SQL Injection Vulnerabilities Surge

January 21, 2015

3 Min Read

PRESS RELEASE

SAN DIEGO, Jan. 20, 2015 – DB Networks, an innovator of intelligent continuous monitoring for core networks, today announced that after years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to todays software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that's more important today than ever before.

DB Networks analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology, to arrive at its conclusions regarding these troubling software security trends. Last year produced the most SQL vulnerabilities identified since 2011 and 104% more than were identified in 2013. 

“Despite the best efforts of project managers, software development nearly always runs headlong into time and cost constraints,” said Dave Rosenberg, CTO of DB Networks. “When the clock is ticking, it seems security testing is among the first tasks to be shunted aside.”

The hope is that these SQL injection vulnerabilities are identified and the software packages patched before hackers can exploit the vulnerability. DB Networks DBN-6300 is able to identify SQL injection vulnerabilities in commercial and custom database connected applications. With the average cost of a data breach approaching $6 million, it’s critical to identify and remediate vulnerabilities as quickly as possible.

The ramifications of a SQL injection vulnerability occurring in a popular software package can be enormous. In October 2014, a SQL injection flaw was identified in the Drupal content management software that affected over a million web sites. 

An April 2014 study conducted by the Ponemon Institute found that many organizations were simply not up to speed on the latest cyber threats. Many were unaware that their Web Application Firewalls could be so easily defeated. Even more troublingly, just over half of organizations surveyed conducted no testing of their third-party software for SQL injection vulnerabilities. 

The obvious question then is what can organizations do to protect themselves? DB Networks' security professionals have addressed this fully in a newly published technical white paper: "SQL Injection Defense: There Are no Silver Bullets."

Cybercriminals have probabilities and time on their side – complex applications with large numbers of routines that generate SQL queries present better odds of discovering a flaw, and those looking to exploit a system only need one flaw to accomplish their objectives. They can apply their tools to the problem 24/7 until that flaw is uncovered. Software developers, on the other hand, are tasked with being perfect while still hitting benchmarks and deadlines.

Although it's far too soon to make a firm prediction, the early data in 2015 indicates the upward trend in SQL injection vulnerabilities is continuing.

About DB Networks®

DB Networks® innovates cyber security through intelligent continuous monitoring. Our customers include the world's largest financial institutions, healthcare providers, manufacturers and governments. DB Networks' unique approach to database security utilizes behavioral analysis to automatically learn each application's proper interactions and then applies those learnings to accurately and immediately identify attacks in the core network. With no signature files to deal with or endless false positives to chase down, operational support becomes trivial. DB Networks is a privately held company headquartered in San Diego, California. For more information, see http://www.dbnetworks.com or call (800) 598-0450.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights