The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert warning technology manufacturers and their customers about the persistent threat posed by SQL injection vulnerabilities.
Despite being a well-documented issue for more than two decades, SQL injection (SQLi) vulnerabilities remain a prevalent defect in commercial software products, leaving thousands of organizations at risk.
SQL injection vulnerabilities allow malicious cyber actors to compromise a database's confidentiality, integrity, and availability by causing the application to execute attacker-controlled queries.
This class of vulnerability stems from developers not following security best practices, in particular failing to keep SQL code separate from user-supplied data, so that input ends up being interpreted as part of the query.
A recent campaign exploiting SQLi defects in a managed file transfer application, which affected thousands of organizations, prompted CISA and the FBI to urge technology manufacturers to conduct a formal review of their code to eliminate this class of defect.
The “Secure by Design” concept emphasizes the importance of incorporating security measures from the outset of product development.
This approach reduces the cybersecurity burden on customers and minimizes public risk.
Despite being labeled "unforgivable" as far back as 2007, SQL injection (CWE-89) continues to rank near the top of MITRE's 2023 CWE Top 25 list of the most dangerous and stubborn software weaknesses.
To eliminate SQLi vulnerabilities, software developers are encouraged to use parameterized queries with prepared statements, which keep the SQL code separate from user-supplied data.
With this method the query text is fixed before any input is bound to it, so user input is always treated as data rather than executable code, removing the injection vector rather than merely filtering it.
However, CISA and the FBI caution against relying solely on input sanitization (escaping or filtering characters), which can be bypassed and is difficult to apply consistently at scale; validation is useful as defense in depth, not as the primary control.
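As an added illustration of the point above (example code written for this page, not taken from the CISA/FBI alert), the following Python script uses the standard-library sqlite3 module and a constructed three-row users table to show the three approaches side by side: a query built by string concatenation, the same pattern behind a quote-escaping "sanitizer" that a quote-free payload slips past, and prepared statements with bound parameters, which return nothing for the same payloads. The table contents and payloads are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for this example; not taken from the article.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string concatenation: the input is spliced into the SQL text,
    so a quote in the input closes the literal and whatever follows runs as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def naive_sanitize(value):
    """Escape single quotes: the kind of filter the alert says not to rely on."""
    return value.replace("'", "''")


def lookup_sanitized_by_id(conn, user_id):
    """Quote escaping does nothing in a numeric context: 'id = 1 OR 1=1' needs no
    quote at all, so the filter is bypassed and the query still leaks every row."""
    sql = "SELECT id, name, email FROM users WHERE id = " + naive_sanitize(user_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Prepared statement: the SQL text is fixed and the driver binds the value
    separately, so it can only be compared as data, never parsed as code."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_parameterized_by_id(conn, user_id):
    """Parameterization plus positive validation: reject anything that is not an
    integer before it reaches the database, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        raise ValueError(f"invalid user id: {user_id!r}") from None
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (uid,)).fetchall()


def demo():
    """Run each lookup against the same constructed payloads and collect the results."""
    conn = make_db()
    results = {}
    # Tautology payload against the concatenated query: every row comes back.
    results["vulnerable_rows"] = len(lookup_vulnerable(conn, "' OR '1'='1"))
    # A legitimate apostrophe also breaks the concatenated query; the injection and
    # this correctness bug share the same root cause.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    # Quote-escaping filter bypassed with a payload that contains no quotes.
    results["sanitized_rows"] = len(lookup_sanitized_by_id(conn, "1 OR 1=1"))
    # The same payloads against prepared statements are just unmatched data.
    results["param_rows"] = len(lookup_parameterized(conn, "' OR '1'='1"))
    results["param_apostrophe"] = lookup_parameterized(conn, "O'Brien")
    results["param_alice"] = lookup_parameterized(conn, "alice")
    try:
        lookup_parameterized_by_id(conn, "1 OR 1=1")
        results["param_id_rejected"] = False
    except ValueError:
        results["param_id_rejected"] = True
    results["param_id_alice"] = lookup_parameterized_by_id(conn, "1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `lookup_sanitized_by_id` case is the one to take away: the escaping filter is not wrong, it is simply irrelevant to a numeric comparison, which is why a blocklist applied at one call site says nothing about the next one. The parameterized versions need no knowledge of the payload at all, and the integer conversion in front of the bound parameter is there to fail loudly on garbage, not to stop injection.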
CISA and the FBI also set out three key principles that manufacturers should follow to achieve Secure by Design software.
The alert serves as a call to action for software manufacturers to adopt a comprehensive set of Secure by Design practices beyond just mitigating SQL injections.
Manufacturers are urged to publish their Secure by Design roadmap, demonstrating a strategic commitment to customer safety.