Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:03 AM

The SQL Injection Disconnection

Hackers fixate on SQLi—CSOs, not so much

A new report out this week that examines the most talked-about topics within online hacker forums shows that there may be a huge disconnect between the vulnerabilities that hackers are most keen to exploit and the risk mitigation measures CSOs squirrel away cash to purchase. Most notably, SQL injection attacks this year rose to be tied for first place with DDoS attacks as the most commonly discussed vulnerabilities by hackers.

[Want to know the scary stories that keep CSOs up on Halloween night? See. Nightmare On Database Street: 5 Database Security Horror Stories.]

Place that interest and activity next to enterprise security spending patterns and its clear a gap in perception exists, says Rob Rachwald, director of security strategy for Imperva , which released its hacker forum analysis in its October Hacker Intelligence Initiative Monthly Trend Report.

"It was really interesting to see just how differently hackers talk about security and what they do versus what security people talk about and what they do," he says.

This was the second year in a row that Imperva conducted a content analysis of a handful of smaller hacker sites alongside one of the largest-known hacker forums, which serves approximately 250,000 members. Among a sample size of 439,587 total threads between September 2011 and September 2012, SQL injection tied for first with DDoS as the number one most popular topic, with each comprising 19% of total chatter.

While the report didn't cite analyst figures to back up its estimates, Imperva said it believes that of the $25 billion spend Gartner estimated enterprises dedicated to security last year, just 5% of that goes toward SQL injection vulnerability mitigation. But what is for sure is that among those documented as the most popular security product categories--antivirus, IPS and network firewalls--none of them can detect or recognize a SQL injection, Rachwald says. In the InformationWeek Reports, the security technology voted as most effective by technologists was the firewall, rated by 66% as a top rated technology.

"We're really just trying to get people to pay attention to this problem, says Rachwald, who points to the most recent SQL injection-related South Carolina breach as evidence of where hacker interests lie.

Others around the industry agree that the South Carolina breach should provide more grist for the mill when it comes to poking at the flaws of enterprise security perceptions.

"Cases like this continue to raise awareness of the shortcomings of traditional infrastructure security in keeping sensitive data safe," said Mark Bower, data protection expert and VP at Voltage Security.

Part of the difficulty in mitigating the risks of SQL injection is the fact that at root the problem is caused by a flaw in coding practices, says Andrew Moulton, senior software development engineer at Vigilant.

"Too often we see developers quickly building SQL statements by concatenating strings," Moulton says. "Almost all database libraries support parameterized queries and can even prepare and cache them for the possibility of a little performance boost. Basically, unless you are a DBA, do not think that you are smarter than the query planner."

Moulton warns organizations that while third party input sanitization tools are a useful part of protecting existing web applications from SQL injection attacks, coders shouldn't use them as an excuse to ignore SQL injection during development.

"There is nothing wrong with using these tools; however, they are not the holy grail of protection against SQL injection attacks," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/2/2012 | 8:53:11 PM
re: The SQL Injection Disconnection
As ccampbell notes, companies can be slow to change their security practices - and for a variety of reasons.

I think that the article's main point that the security response to SQLi is not matching the threat is very valid. In particular, the lack of security products to deal with SQLi is a very telling indicator.

Talking about the percentage of security spending that goes to one problem or another is, in itself, a really interesting conversation. More money doesn't always mean more security, of course. So is spending a reliable indicator of how seriously a threat is being taken?
User Rank: Apprentice
11/2/2012 | 10:07:39 AM
re: The SQL Injection Disconnection
Ericka, thank you very much for this insightful article. The
SQL Injection is a constant problem, and many times I find myself wondering why
does this threat still exist? Actually, hereGs an interesting article on this
matter: http://blog.securityinnovation....
Hope you find it interesting, and keep up the good work!
User Rank: Apprentice
10/31/2012 | 7:56:02 PM
re: The SQL Injection Disconnection
It should come as no surprise that hackers are focusing on the vulnerabilities that security analysts aren't paying as much attention too.- I think companies are to slow in changing their risk profiles.- Security in your company should be an ever-changing landscape.- It has to evolve and change at the rate the hackers are evolving and changing.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly.
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment term...
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the opt...
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its ...