
Web Developers Left Holding the Bag on SQL Injection Attacks

5/1/2008

Developers need to understand that it's a brave new world, according to Andrew Storms, director of security operations at nCircle Inc. in San Francisco.

"The early days of writing Web applications, what we called CGIs back in the early 90s, we always lived by a single simple truth -- never trust user input," Storms said. "It seems now that Web application developers have forgotten this golden rule and have been lazy, allowing sanity and security checking to be performed by some other library or module. Combine this with fancy Web applications and Web services and the result is what we see today."

For this reason, Storms and others argue, there are loads of Web sites vulnerable to any number of Web-based attacks, such as SQL injection, cross-site scripting and cross-site request forgery.
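The "never trust user input" rule Storms invokes is concrete enough to show in code. The following is an added illustration, not code from the article or from nCircle: a lookup that splices the caller's string into the SQL text next to one that binds it as a parameter, run against a constructed in-memory SQLite table. The table, the names and the inputs are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "student"), ("bob", "faculty"), ("carol", "admin")],
    )
    return conn


def lookup_concatenated(conn, username):
    """The pattern the article warns against: the caller's string is pasted into
    the SQL text, so whatever it contains becomes part of the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver passes the string as a value, never as SQL,
    so the query's structure is fixed no matter what the input contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookups():
    """Run both versions on an ordinary name and on a constructed input that
    happens to contain SQL syntax; return the row sets for side-by-side review."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed; the textbook tautology
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "param_benign": lookup_parameterized(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),  # every row comes back
        "param_hostile": lookup_parameterized(conn, hostile),  # no such user: empty
    }


def concat_breaks_on_apostrophe():
    """The same defect is also a plain correctness bug: a legitimate name with an
    apostrophe makes the concatenated query a syntax error, while the
    parameterized version simply finds no match."""
    conn = make_db()
    try:
        lookup_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError:
        return lookup_parameterized(conn, "O'Brien") == []
    return False


if __name__ == "__main__":
    for label, rows in compare_lookups().items():
        print(f"{label:15s} -> {rows}")
    print("apostrophe breaks concatenated query:", concat_breaks_on_apostrophe())
```

The point Storms makes about delegating checks to "some other library or module" cuts both ways: escaping helpers can be forgotten or misapplied, whereas a parameterized query needs no per-call sanitizing because the database never sees the input as SQL.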

The variety of potential problems adds to the mystery.

"At this point we really don't know exactly if the problem at hand [this week] is due to a Microsoft bug or poorly written application code," Storms said. "The more likely answer is that the attack vector of these Web sites varies just enough from each site that it's making things difficult to pinpoint a single root cause."

IT pros may need to ramp up IT risk management and application-level access controls, experts say. Such a process involves continuous vulnerability assessment, as well as Web application risk profiling. It's best to start such a process from the beginning of code development all the way into preproduction, scanning Web applications for potential risks.

The number of at-risk Web sites cited this week -- somewhere between 200,000 and 500,000 Web sites -- is an "egregious number," according to Storms. Such figures are not as imposing as numbers "like one million to ten million storm worm bots back in 2007," Storms said, adding that "these SQL incursions are an entirely different breed."

The attacks are sobering news, he added.

"The reason for such controversy here is that this instance is a difficult fact to swallow," he said. "To the average unsuspecting Web surfer, the risk that they could be hit by some drive-by malware has now increased significantly. We used to tell our older relatives to only surf trusted Web sites and don't click on e-mail links, but that kind of advice is becoming less and less foolproof."


Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.

Jabulani Leffall, "Web Developers Left Holding the Bag on SQL Injection Attacks," Campus Technology, 5/1/2008, http://www.campustechnology.com/article.aspx?aid=61509
