Manage Learn to apply best practices and optimize your operations.

How to prevent SQL injection attacks (without a costly code review)

Enterprise threats expert Nick Lewis reveals two key ways to prevent SQL injection attacks without breaking the bank on an expensive code review.

Research from IBM's X-Force team reports that 26% of the breaches in the first half of 2013 can be attributed to SQL injection attacks. What are the easiest ways to prevent SQL injection attacks without convincing the operations team to conduct an expensive full Web application and database code review?

The IBM X-Force Trend and Risk report and the Verizon Data Breach Investigations Report (DBIR) have both listed SQL injection (SQLi) attacks as one of the most common exploits for the past several years. Unfortunately, updating an enterprise software development lifecycle and all of the software to prevent these attacks is costly, and it can take years to achieve a return on investment. The best mitigating controls (Web application and database code reviews) are relatively expensive and only produce findings to remediate attacks, not to directly stop them. In these controls, developers need to take the findings and prioritize those that are high priority, and then spend the necessary time to make the changes and remove the insecure section of code. Until the findings are fixed, the software will remain vulnerable. Such an automated review or assessment might also have an operational impact and cause a denial of service or create problems with the Web application if performed in a production environment.

While updating enterprise software development lifecycles, organizations can use a source code-scanning tool to find vulnerabilities in the source code and remediate any known vulnerabilities as coding flaws are found.

Alternately, enterprises could use a Web application-based firewall to block SQLi attacks. This may be the easiest and quickest option. The Web application firewall could run on a Web server, on the database server (a database firewall) or on the network in front of the Web applications. All three types of Web-application firewalls can block many types of SQLi attacks along with other types of attacks, and none of them necessarily require updates to the Web application itself. They could all block the SQLi before the vulnerable Web application or database is compromised.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)

This was last published in May 2014

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.