
Why Does SQL Injection Still Exist?

Dave Lewis | Aug. 3, 2015
After having spent the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we're still talking about SQL injection as a problem.


So, what is SQL injection, you might ask? It is a method of attacking web applications that sit in front of a data repository. The attacker sends a specially crafted SQL (Structured Query Language) statement that is designed to cause some malicious action. These statements succeed far too often because many web applications do not sanitize their inputs.
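To make the point concrete, here is an added example (not code from the article or its author) that puts the unsafe pattern beside the fix. The table, the rows, the lookup functions and the crafted input value are all constructed for this demonstration; it uses only Python's standard sqlite3 module, so it runs offline.

```python
import sqlite3

# Constructed sample database: an in-memory SQLite table standing in for the
# data repository behind a web application (not from the original article).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is pasted straight into the SQL text. The database
    # cannot tell data from code, so a crafted value changes the query.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The query text is fixed; the value travels separately as a bound
    # parameter and is only ever treated as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# Hypothetical crafted input of the kind the article describes (constructed
# for this demo): it closes the string literal and appends a condition that
# is always true.
CRAFTED_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal value and with the crafted value."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_crafted": lookup_vulnerable(conn, CRAFTED_INPUT),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
        "parameterized_crafted": lookup_parameterized(conn, CRAFTED_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query, the crafted value turns a single-user lookup into a dump of every row; with the parameterized query, the same value matches nothing because it is compared literally as a username. A code review or static-analysis rule that flags string concatenation into SQL text is the cheapest gate to put in front of the "time to market" pressure the rest of the column discusses.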

The OWASP Top Ten is a collection of vulnerabilities that are of particular note. The problem that jumps out at me is that SQL injection has been on this list for the better part of a decade. Why does this continue to be the case? Well, there are contributing factors, to be certain. One of these is time-to-market pressure, which will most likely never be dealt with from a security perspective.

When you have a business leader whose bonus structure is tied to the delivery of a particular web application, an element of fear is introduced: fear that security will ultimately be bypassed in an effort to save money and avoid any roadblocks. This is not to say that this is a uniform problem across the board, but it does in fact happen, far more often than I care to admit. In previous day jobs I ran into this behavior on several occasions.

This needs to be addressed by baking the requirement for a security review as a gateway into business processes as well as the corporate culture. If corners are allowed to be cut and this behavior goes unpunished, a great deal of blame must be assigned to the senior management who permit it to continue. Whether this is done consciously or inadvertently does not obviate the responsibility of senior management to meet this behavior head on.

When corners are cut, things get missed. SQL injection is a perfect example of a lurking issue. When an application is rushed out the door, there is a real chance that problems will be introduced that can lead to a data breach.

The headlines have been littered with stories about data breaches, and a not insignificant portion of those are the result of SQL injection attacks. This is a solvable problem. As security practitioners, it is incumbent upon us to do a better job of making sure that this sort of problem does not continue.
