Microsoft tools won't be quick fix for SQL injection attacks

By Robert Westervelt, News Editor
25 Jun 2008 | SearchSecurity.com


Attackers will continue to find websites vulnerable to SQL injection despite Microsoft's recent advisory, which identified tools to help companies check whether their websites are vulnerable and their code is secure.


A major shift in secure software development is needed to bolster code and defend against Web-based attacks, said Billy Hoffman, lead security researcher for the Web Security Research Group at HP. Hoffman called Microsoft's advisory a wake-up call for people involved in the software development lifecycle, but stopped short of calling it a stopgap measure.

"No security solution will work unless you have executive buy-in," Hoffman said. "Security is something that executives, vice presidents of development and directors of engineering need to be aware of and pushing throughout the lifetime of development. Right now that's not happening."

So far, as many as 600,000 websites have been successfully attacked using automated toolkits designed to let novice hackers easily target vulnerable sites. Microsoft identified several free tools that could be used to defend against the recent mass SQL injection attacks: UrlScan, which blocks HTTP requests; Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks; and Scrawlr, a vulnerability scanner that identifies faulty code in websites.
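To make the source-analysis category concrete, here is an added example written for this page; it is not Microsoft's Source Code Analyzer for SQL Injection, nor any HP tool, and it makes no claim about how those tools work internally. It is a toy taint scanner in Python run over a constructed classic-ASP fragment: it flags query text built by concatenating Request input (directly, or through an intermediate variable that later reaches an Execute call), and stays quiet on a hard-coded constant and on a parameterized ADODB.Command, which is the fix a developer would apply. All names in the sample (`conn`, the column names, the variables) are made up for the illustration.

```python
"""Toy taint-tracking scanner for classic ASP pages (constructed example).

Flags SQL statements built from Request input by string concatenation, the
defect class the source-code analyzers described in the article look for.
Written for this page as an illustration; not Microsoft's or HP's tool.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed classic-ASP sample; the line numbers reported below refer to it.
SAMPLE_ASP = """\
<%
Dim id, name, sql, sql2, rs, rs2, rs3, cmd
Const STATUS_OPEN = "open"
id = Request.QueryString("id")
name = Request.Form("name")
' Untrusted input concatenated straight into the query text
sql = "SELECT * FROM Products WHERE ProductID = " & id
Set rs = conn.Execute(sql)
' Same defect, concatenated inline inside the Execute call
Set rs2 = conn.Execute("SELECT * FROM Users WHERE Name = '" & name & "'")
' Concatenating a constant is not a taint finding
sql2 = "SELECT * FROM Orders WHERE Status = '" & STATUS_OPEN & "'"
' Parameterized command keeps the input out of the SQL text
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Users WHERE Name = ?"
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, name)
Set rs3 = cmd.Execute
%>
"""

STRING_LIT = re.compile(r'"[^"]*"')
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
ASSIGN = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
# Classic-ASP request collections that carry attacker-controlled data
TAINT_SOURCE = re.compile(
    r"\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(", re.I)
SQL_LITERAL = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b[^"]*"', re.I)
EXEC_SINK = re.compile(r"\.Execute\s*\(", re.I)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line in the scanned source
    sources: tuple  # tainted names (or "Request") reaching the SQL on that line
    text: str


def scan_asp(source: str) -> list[Finding]:
    """Single forward pass: propagate taint through assignments, flag sinks."""
    tainted: set[str] = set()
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue  # blank line or VBScript comment
        stripped = STRING_LIT.sub('""', line)  # ignore names inside string literals
        ids = {name.lower() for name in IDENT.findall(stripped)}
        direct = TAINT_SOURCE.search(stripped) is not None

        # Sink: a SQL literal being concatenated, or a call to .Execute(...)
        builds_sql = SQL_LITERAL.search(line) is not None and "&" in stripped
        executes = EXEC_SINK.search(stripped) is not None
        reaching = sorted(ids & tainted)
        if (builds_sql or executes) and (direct or reaching):
            sources = tuple((["Request"] if direct else []) + reaching)
            findings.append(Finding(lineno, sources, line))

        # Propagation: LHS becomes tainted if RHS reads Request or a tainted name
        m = ASSIGN.match(stripped)
        if m:
            rhs_ids = {name.lower() for name in IDENT.findall(m.group(2))}
            if TAINT_SOURCE.search(m.group(2)) or rhs_ids & tainted:
                tainted.add(m.group(1).lower())
    return findings


def report(source: str) -> list[str]:
    """Human-readable one-liner per finding."""
    return [f"line {f.line}: SQL built from {', '.join(f.sources)}: {f.text}"
            for f in scan_asp(source)]


if __name__ == "__main__":
    for entry in report(SAMPLE_ASP):
        print(entry)
```

On the sample, the scanner reports lines 7, 8 and 10 (the two concatenations and the Execute of the tainted `sql` variable) and nothing for the constant or the parameterized command. Being regex-based, it has the limitations Danchev alludes to below: it does not follow data across files or function calls, so a clean report from a tool of this kind is not evidence that a site is safe.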

Hoffman, who was on the original SPI Dynamics team that designed the Scrawlr vulnerability scanner, said the tool is essentially a scaled-down version of HP WebInspect, Web application security testing software. Despite not being even remotely as robust as WebInspect, the Scrawlr tool still has the ability to help detect whether a website is vulnerable, he said. Ultimately, Microsoft has a huge developer audience, and putting the tools in their hands could help bolster the secure coding movement, Hoffman said.

Other researchers are not as optimistic about Microsoft's approach. Dancho Danchev, an independent security consultant and researcher who has been following the SQL injection attacks, called the Microsoft advisory a standard public relations practice. Still, it's good that Microsoft is raising awareness about the issue, he said.

"Releasing free self-auditing tools with limited capabilities can cause more harm than actually doing something good, since people wouldn't bother using more sophisticated self-auditing tools, and will enjoy a false feeling of safety," Danchev said. "The irony is that average SQL injection scanners released by malicious parties have more advanced scanning and injection capabilities than the free ones released by Microsoft."

The SQL injection attacks have been carried out using the Asprox Trojan, which installs itself on victims' machines and then spreads by using Google to search for websites vulnerable to SQL injection.

Nick Chapman, a security researcher with managed security services firm SecureWorks, said it will take an entirely new mindset to get security ingrained in the development lifecycle. Time is money, and many businesses push faster development times over more secure code, he said.

"There's been a lack of knowledge and concern within the enterprise," he said. "It's cheaper if you develop more quickly and less quality code so that's what happens all the time."

Chapman called the free tools a good start, but said developers should be using more robust tools to look at source code and discover areas that could be exploited. Security pros should be using black box tools to review Web applications from the outside. But companies need a more compelling argument to use more robust tools, he said.

"The damage is divorced from the application," Chapman said. "You probably won't notice right away; damage is not done to you, it's done to your customers."
