Published: 08 Oct 2009
Development errors that leave a custom Web application prone to a SQL injection attack are still not being addressed, and that's a problem because of rampant attacks against Web-facing applications. Custom Web apps are attractive because they're relatively simple to deploy. But coders often fail to address security, nor do they test apps for vulnerabilities prior to production.
A recent SANS Institute report on the top cyber security risks of 2009 was harsh on the continued problem of SQL injection flaws and called for a renewed focus on technology solutions to prevent SQL injection, and education of developers about the problem.
"It's going to be impossible to do security without some kind of augmentation to improve both our ability to see things as they happen and to figure out problems as they come along," says Jim Molini, a Microsoft security professional and an architect of the new Certified Secure Software Lifecycle Professional (CSSLP) certification. "The innovations that I expect to see at some point in the area of software security are going to involve that, whether it's some kind of automated cognition or automated intelligent response to these things."
By targeting SQL injection errors, attackers are going for the lowest hanging fruit. Automated scripts and free penetration tools have caused a set-it-and-forget-it mentality among attackers. And it's working. Web application vulnerability flaws in open source and custom-built applications account for more than 80% of the vulnerabilities being discovered, the SANS Institute report says. The report recommends IT organizations to focus on patching Web-facing client-side applications, and detect and repair website vulnerabilities.
Rohit Dhamankar, director of security research at TippingPoint's DVLabs says awareness and education are important, but organizations also seem to be dropping the ball when it comes to security testing of applications internally or through third parties before the application is deployed in production. By doing so, major flaws are slipping through because of inadvertently insecure programming practices. For example, some coders use SQL injection as a development shortcut by embedding arbitrary SQL queries in a URL, rather than coding them into the application on the back end. Attackers could manipulate the URL by injecting a malicious SQL query and reach backend databases, experts say.
"If the development organizations ensure that their employees have gone through secure programming practices and courses, it would lead to a decrease of such incidents," Dhamankar says. "From a security technology perspective, the companies could use intrusion prevention systems or Web application firewalls (WAFs) to stop such attacks."
A large number of outsourced applications forced Chad Lorenc to take a look at the security of Web-facing and internal applications. Lorenc, information security and risk management specialist at scientific instruments and analysis equipment maker Agilent Technologies, turned to a WAF from Imperva to boost security among internal developers and understand the basics of data flow within the company environment.
Lorenc said the analysis provided by the WAF helped the company realize the different ways applications were being accessed by internal and remote employees, contractors, customers and partners. Programmers were happy to see peaks and calls of their applications, and were able to tweak them to improve performance. Penetration testers were able to identify weaknesses in applications and fix them without rebuilding the flawed application from scratch.
"As we monitored and allowed all these transactions to go, it allowed us to build profiles that helped us define the behavior of these applications," Lorenc said. "Very quickly without our interaction we found a consistent behavior of an application. We could find anomaly behaviors and red flags that signaled abuse."
Whether it is technology provided by a WAF or increased education and awareness provided to software coders and end users, the SANS Institute report makes it clear that once hackers find a hole, the risk of passing SQL instructions directly into a backend database rises precipitously, especially for financial institutions and retailers.
Digital investigations expert and SANS Institute instructor, Rob Lee of Mandiant, says attackers go in through the public facing websites in order to gain access to the credit card data on the backend side, he says.
"The attackers themselves, from the nation-state actors to the organized criminals who are involved here, are extremely organized in their methodology," Lee says. "They know what they're doing. There's a big payoff as a result of this and they're quite good."