Application Security // Database Security
4/17/2014
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
0%
100%

SQL Injection Cleanup Takes Two Months or More

A new report highlights the prevalence and persistence of SQL injection attacks.

In the past 12 months, 65% of organizations have suffered a SQL injection attack, and it took them close to 140 days to realize they had been hit.

According to a report by the Ponemon Institute published yesterday, it took an average of 68 days for victim organizations to recover and clean up after discovering they had suffered a SQL injection attack.

SQL injection is a hacking technique where an attacker exploits a vulnerability in the targeted application to send malicious SQL statements to the database. The attacker inserts malicious SQL statements into an entry field.

"SQL injection has been around for ages," says Larry Ponemon, chairman and founder of the Ponemon Institute. It just won't go away. "You're lucky if you discover it [quickly], and it takes a long time to remediate: 140 days for an organization to even detect a SQL injection attack" has occurred. "And 40% of them say it takes six months or longer to detect it... It's nine months on average from start to finish."

The report, was commissioned by DB Networks, is based on responses from 595 IT security professionals in the US, both in the commercial and government sectors.

More than half of the organizations neither test nor validate third-party software for SQL injection vulnerabilities, the survey found, and 56% say finding the source of SQL injection is harder due to the emergence of mobile devices at the office.

Other findings: Forty-four percent use professional penetration testers to look for bugs, while just 35% of those tests include looking for SQL injection bugs. More than half say they have or will begin to swap their signature-based security with behavioral analysis-based tools in the next 24 months. Half say they will use behavioral analysis tools to track database activity.

The good news is that more organizations are aware of SQL injection threats, according to Michael Sabo, director of marketing for DB Networks. "I'm excited to see at least these organizations realized the significance of the threat. SQL injection is always one of the top threats... This attack has become highly automated," he says.

A full copy of the report, The SQL Injection Threat Study, is available here (registration required).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:55:00 PM
Cost of SQL Injection cleanup?
Interesting data, Kelly. Wondering if the Ponemon study quantified any of the costs to organizations of a SQL injection attack, in terms of dollars and data loss. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.