Security Think Tank: SQLi is basically a process problem

Why does SQL injection remain a successful way of attacking web applications?

Attack data from IBM's X-Force Labs, Symantec Labs and others continues to show that SQL injection remains one of the most common forms of attack on web-enabled applications. This isn't a new problem, so why does SQL injection remain an ongoing threat?

At one level, the answer to SQL injection is straightforward: ensure that developers sanitise (whitelist) all input – not only user keyboard input into fields on a web application, but also input from data files and configuration files, and input arriving over network-based application interfaces. If this straightforward advice were followed, SQL injection (and cross-site scripting, for that matter) would be virtually eliminated. The good news is that there is a robust set of tools and services to help organisations identify security vulnerabilities in web applications.
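The whitelisting advice above, shown as a worked example added here (not code from the original column or from Gartner): an allowlist validator plus a parameterised query beside the string-spliced form it replaces. The table, rows and the username pattern are constructed for the example; a real allowlist comes from the application's own data model.

```python
import re
import sqlite3

# Constructed in-memory database with sample rows (not real data).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Vulnerable form: the untrusted value is spliced into the SQL text, so a
# quote character in the input changes the structure of the query.
def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

# Allowlist (whitelist) validator: the only accepted shape for a username.
# The pattern is an assumption made for this example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return username

# Hardened form: allowlist validation first, then a parameterised query so
# the driver always passes the value as data, never as SQL text.
def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    safe = validate_username(username)
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (safe,))
    return [row[0] for row in rows]

def demo() -> dict:
    conn = build_db()
    tainted = "x' OR 'a'='a"  # constructed input containing a quote
    result = {
        "vulnerable": find_user_vulnerable(conn, tainted),   # every row leaks
        "hardened_normal": find_user_hardened(conn, "alice"),
    }
    try:
        find_user_hardened(conn, tainted)
        result["hardened_tainted"] = "accepted"
    except ValueError:
        result["hardened_tainted"] = "rejected"
    return result

if __name__ == "__main__":
    print(demo())
```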

So why do SQL injection vulnerabilities remain? This is the more complex level of the problem, and it comes down to this: technology alone cannot solve what is fundamentally a process problem. To stop web application vulnerabilities, developers and development processes must change. However, changing developers and developer behaviour is more difficult.

Developers need to be trained. Standard input sanitisation libraries need to be adopted. Software development processes need to be changed to incorporate security testing. Testing tools can help to automate the security testing and make it more consistent across development teams, but people and development process changes must come first.

Finally, if you don't have the resources to test web applications internally, testing-as-a-service (TaaS) providers are available to deliver this as a predictable, repeatable subscription service.

Neil MacDonald is VP and fellow at Gartner Information Security, Privacy and Risk Research
