Even though they've been around forever, SQL injection attacks are still one of attackers' most common hacks (including a recent successful attack on Barracuda Networks). What are some best practices for eradicating SQL injection vulnerabilities? Is there some sort of monthly scan process we can put in place to detect and prevent them?
SQL injection attacks are still one of the most successful and commonly used attacks for compromising Web applications. One best practice for eradicating SQL injection vulnerabilities is following the recommendations in the OWASP SQL Injection Prevention Cheat Sheet. OWASP lists three primary defenses: using prepared statements (parameterized queries), using stored procedures (only when they do not themselves build dynamic SQL from their inputs), and escaping all user-supplied input (the weakest of the three, and a last resort). It then lists two additional defenses: enforcing least privilege on the database accounts the application uses, and allowlist (white list) input validation, which is the right tool for parts of a query that cannot be parameterized, such as column names and sort order. Corporate Web app developers should be trained on these techniques, and the techniques should be built into the organization's software development life cycle (SDLC) rather than applied ad hoc.
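To make the first and last of those defenses concrete, the following is an added example (it is not code from the original answer or from OWASP). It uses Python's standard sqlite3 module against a constructed in-memory table, and shows the same lookup written vulnerably and as a prepared statement, plus allowlist validation for an ORDER BY column, which a bound parameter cannot protect. Table and column names, the sample rows and the payload string are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample database for the example; not from the original page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Deliberately vulnerable: untrusted input is spliced into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Prepared statement: the query text is fixed and the value is bound
    # separately, so quotes and keywords inside it are only data.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for identifiers. Column names cannot be bound as parameters,
# so the only safe way to let a user pick the sort column is to check it
# against a fixed set and refuse anything else.
ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def list_users_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_col)
    return conn.execute(
        "SELECT id, name FROM users ORDER BY " + sort_col
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology; constructed for the example
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row comes back
    print("safe:      ", find_user_safe(db, payload))        # no row has that literal name
    print("sorted:    ", list_users_sorted(db, "name"))
    try:
        list_users_sorted(db, "name; DROP TABLE users")
    except ValueError as e:
        print("rejected:  ", e)
```

The tautology payload turns the vulnerable query into `WHERE name = '' OR '1'='1'`, which matches every row; the bound version looks for a user whose name is literally the payload string and finds nothing. The same pattern applies to every database driver that supports placeholders (`?`, `%s`, `:name`, `$1`, depending on the driver); string formatting before the call to execute is what must never happen.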
Following the OWASP recommendations will help eliminate SQL injection vulnerabilities, but there are other tools that can be used to detect and prevent them. You can use an existing IDS to detect SQL injection attempts, provided it can see the decrypted HTTP traffic (a network IDS watching only encrypted sessions sees nothing useful), but there are dedicated tools, like Web application firewalls (WAF), that can detect and block the attacks. WAFs are typically deployed in front of a Web application so they can inspect all of the Web traffic to the server and block the malicious requests. Treat a WAF as a compensating control that buys time: attackers work around signatures with encoding and syntax variations, so the code itself still has to be fixed.
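As an added example of what IDS- and WAF-style detection of SQL injection looks like at its simplest (this is illustrative code written for this page, not the logic of any product mentioned in the answer), the following Python scans constructed Apache-style access log lines, decodes each query-string value and matches it against a handful of signatures. The log lines, paths, parameter names and signatures are all made up for the example; a real WAF rule set is far larger and also normalizes case, comments, whitespace and nested encodings.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample log lines (combined-log style); not from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2011:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2011:10:00:02 +0000] "GET /item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jun/2011:10:00:03 +0000] "GET /search?q=books%20union%20select%20user%2Cpass%20from%20accounts HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jun/2011:10:00:04 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 300
10.0.0.9 - - [01/Jun/2011:10:00:05 +0000] "GET /item?id=1%3B%20DROP%20TABLE%20users HTTP/1.1" 500 0
"""

# Minimal signature set, chosen for the example. Each entry is (name, regex).
SIGNATURES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[^=]+=", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment_terminator", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_value(value):
    """Return the name of the first signature the decoded value matches, or None."""
    # parse_qsl already decoded once; decode again so a double-encoded
    # payload (%2527 -> %27 -> ') is seen the way the back end would see it.
    decoded = unquote_plus(value)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def scan_log(text):
    """Yield one finding per suspicious query parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hit = classify_value(value)
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": param,
                    "signature": hit,
                    "value": unquote_plus(value),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ip)s %(path)s %(param)s=%(value)r -> %(signature)s" % f)
```

Run over the sample, the scanner flags three of the five requests (the tautology, the UNION SELECT and the stacked DROP) and leaves the legitimate `O'Brien` search alone, which is exactly the trade-off a signature engine faces: a lone apostrophe is not an attack, so rules have to look for SQL structure around it, and every such rule has bypasses. That is why the detection layer complements, and does not replace, parameterized queries in the application.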
There are also Web application security scanners that can be used for SQL injection scanning, as well as for scanning for other vulnerabilities. Run the scanner against the Web apps on a regular schedule (monthly is a reasonable floor, with an extra scan after any significant code change), and include a scan in the company's SDLC methodology so applications are examined before they go into production. Keep in mind that a scanner only finds what it can reach and exercise, so it confirms the presence of a flaw more reliably than its absence. There are also companies that provide Web app scanning and manual testing services that could be used on high-value Web apps, where security is of the utmost importance.
Related Q&A from Nick Lewis