In a joint alert with the FBI, CISA seeks to tamp down the pervasiveness of a well-known class of bugs.

Dark Reading Staff, Dark Reading

March 25, 2024

1 Min Read
Software developer laptop screen
Source: Andrey Popov via Alamy Stock Photo

SQL injection vulnerabilities continue to plague supply chains, prompting a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on developing safer software products.

CISA and the FBI said this week that the new Secure by Design guidance is in direct response to the recent broad exploitation of an SQLi defect in the MoveIT file transfer application.

SQL injection vulnerabilities allow threat actors to inject their own data into SQL commands, allowing them to perform arbitrary queries to access sensitive information inside the database.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the joint Secure by Design Alert said. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights