Organizations suffer SQL Injection attacks, but do little to prevent them

On Wednesday, the Ponemon Institute released the results of a new study conducted for DB Networks. In it, 65 percent of the respondents said that they've experienced one or more SQL Injection attacks in the last 12 months. In addition, each incident took an average of 140 days to discover, and 68 days to fix the issue.

"It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues," commented Dr. Larry Ponemon.

But there's a problem.

When it comes to preventing SQL Injection, those who took part in the study said that protective measures are lacking, and 52 percent of the respondents said they don't take any precautions, such as code audits and validation checks.

Yet, as mentioned, nearly half of the respondents said that SQL Injection attacks are a significant threat. Moreover, 42 percent said that they believed that SQL Injection is a contributing factor in most breaches.

The lack of prevention can be explained in part by the fact that only 31 percent of the respondents say their organization's security/IT teams possess the skills, knowledge, and expertise to detect an SQL Injection attack.

The sample size for this study was small, only 595 respondents across 16 verticals. However, the problem of SQL Injection isn't so small; in fact, this problem has existed since 1998.

Part of the reason SQL Injection persists is that, on the criminal's end, it works. There are several tools on the Web that automate SQL Injection, from scanning for vulnerable hosts to harvesting data from the database, and for most criminals that's the only thing they need to compromise data.

For businesses, the issue is a bit more complex. Developers are paid to code, but security still isn't a primary function when a project needs to be delivered on time and under budget.

Code development has come a long way since 1998, but things still slip through the cracks. The same small mistakes that slip through are the ones that turn into large breaches. This is why code assessments and continual monitoring of applications and databases are encouraged, or outright mandated.

Still, SQL Injection happens with regularity, and the aftermath of those incidents can be costly and embarrassing (in a PR sense). Obviously, DB Networks has a horse in the race when it comes to preventing SQL Injection, but so do several other vendors. But the basics can often solve the most basic SQL Injection issues, such as those outlined by OWASP.
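As an added illustration of those OWASP basics (example code, not from the article or from DB Networks): the same user lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so any quote
    # character in it becomes part of the query's syntax.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # Hardened (OWASP's first recommendation): the query text is fixed and
    # the driver binds the input as a value, so it is only ever compared as data.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    results = {}
    # A legitimate name containing a quote: concatenation breaks the query.
    try:
        lookup_concat(conn, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError:
        results["concat_quote"] = "error"
    results["param_quote"] = len(lookup_param(conn, "O'Brien"))
    # The classic OWASP tautology illustration: concatenation returns every
    # row, while the bound version returns none because no user has that name.
    tautology = "x' OR '1'='1"
    results["concat_taut"] = len(lookup_concat(conn, tautology))
    results["param_taut"] = len(lookup_param(conn, tautology))
    return results

if __name__ == "__main__":
    print(demo())
```

The parameterized version needs no escaping logic of its own, which is why it is the baseline a code audit should look for before anything more elaborate.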

Still, no matter how your organization deals with SQL Injection, the important part is that it's addressed. It isn't easy, but given the value placed on data, both inside and outside of the company, it's worth the effort.


Stories by Steve Ragan