Even though they've been around forever, SQL injection attacks are still one of attackers' most common hacks (including a recent successful attack on Barracuda Networks). What are some best practices for eradicating SQL injection vulnerabilities? Is there some sort of monthly scan process we can put in place to detect and prevent them?
SQL injection attacks are still one of the most successful and commonly used attacks for compromising Web applications. One best practice for eradicating SQL injection vulnerabilities is following the recommendations from OWASP. OWASP lists three primary defenses and two additional defenses: using prepared statements, using stored procedures and escaping all user-supplied input, and then applying least privilege and whitelist input validation, respectively. Corporate Web app developers should be trained on these techniques so their code is secure, and the techniques should be integrated into the organization's software development life cycle (SDLC).
Following the OWASP recommendations will help eliminate SQL injection vulnerabilities, but there are also tools that can be used to detect and prevent them. You can use an existing IDS to detect SQL injection attacks, and there are dedicated tools, such as Web application firewalls (WAFs), that can detect and block the attacks. WAFs are typically deployed in front of a Web application so they can inspect all of the Web traffic to the server and block the malicious traffic.
There are also Web application security scanners that can be used for SQL injection scanning, as well as for scanning for other vulnerabilities. Use a Web application security scanner to scan Web apps on a regular basis, and include a scan in the company's SDLC methodology to examine applications before they go into production. There are also companies that provide Web app scanning services that could be used on high-value Web apps, where security is of the utmost importance.
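As an added example (not part of the original answer), using Python's standard sqlite3 module and a constructed in-memory table: the string-concatenated query beside its prepared-statement counterpart, plus whitelist validation for the one place a bind parameter cannot be used (a column identifier). All table contents and function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample database: an in-memory table with three users.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
conn.executemany(
    "INSERT INTO users (username, role) VALUES (?, ?)",
    [("alice", "admin"), ("bob", "user"), ("carol", "user")],
)


def lookup_vulnerable(username):
    """Concatenation: user input is spliced into the SQL text, so a quote in the
    input changes the grammar of the statement instead of the value compared."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(username):
    """Prepared statement (OWASP primary defense): the driver binds the value
    separately from the statement text, so it is only ever data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Identifiers (table/column names) cannot be bound as parameters, which is
# where whitelist input validation (OWASP additional defense) applies.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(column):
    """Accept only a known-good column name; reject everything else."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % (column,))
    # Safe to interpolate: the value is one of our own literals.
    sql = "SELECT username FROM users ORDER BY " + column + ", username"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    probe = "' OR '1'='1"  # constructed tautology input for the comparison
    print("concatenated:", lookup_vulnerable(probe))  # returns every user
    print("prepared:    ", lookup_prepared(probe))    # returns no user
    print("sorted:      ", list_users_sorted("role"))
```

Running the two lookups with the same input shows the whole difference: the concatenated query matches every row, while the prepared statement looks for a user literally named `' OR '1'='1` and finds none.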