Four Reasons Security Teams Can’t Stop SQL Injection Vulnerabilities

SQL injection vulnerabilities have threatened application security for years. So why are they still so common, when we, as an industry, know how to prevent them? If eradicating the vulnerability were contingent only on understanding how to implement the technical fix, we would have done so by now. The problem is much bigger than that, and it requires a deeper look at web application security testing as a whole. Below, we've listed some of the factors that come into play from the security team's point of view.


  • A lack of resources: Security organizations run lean and mean these days. They simply don't have the staff, time or technology to dedicate to fixing every vulnerability. And when resources are tight, it is tempting to take shortcuts, which can easily weaken application security across the board.

  • Not enough time in the day: Security teams are in a race against attackers to find SQL injection vulnerabilities, prioritize them by severity and remediate them, not just for one application but for hundreds.

  • Humans are fallible: Pen testers are the experts at finding SQL injection vulnerabilities, and they must combine automated and manual testing. Relying on one at the expense of the other, or on rudimentary tooling, leaves some vulnerabilities undetected.

  • Lack of control: Because security teams have little control over developers, they often have little influence over development training, policies and coding practices.

It’s evident that security teams have their work cut out for them when it comes to providing effective application security against SQL injection vulnerabilities. Fortunately, they don’t have to face the challenge alone. Together, security specialists and developers should work as a team to prevent future vulnerabilities and eradicate any current ones. Unfortunately, developers do face a host of challenges of their own.

About Dan Kuykendall
Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team. Connect with Dan on Google+

1 Comment on Four Reasons Security Teams Can’t Stop SQL Injection Vulnerabilities

  1. “They simply don’t have the staff, time or technology to dedicate to fixing every vulnerability.”

    Great point. Sometimes teams have to make decisions and categorize vulnerabilities because they just can’t tackle them all at once. That means that while the biggest issue is being fixed, 5 or 6 smaller problems are still at large.
