Research from IBM's X-Force team reports that 26% of the breaches in the first half of 2013 can be attributed to...
SQL injection attacks. What are the easiest ways to prevent SQL injection attacks without convincing the operations team to conduct an expensive full Web application and database code review?
The IBM X-Force Trend and Risk report and the Verizon Data Breach Investigations Report (DBIR) have both listed SQL injection (SQLi) attacks as one of the most common exploits for the past several years. Unfortunately, updating an enterprise software development lifecycle and all of the software to prevent these attacks is costly, and it can take years to achieve a return on investment. The best mitigating controls (Web application and database code reviews) are relatively expensive and only produce findings to remediate attacks, not to directly stop them. In these controls, developers need to take the findings and prioritize those that are high priority, and then spend the necessary time to make the changes and remove the insecure section of code. Until the findings are fixed, the software will remain vulnerable. Such an automated review or assessment might also have an operational impact and cause a denial of service or create problems with the Web application if performed in a production environment.
While updating enterprise software development lifecycles, organizations can use a source code-scanning tool to find vulnerabilities in the source code and remediate any known vulnerabilities as coding flaws are found.
Alternately, enterprises could use a Web application-based firewall to block SQLi attacks. This may be the easiest and quickest option. The Web application firewall could run on a Web server, on the database server (a database firewall) or on the network in front of the Web applications. All three types of Web-application firewalls can block many types of SQLi attacks along with other types of attacks, and none of them necessarily require updates to the Web application itself. They could all block the SQLi before the vulnerable Web application or database is compromised.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.