Security Think Tank: Several factors feed SQLi attacks

Why does SQL injection remain a successful way of attacking web applications?

Despite being one of the most common vulnerability classes in web applications for years, and the subject of many thousands of articles, SQL injection (SQLi) remains a viable, and profitable, way to attack web applications.

The reason it remains viable, despite all the published material on how to avoid it, lies in a combination of problems.

A lack of security awareness in some development teams means that application code is commonly not written to resist the threat in the first place.

This undermines the whole application, and when fixes are implemented later they are often applied to just one query or module, leaving other areas of the application vulnerable.

More ingenious methods of evading counter-measures are always being developed, because the prize is so great.

Without an immediate tangible benefit from security training and testing, some corporations have been cutting budgets. However, the much-publicised recent attacks have highlighted the risks that come from a lack of IT security spending.

The ways to prevent SQLi have not changed: keep untrusted input out of the SQL text (parameterised queries, not string concatenation) and apply that consistently across the whole codebase. They just need to be implemented.
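The following is an added example, not code from the article or from First Base Technologies, illustrating the two points above: a login query built by string concatenation, the same query with bound parameters, and a partial "fix" (escaping quotes) that protects a quoted string field but leaves an unquoted numeric field injectable. The database schema, the rows and the function names are constructed for the example and use Python's standard sqlite3 module.

```python
import sqlite3

# Added example, not code from the article. The schema, rows and function
# names are constructed for illustration.


def make_db():
    """Create an in-memory SQLite database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input concatenated into the SQL text: the injectable pattern."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    """Same query with bound parameters: the input is treated as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def escape_quotes(value):
    """A typical partial fix: double single quotes so a string literal cannot be closed."""
    return value.replace("'", "''")


def user_by_id_escaped(conn, user_id):
    """Quote-escaping applied to a numeric field that is never quoted: still injectable."""
    sql = "SELECT username FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def user_by_id_parameterised(conn, user_id):
    """Bound parameter: a non-numeric id matches nothing instead of altering the query."""
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    bypass = "alice' --"       # closes the literal, comments out the password check
    dump = "' OR '1'='1' --"   # makes the WHERE clause true for every row
    print(login_vulnerable(db, bypass, "wrong"))        # ['alice']
    print(login_vulnerable(db, dump, "wrong"))          # ['alice', 'bob']
    print(login_parameterised(db, bypass, "wrong"))     # []
    print(user_by_id_escaped(db, "1 OR 1=1"))           # ['alice', 'bob']
    print(user_by_id_parameterised(db, "1 OR 1=1"))     # []
```

The escaped variant shows why fixing "just one area" is not enough: the quote-doubling helper is correct for string literals, yet any query that interpolates an unquoted value (numbers, column names, ORDER BY clauses) is untouched by it. Binding parameters everywhere removes the whole class of mistake rather than one instance of it.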

An investment in security training and testing gives developers the skills to write applications without the technical errors that lead to SQL injection vulnerabilities, and gives the business the reassurance that the application has been rigorously tested.

Peter Wood is a member of the London Chapter ISACA Security Advisory Group and CEO of First Base Technologies.