News

SQL attacks on web applications continue to increase.

Fortify : 02 May, 2008  (Technical Article)
Fortify warns of the need for protection against malicious web site attacks that can compromise applications and expose sensitive data.
Fortify Software says that this week's reports of a rash of SQL attacks on Web sites should make software developers sit up and take notice.

"Newswire reports suggest that hundreds of thousands of Web sites have been hit by a mass SQL attack. This is symptomatic of hackers developing highly sophisticated and semi-automated attack routines," said Jacob West, Manager of Fortify's Security Research Group.

West added that "The script or tool behind the attack uses Google to search for sites that include a file type and parameter that appear to often be susceptible to SQL injection and uses that list returned from Google to mount its attack. The attack uses the SQL injection vulnerability to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the infected site until it is explicitly identified and removed."

According to West, the current crop of SQL attacks appears to be the result of sloppy programming on the part of Web site developers.

"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem that we in the software engineering and security fields need to provide developers with APIs that make getting security right easier, and better tools and processes to ensure that the software they build with these APIs is secure," he said.

West added, "SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities, but these attacks demonstrate that some organizations building web applications today are still woefully behind the bad guys. The solution to this and similar problems is a software development lifecycle designed to build security into software from the ground up. Security is a critical attribute during the design, building, testing and deployment phases. Software developed without a full-lifecycle approach and the right tools to support each phase is destined to suffer security compromises like the one seen here."
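The two coding mistakes the article describes, a query built from request text and stored data echoed into a page unencoded, are shown below beside their fixes. This is an added illustration written for this page, not Fortify's code or a tool from the report; it uses Python's built-in sqlite3 and html modules, an in-memory database with constructed rows, and a constructed sample input, so it runs offline.

```python
"""Constructed example: a string-built SQL query beside a parameterized one,
and raw versus HTML-escaped rendering of data read back from the database.
Not code from the article; the table, rows and inputs are made up here."""
import html
import sqlite3

# Constructed inputs for the demonstration.
INJECTED_ID = "1 OR 1=1"                    # request text that is not a number
STORED_MARKUP = "<script>alert('x')</script>"  # markup that must never run


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory product table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, comment) VALUES (?, ?)",
        [("widget", "fine"), ("gadget", "also fine")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Sloppy pattern: request text is pasted into the SQL statement,
    so the database parses whatever the user sent as part of the query."""
    sql = f"SELECT name, comment FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Fixed pattern: validate the type, then bind the value as a parameter.
    The driver sends the value separately; it is never parsed as SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []          # reject anything that is not an integer id
    return conn.execute(
        "SELECT name, comment FROM products WHERE id = ?", (pid,)
    ).fetchall()


def render_raw(comment: str) -> str:
    """Sloppy pattern: stored text is placed into HTML verbatim, so any
    markup that reached the database executes in every visitor's browser."""
    return f"<p>{comment}</p>"


def render_escaped(comment: str) -> str:
    """Fixed pattern: encode for the HTML context before output."""
    return f"<p>{html.escape(comment)}</p>"


def demo() -> dict:
    """Run both pairs against the same inputs and report what each returns."""
    conn = make_db()
    # Simulate markup having reached the database (the persistent XSS payload
    # in the article got there through the injection flaw itself).
    conn.execute("UPDATE products SET comment = ? WHERE id = 1", (STORED_MARKUP,))
    stored = lookup_safe(conn, "1")[0][1]
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTED_ID)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, INJECTED_ID)),              # request rejected
        "raw_html": render_raw(stored),
        "escaped_html": render_escaped(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology input makes the string-built query return the whole table, while the parameterized version rejects it before the database is touched. Escaping on output is the second, independent layer: even if markup has already been written into a row, `render_escaped` turns it into inert text, which is exactly what the infected sites described above were missing.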
© 2012 ProSecurityZone.com