Structured Query Language, or SQL, has been around since the 1970s and is heavily utilized in today's connected web of data access. The purpose of SQL is to provide the instructions for interacting with the data residing within database systems. These back-end database systems can hold important information that may be personal and confidential to the organization, as well as to the organization's customers, and should only be viewed by authorized individuals.
However, many attacks reported over the years have jeopardized the data held within these systems through a technique called SQL injection. SQL injection "injects" malicious SQL code or queries, generally through a web form input box, to gain unauthorized access to or harvest information from a database server. For example, the 2015 breach of VTech, a company that sells a plethora of kids' toys and more, was one of the largest attacks that year to utilize SQL injection (ThompsonM, 2015). VTech's database servers were compromised during this attack, giving the hacker full authorization and control over the data.
Even though organizations have built a level of awareness around this issue, SQL injection vulnerabilities remain among the most exploited flaws (Baker, A. 2013). In fact, a survey conducted by the Ponemon Institute names SQL injection the number one attack vector for 2015, and OWASP lists it as a top ten threat category (Paganini, P. 2014). This type of vulnerability could lead to the internal compromise of a database, tarnishing an organization's trust and brand with its customers, as it did with VTech.
Some of the primary defenses to consider against SQL injection attempts are: parameterized queries, stored procedures, least privilege, and input validation. Parameterized queries allow the database to distinguish between code and data: the developer defines all of the SQL code first and then passes the parameters to the query, so the query's structure stays fixed regardless of the input that is supplied. Additionally, stored procedures can be utilized to keep user input out of the SQL text, as they are called directly from within the application. Another simple, yet effective defense is the principle of least privilege. This method minimizes the privileges assigned to every database account, giving users the permissions required to perform their job function but nothing more. Lastly, input validation that detects unauthorized input before the application processes it can assist in preventing an injection attack.
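As an added example (not from the original post), the concatenated query beside its parameterized replacement, with an allow-list validation check placed in front of it; the table and rows are constructed in-memory SQLite sample data, not any real schema:

```python
import re
import sqlite3

def build_db():
    # Constructed sample data for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: user input is concatenated into the SQL text, so the
    # database cannot tell where the code ends and the data begins.
    sql = ("SELECT username, email FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened: the SQL text is fixed before the value is supplied; the
    # driver passes the value separately, so it is only ever treated as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list for a username: letters, digits and underscore, 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def lookup_validated(conn, username):
    # Defense in depth: reject input that does not match the expected shape
    # before it reaches the database, then still use a parameterized query.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    conn = build_db()
    tautology = "x' OR '1'='1"
    print(lookup_vulnerable(conn, tautology))     # every row leaks
    print(lookup_parameterized(conn, tautology))  # [] (treated as a literal name)
```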
With the many internal and customer-facing applications spanning the Internet to support business initiatives, it is exceptionally important to protect the confidentiality and integrity of this data. To assist in this effort, OWASP provides tips in the form of a Prevention Cheat Sheet that can be viewed, modified, and implemented. The link to the Cheat Sheet can be found here (SQL Injection Prevention Cheat Sheet, n.d.).
References:
Baker, A. (2013, August 22). 14 Years of SQL Injection and still the most dangerous vulnerability. Retrieved February 25, 2016, from https://www.netsparker.com/blog/web-security/sql-injection-vulnerability-history/
Paganini, P. (2014, April 18). Ponemon study – SQL Injection attacks too dangerous for organizations. Retrieved February 27, 2016, from http://securityaffairs.co/wordpress/24094/cyber-crime/ponemon-sql-injection-attacks.html