August 2, 2008

SQL Re-Injection

Proper disclosure: I had to choose between writing this blog entry and shaving my head.

We gave our ADC monthly webinar a couple of days ago and had a record attendance of over 350 people. Did we promise to disclose a 0-day vulnerability in everybody's favorite name resolution protocol? No! Did we claim to reveal a new and devastating attack technique? No! Did we describe how to break the AES cipher? No again.

We talked about SQL Injection!

When choosing the topic for July's webinar we had an internal company debate, and when our marketing team (Mark and Steve) suggested that we revisit SQL injection, the technical team (well, myself) gave them the crooked eye with the compelling argument "BORING!"

However, when starting to pile up the content, the outcome was surprising even for us. While we are talking about the most ancient trick in the book we are still talking about the #1 threat to web applications today. Moreover, we are seeing actual shifts and trends with respect to the use of SQL injection in the past 12-18 months:

- Automation, either through desktop applications or through search engines, is becoming prevalent.

- SQL injection attacks are used much more for data integrity compromise rather than the traditional data confidentiality breach.

- SQL Injection attacks are combined with other attack techniques (such as Google Hacking, HTML Injection and traditional malware) to launch devastating attacks of unprecedented scale, effectiveness and effect.

- Direct SQL Injection vulnerabilities (those that lie within database stored procedures) are becoming prevalent.

While compiling the content a disturbing question came to my mind: How come we are still experiencing so much trouble from this kind of an old attack technique? Didn't we invest all that money in programmer education in order to make SQL injection extinct? Well, to me the answer is clear, and while I'm not going to elaborate on this topic today (see http://blog.imperva.com/2008/06/we-can-write-secure-code-not.html) I'll say that it reinforces my stand with respect to the false promise of secure coding.

So, all in all, this has been a very educational episode for myself, and hopefully for those who attended the webinar. For those who didn't, the recorded version can be found here.

And, Mark, you told me so!

- Amichai


3 Comments

Hey,

* I've seen this happen many times in the past. Usually, the webinars and conference talks that attract the biggest crowd, are what we consider to be boring/old/obsolete. It appears that webappsec is just becoming mainstream these days.

* The most surprising/frustrating thing about the amount of applications that are still vulnerable to SQLi, is that you don't need to be an uber-programmer to solve the problem anymore. Both .NET and JAVA give you built-in facilities to avoid this issue. I guess they don't teach that in universities/programming-courses. Bummer.

-Ory

As a person who is responsible for hosting applications that appear to be written by developers who think that SQL injection is 'boring', I've got a few thoughts on the subject.

"Today, with web apps as the hack target, the community of developers who have to understand the problem and change the way they build systems is pretty much anyone who has ever slung up a simple web/database application. That population of developers is millions, not thousands, they are all over the map in terms of their skill set, and they are largely outside the bounds of large structured software companies or anything resembling top down authority, and are extremely unlikely to be using any software development methodology whatsoever, much less a methodology that encompasses secure software development."

See: http://lastinfirstout.blogspot.com/2008/08/crud-moved-up-stack.html

As you can tell, I'm rather pessimistic.

You should take the preventive approach and shave your head before the next webinar :-)
