SQL injection attacks are becoming more prevalent and sit at the top of the list of risks to database security. At one time, many considered a certain amount of SQL injection exposure an expected tradeoff for getting the application to work. As each vulnerability was identified it would be addressed, either with a fix or by rewriting the code completely, but that practice brings a new batch of problems, and by then the application is already in production.
Identified Target: Microsoft SQL Server
In the race to get a product to market ahead of the competition, application developers often overlook best practices in coding and testing. Taking shortcuts and ignoring the possibility that vulnerabilities exist points to a growing trend of apathy among developers and testers, and the result is sloppy code. Applications are then deployed without their security and privacy flaws being identified and fixed. Akamai has identified that Internet attacks originating in China accounted for one third of all attacks observed during the third quarter of 2012. The primary focus of these attacks? Microsoft SQL Server.
1 Threat: Web Forms
SQL injection is the most common of all website attacks. Any website feature that serves dynamic content is exposed to SQL injection. The threat through web forms is heightened by a simple fact: for legitimate visitors to submit or retrieve information on your site, the application must have some level of access to the database to carry out the interaction.
Because these forms and their code often come from different sources, vulnerabilities can escape detection without proper testing. In particular, if a form is not coded correctly, an attacker may simply enter SQL commands into its fields and gain access to your data. Attackers can reach not only data stored on the web server, but also data on other servers on your network.
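As an added illustration (not code from the original article or from Veracode), the form-handling defect described above and its fix, side by side. It uses sqlite3 as an offline stand-in for SQL Server; the table, the account and the submitted form values are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's SQL Server database.
    # sqlite3 keeps the example self-contained; the defect and the fix are the
    # same with a SQL Server driver, only the connection differs.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Form fields are pasted straight into the query text, so whatever the
    # visitor types becomes part of the SQL statement the server parses.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # The query text is fixed; form values travel as bound parameters and are
    # only ever compared as data, never interpreted as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Constructed form submission: a quote followed by a tautology in the
    # password field. The concatenating handler accepts it for any username;
    # the parameterized handler treats it as a (wrong) literal password.
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_crafted": login_vulnerable(conn, "alice", crafted),
        "vuln_unknown_user": login_vulnerable(conn, "nobody", crafted),
        "param_legit": login_parameterized(conn, "alice", "s3cret"),
        "param_crafted": login_parameterized(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The same parameter-binding discipline applies to every field a form sends, not just login credentials.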
The risk for a SQL injection attack increases depending upon:
- Frequency of updates and patches made to applications and equipment
- The age of your applications and equipment
- How many servers, applications, and website access points are in use
- If you are outsourcing your IT resources or if your in-house IT department is over-tasked
Therefore, according to Fergal Glynn of Veracode.com, “it is important to address these issues and perform frequent vulnerability scans to identify possible SQL injection issues, as your best line of defense.” A review by a third-party source should also be performed on a regular basis. Granted, vulnerability and penetration testing are an added expense, but compared with the damage that attackers could do to your data and your company’s credibility, it is a worthwhile investment.
Need for Awareness and Increased Testing
Valuable time, resources, and most importantly money will be saved by focusing on and testing for SQL injection vulnerabilities before applications move into production. A major part of this is scanning for vulnerabilities and performing penetration testing along the way. Yes, this may take more time and add to the cost of development. However, it helps ensure that the final product is as secure as possible against all known threats before it goes into production, and it averts potentially serious financial loss for enterprises and end users.
Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in secure software supply chain and other security breaches, with effective risk assessment tools such as its secure software supply chain toolkit.