SQL injection has been the most common attack method among hackers recently and users can expect attacks against...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
newer programming languages such as Flash and Java to increase over time, experts say.
"The 'bad guy' might replace your client with a different client," West said. "The problems aren't new, it's just more of the same problems and harder to solve."
With Flash coding, the biggest problem is that the person coding the Flash application is potentially writing the vulnerabilities into it, allowing the code to be vulnerable to exploitation, West said.
"People who are building these codes need to build from the ground up and have a mature software security assurance program to avoid vulnerabilities," West said.
SQL injection is commonly known as an "old school attack," and has been consistently used by hackers. Last summer researchers detected a larger wave of SQL injection attacks against websites globally.SQL injection attacks remain popular because it is a relatively easy method and many websites are vulnerable to the attack. It is a malicious code injection technique in which the attacker adds SQL code to a Web form input box to gain access to resources or make changes to data.
The latest high-profile SQL injection attack was against a U.S.-based website owned by antivirus vendor Kaspersky Lab. Kaspersky acknowledged a coding error in its customer support website, which was exploited by an anonymous white-hat hacker exposing thousands of customer email addresses and software activation codes.
Many experts, such as Fortify's West, are advising developers to think more about security when they're coding to prevent these attacks. Although the number of SQL injection attacks has declined since last summer, about 14-16% of all websites characterized as important are vulnerable, said Jeremiah Grossman, founder and chief technology officer of WhiteHat Security.
The emergence of a method to pull off wide-scale SQL injection attacks has made the technique even more popular, said Grossman.
"Before SQL injections, an attacker had to exploit one site at a time, but now they found a generic way to insert data in the database, creating a widespread vulnerability," Grossman said.
The type of technology a hacker attacks does not matter to the hacker as long as they are able to exploit vulnerabilities, Grossman said.
"SQL injection, cross-site scripting (XSS) and a bunch of other attacks will occur [in the future], and it won't matter whether you're using 1.0 or 2.0 technology -- it's all the same," Grossman said.
Gary McGraw, chief technology officer of Citigal Inc., a software security and quality consulting firm with headquarters in Washington D.C., said as long as vulnerabilities are present within a technology, no attacker will stop attempting to exploit it, and the attacker will use whatever technology is available to him, McGraw said.
In the past, there was a "coolness" factor among attackers associated with new attacks versus old attacks, McGraw said.
However, "as the attacker profile has shifted from disgruntled adolescents to professional criminals, the coolness factor is no longer a big deal," McGraw said. "[Attackers] no longer care about how advanced their attack is."
West said that while SQL injection attacks are high, it is also so common that many IT professionals know it, making it easier to eliminate the possibility of successful SQL injection attacks against a database than cross-site scripting (XSS). West predicts cross-site scripting will continue to increase because it is very difficult to fix, while SQL injection attacks will become less and less common.
Researchers have been trying to figure out ways to get developers to think more about security when they develop programs. Last month, dozens of security experts released the CWE/SANS Top 25 dangerous programming errors list. Companies can protect themselves from SQL injection and Flash-based attacks by developing a software-assurance security program, having the right code vulnerability scanning software, and the right processes to make sure you have a secure development lifestyle, West said.
WhiteHat Security's Grossman advised users and companies to know what websites they own and value them accordingly.
"Find the vulnerabilities in the sites before the 'bad guys' do and fix the sites," Grossman said. "These are solutions that have been around for a long time."
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)