SQL Injection Attacks Still Fierce

Monday, April 21, 2014 @ 05:04 PM gHale

SQL injection attacks are still going strong and remain very effective, a new survey said.

So strong, in fact, that 65 percent of the 595 U.S. security practitioners who took part in the survey reported experiencing such an attack in the last 12 months. On top of that, the average time it took to discover a breach was 140 days, with a further 68 days needed to remediate the issue, researchers from the Ponemon Institute said.


“We believe this is the first study to survey the risks and remedies regarding SQL injection attacks, and the results are very revealing,” said Ponemon Institute Founder Dr. Larry Ponemon, who conducted the research on behalf of DB Networks.

“It is commonly accepted that organizations believe they struggle with SQL injection vulnerabilities, and almost half of the respondents said the SQL injection threat facing their organization is very significant, but this study examines much deeper issues,” Ponemon said.

“For example, only a third of those surveyed (34 percent) agreed or strongly agreed that their organization presently had the technology or tools to quickly detect SQL injection attacks. And more than half (52 percent) of respondents indicated that they don’t test or validate any third party software to ensure it’s not vulnerable to SQL injection,” he said.

The study also reveals that 46 percent of respondents are familiar with the term “WAF [Web Application Firewall] Bypass.” Over half of those who took part in the study said it was becoming increasingly difficult to determine the root cause of SQL injection attacks because more and more employees use their personal devices for work.

Of the respondents, 44 percent said they were using professional penetration testers to identify vulnerabilities in their systems, but 35 percent of those said the testing covers SQL injection. Just over half said they didn’t test third-party software to see if it was vulnerable to SQL injection attacks.

Most respondents are in favor of using behavioral analysis technology for detecting SQL Injection attacks.

“It’s well known that SQL injection attacks are rampant and have proven to be devastating to organizations of all sizes. This study delves into both the scope and many of the root causes of SQL injection breaches,” said Brett Helm, chairman and chief executive of DB Networks.

“Signature-based perimeter defenses simply cannot keep up with the sophistication of today’s complex SQL injection attacks. It’s interesting that this study indicates security professionals are now recognizing this and overwhelmingly had a favorable opinion of applying behavioral analysis technologies to address the SQL injection threat.”

Click here to register for the complete “The SQL Injection Threat Study.”
