February 28, 2013

SQL Injection: Are you focused on the right problem?


Today, on the last day of RSA2013, InformationWeek published an article that compares where companies spend their security budget with the problems they actually need to tackle. Referencing the OWASP Top 10, it covers some of the more modern attack vectors, focusing mainly on SQL Injection.

To quote our CTO, Amichai Shulman, “SQL Injection should have died years ago. Sadly, it didn’t.” SQL injection is one of the biggest threats and one of the easiest vectors for an attacker to steal data and compromise an organization. Not only that, it has become industrialized, with tools like Havij, SQLmap and others automating the attack and “dumbing it down” so that non-experts can use it.

Today, even in the largest organizations, CIOs still focus spending on fixing problems from the past: viruses and network threats that used to be acute. What is interesting is that companies did so well in spending in the right place in the past, and in putting the right controls around their assets to fix the old problems, that the problem has moved. Hackers are now lurking in new places. It’s a classic example of “win the battle and lose the war.”

Nowadays, hackers are all about data and how to get it for profit. When that is the case, you should always expect them to look for the weakest point in your organization, because easy money is the best kind of money. SQL Injection is an easy way to get data.

What should you do?

  • Dork yourself: check what SQL Injection really is and what your actual exposure is.
  • Check your access controls: is your organization dealing with SQL Injection?
  • Verify that you evaluate your online assets and applications to make sure that you are safe.
  • Regularly schedule “clean ups” to remove nasty bits.
  • Put proper Web Application security controls, such as Web Application Firewalls, in place.
