Research from IBM's X-Force team reports that 26% of the breaches in the first half of 2013 can be attributed to...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
SQL injection attacks. What are the easiest ways to prevent SQL injection attacks without convincing the operations team to conduct an expensive full Web application and database code review?
The IBM X-Force Trend and Risk report and the Verizon Data Breach Investigations Report (DBIR) have both listed SQL injection (SQLi) attacks as one of the most common exploits for the past several years. Unfortunately, updating an enterprise software development lifecycle and all of the software to prevent these attacks is costly, and it can take years to achieve a return on investment. The best mitigating controls (Web application and database code reviews) are relatively expensive and only produce findings to remediate attacks, not to directly stop them. In these controls, developers need to take the findings and prioritize those that are high priority, and then spend the necessary time to make the changes and remove the insecure section of code. Until the findings are fixed, the software will remain vulnerable. Such an automated review or assessment might also have an operational impact and cause a denial of service or create problems with the Web application if performed in a production environment.
While updating enterprise software development lifecycles, organizations can use a source code-scanning tool to find vulnerabilities in the source code and remediate any known vulnerabilities as coding flaws are found.
Alternately, enterprises could use a Web application-based firewall to block SQLi attacks. This may be the easiest and quickest option. The Web application firewall could run on a Web server, on the database server (a database firewall) or on the network in front of the Web applications. All three types of Web-application firewalls can block many types of SQLi attacks along with other types of attacks, and none of them necessarily require updates to the Web application itself. They could all block the SQLi before the vulnerable Web application or database is compromised.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.