Attackers will continue to find websites vulnerable to SQL injection despite Microsoft's recent advisory identifying tools to help companies check whether their websites are vulnerable and their code is secure.
A major shift in secure software development is needed to bolster code and defend against Web-based attacks, said Billy Hoffman, lead security researcher for the Web Security Research Group at HP. Hoffman called Microsoft's advisory a wake-up call for people involved in the software development lifecycle, but stopped short of calling it a stopgap measure.
"No security solution will work unless you have executive buy-in," Hoffman said. "Security is something that executives, vice presidents of development and directors of engineering need to be aware of and pushing throughout the lifetime of development. Right now that's not happening."
So far, as many as 600,000 websites have been successfully attacked using automated toolkits designed to let novice hackers easily target vulnerable sites. Microsoft identified several free tools that could be used to defend against the recent massive SQL injection attacks: UrlScan, which blocks HTTP requests; Microsoft Source Code Analyzer for SQL Injection, which detects ASP code susceptible to SQL injection; and Scrawlr, a vulnerability scanner that identifies faulty code in websites.
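To make concrete what "ASP code susceptible to SQL injection" means and what a source-code analyzer looks for, here is an added example (not code from the article, from Microsoft's tools, or from HP). It uses Python's bundled sqlite3 module with a constructed in-memory table: `lookup_unsafe` concatenates user input into the query text, `lookup_safe` binds it as a parameter, and `flag_concatenated_sql` is a deliberately simple line-level heuristic, in the spirit of a source analyzer, that flags lines where an SQL statement string is joined to a variable with `+` or `&`. The sample source lines it scans are constructed, ASP-style snippets.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Susceptible pattern: the input becomes part of the SQL text, so it can
    alter the statement's structure instead of acting only as a value."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: parameter binding keeps the input as data; the query
    structure is fixed before the value is supplied."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Heuristic static check. SQL_KEYWORD spots a statement in the line; CONCAT
# spots a string literal joined to an identifier with + (Python, JS, C#) or
# & (VBScript / classic ASP). It ignores multi-line builds and will produce
# some false positives, which is the trade-off simple scanners make.
SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete)\b", re.I)
CONCAT = re.compile(r'"\s*[+&]\s*\w+|\w+\s*[+&]\s*"')


def flag_concatenated_sql(source_lines):
    """Return (line_number, stripped_line) for lines that contain both an SQL
    keyword and string concatenation with a variable."""
    hits = []
    for number, line in enumerate(source_lines, 1):
        if SQL_KEYWORD.search(line) and CONCAT.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed ASP-style lines: the first builds a query from request input,
# the second uses a placeholder, the third concatenates but is not SQL.
SAMPLE_SOURCE = [
    'Set rs = conn.Execute("SELECT * FROM items WHERE id = " & Request("id"))',
    'Set rs = conn.Execute("SELECT * FROM items WHERE id = ?")',
    'Response.Write("Hello " & userName)',
]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("unsafe, normal input:", lookup_unsafe(db, "alice"))
    print("unsafe, crafted input:", lookup_unsafe(db, crafted))  # both rows
    print("safe, crafted input:  ", lookup_safe(db, crafted))    # no rows
    for number, text in flag_concatenated_sql(SAMPLE_SOURCE):
        print(f"line {number}: possible SQL injection: {text}")
```

The two lookups show why the analyzer's target pattern matters: with the same crafted value, the concatenating version returns every row because the input rewrote the WHERE clause, while the parameterized version simply finds no user with that literal name. The scanner deliberately flags only the pattern it can recognize on one line; a real analyzer tracks data flow across statements, which is also why Chapman, later in the article, argues for more robust source-code tools.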
Hoffman, who was on the original SPI Dynamics team that designed the Scrawlr vulnerability scanner, said the tool is essentially a scaled-down version of HP WebInspect, Web application security testing software. Despite not being remotely as robust as WebInspect, the Scrawlr tool can still help detect whether a website is vulnerable, he said. Ultimately, Microsoft has a huge developer audience, and putting the tools in their hands could help bolster the secure coding movement, Hoffman said.
Other researchers are not as optimistic about Microsoft's approach. Dancho Danchev, an independent security consultant and researcher who has been following the SQL injection attacks, called the Microsoft advisory a standard public relations practice. Still, it's good that Microsoft is raising awareness about the issue, he said.
"Releasing free self-auditing tools with limited capabilities can cause more harm than actually doing something good, since people wouldn't bother using more sophisticated self-auditing tools, and will enjoy a false feeling of safety," Danchev said. "The irony is that average SQL injection scanners released by malicious parties have more advanced scanning and injection capabilities than the free ones released by Microsoft."
The SQL injection attacks have been carried out using the Asprox Trojan, which installs itself on victims' machines and then spreads by using Google to search for websites vulnerable to SQL injection attacks.
Nick Chapman, a security researcher with managed security services firm SecureWorks, said it will take an entirely new mindset to get security ingrained in the development lifecycle. Time is money, and many businesses push faster development times over more secure code, he said.
"There's been a lack of knowledge and concern within the enterprise," he said. "It's cheaper if you develop more quickly and less quality code so that's what happens all the time."
Chapman called the free tools a good start, but said developers should be using more robust tools to look at source code and discover areas that could be exploited. Security pros should be using black-box tools to review Web applications from the outside. But companies need a more compelling argument to use more robust tools, he said.
"The damage is divorced from the application," Chapman said. "You probably won't notice right away; damage is not done to you, it's done to your customers."