SQL injection scanning processes for corporate SDLC methodology

SQL injection vulnerabilities are some of the most exploited flaws. In this expert response, Nick Lewis explains how to eradicate such flaws from your Web apps.

Even though they've been around forever, SQL injection attacks are still one of attackers' most common hacks (including a recent successful attack on Barracuda Networks). What are some best practices for eradicating SQL injection vulnerabilities? Is there some sort of monthly scan process we can put in place to detect and prevent them?

SQL injection attacks are still among the most successful and commonly used attacks for compromising Web applications. One best practice for eradicating SQL injection vulnerabilities is to follow the OWASP recommendations. OWASP lists three primary defenses and two additional defenses: the primary defenses are using prepared statements (parameterized queries), using stored procedures and escaping all user-supplied input; the additional defenses are enforcing least privilege on the database account and performing white list input validation. Prepared statements are the preferred option: stored procedures only help if they do not build dynamic SQL internally, and escaping is database-specific and should be treated as a last resort. Corporate Web app developers should be trained on these techniques, and the techniques should be built into the organization's software development life cycle (SDLC), to help ensure the code they ship is secure.
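The following is an added example, not code from the original article or from OWASP, that puts the defenses above side by side on an in-memory SQLite table: a lookup that concatenates user input into the query, the same lookup as a prepared statement, a version that escapes the input for SQLite's string-literal syntax, and a white list check in front of the query. The table, the user rows and the function names are constructed for the example.

```python
"""Vulnerable string-built query beside its parameterized and escaped forms (SQLite)."""
import re
import sqlite3

# Constructed sample rows for the example; not real credentials.
USERS = [
    ("alice", "s3cret-hash", "admin"),
    ("bob", "hunter2-hash", "user"),
    ("carol", "qwerty-hash", "user"),
]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    # executemany with '?' placeholders is itself a parameterized statement.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Attacker-controlled input is pasted straight into the SQL text.

    A username of  x' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row instead of at most one.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """OWASP primary defense #1: prepared statement / parameterized query.

    The value travels separately from the SQL text, so it can only ever be
    compared as data; it cannot change the structure of the statement.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_escaped(conn, username):
    """OWASP primary defense #3: escape all user-supplied input.

    Doubling single quotes is the correct escape for SQLite string literals,
    but escaping rules differ between databases and contexts (numbers,
    identifiers, LIKE patterns), which is why it is the least preferred option.
    """
    escaped = username.replace("'", "''")
    sql = "SELECT username, role FROM users WHERE username = '" + escaped + "'"
    return conn.execute(sql).fetchall()


# Allowed character set for a username; anything else is rejected up front.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_validated(conn, username):
    """OWASP additional defense: white list input validation in front of the
    parameterized query. Validation rejects the injection payload before any
    SQL is built, and the prepared statement remains the primary control."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("escaped:      ", lookup_escaped(db, payload))
```

Run it and the vulnerable lookup dumps all three users for the tautology payload, while the parameterized and escaped lookups return nothing because the payload is compared as a literal username. Least privilege is not shown in code here; it is a database-side setting (a read-only account that can only reach the tables the application needs), which bounds what a successful injection can do if one of the code-level defenses is missed.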

Following the OWASP recommendations will help eliminate SQL injection vulnerabilities, but there are other tools that can be used to detect and prevent attacks. An existing IDS can detect SQL injection attempts, but dedicated tools such as Web application firewalls (WAFs) can both detect and block them. WAFs are typically deployed in front of a Web application so they can inspect all of the Web traffic to the server and block the malicious requests. A WAF is a compensating control rather than a replacement for fixing the code: signature-based detection can be evaded with alternative encodings and query variations, so it should be layered on top of the OWASP defenses, not used instead of them.
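As an added example of the kind of signature matching an IDS or WAF performs (this is illustrative code, not from the original article or any product), the script below classifies constructed access log lines, decoding percent-encoding and '+' before matching so the signatures see what the database would see. The log lines, IP addresses and signature names are all constructed for the example.

```python
"""Signature-style detection of SQL injection attempts in web server access logs."""
import re
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access log lines (not from a real server).
LOG_LINES = [
    '203.0.113.5 - - [12/Sep/2011:10:01:22 +0000] "GET /account?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Sep/2011:10:01:30 +0000] "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9813',
    '198.51.100.7 - - [12/Sep/2011:10:02:01 +0000] "GET /search?q=union+select+username%2Cpw_hash+from+users-- HTTP/1.1" 500 231',
    '198.51.100.9 - - [12/Sep/2011:10:02:45 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 1044',
]

# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A few classic signatures. Real WAF rule sets are far larger and still evadable;
# this is a detection aid, not a substitute for parameterized queries.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def classify(line):
    """Parse one log line and return the request with any signature hits.

    Returns None for lines that do not parse; otherwise a dict with the client
    IP, the raw request path and the list of matching signature names.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode before matching: attackers encode quotes and spaces precisely so
    # that a matcher working on the raw URL misses them.
    query = unquote_plus(m.group("path").partition("?")[2])
    hits = [name for name, rx in SQLI_SIGNATURES if rx.search(query)]
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}


def suspicious_requests(lines):
    """Return only the parsed requests that matched at least one signature."""
    return [r for r in map(classify, lines) if r and r["hits"]]


if __name__ == "__main__":
    for req in suspicious_requests(LOG_LINES):
        print(req["ip"], req["path"], ",".join(req["hits"]))
```

The second and third lines are flagged (a quoted tautology and a UNION SELECT with a trailing comment); the fourth, a search for "o'reilly", is not, which is the point of matching on a SQL pattern rather than on any stray apostrophe. The large response size on the flagged tautology request (9813 bytes versus 512 for the legitimate lookup) is the sort of secondary signal worth correlating with a hit.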

There are also Web application security scanners that can be used for SQL injection scanning, as well as for finding other classes of vulnerabilities. Run the scanner against your Web apps on a regular basis, and include a scan in the company's SDLC methodology so that applications are examined before they go into production, not only after. There are also companies that provide Web app scanning services, which could be used on high-value Web apps where security is of the utmost importance.

This was last published in September 2011
