On Dec. 6, a researcher posted proof that he had compromised NASA Websites via a SQL injection. Fortunately for NASA, his motive appears to only have been to illustrate weaknesses in its sites.
Other entities, however, have not been so lucky. There were of course the breaches of Heartland Payment Systems and Hannaford Brothers, but also mass compromises affecting thousands of Websites.
For all the security tools on the market, SQL injection placed No. 3 on Verizon’s list of the 15 most common security attacks (PDF) in its latest data breach report, issued Dec. 9.
“At its most basic level, SQL injection attacks exploit a failure to properly validate user input,” Verizon wrote in the Verizon Business 2009 Supplemental Data Breach Investigations Report. “This seems especially common with custom-developed applications and Web front-ends. ... On top of this, SQL injection attacks are growing notably more sophisticated, especially for data compromise scenarios. [The approach] is often used to gain deeper access into systems and plant malicious software.”
With this in mind, eWEEK has compiled a list of tips for helping enterprises deal with SQL injection attacks before hackers find their way in and turn a security hole into a data breach.
1) Fixing the code: According to Jeremiah Grossman, CTO of WhiteHat Security, developers should use parameterized SQL statements, for example through ESAPI development frameworks. Developers should also make sure user input is properly validated. Escaping dangerous characters is another way to deal with SQL injection.
2) Developer education: “The key issue is educating Web developers about how to build secure applications,” said Phil Neray, vice president of security strategy at Guardium, now an IBM company.
3) Use of technology: Many companies are not doing enough code scanning to identify vulnerabilities. They should also be using tools such as Web application firewalls and database monitoring technologies. “Proper use of tools like these will definitely add to the assurance that everything has been done to detect issues before they become major problems,” said Brian Monkman, firewall program manager for ICSA Labs.
4) Configuration management: Developers should suppress verbose error messages so attackers have a tougher time getting to the bottom of why they were thwarted. “Doesn’t mean the vulnerability is fixed, but makes it harder to exploit,” Grossman said.
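As an added example (not code from the article or from the experts it quotes), the following Python script puts tips 1 and 4 side by side against an in-memory SQLite database: the string-concatenated query next to its parameterized and allow-listed replacement, and a request handler that returns only a generic failure message instead of a verbose database error. The table, sample rows, username pattern and test input are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn

def lookup_vulnerable(conn, username):
    # The defect: user input is spliced into the SQL text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    sql = "SELECT secret FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # The fix from tip 1: the input is bound to a placeholder, so the database
    # driver only ever sees it as a value, whatever characters it contains.
    sql = "SELECT secret FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Allow-list validation (also tip 1): accept only the characters a username
# legitimately needs. This pattern is an assumption made for the example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_validated(conn, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

def handle_request(conn, username):
    # Tip 4: the client gets a generic failure message; the query text and any
    # database error stay in server-side logs rather than in the response.
    try:
        return {"ok": True, "secrets": lookup_validated(conn, username)}
    except (ValueError, sqlite3.Error):
        return {"ok": False, "error": "request could not be processed"}

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input containing a quote character
    print(lookup_vulnerable(conn, probe))     # both rows: the WHERE clause was rewritten
    print(lookup_parameterized(conn, probe))  # []: the input stayed a literal username
    print(handle_request(conn, probe))        # generic error, no database detail leaked
```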
In sum, defending against SQL injection attacks requires a combination of internal and external security.
“Consider where your critical data resides (the database) and how hackers and rogue insiders access that data (applications),” said Steve Hurn, CEO of Secerno. “Develop a strategy that delivers real-time security at both levels.”