
Four Database Security Tips for SQL Injection

Source: eweek

On Dec. 6, a researcher posted proof that he had compromised NASA Websites via a SQL injection. Fortunately for NASA, his motive appears to only have been to illustrate weaknesses in its sites.

Other entities, however, have not been so lucky. There were, of course, the breaches of Heartland Payment Systems and Hannaford Brothers, but also mass compromises affecting thousands of Websites.

For all the security tools on the market, SQL injection placed No. 3 on Verizon's list of the 15 most common security attacks (PDF) in its latest data breach report, issued Dec. 9.

Here are four tips to help enterprises deal with SQL injection attacks before hackers find their way in and turn a security hole into a data breach.

1) Fixing the code: According to Jeremiah Grossman, CTO of WhiteHat Security, developers should use parameterized SQL statements, for example through ESAPI development frameworks. Developers should also make sure user input is properly validated. Escaping dangerous characters is another way to deal with SQL injection.

2) Developer education: "The key issue is educating Web developers about how to build secure applications," said Phil Neray, vice president of security strategy at Guardium, now an IBM company.

3) Use of technology: Many companies are not doing enough code scanning to identify vulnerabilities. They should also be using tools such as Web application firewalls and database monitoring technologies. "Proper use of tools like these will definitely add to the assurance that everything has been done to detect issues before they become major problems," said Brian Monkman, firewall program manager for ICSA Labs.

4) Configuration management: Developers should suppress verbose error messages so attackers have a tougher time getting to the bottom of why they were thwarted. "Doesn't mean the vulnerability is fixed, but makes it harder to exploit," Grossman said.
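As an added illustration of tips 1 and 4 (example code written for this page, not from the eweek article or from DBAPPSecurity), the following shows a concatenated query beside its parameterized and validated replacement, plus a request handler that returns generic errors instead of database messages. It uses Python's built-in sqlite3 module and a constructed in-memory table.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table for this example (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # database cannot tell where the data ends and the query structure begins.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Tip 1, parameterized statement: the driver sends the value separately
    # from the SQL text, so it is only ever compared as a string literal.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(conn, name):
    # Tip 1, input validation: reject anything outside the allowlist before it
    # reaches the database, and still use the parameterized query afterwards.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username contains disallowed characters")
    return lookup_parameterized(conn, name)


def handle_request(conn, name):
    # Tip 4: the caller gets a generic message; the real exception stays
    # server-side (a logging call belongs where the comment is).
    try:
        return {"ok": True, "users": lookup_validated(conn, name)}
    except ValueError:
        return {"ok": False, "error": "invalid request"}
    except sqlite3.Error:
        # log the exception details internally; never return them to the client
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # textbook tautology input, used only to contrast the two queries
    print(lookup_unsafe(db, hostile))         # every row: the quote closed the literal early
    print(lookup_parameterized(db, hostile))  # []: compared as an ordinary string
    print(handle_request(db, hostile))        # {'ok': False, 'error': 'invalid request'}
```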

In sum, defending against SQL injection attacks requires a combination of internal and external security.

DBAPPSecurity Inc, 2006-2010 www.dbappsecurity.com