Opinion

Security Think Tank: Several factors feed SQLi attacks

Despite being the most common form of vulnerability in web applications for years, and despite the many thousands of articles written on the subject, SQL injection (SQLi) remains a viable, and profitable, way to attack web applications.

The reason it remains viable, despite all the published material on how to avoid it, lies in a combination of problems.

A lack of security awareness in some development teams means that application code is commonly not written to resist the threat.

This undermines the whole application, and when fixes are implemented later they often cover only one area, leaving other parts of the application vulnerable. A typical case is escaping input at a single entry point, or in string contexts only, rather than parameterising every query.

More ingenious methods of evading countermeasures are always being developed, because the prize is so great.

Without an immediate, tangible benefit from security training and testing, some corporations have been cutting budgets. However, the much-publicised recent attacks have highlighted the risks that come from a lack of IT security spending.

The ways to prevent SQLi have not changed: parameterised queries (prepared statements) for every statement, validation of untrusted input, and least-privilege database accounts. They just need to be implemented, and implemented consistently.

An investment in security training and testing gives developers the skills to write applications without the technical errors that lead to SQL injection vulnerabilities, and gives the business the reassurance that the application has been rigorously tested.
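To make the two points above concrete (the partial fix that covers only one area, and the unchanged prevention technique), here is an added example. It is not code from the original article or from First Base Technologies; it uses Python's built-in sqlite3 module against a constructed in-memory user table, and the function names, sample users and attack payloads are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample user store standing in for a web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: attacker input becomes SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    """Sends the statement and the values separately; the driver binds them as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def lookup_by_id_partial_fix(conn, user_id):
    """The 'fix' that patches only one area: single quotes are doubled, which
    does nothing in a numeric context, where no quote is needed to break out."""
    escaped = str(user_id).replace("'", "''")
    sql = f"SELECT username, role FROM users WHERE id = {escaped}"
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterised(conn, user_id):
    """Bound parameter: the value stays a value whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Runs the constructed payloads against each variant and returns the outcomes."""
    conn = make_db()
    # Assumed payload: closes the username literal, then "--" comments out the
    # rest of the line, so the password check never runs.
    payload_user = "alice' --"
    return {
        "vuln_login": login_vulnerable(conn, payload_user, "wrong"),
        "safe_login": login_parameterised(conn, payload_user, "wrong"),
        "honest_login": login_parameterised(conn, "bob", "hunter2"),
        # Assumed payload for the numeric context: no quote in it at all.
        "partial_fix": lookup_by_id_partial_fix(conn, "1 OR 1=1"),
        "safe_lookup": lookup_by_id_parameterised(conn, "1 OR 1=1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the vulnerable login returning alice's admin row for a wrong password, the parameterised login returning nothing for the same input, and the quote-escaping "fix" still returning every user when the injection point is numeric; only the bound parameter closes both holes, which is why the fix has to be applied to every statement rather than to the one place a tester happened to find.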


Peter Wood is a member of the London Chapter ISACA Security Advisory Group and CEO of First Base Technologies.


This was first published in September 2012
