Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/20/2015
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SQL Injection Vulnerabilities Surge

SAN DIEGO, Jan. 20, 2015 – DB Networks, an innovator of intelligent continuous monitoring for core networks, today announced that after years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to todays software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that's more important today than ever before.

DB Networks analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology, to arrive at its conclusions regarding these troubling software security trends. Last year produced the most SQL vulnerabilities identified since 2011 and 104% more than were identified in 2013. 

“Despite the best efforts of project managers, software development nearly always runs headlong into time and cost constraints,” said Dave Rosenberg, CTO of DB Networks. “When the clock is ticking, it seems security testing is among the first tasks to be shunted aside.”

The hope is that these SQL injection vulnerabilities are identified and the software packages patched before hackers can exploit the vulnerability. DB Networks DBN-6300 is able to identify SQL injection vulnerabilities in commercial and custom database connected applications. With the average cost of a data breach approaching $6 million, it’s critical to identify and remediate vulnerabilities as quickly as possible.

The ramifications of a SQL injection vulnerability occurring in a popular software package can be enormous. In October 2014, a SQL injection flaw was identified in the Drupal content management software that affected over a million web sites. 

An April 2014 study conducted by the Ponemon Institute found that many organizations were simply not up to speed on the latest cyber threats. Many were unaware that their Web Application Firewalls could be so easily defeated. Even more troublingly, just over half of organizations surveyed conducted no testing of their third-party software for SQL injection vulnerabilities. 

The obvious question then is what can organizations do to protect themselves? DB Networks' security professionals have addressed this fully in a newly published technical white paper: "SQL Injection Defense: There Are no Silver Bullets."

Cybercriminals have probabilities and time on their side – complex applications with large numbers of routines that generate SQL queries present better odds of discovering a flaw, and those looking to exploit a system only need one flaw to accomplish their objectives. They can apply their tools to the problem 24/7 until that flaw is uncovered. Software developers, on the other hand, are tasked with being perfect while still hitting benchmarks and deadlines.

Although it's far too soon to make a firm prediction, the early data in 2015 indicates the upward trend in SQL injection vulnerabilities is continuing.

About DB Networks®

DB Networks® innovates cyber security through intelligent continuous monitoring. Our customers include the world's largest financial institutions, healthcare providers, manufacturers and governments. DB Networks' unique approach to database security utilizes behavioral analysis to automatically learn each application's proper interactions and then applies those learnings to accurately and immediately identify attacks in the core network. With no signature files to deal with or endless false positives to chase down, operational support becomes trivial. DB Networks is a privately held company headquartered in San Diego, California. For more information, see http://www.dbnetworks.com or call (800) 598-0450.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37759
PUBLISHED: 2021-07-31
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2021-37760
PUBLISHED: 2021-07-31
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
CVE-2020-26564
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
CVE-2020-26565
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
CVE-2020-26806
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.