Security Horizon invited me to contribute an article for their free Winter 2009 edition of Security Journal. I took the opportunity to discuss several very important aspects of SQL Injection that are not well understood: why certain best-practices may have contributed to the ongoing problem, how black-box and white-box vulnerability testing are affected, why the good guys are at a substantial disadvantage to the bad guys, how the problem could potentially be solved, and how much it might cost us. Especially timely material considering the ongoing exploitation. Enjoy!
SQL Injection, Eye of the Storm
In 2008 SQL Injection became the leading method of malware distribution, infecting millions of Web pages and foisting browser-based exploits upon unsuspecting visitors. The ramifications to online businesses include data loss, PCI fines, downtime, recovery costs, brand damage, and revenue decline when search engines blacklist them. According to WhiteHat Security [1], 16 percent of websites are vulnerable to SQL Injection. This is likely under-reported, given that the statistics are largely based on top-tier Web properties that employ a website vulnerability management solution to identify the problem. The majority of websites do not, and as such may be completely unaware of the extent of the issue. In addition, some recommended security best-practices have ironically benefited malicious hackers. Websense now reports that "60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008." Let’s examine the forces that have aligned to create the storm that allows SQL Injection to thrive.