SQL injection placed No. 3 on Verizon's list of the 15 most common attacks in its data breach report. Preventing SQL injections can be the difference between data security and a screaming headline. Here are a few short tips on how to help protect your databases and applications.
On Dec. 6, a researcher posted proof
that he had compromised NASA Websites
via a SQL injection. Fortunately
for NASA, his motive appears to only have been to illustrate weaknesses in its sites.
Other entities, however, have not been so lucky. There were of course the
breaches of Heartland
Payment Systems and Hannaford Brothers,
but also mass
compromises affecting thousands of Websites.
For all the security tools on the market, SQL injection placed No. 3 on
Verizon's list of the 15
most common security attacks
(PDF) in its latest data breach report, issued
"At its most basic level, SQL injection attacks exploit a failure to
properly validate user input," Verizon wrote in the Verizon Business 2009 Supplemental
Data Breach Investigations Report. "This seems especially common with custom-developed
applications and Web front-ends ...On top of this, SQL injection attacks are
growing notably more sophisticated, especially for data compromise scenarios. [The
approach] is often used to gain deeper access into systems and plant malicious
With this in mind, eWEEK has compiled a list of tips for helping enterprises
deal with SQL injection attacks before hackers find their way in and turn a
security hole into a data breach.
According to Jeremiah Grossman, CTO
of WhiteHat Security, developers should use parameterized SQL statements using
ESAPI development frameworks. Developers should also make sure user input is
properly validated. Escaping dangerous characters is another way to deal with
"The key issue is educating Web developers about how to
build secure applications," said Phil Neray, vice president of security
strategy at Guardium, now an IBM company.
3) Use of technology: Many companies are not doing enough code scanning to
identify vulnerabilities. They should also be using tools such as Web
application firewalls and database monitoring technologies. "Proper use of
tools like these will definitely add to the assurance that everything has been
done to detect issues before they become major problems," said Brian
Monkman, firewall program manager for ICSA Labs.
4) Configuration management: Developers should suppress verbose error
messages so attackers have a tougher time getting to the bottom of why they
were thwarted. "Doesn't mean the vulnerability is fixed, but makes it
harder to exploit," Grossman said.
In sum, defending against SQL injection attacks requires a combination of
internal and external security.
"Consider where your critical data resides-
and how hackers and rogue insiders access that data-
said Steve Hurn, CEO of Secerno. "Develop
a strategy that delivers real-time security at both levels."