Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/20/2015
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SQL Injection Vulnerabilities Surge

SAN DIEGO, Jan. 20, 2015 – DB Networks, an innovator of intelligent continuous monitoring for core networks, today announced that after years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to todays software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that's more important today than ever before.

DB Networks analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology, to arrive at its conclusions regarding these troubling software security trends. Last year produced the most SQL vulnerabilities identified since 2011 and 104% more than were identified in 2013. 

“Despite the best efforts of project managers, software development nearly always runs headlong into time and cost constraints,” said Dave Rosenberg, CTO of DB Networks. “When the clock is ticking, it seems security testing is among the first tasks to be shunted aside.”

The hope is that these SQL injection vulnerabilities are identified and the software packages patched before hackers can exploit the vulnerability. DB Networks DBN-6300 is able to identify SQL injection vulnerabilities in commercial and custom database connected applications. With the average cost of a data breach approaching $6 million, it’s critical to identify and remediate vulnerabilities as quickly as possible.

The ramifications of a SQL injection vulnerability occurring in a popular software package can be enormous. In October 2014, a SQL injection flaw was identified in the Drupal content management software that affected over a million web sites. 

An April 2014 study conducted by the Ponemon Institute found that many organizations were simply not up to speed on the latest cyber threats. Many were unaware that their Web Application Firewalls could be so easily defeated. Even more troublingly, just over half of organizations surveyed conducted no testing of their third-party software for SQL injection vulnerabilities. 

The obvious question then is what can organizations do to protect themselves? DB Networks' security professionals have addressed this fully in a newly published technical white paper: "SQL Injection Defense: There Are no Silver Bullets."

Cybercriminals have probabilities and time on their side – complex applications with large numbers of routines that generate SQL queries present better odds of discovering a flaw, and those looking to exploit a system only need one flaw to accomplish their objectives. They can apply their tools to the problem 24/7 until that flaw is uncovered. Software developers, on the other hand, are tasked with being perfect while still hitting benchmarks and deadlines.

Although it's far too soon to make a firm prediction, the early data in 2015 indicates the upward trend in SQL injection vulnerabilities is continuing.

About DB Networks®

DB Networks® innovates cyber security through intelligent continuous monitoring. Our customers include the world's largest financial institutions, healthcare providers, manufacturers and governments. DB Networks' unique approach to database security utilizes behavioral analysis to automatically learn each application's proper interactions and then applies those learnings to accurately and immediately identify attacks in the core network. With no signature files to deal with or endless false positives to chase down, operational support becomes trivial. DB Networks is a privately held company headquartered in San Diego, California. For more information, see http://www.dbnetworks.com or call (800) 598-0450.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17452
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows upload and execution of a .php file by an admin.
CVE-2020-17451
PUBLISHED: 2020-08-09
flatCore before 1.5.7 allows XSS by an admin via the acp/acp.php?tn=pages&sub=edit&editpage=1 page_linkname, page_title, page_content, or page_extracontent parameter, or the acp/acp.php?tn=system&sub=sys_pref prefs_pagename, prefs_pagetitle, or prefs_pagesubtitle parameter.
CVE-2020-17447
PUBLISHED: 2020-08-09
MyBB before 1.8.24 allows XSS because the visual editor mishandles [align], [size], [quote], and [font] in MyCode.
CVE-2020-16248
PUBLISHED: 2020-08-09
** DISPUTED ** Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.