Gain insights into effective security techniques including patching, cryptography, and phishing prevention. Explore practices to make systems resistant and vulnerabilities more detectable, enhancing defense against attacks.

docker.tar.gz

network-commands

node

It seems like hardly a week goes by without a high-profile computer breach. Why do these happen? How can you prevent them? This course doesn’t have all the answers, but it does outline practices that make life harder for attackers and that will help tide you over until you get a full-time security team in place.

In this course, you will learn 5 simple, yet effective, techniques for preventing attackers from getting into your system. These techniques are related to: patching, software vulnerabilities, cryptography, windows security, and phishing. Within each chapter you will learn the best practices for preventing vulnerabilities and how to make them more detectable. 

This course is based on the Pragmatic Programmers’ book, Practical Security, and is aimed at developers, admins, team leads, architects, technology generalists, and all others who stand guard against the things that disrupt the network.

Practical Security: Simple Practices for Defending Your Systems

Our code works under ideal inputs, but does it stand up to malicious use? The wildcard parameter to `generateWildcardSQLForJournalEntrySearch` is controlled by the attacker. 

How much influence can the attacker have over the generated SQL by just controlling the wildcard parameter? Just like the knock-knock joke from the beginning of this chapter, this SQL statement was written with a mental model of a template where user input fits into one part and stays in its place to create a full statement. Can the attacker-controlled input break out of that template and alter the structure of the overall statement? What keeps the attacker-controlled wild card in its part of the statement? The answer is the percent signs. What would happen if the attacker-controlled wildcard contained a percent sign?

Calling this:
```java
generateWildcardSQLForJournalEntrySearch(1, "lindy hop%");
```
will generate this response:

SELECT CreatedTimestamp, Body
FROM journal_entries
WHERE PersonId = 1 AND Body LIKE '%lindy hop%%';

query_sqli_tables.sql

This is valid SQL, but it looks kind of odd. That double % at the end looks funny. More importantly for the themes of this course, it shows us how the attacker can start to break out of the template. What if the attacker searched for something weird like this?
```text
can't use a contraction
```
This would result in the server calling our helper function:
```java
generateWildcardSQLForJournalEntrySearch(1, "can't use a contraction");
```
This will generate the following SQL:

Let's get a deeper understanding of how SQL works with some examples.

Introduction

Patching

Vulnerabilities

Cryptography

Windows

Phishing

How SQL Injection Works