SQL Injection Attacks: The Menacing Maven of Internet Security is on the Rise

While SQL Injection Attacks are Growing in Frequency, Savvy Application Developers Can Find Enough Available Tools to Combat Them

SQL injection attacks are a very well known threat to Internet security, but the nitty-gritty behind the process is often a bit hazy to everyone except the most proficient Web connoisseurs. The recently successful Yahoo Voices and LinkedIn hacks have served to put SQL injection attacks squarely back on the map of public notoriety and rightfully so. While this form of security compromise has been lurking on the scene for years, it’s striking to see that it’s actually growing in prevalence. The ease of spawning these attacks, paired with the surplus of vulnerable websites and applications available to go after, make this type of data breach a prime choice for hackers. Here’s a look at some common mistakes to watch out for and simple saves that can help protect your important data from this type of attack.

Complacency equals vulnerability

It’s simply not okay to be stagnant. Organizations need to constantly audit and test their applications for vulnerabilities. As of May of this year, SQL injection attacks constituted a full 31 percent of attacks reported – the most common technique reported for the month. These attacks are a favorite of serial data thieves and are often automated, which only widens the scale at which they can be deployed. The staler your rules get, the greater the chances of someone inserting malicious commands into text fields or URLs. A website protected by many layers can be sheltered against these potentially catastrophic breaches, but even then, new rules need to be written frequently.

Web app firewalls need to start flexing their muscles

Some SQL injection attacks can get past Web application firewalls (WAFs), unfortunately. Implementing WAFs absolutely has merit and can be a solid protective layer, but recent incidents have shown that many WAFs are severely lacking. The key for hackers in getting past WAFs is persistence and time. Data thieves who are persistent in their attempts on site databases will almost surely prevail if the information is not securely safeguarded. It takes a relatively knowledgeable attacker to pull off WAF evasion, but with the proliferation of automated tools, it is becoming increasingly easy. If the goal is to protect data thoroughly – which it should be – WAF technology can still handle the careful monitoring and detection of attacks, alerting the SOC to actionable correlated events. Remember to demand full disclosure of a WAF provider's quality and do your own inspection before integrating one into your site’s security plan.
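To make the "monitoring and detection, alerting the SOC to correlated events" role concrete, here is an added example (not from the article, and not a WAF product's own logic) of a small log scanner. It reads constructed access-log lines, URL-decodes each request target before matching so that rules see what the database would see, applies three textbook signatures, and rolls alerts up per client so that repeated probes from one source stand out as a single correlated event. The log format, IP addresses, timestamps and rule set are all assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in common log format. The probe strings are the
# textbook ones; none of this is traffic from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2012:10:01:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 5120
203.0.113.10 - - [12/Jul/2012:10:01:05 +0000] "GET /item?id=42 HTTP/1.1" 200 2210
198.51.100.7 - - [12/Jul/2012:10:02:11 +0000] "GET /item?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200 9870
198.51.100.7 - - [12/Jul/2012:10:02:13 +0000] "GET /item?id=42+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 310
192.0.2.33 - - [12/Jul/2012:10:03:00 +0000] "GET /search?q=o%27neill HTTP/1.1" 200 4100
"""

# client, timestamp, method, request target, status code
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed minimal rule set; a real WAF carries far more and normalises harder.
RULES = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*)\s*$")),
]


def decode_target(target):
    """URL-decode the request target so the rules match the decoded form.
    Matching only the raw, encoded string is one easy way for a rule to miss."""
    return unquote_plus(target)


def scan_log(text):
    """Return one alert per log line that trips at least one rule."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, method, target, status = m.groups()
        decoded = decode_target(target)
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            alerts.append({
                "line": lineno,
                "client": client,
                "time": stamp,
                "method": method,
                "target": decoded,
                "status": int(status),
                "rules": hits,
            })
    return alerts


def correlate_by_client(alerts):
    """Roll alerts up per source address: one SOC event per probing client."""
    counts = {}
    for alert in alerts:
        counts[alert["client"]] = counts.get(alert["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(correlate_by_client(found))
```

Note that the benign `o%27neill` query contains a quote character yet trips nothing: the rules look for SQL structure around the quote, not for the quote alone, which is the difference between an alert a SOC can act on and a stream of noise. Decoding before matching is the minimum normalisation; this is why the article advises inspecting how a WAF actually processes requests rather than trusting its marketing.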

Test constantly

Knowing that these threats are on the rise, it’s a great idea to test applications for potential weaknesses on a regular basis, and to follow free, collaborative tools and news to stay current. One great resource is sqlmap, an open-source, Python-based tool that automates the detection of SQL injection flaws. After testing and analyzing your own applications, if SQL injection vulnerabilities are indeed found, the best way to correct the problems is to escalate them through service channels and thoroughly document every finding, which helps a developer fix the problem. If you don’t take the time to do the testing, you are accepting a potentially serious risk – a mistake you don’t want to make.

Even though SQL injection attacks are growing in frequency, savvy application developers can find enough available tools to combat them. Avoid becoming complacent with your security measures, don’t trust commonly touted layers of protection without digging for more substantiation, and test your applications as much as possible to ascertain the truth of what is going on under the surface. Attentiveness is your ammo in the fight against data compromise.

Chris Hinkley is a Senior Security Engineer at FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.