August 8, 2014

Coming to a computer near you, SQL: The Sequel

It might sound like a bad movie, but it is playing out in real life: despite years of well-publicized attacks using SQL injection, SQLi-related breaches keep turning up like a bad penny.

Most recently, Hold Security reported that it had discovered a series of breaches carried out by a Russian hacker ring. While details of these breaches are still surfacing, it is time for enterprises to start taking web perimeter security just as seriously as network perimeter security. Vulnerabilities like SQL injection are pervasive in web applications, yet most enterprises are not aware that their web perimeter is putting their organization at risk. The reason is simple: enterprises typically do not know how many web applications they have in their domain. When working with an organization to reduce its web application perimeter risk, we regularly find 40% more websites than the customer provided as an input range.

Couple this with the Verizon Data Breach Report findings that web application vulnerabilities are the number one cause of data breaches, and that 80 percent of web application breaches in the retail industry exploit SQL injection vulnerabilities, and you have a recipe for disaster. Without visibility into the entire web perimeter, enterprises are leaving thousands of applications vulnerable and creating a long-term security threat, because cyber-criminals are constantly scanning the Internet for vulnerabilities like SQL injection. Given the large number of breaches caused by SQL injection and other web application vulnerabilities, it is becoming reckless to assume that because your critical websites are secure, your risk is appropriately mitigated.

So what can enterprises do? Here are a few steps that help reduce risk:
  • Get stronger visibility into the entire web perimeter through a discovery solution. Most enterprises do not know the contents of their web perimeter; it is typical to be unaware of up to 40% of the websites within the enterprise domain.
  • Determine which sites have vulnerabilities by scanning them for common vulnerability classes such as SQL injection. Modern automated cloud-based services can now do this quickly and continuously, with minimal setup time and effort, across tens of thousands of sites, in days rather than weeks or months.
  • Take action: decommission sites no longer in use, which directly reduces your company's attack surface, and fix the vulnerabilities in the sites that remain. In one recent example, a Global 1000 company cut its perimeter risk in half by shutting down just three websites that were running unpatched software and were no longer required.
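To make the vulnerability class behind these breach statistics concrete, here is an added example (not code from the original post or from Veracode) of the injection pattern a scanner in step two is looking for, beside the parameterized query that closes it. It runs against an in-memory SQLite database; the users table, the accounts and the attacker payloads are all constructed for illustration, and the function names are assumptions made here.

```python
"""Added example: a string-built SQL login query versus a parameterized one,
exercised with classic SQL injection payloads against in-memory SQLite.

All data below (table, users, payloads) is constructed for illustration and
the function names are assumptions of this example, not of any real product.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting, so attacker-controlled text
    is parsed as SQL syntax. Returns the matched username, or None."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver passes the values to the
    engine separately from the statement, so quotes and comment markers in
    the input stay data and never become syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed attacker inputs (assumptions for this example).
BYPASS_USER = "alice' --"          # comments out the password check
BYPASS_PASS = "does not matter"
# Appends a second SELECT that pulls another user's password out of the table.
EXFIL_USER = "x' UNION SELECT password FROM users WHERE username='bob' --"
EXFIL_PASS = "x"


def run_demo() -> dict:
    """Runs both implementations against legitimate and hostile input and
    returns the outcomes so they can be inspected or asserted on."""
    conn = make_db()
    return {
        "vuln_valid_login": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_auth_bypass": login_vulnerable(conn, BYPASS_USER, BYPASS_PASS),
        "vuln_exfiltration": login_vulnerable(conn, EXFIL_USER, EXFIL_PASS),
        "param_valid_login": login_parameterized(conn, "alice", "correct horse battery staple"),
        "param_auth_bypass": login_parameterized(conn, BYPASS_USER, BYPASS_PASS),
        "param_exfiltration": login_parameterized(conn, EXFIL_USER, EXFIL_PASS),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20s} -> {result!r}")
```

The bypass payload turns the statement into `... WHERE username = 'alice' --' AND password = '...'`, so the password clause is commented away and the attacker is logged in as alice; the UNION payload returns bob's password as the "username", which is the data-exfiltration shape most SQLi breaches take. With bound parameters both payloads are simply looked up as literal usernames and find nothing, and the legitimate login still works.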

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
