Why Does SQL Injection Still Exist?

After spending the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we're still talking about SQL injection as a problem.

So, what is SQL injection, you might ask. It is a method of attacking web applications that sit in front of a data repository. The attacker sends a specially crafted SQL (structured query language) statement designed to cause some malicious action. These statements succeed far too often because many web applications do not sanitize their inputs.
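To make the failure concrete, here is an added example that is not from the original article: the same user lookup written with string concatenation (the unsanitized pattern described above) and with a parameterized query, run against an in-memory SQLite table. The table, its rows and the sample inputs are constructed for this demonstration and are not from the article.

```python
"""Added example (not from the original article): the same lookup written
with string concatenation and with a parameterised query, run against an
in-memory SQLite table of constructed sample rows, so the difference the
article describes can be observed directly."""
import sqlite3

# Constructed sample data; the table and rows are assumptions for this demo.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the article warns about: untrusted input is pasted into
    the statement text, so the input can change the meaning of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the statement is fixed text and the input travels as a bound
    parameter, so the database never interprets it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterised(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign input behaves the same either way: one row each.
    print("alice:", compare("alice"))
    # A crafted input (constructed for this demo) turns the concatenated
    # statement into a tautology that matches every row; the parameterised
    # version looks for a user literally named that and finds nothing.
    print("crafted:", compare("x' OR '1'='1"))
```

The point for reviewers is the second function: once the statement text is fixed and every input is bound, there is no string for the attacker's input to rewrite, which is why parameterized queries are the standard fix rather than input filtering alone.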

The OWASP Top Ten is a collection of vulnerabilities that are of particular note. The problem that jumps out at me is that SQL injection has been on this list for the better part of a decade. Why does this continue to be the case? Well, there are contributing factors, to be certain. One of these is time-to-market pressure, which will most likely never be dealt with from a security perspective.

When you have a business leader whose bonus structure is tied to the delivery of a particular web application, an element of fear is introduced: fear that security will ultimately be bypassed in an effort to save money and avoid any roadblocks. This is not to say that this is a uniform problem across the board, but it does in fact happen, far more often than I care to admit. In previous day jobs I ran into this behavior on several occasions.

This needs to be addressed by baking the requirement for a security review, as a gateway, into business processes as well as the corporate culture. If corners are allowed to be cut and this behavior goes unpunished, a great deal of blame lies with the senior management who permit it to continue. Whether it is done consciously or inadvertently does not obviate the responsibility of senior management to meet this behavior head on.

When corners are cut, things get missed. A perfect example is SQL injection as a lurking issue. When an application is rushed out the door there is a real chance that problems will be introduced that can lead to a data breach.

The headlines have been littered with stories about data breaches, and a not insignificant portion of them are the result of SQL injection attacks. This is a solvable problem. As security practitioners it is incumbent upon us to do a better job of making sure that this sort of problem does not continue.

Another point is that security practitioners are very good at talking about security...amongst themselves. We need to do a better job at bringing the security message to a wider audience. We need to be talking to the stakeholders as well as the programmers and so forth. If we cannot successfully articulate the message of security to a wider audience then we are of limited utility.

We need to do a better job of tackling the corner cutters as well as making sure that we are getting the message heard. It serves no one to sit in a darkened room listening to Front 242 and lamenting that no one understands us.

Stories by Dave Lewis