Threat of SQL Injections still plagues businesses
By Chong Jinn Xiung October 17, 2016
- SQL Injections are still dangerous in today’s application world
- Security needs to be incorporated into the development of applications
Cyber attacks using SQL Injections (SQLi), a method that exploits vulnerabilities in a web application to gain access to the application’s database, are on the rise in Southeast Asia (SEA) because enterprises are not adequately protected.
The recent case of a 23-year-old Singaporean hacker who managed to purchase US$51,325 (S$70,000) worth of products using stolen names and passwords highlights that companies in the region are still vulnerable to such attacks.
The surprising thing is that attacks using SQLi have been around for over 20 years, and should be a rather obsolete form of attack, yet SQLi finds itself at the top spot on the Open Web Application Security Project (OWASP) Top 10 in 2013.
“In large parts of SEA, coding hygiene is poor, especially in the area of ensuring security best practices are followed during the development stage,” said F5 Networks director of solutions architecture, Prakash Sadagopan.
“Cybercriminals look for the path of least resistance and this usually comes in the form of poorly coded and inadequately protected websites.”
Hackers have even customised and developed malware strains that target banks and financial service institutions, with one example being Tinba. The availability of such malware and services on the black market provides cybercriminals with enough ammunition to target other individuals and organisations.
“When all these ‘internal’ applications become exposed to the ‘external’ world through ‘Webifying’ mechanisms, these enterprises can be caught off-guard with security breaches,” Prakash said.
In fact, SQLi can be avoided with good development practices. The defence starts at the inception of an application, with trained developers keeping injection flaws out of the source code itself.
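As an added illustration (not code from the article or from F5), here is the source-level defect described above beside its fix, using Python’s built-in sqlite3 module and a constructed two-row user table: the concatenated query lets the input rewrite the WHERE clause, while the parameterised query treats the same input as a plain value.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_vulnerable(conn, username):
    # The defect: user input is spliced into the SQL text, so characters in
    # the input (here a single quote) can change the structure of the query.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, username):
    # The fix: a parameterised query. The driver binds the input as a value,
    # never as SQL, so it can only ever match a literal username.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo(username):
    # Run both variants on the same input and return (vulnerable, safe) results.
    conn = make_db()
    return find_email_vulnerable(conn, username), find_email_safe(conn, username)


if __name__ == "__main__":
    # Ordinary input: both variants return the same single row.
    print(demo("alice"))
    # Input containing a quote: the concatenated WHERE clause collapses to an
    # always-true condition and leaks every row; the parameterised query
    # simply finds no user with that name and returns nothing.
    print(demo("' OR '1'='1"))
```

A dynamic scan of the kind the article recommends is essentially probing for the first behaviour; a static analysis rule flags the string concatenation in `find_email_vulnerable` before the code ever ships.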
“Organisations should invest in technologies such as web application firewalls, as part of their perimeter defence. Such technologies help protect applications against Layer 7 Attacks like SQLi and Cross Site Scripting,” he advises.
At the same time, security should be incorporated into development practices by way of using static and dynamic analysis of an application.
“Organisations should perform regular dynamic scans of the website to see if their website is susceptible to any web-based attack including SQLi. Rigorous application protection mechanisms and advanced policy management play a critical role,” he concludes.