerable to SQL Injection.
@OppieT30 · 2 months ago
Was SQL injection around before then? Was it taught in schools?
@HenryLoenwind · a year ago
Number 0: Don't build your SQL by concatenating data and code. SQL has supported placeholders since...um...forever. (Back in the days before dynamic SQL, statements had to be compiled and installed together with the programs. Building them dynamically wasn't even an option.) Using string operations to form SQL commands is simply inexcusable. (And it also is wasteful. The server can cache the access plans for commands with placeholders, but if you concat in the data, you're sending a completely different command every time.)
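The "data concatenated into code" problem that the comment above (and the video's SQL injection chapter) describes, as an added example; this is not code from the video, from Heartland, or from any commenter. It uses Python's standard `sqlite3` module on an in-memory table with a constructed product catalogue (stand-in for the video's Amazon search example), and puts the concatenated query side by side with the placeholder version so the difference in behaviour can be observed on the same inputs.

```python
import sqlite3

# Constructed sample catalogue (not real data) so the demo runs offline.
PRODUCTS = [
    ("Gaming Mouse", 29.99),
    ("Mechanical Keyboard", 89.00),
    ("USB-C Cable", 9.49),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Search by gluing the user's text straight into the SQL string.

    Whatever the user types becomes part of the statement, so the database
    cannot tell the search term apart from the query itself.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Search with a placeholder: the driver passes `term` as a value.

    The statement text is fixed; the user's input can only ever be compared
    against the name column, never interpreted as SQL.  This is also the
    form whose execution plan a server can cache, as the comment notes.
    """
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both searches on an honest term and on the textbook tautology.

    In the concatenated version the quote closes the string literal and the
    OR makes the WHERE clause true for every row; in the placeholder version
    the same text is just a (non-matching) search string.
    """
    conn = make_db()
    honest = "Mouse"
    tautology = "' OR '1'='1"
    return {
        "vuln_honest": search_vulnerable(conn, honest),
        "vuln_tautology": search_vulnerable(conn, tautology),
        "safe_honest": search_parameterised(conn, honest),
        "safe_tautology": search_parameterised(conn, tautology),
    }


def apostrophe_breaks_concatenation(conn):
    """A perfectly legitimate input with an apostrophe (e.g. a surname)
    already breaks the concatenated query with a syntax error, which is the
    first hint that data and code have been mixed.  Returns True if the
    vulnerable search raised, False if it ran.
    """
    try:
        search_vulnerable(conn, "O'Reilly")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:15s} -> {rows}")
    print("apostrophe breaks concatenation:", apostrophe_breaks_concatenation(make_db()))
```

The honest term returns one row either way; the tautology returns the whole table from the concatenated query and nothing from the parameterised one. The apostrophe check is worth keeping in a test suite: any query that fails on `O'Reilly` is one that is also interpolating user input into SQL.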
@DomskiPlays · a year ago
What I like is not just that the video is great but you provide sources and clarifications in the description. Love to see it!
@devvy8343 · a year ago
"And Windows will continue to support it until the heat death of the universe" gotta love Microsoft
@breadone_ · a year ago
why progress with technology when you can be stuck thirty years in the past for some shmuck who doesn't want to change instead 😎
@Rain_MG · a year ago
I like how companies show off their fancy security features when some parts of their system rely on software that was written by cavemen on walls in prehistoric times
@jan-lukas · a year ago
Sometimes that cavemen code will be better than modern one though. Really depends on the exact code
@sycration · 10 months ago
@@jan-lukas Once I attempted to rewrite the 1986 SML business logic in F#. Once.
@xBINARYGODx · 10 months ago
@@sycration LOL!
@Dumb_Killjoy · 8 months ago
Kinda like how the IRS still uses (at least in virtualized form) IBM mainframe systems from around the time of the Kennedy Administration. Things like that are why there are still jobs in writing COBOL.
@byronk86 · 11 months ago
I was relatively new in the payments industry when this occurred. Now over 15 years on this has been a great trip down memory lane with a well articulated story line. You've got a new subscriber.
@jmms49 · a year ago
this is super informative and funny at the same time. Absolutely love it
@JetJockey87 · a year ago
I use SQL Sprocs and Shell via Task Scheduler to automate all kinds of stuff. Files land in a network folder, Task Scheduler behaves like a cron and fires a shell script every x minutes. Shell scans dir for files, finds them, bundles data into JSON, sends via REST to endpoint, etc. It works well in some very specific scenarios, most of the time you get cockblocked by airlocker or solarwinds
@2112jonr · a year ago
And rightly so. Your "cockblocking" is in response to a massive security hole you've just opened up with sloppy coding because you know no better.
@MozenBee · a year ago
I don't usually post comments on YouTube. But your video is of extremely high quality. Very comprehensive and well thought out. As soon as a question popped out in my brain you would immediately answer it right after. Good job, sir.
@allak1n · 10 months ago
you're such a high value subscription for me, I love your content. you make normally dry technical stuff interesting and comical. never change mate.
@insanitydefined3112 · a year ago
Love your style, rhythm, content -- everything!! Please keep posting videos like these!!
@testengineeringdaily1957 · a year ago
I was watching one of your other videos and the failure analysis presented here is just as good as what the UCSB does on their investigations and recommendations. Great video, and good job!
@probablypablito · 11 months ago
These videos are so so good. Super well explained; you're able to keep it simple while still explaining more complicated parts like NTLM authentication
@MisterSiga · 8 months ago
love your editing style and the way you break down the complex stuff, awesome video
@zshall48 · a year ago
The easy-to-follow explanations, visualizations and humor in this video are awesome!
@joelhaggis5054 · 6 months ago
SQL injection is the software equivalent of breaking a lock by hitting it with a hammer. Which is to say, the fact that it works as often as it does (i.e. at all) is extremely alarming.
@Daniel15au · 10 months ago
Wow the production quality of this video is so high. Nice work!! Great video.
@yuck871 · a year ago
Your videos are funny and educational both at the same time! I like the insiders too. Very awesome!!
@soroushjavadii · a year ago
Discovered your channel yesterday via the Cloudbleed video. Loving the content!
@rgbmew · a year ago
Discovered your channel like an hour ago and I'm already addicted, your videos rule so hard
@SpaceshipOperations · 8 months ago
I love the editing of this video, from the explosions to the video game and anime references. Good job. 👍
@jwillisbarrie · 10 months ago
Thanks for adding actual captions for the Deaf
@SaulHeno · a year ago
Great explanation of everything, this video deserves a hell of a lot more views
@frwd-le8ge · a year ago
Your channel is super underrated, can't wait to see how you blow up
@tommyanderson201 · a year ago
Please keep doing these videos, they're great!
@mattbuchanan4330 · 8 months ago
This was an excellent video. Your explanations were succinct and informative. Thanks!
@unusedTV · a year ago
Very cool video and I love all the hidden references. It's been a while since I've seen hunter2, and I wonder how many other ones I've missed.
@lucretius1111 · a year ago
Your vids are fascinating! Amazing work
@rabik_dev · a year ago
wow, I'm really impressed by the quality of this video. Great job! You've earned a sub :)
@onemoreguyonline7878 · a year ago
Absolutely great video. Thanks Kevin!
@Mason11987 · a year ago
This is a fantastic video, keep up the good stuff!
@SeaWaves8 · a year ago
what a gem of a channel, cya in a year with over a million subs
@jdrissel · 9 months ago
From having read the specs of the payment processing systems back when debit cards were becoming a thing, I discovered that the "end to end" encryption was not really end to end. What happens is that at each hop your data is decrypted, possibly operated on and then re-encrypted. A payment processor would have to be able to decrypt the data in order to do their jobs.
@Noxictyz · a year ago
Holy cow. Love these videos!!! Please more
@xfirecard · a year ago
Such a well-made, executed, and entertaining video! Kudos from me!
@EternalATomik · a year ago
The animation is as good as the information provided! And the information here is 💯
@TheSnero3 · a year ago
man I am loving this channel
@timef5059 · a year ago
That was crazy awesome! Thank you, author!
@BitwiseMobile · a year ago
This doesn't surprise me. I work with HPS and I often scratch my head and wonder why they haven't moved on from the 70s and 80s yet. I've worked at plenty of financial institutions, so I know they are usually resistant to change, but come on. I think being 40 years behind in technology is probably a little bit too far. Their systems and especially their modes of integration are so antiquated. Our company is moving on from them as fast as we can unwind our existing financial agreements, but they are being sunset quickly. We have had nothing but problems with them.
@williamdrum9899 · 4 months ago
Because the only way to make a computer unhackable is to keep it off the internet. And even that sometimes isn't enough. There's still that one Janet Jackson song that destroys hard drives
@user-cp6tg4iy7k · a year ago
Loving this content!
@raylopez99 · a year ago
Stock for Heartland Payment Systems didn't suffer much, and in 2015 they were sold to Global Payments Inc which has almost doubled from the sale price. Proving there's money in payment system software, as Mastercard and Visa can also attest.
@privateness.network · 11 months ago
Fantastic content and coverage man. +1 subscriber 😀
@kratosgodofwar777 · 8 months ago
This video was very well paced
@Shytzedaka · a year ago
Love this Channel!!
@katspa · a year ago
Great video. Keep up the good work
@Prem-qv1ru · 10 months ago
Loving these vids
@oOiWaRRioRzOo · a year ago
God this channel is sick, I loved the editing at 9:07. Made me giggle way more than it should have 🤣
@DatBoi_TheGudBIAS · 7 months ago
i love this channel. it has a lot of humor, and my favorite, -human suffering- i mean explosions
@actuallynotsteve · a year ago
How are your videos so good, yet you only have 17k subs? This shit is god-tier levels of content, I'm not even a coder but this stuff is gripping.
@ElisArid · a year ago
Holy shit this was 8hrs ago and he had 17k? 19.1k now
@JK-mo2ov · a year ago
Great job on this video
@sinancetinkaya · a year ago
Even today some developers (mostly from frontend background) still use string concatenation in SQL queries
@2112jonr · a year ago
I'd say "most".
@MHX11 · a year ago
I love the editing style
@EstebanGM245 · a year ago
Keep up the good content!
@agranero6 · a year ago
Extended Stored Procedures run (or at least ran) in the database engine's memory space. A badly done one could corrupt the database. No responsible company would use them, not only because of the hackers, but because there was no need, they were dangerous and much more complex to write. Just by reading the documentation of MS SQL Server you were strongly discouraged from using them. They did that to themselves...
@alexaneals8194 · a year ago
This was a SQL Server 2000 database. Back then, SQL Server did not have many of the admin tools that it has today. XP procs were used to perform many of those tasks. For example to set permissions or change a password.
@agranero6 · 11 months ago
@@alexaneals8194 Worse yet. But I used SQL Server before 2000 when it was still based on Sybase and both had the grant command. It was inexcusable then as it is inexcusable now. If I earned 2 bucks every time someone said "It can't be done without a cursor" or "It can't be done without an XP" I would be rich now.
@MyMfDominoes · a year ago
The Nuke API graphic had me rolling lmfaoo redis into k8s then to a nuclear missile
@thekingofallblogs · a year ago
All you need to do to prevent SQL injection is to bind your input variables and not build the query by appending strings. The developers are really ignorant if they allow this.
@notapplicable7292 · a year ago
This was great! Dangerously close to being a cyber security beat poem.
@halofreak644 · a year ago
I subbed haha made me laugh many times and was very informative and interesting
@stubstunner · a year ago
I work in cyber security and have for over 10 years. This was a great video! I worked in the PCI for a huge portion of my career and dealt with quite a few of these types of attacks.
@WolfrostWasTaken · a year ago
I wish the example you gave for SQL was THAT simple. Amazon uses hundreds of microservices to process their requests and relies mostly on DynamoDB
@zeluski · a year ago
great detailed video
@AveryDelMiller · a year ago
Great video!
@corvus8638 · a year ago
I only know a little SQL but I feel like I learned so much from this video!
@Not_Even_Wrong · 10 months ago
Unbelievably good and funny!
@iTzStick · 25 days ago
Bro your videos are freaking hilarious
@wiserdivisor · a year ago
I never thought that I could understand such a complex attack. Video so good it gave me hope that I too can learn Cyber-Security. Thanks Kevin! And of course, liked+subbed :)
@BudgiePanic · a year ago
The more I learn while studying for a computer science degree, the funnier these videos become
@masonallermann1275 · 4 months ago
2:48 i was distracted while this was playing on my headphones and i thought something happened when i heard you read off the list
@kharmachaos667 · 3 months ago
I understood almost none of this, but for some reason the first step strikes me as similar to what happens when you can get infinite items of choice from Stardew Valley by renaming your character a special line
@amaarquadri · a year ago
Great video! I felt like I was watching a spy movie the whole time!
@kreuner11 · a year ago
DLLs don't contain C++ code, they contain native assembly
@2112jonr · a year ago
Correct. Makes you question what else he doesn't understand.
@williamdrum9899 · a year ago
I think he meant native code written using C++
@kreuner11 · a year ago
@@williamdrum9899 yeah maybe, seems he could've just added "machine code which was usually written in C++"
@rushbnostopp · a year ago
This is 100% quality content
@sanderdejong66 · 8 months ago
6:31 One thing that could have happened during the development of this system: project manager: "What's taking you so long?" Dev: "Christ, this pyramid of privileges, it's so complicated." Project manager: "Just use the sysadmin account for everything and move on!"
@deamon6681 · a year ago
A sequel is a continuation in a series, not a database querying language, the latter would be pronounced "S-Q-L". This is my cozy hill and I will die on it.
@pcdispatch · 8 months ago
People who call it sequel never read a good book about SQL. Usually the first chapter is about this topic and the origin of SEQUEL. Which is not SQL.
@JohnSmith-qy1wm · 4 months ago
It's pronounced "SQUEEL"
@Donnerjkks · 3 months ago
Much like the SQL Star Wars movies
@kxuydhj · 4 months ago
okay, but the one recommendation i don't see is "don't run ancient garbage, especially if it's developed by Microsoft". also known as "properly maintain your systems".
@mariobisignani4477 · a year ago
Cool video, but the initial description about how Amazon works is most probably wrong. You don't usually implement search (especially not Amazon) as a full text search over a table in a relational database. What companies usually do is to use technologies like Apache Solr, Lucene or Elasticsearch, for instance they could use a cronjob to periodically update an Elasticsearch index using data taken from the actual database.
@therealjib · a year ago
It was just an example using a well-known website, not meant to be taken seriously
@mariobisignani4477 · a year ago
@@therealjib yeah I know, I just wanted to point that out because some people might get the wrong ideas on how complex search functionalities work.
@BadPixelArtist. · 11 months ago
Good video!
@puucca · a year ago
Great video
@SIMULATAN · a year ago
The amount of explosions in this video is impressive
@Ruboka · 11 months ago
i am having trouble with how to realize e2e encryption if your app relies on querying data stored in a NoSQL database. MongoDB has a public beta for achieving this but how are you supposed to secure your app with other NoSQLs?
@MarioS271 · a month ago
The eXPlosions were just perfect 😂
@RamanSharma-zk1bj · a year ago
Amazing video
@jaden6781 · a year ago
This is such a good video
@goldenglish8721 · a year ago
Big fan of your work. Don't stop! (Definitely not a bot)
@JimMilton-ej6zi · 10 months ago
It's crazy how places are allowed to store your data at all, let alone do it badly. Companies that store any amount of data beyond what is required should just be shut down entirely at this point, either that or the owner of the company should be forced to give every single bit of their personal information (including passwords) up to everyone affected, seeing how they love to store other people's sensitive information and all :p
@miguelito3056 · a year ago
Dude love the video, can you do the Ronin network breach
@gFamWeb · a year ago
What I learned from this: hack someone big, go to jail for a bit, and then you'll get a job at a cybersecurity company! (joking)
@deliriumsd142 · a year ago
Amazon uses DynamoDB for its product catalog which is a NoSQL database, however, you may be able to query it like that. I'm not super familiar with DynamoDB queries compared to SQL.
@nikolaygruychev2504 · 11 months ago
nah
@vani_maki · a year ago
Great vid
@uniqueprogressive9908 · a year ago
Preventative measure 1: Update your shit and use Unix/BSD/Linux
Preventative measure 2: Update your shit and use Unix/BSD/Linux
Preventative measure 3: Update your shit and use Unix/BSD/Linux
@OppieT30 · 2 months ago
Why BSD?
@uniqueprogressive9908 · 2 months ago
@@OppieT30 Because it adopts the UNIX philosophy and has the Unix file structure, which is what makes it more secure with read/write/execute permission flags.
@OppieT30 · 2 months ago
@@uniqueprogressive9908 I have seen flavors of BSD getting hacked. FreeBSD, NetBSD, OpenBSD.
@Chris-gh5yw · a year ago
LMAO ur videos r fires n love the references esp the one at 10:04 LFMAOAO
@AnimeGIFfy · a year ago
I wonder how many such hacks go unnoticed right now at this moment. We only hear about the ones that get caught.
@2112jonr · a year ago
There's hundreds out there, mostly from crap software vendors who hire cheap, inexperienced low knowledge developers.
@mrpetervideo · a year ago
Using NoSQL or SQL frameworks that prevent SQL injections is not just a trend, but a highly recommended practice in modern web development. These frameworks provide an extra layer of security and help safeguard sensitive data from malicious attacks. It's crucial for developers to prioritize implementing these frameworks to ensure the integrity and safety of their websites. Stay secure, everyone! 😁
@FascistTrex · 9 months ago
Lmao how does NoSQL prevent an SQLi attack? Do you realize SQL is still used to interrogate an SQL DB? And what the fuck even is a SQL framework lmao, I think you are referring to something like JPA that handles SQL queries for you.
@WolkenDesigns · 8 months ago
I think you are referring to a part of a larger dev. framework which prevents SQL injections. These exist and are highly recommended.
@realpillboxer · a year ago
There's so much in this fantastic 13 minute video to comment on (MORE EXPLOSIONS PLZ), but let's focus on a few things people haven't mentioned yet. First, nice Doug DeMuro reference at 2:37. Second, I think there's a whole video worth devoting to the grey area that companies like Trustwave (5:40) operate in. While independent auditors like Trustwave exist, who audits the auditors? How can we, the people, create an authentication or certification course/levels/tree that gives people and businesses confidence that the proclaimed proficiency is met? And what happens when these auditors give a passing grade to organizations whose current setup is woefully insecure by vague industry standards?