Application Security // Database Security
4/17/2014
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
0%
100%

SQL Injection Cleanup Takes Two Months or More

A new report highlights the prevalence and persistence of SQL injection attacks.

In the past 12 months, 65% of organizations have suffered a SQL injection attack, and it took them close to 140 days to realize they had been hit.

According to a report by the Ponemon Institute published yesterday, it took an average of 68 days for victim organizations to recover and clean up after discovering they had suffered a SQL injection attack.

SQL injection is a hacking technique where an attacker exploits a vulnerability in the targeted application to send malicious SQL statements to the database. The attacker inserts malicious SQL statements into an entry field.

"SQL injection has been around for ages," says Larry Ponemon, chairman and founder of the Ponemon Institute. It just won't go away. "You're lucky if you discover it [quickly], and it takes a long time to remediate: 140 days for an organization to even detect a SQL injection attack" has occurred. "And 40% of them say it takes six months or longer to detect it... It's nine months on average from start to finish."

The report, was commissioned by DB Networks, is based on responses from 595 IT security professionals in the US, both in the commercial and government sectors.

More than half of the organizations neither test nor validate third-party software for SQL injection vulnerabilities, the survey found, and 56% say finding the source of SQL injection is harder due to the emergence of mobile devices at the office.

Other findings: Forty-four percent use professional penetration testers to look for bugs, while just 35% of those tests include looking for SQL injection bugs. More than half say they have or will begin to swap their signature-based security with behavioral analysis-based tools in the next 24 months. Half say they will use behavioral analysis tools to track database activity.

The good news is that more organizations are aware of SQL injection threats, according to Michael Sabo, director of marketing for DB Networks. "I'm excited to see at least these organizations realized the significance of the threat. SQL injection is always one of the top threats... This attack has become highly automated," he says.

A full copy of the report, The SQL Injection Threat Study, is available here (registration required).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:55:00 PM
Cost of SQL Injection cleanup?
Interesting data, Kelly. Wondering if the Ponemon study quantified any of the costs to organizations of a SQL injection attack, in terms of dollars and data loss. 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.