Resources: Whitepapers


Most of these computer security white papers have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS Software Security attempts to ensure the accuracy of information, but papers are published "as is".

Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.


Application and Database Security
Paper | Author | Date
Building an Application Vulnerability Management Program | Jason Pubal | Jul 28, 2014
Incident Response in a Microsoft SQL Server Environment | Juan Walker | Jul 9, 2014
SANS Survey on Application Security Programs and Practices | | Jun 17, 2014
Oracle Advanced Security | Tanya Baccam | Jun 17, 2014
Next-Generation Datacenters = Next-Generation Security | Dave Shackleford | Jun 17, 2014
SANS Institute Review: Oracle Database Vault | Tanya Baccam | Jun 17, 2014
2013 SANS Mobile Application Security Survey | | Jun 17, 2014
Integrating Security into Development, No Pain Required | Dave Shackleford | Jun 17, 2014
Security of Applications: It Takes a Village | Dave Shackleford | Jun 17, 2014
Application Security: Tools for Getting Management Support and Funding | John Pescatore | Jun 17, 2014
Securing Web Applications Made Simple and Scalable | Gregory Leonard | Jun 17, 2014
Enabling Social Networking Applications for Enterprise Usage | Eric Cole, PhD | Jun 17, 2014
Oracle Database Security: What to Look for and Where to Secure | Tanya Baccam | Jun 17, 2014
Making Database Security an IT Security Priority | Tanya Baccam | Jun 17, 2014
Database Activity Monitoring and Audit: A Review of Oracle Audit Vault and Database Firewall | Tanya Baccam | Jun 17, 2014
Survey on Application Security Programs and Practices | | Jun 17, 2014
How to Win Friends and Remediate Vulnerabilities | Chad Butler | Mar 27, 2014
Introduction to the OWASP Mutillidae II Web Pen-Test Training Environment | Jeremy Druin | Dec 4, 2013
Protecting applications against Clickjacking with F5 LTM | Michael Nepomnyashy | Dec 4, 2013
A Hands-on XML External Entity Vulnerability Training Module | Carrie Roberts | Dec 4, 2013
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? | Erik Couture | Jun 14, 2013
Setting Up a Database Security Logging and Monitoring Program | Jim Horwath | May 10, 2013
Endpoint Security through Application Streaming | Adam Walter | Mar 25, 2013
Auditing ASP.NET applications for PCI DSS compliance | Christian Moldes | Feb 7, 2012
Securing Blackboard Learn on Linux | David Lyon | Dec 1, 2011
Mass SQL Injection for Malware Distribution | Larry Wichman | Apr 28, 2011
Four Attacks on OAuth - How to Secure Your OAuth Implementation | Khash Kiani | Mar 24, 2011
Protecting Users: The Importance Of Defending Public Sites | Kristen Sullivan | Jan 18, 2011
Reducing Organizational Risk Through Virtual Patching | Joseph Faust | Jan 11, 2011
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know | Jason Lam & Johannes B. Ullrich | May 22, 2009
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them | Ed Skoudis and Frank Kim | Mar 3, 2009
Web Based Attacks | Justin Crist | Jan 4, 2008
Analyzing Attack Surface Code Coverage | Justin Seitz | Nov 14, 2007
Forensic Analysis of a SQL Server 2005 Database Server | Kevvie Fowler | Sep 28, 2007
Automated Scanning of Oracle 10g Databases | Rory McCune | Aug 7, 2007
Using Oracle Forensics to determine vulnerability to Zero Day exploits | Paul Wright | Feb 28, 2007
Security in Sun Java System Application Server Platform Edition 8.0 | Sid Ansari | Jun 29, 2005
Web Browser Insecurity | Paul Asadoorian | Jun 2, 2005
Application Firewalls: Don't Forget About Layer 7 | Russell Eubanks | May 17, 2005
Reining in the LAN client | David Monaco | Feb 25, 2005
Papers taken from SANS Reading Room.
Authentication
Paper | Author | Date
SANS Institute Product Review: Demystifying External Authorization: Oracle Entitlements Server Product Review | Tanya Baccam | Jun 17, 2014
SANS Institute Product Review: Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2 | Dave Shackleford | Jun 17, 2014
Adding Enterprise Access Management to Identity Management | J. Michael Butler | Jun 17, 2014
Extending Role Based Access Control | J. Michael Butler | Jun 17, 2014
Smart Strategies for Securing Extranet Access | Dave Shackleford | Jun 17, 2014
An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools | Tom Webb | Mar 27, 2014
Implementing IEEE 802.1x for Wired Networks | Johan Loos | Mar 14, 2014
The Dangers of Weak Hashes | Kelly Brown | Dec 4, 2013
Daisy Chain Authentication | Courtney Imbert | Sep 18, 2013
SSL/TLS: What's Under the Hood | Sally Vandeven | Aug 22, 2013
Two-Factor Authentication: Can You Choose the Right One? | Emilio Valente | Oct 15, 2009
OS and Application Fingerprinting Techniques | Jon Mark Allen | Oct 22, 2008
Simple Formula for Strong Passwords (SFSP) Tutorial | Bernie Thomas | May 17, 2005
Installing a Secure Network DHCP Registration System | Pam Fournier | May 5, 2005
Secure implementation of Enterprise single sign-on product in an organization | Ravikanth Ponnapalli | Jan 18, 2005
Papers taken from SANS Reading Room.
Securing Code
Paper | Author | Date
Application Security: Tools for Getting Management Support and Funding | John Pescatore | Jun 17, 2014
Survey on Application Security Programs and Practices | | Jun 17, 2014
PowerBroker vs. Sudo | | Jun 17, 2014
Web Application Injection Vulnerabilities: A Web App's Security Nemesis? | Erik Couture | Jun 14, 2013
Which Disney© Princess are YOU? | Joshua Brower | Mar 18, 2010
Secure Authentication on the Internet | Roger Meyer | Feb 1, 2008
Software Engineering - Security as a Process in the SDLC | Nithin Haridas | Aug 7, 2007
How to Avoid Information Disclosure when Managing Windows with WMI | Alex Timkov | Jul 17, 2007
Threat Modeling: A Process To Ensure Application Security | Steven Burns | Oct 5, 2005
Papers taken from SANS Reading Room.
Applications and Systems Development Security
Paper | Author | Date
Building Security into the System Development Life Cycle (SDLC): A Case Study | James Purcell | Aug 9, 2007
Application Security | Dan McGinn-Combs | Apr 9, 2007
Defining and Understanding Security in the Software Development Life Cycle | James Purcell | Apr 6, 2007
Outsourcing | Daniel Accioly Rosa | Mar 30, 2007
Comparing Software Development Life Cycles | Jim Hurst | Mar 23, 2007
Comparison of Java Applets and ActiveX Controls | Jim Hurst | Mar 23, 2007
Employee Management Security Controls | James E. Purcell | Mar 23, 2007
The Capability Maturity Model and Its Applications | Jim Hurst | Mar 20, 2007
Overview and Tutorial on Artificial Intelligence Systems | Jim Hurst | Mar 20, 2007
Comparison of Software Development Lifecycle Methodologies | James Purcell | Feb 12, 2007
Papers taken from the CISSP® certification prep domain.