A recent Ponemon Institute report claims that while 65% of survey respondents have experienced an SQL injection attack in the past year, few organizations make a concerted effort to prevent them. We outsource a lot of development and struggle to get developers to consistently perform audit code validation during quality assurance (QA). With that in mind, is there anything we can do with limited resources to prevent these attacks?
There are widely available tools that script kiddies use to perform mass scanning for SQL injection (SQLi) flaws, so if only 65% of survey respondents experienced a SQLi attack, it seems the other 35% lacked effective monitoring in their environments to identify the attacks. In other words, virtually every organization is indiscriminately targeted by SQLi attacks.
There are a number of questions to ask when you outsource development. First, are there security requirements in the contract with the outsourced developers? Are there standards the outsourced developers must follow for a secure development lifecycle? Have they been trained on the systems development lifecycle and on how to code securely? Can the outsourced developers be held accountable for flaws in their code? If the answer to any of these questions is "no," the corresponding clauses should be added to future contracts, and existing contracts should be amended to include them.
Regardless of the outsourcer and the answers to these questions, enterprises can still add a SQLi scanner or attack tool to the quality assurance cycle of the software development process to identify SQLi vulnerabilities and improve security.
The Open Web Application Security Project (OWASP) has a SQLi prevention cheat sheet to help enterprises and developers thwart these attacks. Organizations could even use the same tools that script kiddies use in their attacks to find potentially vulnerable code or applications. Static code analysis could also be done to audit the code for SQLi vulnerabilities. Once the code has gone to production, a web application firewall could be used to block potential SQLi attacks or, alternatively, an intrusion prevention system or firewall may have functionality that could block the attack.
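The contrast the OWASP cheat sheet draws between concatenated and parameterized queries, together with the kind of static audit the answer recommends, as an added Python example that is not part of the original Q&A. The in-memory table, the tautology input and the audited source snippet are all constructed here, and the audit rule is a deliberately simple stand-in for a real static analyzer.

```python
"""Added example (not from the original Q&A): the query styles the OWASP
cheat sheet contrasts, run against an in-memory SQLite table, plus a crude
AST audit that flags execute() calls whose SQL is not a plain literal."""
import ast
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """Concatenation: the input is parsed as part of the SQL statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    """Parameterized query: the input is bound as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed source text for the audit below; line 3 concatenates input.
SAMPLE_SOURCE = '''
def lookup(cur, name):
    cur.execute("SELECT name FROM users WHERE name = '" + name + "'")
def lookup_safe(cur, name):
    cur.execute("SELECT name FROM users WHERE name = ?", (name,))
'''

def audit_source(source):
    """Return line numbers of execute()/executemany() calls whose first
    argument is not a string literal. Deliberately conservative: a
    variable holding the SQL is also reported for manual review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        first = node.args[0]
        if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            findings.append(node.lineno)
    return findings
```

With the tautology input `x' OR '1'='1`, the concatenated query returns every row while the parameterized one returns nothing, and the audit reports only the concatenating line of the sample source.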
Related Q&A from Nick Lewis