Why Does SQL Injection Still Exist?
- 31 July, 2015 23:37
After having spent the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we're still talking about SQL injection as a problem.
So, what is SQL injection, you might ask? It is a method of attacking web applications that sit on top of a data repository. The attacker sends a specially crafted SQL (structured query language) statement designed to cause some malicious action. These statements succeed far too often because many web applications do not sanitize their inputs.
The OWASP Top Ten is a collection of vulnerabilities that are of particular note. The problem that jumps out at me is that SQL injection has been on this list for the better part of a decade. Why does this continue to be the case? Well, there are contributing factors to be certain. One of which is the time to market issue which will most likely never be dealt with from a security perspective.
When you have a business leader whose bonus structure is tied to the delivery of a particular web application, an element of fear is introduced: fear that security will ultimately be bypassed in an effort to save money and avoid roadblocks. This is not to say that this is a uniform problem across the board, but it does in fact happen, far more often than I care to admit. In previous day jobs I ran into this behavior on several occasions.
This needs to be addressed by baking the requirement for a security review as a gateway into business processes as well as the corporate culture. If corners are allowed to be cut and this behavior goes unpunished, a great deal of blame belongs to the senior management that permits it to continue. Whether this is done consciously or inadvertently does not obviate the responsibility of senior management to meet this behavior head on.
When corners are cut, things get missed. A perfect example is SQL injection as a lurking issue. When an application is rushed out the door there is a real chance that problems will be introduced that can lead to a data breach.
The headlines have been littered with stories about data breaches, and a not insignificant portion of them are the result of a SQL injection attack. This is a solvable problem. As security practitioners it is incumbent upon us to do a better job of making sure that this sort of problem does not continue.
Another point is that security practitioners are very good at talking about security...amongst themselves. We need to do a better job at bringing the security message to a wider audience. We need to be talking to the stakeholders as well as the programmers and so forth. If we cannot successfully articulate the message of security to a wider audience then we are of limited utility.
We need to do a better job of tackling the corner cutters as well as making sure that we are getting the message heard. It serves no one to sit in a darkened room listening to Front 242 and lamenting that no one understands us.