Elisa Bertino

Purdue University, USA

The Persistent Problem of Applications Insecurity

Data is a critical resource and as such it is very often the target of cyber-attacks with a variety of goals, including data theft and ransom requests. Today database systems provide several effective security controls and defenses, such as database encryption, fine-grained content- and context-based access control, role-based access control, and logging capabilities for security-relevant events. In addition, database systems support a variety of authentication techniques, such as multi-factor authentication. However, there is a major weak point in data security: the applications. Once data is transmitted from a database to applications, the data is exposed to many risks if the applications have vulnerabilities. Unfortunately, applications and, more generally, software systems are still often insecure, despite the fact that the "problem of software security" has been known to the industry and research communities for decades. In the case of database applications, for example, SQL injection vulnerabilities, known for more than 20 years, are still common: in 2022 alone, 1162 vulnerabilities of the type "SQL injection" were accepted as CVEs (Common Vulnerabilities and Exposures). In this talk, I first briefly argue why the software security problem is more complex than ever. I then focus on the problem of SQL injection and other vulnerabilities that often occur in database applications, and present an initial approach to automatically detect these vulnerabilities and "repair" them. I also cover the case of a more sophisticated attacker, able to tamper with the application code. I then move on to discuss the problem of software supply-chain attacks and research directions.
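To make the SQL injection case concrete, the following is an added example (not code from the talk or from the speaker's detection and repair approach). It assumes a hypothetical `users` table in an in-memory SQLite database and shows the vulnerable pattern (untrusted input concatenated into the SQL text) next to the repaired form (a parameterized query), plus a toy AST-based check that flags `execute()` calls whose query text is assembled dynamically. The static check is a simple heuristic constructed for this example and is not the method presented in the talk.

```python
import ast
import sqlite3


def make_db():
    """Constructed sample database for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the caller-supplied value becomes part of the SQL text,
    so a quote character in it changes the structure of the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_repaired(conn, name):
    """Repaired: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_concat_queries(source):
    """Toy static check (assumed heuristic, not the talk's approach):
    return the line numbers of execute()/executemany() calls whose first
    argument is built by +, %, f-string or .format() rather than a literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        arg = node.args[0]
        dynamic = isinstance(arg, (ast.BinOp, ast.JoinedStr)) or (
            isinstance(arg, ast.Call)
            and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"
        )
        if dynamic:
            hits.append(node.lineno)
    return hits


# Constructed source snippet fed to the static check; line 2 concatenates
# input into the query, line 6 uses a bound parameter.
SAMPLE_SOURCE = '''\
def lookup_vulnerable(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_repaired(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()
'''


def demo():
    """Run both lookups on a benign value and on a constructed quote-bearing
    value, and run the static check; returns the results for inspection."""
    conn = make_db()
    benign = "alice"
    # Constructed test value: the single quote closes the string literal in
    # the concatenated query, so the vulnerable lookup no longer filters by name.
    quoted = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "repaired_benign": lookup_repaired(conn, benign),
        "vulnerable_quoted_rows": len(lookup_vulnerable(conn, quoted)),
        "repaired_quoted_rows": len(lookup_repaired(conn, quoted)),
        "flagged_lines": find_concat_queries(SAMPLE_SOURCE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The repaired lookup returns the same row as the vulnerable one for a normal name, but for the quote-bearing value it returns nothing (no user has that literal name), whereas the vulnerable lookup returns every row in the table. The AST check reports only the concatenated query, which is the kind of site an automated detect-and-repair tool would rewrite into the parameterized form.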