SQL Injection Breaches Take Months to Uncover and Fix: Survey

SQL injection attacks have been at the center of many data breaches, big and small, over the years. Yet the technique continues to plague organizations today.

According to a new report from the Ponemon Institute, 65 percent of the 595 IT practitioners surveyed said they had experienced at least one SQL injection attack that successfully evaded their perimeter defenses in the past 12 months. In addition, each SQL injection attack took an average of roughly 140 days to discover and an average of 68 days to contain.

Almost half said the SQL injection threat facing their organization is very significant. On average, respondents believe 42 percent of all breaches are due at least in part to SQL injection. Still, many organizations appear unfamiliar with the tactics attackers use: less than half (46 percent) said they were even aware of the term "Web Application Firewall bypass."

“It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues,” said Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement. “For example, only a third of those surveyed (34 percent) agreed or strongly agreed that their organization presently had the technology or tools to quickly detect SQL injection attacks. And more than half (52 percent) of respondents indicated that they don’t test or validate any third party software to ensure it’s not vulnerable to SQL injection.”
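
The detection gap and the "WAF bypass" awareness gap above are two sides of the same problem: a signature that is checked against request data before the data is normalized the way the backend will see it is trivially sidestepped. The following is an added example, not code from the article, the Ponemon report or DB Networks. It runs a small SQL injection signature set over four constructed access-log lines (hypothetical hosts, paths and timestamps) and contrasts a decode-once check with one that repeatedly URL-decodes each parameter, so a double-encoded payload is caught.

```python
# Added example (not from the SecurityWeek article or the Ponemon report).
# Minimal SQL injection detection over constructed web-server log lines,
# showing why the check must normalize input the way the backend will.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (hypothetical data).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2014:10:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.6 - - [01/Apr/2014:10:01:05 +0000] "GET /item?id=42'%20OR%20'1'%3D'1 HTTP/1.1" 200 9031
10.0.0.7 - - [01/Apr/2014:10:01:09 +0000] "GET /item?id=42%2527%2520UNION%2520SELECT%2520null HTTP/1.1" 500 120
10.0.0.8 - - [01/Apr/2014:10:01:12 +0000] "GET /search?q=union+station HTTP/1.1" 200 2048
"""

# Deliberately small, illustrative signature set for classic payload shapes.
SIGNATURES = [
    re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),     # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"'\s*;\s*(drop|delete|update)\b", re.I),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def normalize(value, rounds=3):
    """URL-decode repeatedly (bounded) until the value stops changing.

    The bound should mirror how many decode passes the protected backend
    actually performs; over-decoding produces false positives on benign data.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def param_values(target):
    """Query-string values after one decode pass ('+' becomes space)."""
    return [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]


def single_decode_matches(target):
    """A filter that decodes once, as many naive WAF rules effectively do."""
    return any(sig.search(v) for v in param_values(target) for sig in SIGNATURES)


def normalized_matches(target):
    """The same signatures applied after full normalization."""
    return any(sig.search(normalize(v)) for v in param_values(target) for sig in SIGNATURES)


def scan(log_text, matcher):
    """Return the source IPs of log lines whose request target trips `matcher`."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and matcher(m.group("target")):
            hits.append(line.split()[0])
    return hits


if __name__ == "__main__":
    print("decode-once filter flags:", scan(SAMPLE_LOG, single_decode_matches))
    print("normalized filter flags: ", scan(SAMPLE_LOG, normalized_matches))
```

The second log line carries a plain tautology payload and is caught either way; the third is double-encoded (`%2527` decodes to `%27`, then to `'`), so the decode-once filter sees `UNION%20SELECT` and passes it, while the normalized check flags it. The fourth line (`union station`) shows the signature does not fire on an innocent word. Signature lists like this are only a first tripwire; the checks that matter most are the ones that see the statement the database actually receives.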

The bring-your-own-device trend may be further complicating the issue. Fifty-six percent of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace.

“A couple major risks with BYOD are the loss of the physical device and not disabling specific corporate applications on the device when an employee resigns from the organization,” said Michael Sabo, vice president of marketing at DB Networks, which sponsored the study. “The majority of SQL injection countermeasures are designed for the external threat originating typically through a web interface. However BYOD is an insider threat. So there may not be security mechanisms in place in the organization to identify the root cause if an…attacker operating a compromised BYOD dispatches a SQL injection attack.”

In many cases, measures to prevent SQL injection attacks appear to be lacking. Some 52 percent said they do not scan third-party applications to make sure they are not vulnerable to SQL injection, and 47 percent either do not scan for active databases regularly (25 percent) or do not scan at all (22 percent). Any forgotten databases may contain sensitive financial, proprietary or customer information, Sabo said.
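
The prevention measures the survey asks about (testing applications, validating third-party code) come down to whether user input can change the structure of a query. The following is an added example, not code from the article or the report: a lookup written the vulnerable way beside the parameterized form, run against an in-memory SQLite database with constructed rows, plus the allowlist pattern for the one case parameters cannot cover (identifiers such as a sort column). Table and user names are hypothetical.

```python
# Added example (not from the SecurityWeek article or the Ponemon report).
# Vulnerable string-built query beside its parameterized fix, on SQLite.
import sqlite3


def make_db():
    """Constructed in-memory database with three hypothetical users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the value travels separately from the SQL text, so quote
    characters in the input cannot alter the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Column names cannot be bound as parameters; validate them against an allowlist.
ALLOWED_SORT = {"username", "email"}


def list_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_col}").fetchall()


# Two classic payloads: a tautology that dumps every row, and a UNION that
# reads the schema out of sqlite_master (the trailing -- comments out the
# quote the application appends).
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, schema:   ", lookup_vulnerable(db, UNION_SCHEMA))
    print("parameterized:        ", lookup_safe(db, TAUTOLOGY))
    print("sorted by email:      ", list_sorted(db, "email"))
```

With the tautology payload the vulnerable lookup returns all three rows and the UNION payload returns the `CREATE TABLE` text for `users`, while the parameterized lookup returns nothing for either, because the whole payload is compared literally against `username`. Scanning third-party code for the string-built pattern (format strings or concatenation feeding `execute`) is the cheap check the survey says most organizations skip.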

“Undocumented databases that no one is managing aren’t going to be secure,” Sabo said. “Because many of them were brought up for a quick and dirty test, they’ll likely have default passwords and thus are easily exploited. Also they’ll be unpatched and their vulnerabilities will be well known to the hackers.”

A copy of the report can be downloaded here.
