Research from IBM's X-Force team reports that 26% of the breaches in the first half of 2013 can be attributed to SQL injection attacks. What are the easiest ways to prevent SQL injection attacks without convincing the operations team to conduct an expensive full Web application and database code review?
The IBM X-Force Trend and Risk report and the Verizon Data Breach Investigations Report (DBIR) have both listed SQL injection (SQLi) attacks as one of the most common exploits for the past several years. Unfortunately, updating an enterprise software development lifecycle and all of the software to prevent these attacks is costly, and it can take years to achieve a return on investment. The best mitigating controls (Web application and database code reviews) are relatively expensive and only produce findings to remediate attacks, not to directly stop them. In these controls, developers need to take the findings and prioritize those that are high priority, and then spend the necessary time to make the changes and remove the insecure section of code. Until the findings are fixed, the software will remain vulnerable. Such an automated review or assessment might also have an operational impact and cause a denial of service or create problems with the Web application if performed in a production environment.
While updating enterprise software development lifecycles, organizations can use a source code-scanning tool to find vulnerabilities in the source code and remediate any known vulnerabilities as coding flaws are found.
Alternately, enterprises could use a Web application-based firewall to block SQLi attacks. This may be the easiest and quickest option. The Web application firewall could run on a Web server, on the database server (a database firewall) or on the network in front of the Web applications. All three types of Web-application firewalls can block many types of SQLi attacks along with other types of attacks, and none of them necessarily require updates to the Web application itself. They could all block the SQLi before the vulnerable Web application or database is compromised.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.