How Do You Use DAM For Blocking? You Don't

Curiously, many view blocking malicious Web application requests via WAFs as the appropriate approach
SQL injection remains a top database threat, at least if you put faith in the OWASP Top Ten threat list. In fact, it has been a top threat for about a decade. So why don't more companies use database activity monitoring (DAM) to block malicious traffic?

Most customers I speak with do not and will not use DAM to block database queries. If they view SQL injection as a threat, then they use Web application firewalls (WAFs). More to the point, they view blocking malicious Web application requests via WAFs as the appropriate approach.

Again, I ask, "Why?" SQL injection is a database attack. DAM is a tool that can block SQL injection, yet it's not the first thought in customers' minds when they think about solving this problem.

According to my research, about 2 percent to 3 percent of the companies I speak with use DAM for blocking malicious events in general. SQL injection is just one of the types of events they consider when selecting DAM for activity blocking. Of those companies I speak with that have DAM, only a handful of the databases have the blocking capability of DAM enabled -- let's say 10 percent. (I haven't exactly been scientifically rigorous in my accounting, but that's close.) Still, it's a small, small percentage of databases and an even smaller percentage of companies. It seems to be growing a bit as some customers are applying security policy not through changing application logic, but externally with DAM policies -- for example, data usage policies for HIPAA or EU privacy. But it's still a minority.

I ask why because I am still not sure why more companies don't use blocking for databases on a more regular basis. The technology is embedded in most of the DAM platforms and a handful of other database security tools. And in the case of SQL injection specifically, if I were to sit down and select a protection solution in a vacuum, personally I'd lean toward DAM as a means of filtering queries. I do acknowledge my preference is at odds with the market trend. But I think a lot of that is because of WAFs: customer perception of need is greatly altered by them.

Here is why customers don't use DAM to block events:
