SQL injection vulnerabilities have threatened application security for over 15 years, and most security experts and many developers understand SQLi very well. So why are they still so common, given that we, as an industry, know how to prevent them?
SQL injection is a common vulnerability, consistently listed in the OWASP Top 10, that stems from unvalidated application inputs or parameters such as "last name," "first name," or "SSN" being handled unsafely in the source code. Attackers capitalize on these unvalidated inputs by injecting malicious SQL statements into entry fields, so that user-supplied text is executed as part of the database query. There are many common techniques used by security teams and developers to find and prevent SQL injection attacks. Many organizations layer several of them, including penetration testing and Dynamic Application Security Testing (DAST) solutions like AppSpider, which are designed to find unvalidated inputs and SQL injection vulnerabilities.
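To make the mechanism concrete, here is an added example (not code from the original post, from Rapid7, or from AppSpider) that shows a "last name" lookup written two ways: a vulnerable version that splices the input into the SQL text, and a hardened version that binds it as a parameter. The table, names and SSNs are constructed for the example, and the database is an in-memory SQLite instance standing in for the application's real backend.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
# Every name and SSN here is invented for the example.
SAMPLE_USERS = [
    ("Alice", "Smith", "111-11-1111"),
    ("Bob", "Jones", "222-22-2222"),
    ("Carol", "Smith", "333-33-3333"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (first_name TEXT, last_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """VULNERABLE: the 'last name' field is concatenated into the statement,
    so whatever the user typed becomes SQL syntax, not just a value."""
    sql = (
        "SELECT first_name, last_name, ssn FROM users "
        f"WHERE last_name = '{last_name}' ORDER BY ssn"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, last_name):
    """HARDENED: the value is passed separately as a bound parameter, so the
    database engine treats it purely as data. No quoting tricks can change the
    shape of the query."""
    sql = "SELECT first_name, last_name, ssn FROM users WHERE last_name = ? ORDER BY ssn"
    return conn.execute(sql, (last_name,)).fetchall()


# Two classic payloads an attacker might type into the last-name field.
# Tautology: turns the WHERE clause into ... = '' OR '1'='1' and dumps every row.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# UNION: appends a second SELECT against SQLite's schema table; the trailing
# '--' comments out the closing quote the application adds.
UNION_PAYLOAD = "x' UNION SELECT name, type, sql FROM sqlite_master --"


def demo():
    """Run both lookups against both payloads and return the row counts."""
    conn = make_db()
    return {
        "honest_query": len(lookup_vulnerable(conn, "Smith")),      # the two Smiths
        "tautology_vuln": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),  # all 3 rows, SSNs included
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY_PAYLOAD)),        # 0: no such last name
        "union_vuln": len(lookup_vulnerable(conn, UNION_PAYLOAD)),  # 1 row: the table's CREATE statement
        "union_safe": len(lookup_safe(conn, UNION_PAYLOAD)),        # 0: payload is just a string
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The hardened function is not "validating" the input in the sense of rejecting quote characters; it simply never lets the input reach the SQL parser as syntax. That is the property DAST tools and pen testers are probing for when they submit payloads like the two above into every entry field they can find.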
Clearly, if eradicating the vulnerability depended only on knowing how to implement a technical fix, we would have done so by now. The problem is much bigger than that, and it requires a deeper look at web application security testing as a whole. Below, we list some of the factors that come into play from the security team's point of view.
- A lack of resources: Security organizations run lean these days. They simply don't have the staff, time or technology to dedicate to fixing every vulnerability. When resources are tight, it is tempting to take shortcuts, which can easily weaken application security as a whole.
- Not enough time in the day: Security teams are in a race against attackers to find SQL injection vulnerabilities, prioritize them according to severity and remediate them, not just for one application but for hundreds.
- Humans are fallible: Pen testers are the experts at finding SQL injection vulnerabilities, and they must combine automated and manual testing. Relying on one at the expense of the other, or on rudimentary tooling, can leave some vulnerabilities undetected.
- Lack of control: Because security teams have little authority over developers, they often have little influence over development training, policies and coding practices.
It's evident that security teams have their work cut out for them when it comes to defending applications against SQL injection. Fortunately, they don't have to face the challenge alone: security specialists and developers should work as a team to prevent future vulnerabilities and eradicate current ones. Developers, however, face a host of challenges of their own.
Rapid7's AppSpider is a dynamic application security testing solution designed to find SQL injection and 40 other vulnerability classes in even the most complex applications. Learn more by visiting our AppSpider pages.