SQL flaws remain an Achilles heel for IT security groups

Another example: Five charged today with using SQL injection attacks to breach corporate networks to steal some $300 million from U.S. businesses

By , Computerworld |  Security

Hackers have taken advantage of SQL injection flaws for years because they can be exploited with relative ease. In recent years, SQL injection attacks have consistently ranked as one of the most popular methods for hackers to break into networks.

Security experts and organizations like the Payment Card Industry Security Council have long urged companies to thoroughly scan Web applications for such flaws. They suggest using Web application firewalls to mitigate the threat.

The PCI council mandates that companies either do a complete source code analysis to weed out such flaws or use a Web application firewall.

Even so, many companies fail to fully implement measures that can mitigate SQL injection threats, said Avivah Litan, an analyst with Gartner. "SQL injection attacks succeed because companies aren't protecting themselves well enough against them," she said.

Though companies understand the need for application code reviews and to maintain application firewalls, many neglect the task due to resource issues, Litan said.

"[Companies] just don't do it well enough because they are overwhelmed. They don't have the money or the resources," needed to address SQL issues, she said. "It really is about budget prioritization and organizational silos."

Jeremiah Grossman, founder and chief technology officer of Web application security specialist WhiteHat Security, said that software development resources are completely maxed out in many companies.

"Your coders have to push new features to customers that will drive future revenue. If they slow down, or work on anything else, like fixing vulnerabilities in their code, there is a certain monetary sacrifice. There simply isn't enough time or resources to do everything," Grossman said.

Therefore, he said. "If you are after data, as these bad guys [were], then SQL injection is the best and fastest way to breach the database. There is nothing technical about SQL injection that we don't know. We know what it is, we know how to fix it, we know how to prevent it. The central issue is the scale of the problem and development resource constraints."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.

Read more about security in Computerworld's Security Topic Center.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question