A recent Ponemon Institute report claims that while 65% of survey respondents have experienced an SQL injection attack in the past year, few organizations make a concerted effort to prevent them. We outsource a lot of development and struggle to get developers to consistently perform audit code validation during quality assurance (QA). With that in mind, is there anything we can do with limited resources to prevent these attacks?
There are widely available tools that script kiddies use to perform mass scanning for SQL injections (SQLi), so it seems that if only 65% of survey respondents experienced an SQLi attack, then 35% of the respondents had ineffective monitoring in their environments to identify the attacks. In other words, virtually every organization is indiscriminately targeted by SQLi attacks.
There are a number of questions to ask when you outsource development. First off, are there security requirements in the contract with the outsourced developers? Are there standards these outsourced developers need to follow for a secure development lifecycle? Have they been trained on the systems development lifecycle and on how to securely code? Can the outsourced developers be held accountable for flaws in their code? If the answer is "no" to any of these questions, these clauses should be added to future contracts, and existing contracts should be amended to include them.
Regardless of the outsourcers and the answers to these questions, enterprises can still add an SQLi scanner or attack tool to identify SQLi vulnerabilities in the software development process quality assurance cycle and to improve security.
The Open Web Application Security Project has a SQLi prevention cheat sheet to help enterprises and developers thwart attacks. Organizations could even just use the same tools that script kiddies use in their attacks to find potentially vulnerable code or applications. A static code analysis could even be done to audit the code for any SQLi attacks. Once the code has gone to production, a Web application firewall could be used to block potential SQLi attacks or, alternatively, there may be functionality in an intrusion prevention system or firewall that could block the attack.
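As an added example (not from the original Q&A or its author), here is the cheat sheet's core recommendation in Python with sqlite3: a query built by string concatenation beside its parameterized form, plus a grep-style audit rule of the kind a resource-limited QA step could run over outsourced code. The table, its rows and the audited source snippet are all constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    """Build an in-memory table with constructed sample rows (not from the Q&A)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable: input is spliced into the SQL text, so a quote in the input
    # changes the query's structure instead of being treated as data.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened (the cheat sheet's primary defense): a bound parameter keeps the
    # value outside the SQL grammar, so the same input is matched literally.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]

# Grep-style audit rule a QA step could run over source: flag double-quoted
# SQL literals that are concatenated (+), %-formatted, .format()-ed or f-strings.
_KW = r"\b(SELECT|INSERT|UPDATE|DELETE)\b"
UNSAFE_SQL = re.compile(
    r'f"[^"]*' + _KW + r'[^"]*\{' + r'|"[^"]*' + _KW + r'[^"]*"\s*(\+|%|\.format\()')

def audit_source(source):
    """Return 1-based line numbers where SQL text is assembled from other values."""
    return [i for i, line in enumerate(source.splitlines(), 1)
            if UNSAFE_SQL.search(line)]

# Constructed snippet standing in for outsourced code under review.
SAMPLE_SOURCE = '''\
cur.execute("SELECT email FROM users WHERE name = '" + name + "'")
cur.execute(f"SELECT id FROM orders WHERE owner = {user}")
cur.execute("SELECT email FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic tautology used in textbook demos
    print("vulnerable:", lookup_vulnerable(db, probe))    # both emails
    print("safe:      ", lookup_safe(db, probe))          # []
    print("flagged lines:", audit_source(SAMPLE_SOURCE))  # [1, 2]
```

The audit rule is deliberately naive (one line, double-quoted literals only) and catches only the most common patterns; it is a cheap first gate, not a substitute for a real static analyzer.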