
Microsoft tools won't be quick fix for SQL injection attacks

By Robert Westervelt, News Editor
25 Jun 2008 | SearchSecurity.com

Security Wire Daily News

Attackers will continue to find websites vulnerable to SQL injection despite Microsoft's recent advisory, which identified tools to help companies check whether their websites are vulnerable and their code is secure.


A major shift in secure software development is needed to bolster code and defend against Web-based attacks, said Billy Hoffman, lead security researcher for the Web Security Research Group at HP. Hoffman called Microsoft's advisory a wake-up call for people involved in the software development lifecycle, but stopped short of calling it a stopgap measure.

"No security solution will work unless you have executive buy-in," Hoffman said. "Security is something that executives, vice presidents of development and directors of engineering need to be aware of and pushing throughout the lifetime of development. Right now that's not happening."

So far, as many as 600,000 websites have been successfully attacked using automated toolkits designed to let novice hackers easily target vulnerable sites. Microsoft identified several free tools that could be used to defend against the recent massive SQL injection attacks: UrlScan, which blocks HTTP requests; Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection attacks; and Scrawlr, a vulnerability scanner that identifies faulty code in websites.
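To make concrete what a source-level check of the kind Microsoft's Source Code Analyzer performs actually looks for, here is a small added example (written for this page, not Microsoft's tool or any code from the article). It scans a constructed classic-ASP fragment for SQL strings built by concatenating request data, tracks taint through simple variable assignments, and leaves the parameterized `ADODB.Command` version unflagged. The sample script, the function names and the regular expressions are all assumptions made for the illustration.

```python
import re

# Constructed classic-ASP fragment (not from the article): two queries built by
# string concatenation with request data, then the same lookup done with an
# ADODB.Command parameter, which is the pattern the flagged code should move to.
SAMPLE_ASP = """\
<%
Dim sql, rs
sql = "SELECT * FROM Products WHERE id=" & Request.QueryString("id")
Set rs = conn.Execute(sql)

name = Request.Form("name")
sql = "SELECT * FROM Users WHERE name='" & name & "'"
Set rs = conn.Execute(sql)

Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Users WHERE name = ?"
cmd.Parameters.Append cmd.CreateParameter("@name", 200, 1, 50, Request.Form("name"))
Set rs = cmd.Execute
%>
"""

# Sources of untrusted input in classic ASP.
REQUEST_SOURCE = re.compile(
    r"\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(", re.I)
# A plain VBScript assignment: optional Dim, a (possibly dotted) name, '=', rhs.
ASSIGNMENT = re.compile(r"^\s*(?:Dim\s+)?([\w.]+)\s*=\s*(.+?)\s*$")
# A string literal that looks like the start or middle of a SQL statement.
SQL_LITERAL = re.compile(r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b[^"]*"', re.I)
STRING_LITERAL = re.compile(r'"[^"]*"')


def scan_asp(source: str):
    """Return (line_number, variable, line) for each assignment that builds a
    SQL string by concatenating ('&') request-derived data into it.

    Taint is tracked per variable within one straight-line script: a variable
    assigned from Request.* (or from another tainted variable) stays tainted
    until it is reassigned from something clean.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        # Look for variable references outside string literals only, so that a
        # column called "name" inside the SQL text does not count as a use.
        code_only = STRING_LITERAL.sub('""', rhs)
        uses_tainted_var = any(
            re.search(r"\b%s\b" % re.escape(v), code_only) for v in tainted)
        rhs_tainted = bool(REQUEST_SOURCE.search(rhs)) or uses_tainted_var

        if rhs_tainted and "&" in code_only and SQL_LITERAL.search(rhs):
            findings.append((lineno, var, line.strip()))
        if rhs_tainted:
            tainted.add(var)
        else:
            tainted.discard(var)
    return findings


if __name__ == "__main__":
    for lineno, var, text in scan_asp(SAMPLE_ASP):
        print(f"line {lineno}: '{var}' built from request data: {text}")
```

Run against the sample, the scanner reports lines 3 and 7 (the two concatenated queries) and says nothing about the `cmd.CommandText` query, because its user input arrives through a parameter rather than the SQL text. The check is purely syntactic: data that reaches a query through a function call, an include file or a `Replace()`-style "sanitizer" is invisible to it, which is exactly the kind of limitation the researchers quoted later in the article have in mind when they warn that a free tool with narrow coverage can leave a false sense of safety.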

Hoffman, who was on the original SPI Dynamics team that designed the Scrawlr vulnerability scanner, said the tool is essentially a scaled-down version of HP WebInspect, the company's Web application security testing software. Despite not being even remotely as robust as WebInspect, the Scrawlr tool can still help detect whether a website is vulnerable, he said. Ultimately, Microsoft has a huge developer audience, and putting the tools in their hands could help bolster the secure coding movement, Hoffman said.

Other researchers are not as optimistic about Microsoft's approach. Dancho Danchev, an independent security consultant and researcher who has been following the SQL injection attacks, called the Microsoft advisory standard public relations practice. Still, it's good that Microsoft is raising awareness about the issue, he said.

"Releasing free self-auditing tools with limited capabilities can cause more harm than actually doing something good, since people wouldn't bother using more sophisticated self-auditing tools, and will enjoy a false feeling of safety," Danchev said. "The irony is that average SQL injections scanners released by malicious parties have more advanced scanning and injection capabilities than the free ones released by Microsoft."

The SQL injection attacks have been carried out using the Asprox Trojan, which installs itself on victims' machines and then spreads by using Google to search for websites vulnerable to SQL injection attacks.

Nick Chapman, a security researcher with managed security services firm SecureWorks, said it will take an entirely new mindset to get security ingrained in the development lifecycle. Time is money, and many businesses push faster development times over more secure code, he said.

"There's been a lack of knowledge and concern within the enterprise," he said. "It's cheaper if you develop more quickly and less quality code so that's what happens all the time."

Chapman called the free tools a good start, but said developers should be using more robust tools to examine source code and find areas that could be exploited. Security pros should be using black-box tools to review Web applications from the outside. But companies need a more compelling argument before they will invest in more robust tools, he said.

"The damage is divorced from the application," Chapman said. "You probably won't notice right away; damage is not done to you, it's done to your customers."
