Opinion

Security Think Tank: SQLi is basically a process problem

Attack data from IBM's X-Force Labs, Symantec Labs and others continues to show that SQL Injection remains one of the most common forms of attacks on web-enabled applications. This isn't a new problem, so why does SQL injection remain an ongoing threat?

At one level, the answer to SQL injection is straightforward: ensure that developers sanitise (whitelist) all input – not only user keyboard input into fields on a web application, but also input from data files and configuration files, and input arriving through network-based application interfaces. If this straightforward advice were followed, SQL injection (and cross-site scripting, for that matter) would be virtually eliminated. The good news is that there is a robust set of tools and services to help organisations identify security vulnerabilities in web applications.
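As an added illustration of the advice above (example code written for this page, not from the article or from Gartner), the following Python script places a whitelist check and a parameterised query beside the string-concatenation pattern that causes SQL injection. The table, the usernames and the tainted input are constructed for the example; the "vulnerable" lookup is kept only to show why data reaching the SQL parser is the root cause. The final function is the shape of an automated regression check that a development process could run on every build.

```python
import re
import sqlite3

# Whitelist for usernames: lower-case letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory sample table; not data from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def validate_username(value):
    """Whitelist check: only the characters and length the application expects pass."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username rejected by whitelist")
    return value


def lookup_vulnerable(conn, username):
    """'Before' form: input is spliced into the SQL text, so the database parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: whitelist first, then a parameterised query so input is only ever data."""
    username = validate_username(username)
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def security_regression_check():
    """The kind of automated test a development process can run on every build.

    Returns True when an input containing a quote character is (a) handed to the SQL
    parser by the concatenating version, (b) rejected by the whitelist in the hardened
    version and (c) treated as an inert literal by parameter binding on its own.
    """
    conn = make_db()
    tainted = "al'ice"  # constructed input; the apostrophe is the point
    try:
        lookup_vulnerable(conn, tainted)
        reached_parser = False
    except sqlite3.OperationalError:
        reached_parser = True  # the quote broke the statement: data became code
    try:
        lookup_safe(conn, tainted)
        rejected = False
    except ValueError:
        rejected = True
    # Parameter binding alone also keeps the quote inert (defence in depth behind the whitelist).
    literal = conn.execute("SELECT username FROM users WHERE username = ?", (tainted,)).fetchall()
    return reached_parser and rejected and literal == []


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))
    print("regression check passed:", security_regression_check())
```

The whitelist and the parameterised query do different jobs: the whitelist keeps unexpected data out of the application entirely, while parameter binding guarantees that whatever does get through can never be interpreted as SQL. Applying the same validate-then-bind pattern to values read from data files, configuration files and network interfaces is what the article's "all input" means in practice.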


So why do SQL injection vulnerabilities remain? This is the more complex level of the problem, and it comes down to this: technology alone cannot solve what is fundamentally a process problem. To stop web application vulnerabilities, developers and development processes must change. Changing developers and developer behaviour, however, is the harder part.

Developers need to be trained. Standard input sanitisation libraries need to be adopted. Software development processes need to be changed to incorporate security testing. Testing tools can help to automate the security testing and make it more consistent across development teams, but people and development process changes must come first.

Finally, if you don't have the resources to test web applications internally, testing-as-a-service (TaaS) providers are available to deliver this as a predictable, repeatable subscription service.


Neil MacDonald is VP and fellow at Gartner Information Security, Privacy and Risk Research


This was first published in September 2012
