CISA Seeks to Curtail 'Unforgivable' SQL Injection Defects

In a joint alert with the FBI, CISA seeks to tamp down the pervasiveness of a well-known class of bugs.

Dark Reading Staff, Dark Reading

March 25, 2024


SQL injection vulnerabilities continue to ship in commercial software and ripple out to the customers who deploy it, prompting a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) urging software manufacturers to eliminate the bug class at design time.

CISA and the FBI said this week that the new Secure by Design Alert is a direct response to the 2023 mass exploitation of an SQLi defect (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer application, which was used to steal data from a large number of organizations.

SQL injection (SQLi) vulnerabilities arise when an application builds a SQL statement by splicing untrusted input directly into the query text. Quote characters and SQL keywords in that input are then parsed as part of the statement rather than as data, letting a threat actor change what the query does: read records they are not authorized to see, alter or delete data, bypass authentication, and, depending on the database and its privileges, go on to execute commands on the host. The fix the alert recommends is the long-established one: parameterized queries with prepared statements, so the statement's structure is fixed before any user-supplied value reaches the database.
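The following is an added illustration, not code from the article or from the CISA/FBI alert. It uses Python's built-in sqlite3 module against a constructed in-memory database with made-up users, and puts the CWE-89 pattern (string-formatting a login query) next to the parameterized form the alert recommends. The function names, table, and sample credentials are hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """CWE-89: untrusted input is spliced into the SQL text, so a quote
    character in the input closes the literal and the rest of the input
    is parsed as SQL syntax."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the statement text is fixed and the values are
    handed to the driver separately, so they can only ever be data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both variants against the same attacker and legitimate inputs."""
    conn = make_db()
    # Classic tautology: turns the WHERE clause into
    #   (username = 'nobody' AND password = '') OR '1'='1'
    # which matches every row, so the first user is 'logged in'.
    bypass = "' OR '1'='1"
    results = {
        "vuln_bypass": login_vulnerable(conn, "nobody", bypass),
        "safe_bypass": login_safe(conn, "nobody", bypass),
        # A legitimate name containing an apostrophe is handled correctly
        # by the parameterized query ...
        "safe_quote": login_safe(conn, "o'brien", "hunter2"),
    }
    # ... but breaks the concatenated query outright, which is the same
    # root cause as the injection: input is being parsed as SQL.
    try:
        login_vulnerable(conn, "o'brien", "hunter2")
        results["vuln_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["vuln_quote"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable function returns Alice's row for a password of `' OR '1'='1` and raises a syntax error on a perfectly valid user named `o'brien`; the parameterized function returns no row for the attack string and the correct row for the quoted name. Both symptoms have the same cause, and the same one-line fix removes both, which is why the alert treats this class as avoidable by design rather than by input filtering.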

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the joint Secure by Design Alert said. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability."
