Surviving the Week – 04/20/2012

Using Reverse Proxies To Secure Databases

This study describes an unusual technique for protecting against SQL injection: putting a reverse proxy in front of the database. It is not a foolproof solution, however, and maintaining and updating the queries under this method becomes cumbersome and hard to manage. As this study supports, generic web application firewall rules do not protect against SQL injection. You need to find the root cause and either fix the code or write custom rules for the specific vulnerability. NTOSpider can help you find the vulnerabilities and NTODefend can help you generate those rules as a mitigation strategy until the code can be updated -
http://www.darkreading.com/database-security/167901020/security/news/232900232/using-reverse-proxies-to-secure-databases.html
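As an added illustration, not code from the Dark Reading study or from NT OBJECTives, the following Python sketches the core of a database reverse proxy that only forwards queries whose template matches a recorded allow-list, and sets it beside the root-cause fix of a parameterized query. The `normalize` and `QueryWhitelistProxy` helpers, the `users` table and every sample query are assumptions constructed for this example. It shows why the approach works against a classic tautology injection, and why it is a maintenance burden: a perfectly legitimate query that a developer adds later is blocked too until the allow-list is regenerated.

```python
import re
import sqlite3
from typing import Iterable

# Constructed sample: the query templates a proxy would be seeded with by
# recording the application's known-good database traffic.
KNOWN_GOOD_QUERIES = [
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE id = 42",
]

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")      # 'abc', 'it''s'
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")   # 42, 3.14
_WHITESPACE = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a query to its template: literals become '?', whitespace collapses."""
    template = _STRING_LITERAL.sub("?", sql)
    template = _NUMBER_LITERAL.sub("?", template)
    template = _WHITESPACE.sub(" ", template).strip()
    return template.lower()


class QueryWhitelistProxy:
    """Allow-list proxy: forward a query only if its template was seen before."""

    def __init__(self, known_good: Iterable[str]):
        self.allowed = {normalize(q) for q in known_good}

    def is_allowed(self, sql: str) -> bool:
        return normalize(sql) in self.allowed


# Constructed sample traffic.
LEGIT = "SELECT id, name FROM users WHERE name = 'bob'"
# Tautology injected through the name parameter; the unbalanced quote and
# the extra OR clause change the template, so the proxy rejects it.
INJECTED = "SELECT id, name FROM users WHERE name = 'x' OR 1=1 --'"
# A legitimate query a developer added later: also rejected until the
# allow-list is regenerated, which is the maintenance burden described above.
NEW_FEATURE = "SELECT id, name, email FROM users WHERE name = 'bob'"


# The root-cause fix lives in the application, not in front of the database.
def demo_db() -> sqlite3.Connection:
    """In-memory SQLite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def fetch_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the value is pasted into the query text,
    so a crafted value rewrites the WHERE clause."""
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{name}'"
    ).fetchall()


def fetch_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver binds the value, so it can never change
    the query's structure regardless of its content."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    proxy = QueryWhitelistProxy(KNOWN_GOOD_QUERIES)
    for label, q in (("legit", LEGIT), ("injected", INJECTED), ("new feature", NEW_FEATURE)):
        print(f"{label:12s} -> {'forward' if proxy.is_allowed(q) else 'BLOCK'}: {normalize(q)}")

    payload = "x' OR 1=1 --"
    print("unsafe:", fetch_user_unsafe(demo_db(), payload))  # every row leaks
    print("safe:  ", fetch_user_safe(demo_db(), payload))    # no rows
```

The proxy never sees the application code, so it cannot tell a new feature from an attack; every release that touches a query means re-recording the allow-list. The parameterized version needs no such upkeep, which is why fixing the code is the durable answer and the proxy or a custom rule is only a stopgap.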

Oracle Enterprise Manager – 2 SQLi Vulnerabilities

Two SQLi vulnerabilities were closed with April's Critical Patch Update. Both are remotely exploitable but rated medium risk. http://cxsecurity.com/issue/WLB-2012040163 affected the Search page and took 8 months from vendor notification to patch release, whereas http://cxsecurity.com/issue/WLB-2012040162, which affected the first Config page of the Compare Wizard, took over 2 years between notification and patch. As much as we talk about SQLi, that vector doesn't go away.


About Dan Kuykendall

Dan Kuykendall is the CTO and Co-CEO at NT OBJECTives. Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company's flagship product, FoundScan. Prior to Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. Dan is a regular blogger on web application security issues on ManVsWebApp.com and co-hosts An Information Security Place Podcast. He has presented on the topics of mobile and application security at many of the top security industry conferences such as ISSA (2011), B-Sides (2012-2013), OWASP AppSecUSA (2012), HouSecCon (2010-2012), ToorCon (2013) and THOTCON (2013). Dan has been involved with the Web Application Security Consortium and is a regular contributor to many open source development projects, including founding the RPM Builder, phpGroupWare and podPress projects.
