Despite being the most common form of vulnerability in web applications for years, and many thousands of articles being written on the subject, SQL injection (SQLi) remains a viable, and profitable, way to attack web applications.
The reason it remains viable, despite all the published material on how to avoid it, lies in a combination of problems.
A lack of security awareness in some development teams means that application code is commonly not secured against the threat.
This undermines the whole application, and when fixes are implemented later they are often applied to just one area, leaving other parts of the application vulnerable.
More ingenious methods of avoiding counter-measures are always being developed, because the prize is so great.
Without an immediate tangible benefit from security training and testing, some corporations have been cutting budgets. However, the much-publicised recent attacks have highlighted the risks that come from a lack of IT security spending.
The ways to prevent SQLi have not changed – they just need to be implemented.
An investment in security training and testing will provide developers with the skills to code applications without the technical errors that lead to SQL injection vulnerabilities, and the reassurance that the application has been rigorously tested.
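The technical error the article refers to is almost always the same one: building the SQL statement by splicing user input into the query text. The following is an added example, not code from the original article or its author, showing that defect beside its fix (a parameterised query, where the database driver sends the input as data rather than as part of the statement). The table, the user rows and the inputs are constructed for the demonstration and use SQLite in memory so it runs offline; the function names are the example's own.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """VULNERABLE: the input is pasted into the SQL text.

    A quote character in `name` ends the string literal early and the
    remainder of the input becomes part of the statement itself.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """HARDENED: the SQL text is fixed; `name` travels as a bound parameter.

    Whatever characters the input contains, it can only ever be compared
    against the name column, never interpreted as SQL.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each returns.

    The concatenating version may also fail outright on legitimate input
    containing an apostrophe, so its database errors are reported as a
    string instead of propagating.
    """
    conn = make_db()
    try:
        try:
            concat_result = lookup_concat(conn, name)
        except sqlite3.Error:
            concat_result = "query error"
        return {"concat": concat_result, "param": lookup_param(conn, name)}
    finally:
        conn.close()


if __name__ == "__main__":
    # Normal input: both versions agree.
    print(compare("alice"))
    # Classic textbook injection string: the concatenated query returns every
    # row because the WHERE clause has been rewritten; the parameterised query
    # returns nothing because no user has that literal name.
    print(compare("' OR '1'='1"))
    # Legitimate apostrophe: concatenation produces a syntax error, the
    # parameterised version simply finds the user.
    print(compare("O'Brien"))
```

The point the article makes about partial fixes applies here too: moving one query to `lookup_param` while another page still builds SQL by concatenation leaves the application exposed. The parameterised form belongs in the shared data-access code so that every query gets it, and a code review or static scan for string-built SQL is the check that confirms none has been missed.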
Peter Wood is a member of the London Chapter ISACA Security Advisory Group and CEO of First Base Technologies.
This was first published in September 2012