Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/20/2015
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SQL Injection Vulnerabilities Surge

SAN DIEGO, Jan. 20, 2015 – DB Networks, an innovator of intelligent continuous monitoring for core networks, today announced that after years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages. DB Networks research indicates this alarming fact is directly attributed to todays software development methodology – an emphasis on deadlines and budgets that gives short shrift to the kind of security due diligence that's more important today than ever before.

DB Networks analyzed statistics from the National Vulnerability Database, a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology, to arrive at its conclusions regarding these troubling software security trends. Last year produced the most SQL vulnerabilities identified since 2011 and 104% more than were identified in 2013. 

“Despite the best efforts of project managers, software development nearly always runs headlong into time and cost constraints,” said Dave Rosenberg, CTO of DB Networks. “When the clock is ticking, it seems security testing is among the first tasks to be shunted aside.”

The hope is that these SQL injection vulnerabilities are identified and the software packages patched before hackers can exploit the vulnerability. DB Networks DBN-6300 is able to identify SQL injection vulnerabilities in commercial and custom database connected applications. With the average cost of a data breach approaching $6 million, it’s critical to identify and remediate vulnerabilities as quickly as possible.

The ramifications of a SQL injection vulnerability occurring in a popular software package can be enormous. In October 2014, a SQL injection flaw was identified in the Drupal content management software that affected over a million web sites. 

An April 2014 study conducted by the Ponemon Institute found that many organizations were simply not up to speed on the latest cyber threats. Many were unaware that their Web Application Firewalls could be so easily defeated. Even more troublingly, just over half of organizations surveyed conducted no testing of their third-party software for SQL injection vulnerabilities. 

The obvious question then is what can organizations do to protect themselves? DB Networks' security professionals have addressed this fully in a newly published technical white paper: "SQL Injection Defense: There Are no Silver Bullets."

Cybercriminals have probabilities and time on their side – complex applications with large numbers of routines that generate SQL queries present better odds of discovering a flaw, and those looking to exploit a system only need one flaw to accomplish their objectives. They can apply their tools to the problem 24/7 until that flaw is uncovered. Software developers, on the other hand, are tasked with being perfect while still hitting benchmarks and deadlines.

Although it's far too soon to make a firm prediction, the early data in 2015 indicates the upward trend in SQL injection vulnerabilities is continuing.

About DB Networks®

DB Networks® innovates cyber security through intelligent continuous monitoring. Our customers include the world's largest financial institutions, healthcare providers, manufacturers and governments. DB Networks' unique approach to database security utilizes behavioral analysis to automatically learn each application's proper interactions and then applies those learnings to accurately and immediately identify attacks in the core network. With no signature files to deal with or endless false positives to chase down, operational support becomes trivial. DB Networks is a privately held company headquartered in San Diego, California. For more information, see http://www.dbnetworks.com or call (800) 598-0450.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12262
PUBLISHED: 2020-11-27
Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 devices allow /cgi-bin/cgiServer.exx?page= XSS.
CVE-2020-29129
PUBLISHED: 2020-11-26
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29130
PUBLISHED: 2020-11-26
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-26936
PUBLISHED: 2020-11-26
Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.
CVE-2020-29042
PUBLISHED: 2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.