Security Think Tank: SQLi is basically a process problem

Why does SQL injection remain a successful way of attacking web applications?

Attack data from IBM's X-Force Labs, Symantec Labs and others continues to show that SQL injection remains one of the most common forms of attack on web-enabled applications. This isn't a new problem, so why does SQL injection remain an ongoing threat?

At one level, the answer to SQL Injection is straightforward: ensure that developers sanitise (whitelist) all input – not only user keyboard input into fields on a web application, but also input from data files, configuration files as well as input to network-based application interfaces. If this straightforward advice were followed, SQL injection (and cross-site scripting for that matter) would be virtually eliminated. The good news is that there is a robust set of tools and services to help organisations identify security vulnerabilities in web applications.

So why do SQL injection vulnerabilities remain? This is the more complex level of the problem and it comes down to this: technology alone cannot solve what is fundamentally a process problem. To stop web application vulnerabilities, developers and development processes must change. However, changing developers and developer behaviour is far more difficult than deploying technology.

Developers need to be trained. Standard input sanitisation libraries need to be adopted. Software development processes need to be changed to incorporate security testing. Testing tools can help to automate the security testing and make it more consistent across development teams, but people and development process changes must come first.
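The two points above, whitelisting (allowlisting) input and adopting a standard sanitisation library, are easier to agree with than to apply, so here is an added worked example that is not from the article or from Gartner. It uses Python's built-in sqlite3 module against constructed in-memory sample data; the table, column and function names are assumptions. It shows the vulnerable pattern (splicing a caller's string into SQL text), the hardened pattern (an allowlist for values whose shape is constrained, bound parameters for everything else), and the caveat that parameters cannot bind identifiers such as a sort column, which therefore need their own allowlist.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "display_name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name, role) VALUES (?, ?, ?)",
        [("alice", "Alice Adams", "admin"),
         ("bob", "Bob Brown", "user"),
         ("dave", "Dave O'Brien", "user")],
    )
    return conn

def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's string becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Allowlist for a value whose legitimate shape is narrow (hypothetical policy).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then bind the
    value as a parameter so the database never parses it as SQL."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Identifiers (column names) cannot be bound as parameters, so they get an
# allowlist of their own rather than any form of escaping.
SORT_COLUMNS = {"username", "display_name"}

def search_display_name(conn: sqlite3.Connection, needle: str,
                        sort_by: str = "username") -> list:
    """Free-text search: a display name may legitimately contain a quote
    (O'Brien), so stripping quotes would be wrong; binding the value is
    what makes it safe. The sort column is checked against SORT_COLUMNS."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError("sort column rejected by allowlist")
    # Note: % and _ are LIKE wildcards; they are not an injection risk, but
    # escape them (with an ESCAPE clause) if exact substring search is needed.
    sql = (f"SELECT username, display_name FROM users "
           f"WHERE display_name LIKE ? ORDER BY {sort_by}")
    return conn.execute(sql, ("%" + needle + "%",)).fetchall()

def is_rejected(fn, *args) -> bool:
    """True if fn raises ValueError for these arguments (used for checks)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe rows:", len(find_user_unsafe(conn, probe)))   # every user
    print("safe rejects:", is_rejected(find_user_safe, conn, probe))
    print("search:", search_display_name(conn, "O'Br"))
```

The point for a development process: the allowlist regex and the SORT_COLUMNS set are the kind of thing a shared, standard library should own, so that every team's code calls the same checks instead of each developer deciding what to strip.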

Finally, if you don't have the resources to test web applications internally, testing-as-a-service (TaaS) providers are available to deliver this as a predictable, repeatable subscription service.


Neil MacDonald is VP and fellow at Gartner Information Security, Privacy and Risk Research

This was last published in September 2012
