Web Developers Left Holding the Bag on SQL Injection Attacks
- By Jabulani Leffall
- 05/01/08
Microsoft is claiming that an injection attack vulnerability discovered late last week and made public this week, related to the popular business database application SQL, is not the company's fault but may instead lie with lax Web developers.
"The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," wrote Bill Sisk, a communications manager at Microsoft, in a blog post late Friday night. "SQL injection attacks enable malicious users to execute commands in an application's database."
Sisk wrote further that to stave off such attacks against the SQL app, developers should "follow secure coding practices," which to some observers implied that many Web developers had not been employing such practices.
Whatever the case may be, the continued delicate state of security around SQL underscores what IT security pros have been saying for the last 12 months: rather than the operating system, it is all about protecting the applications that sit on it and, by extension, the data contained therein.
Similarly, the industry's database giant, Oracle, chimed in on the subject on Monday when it identified similar vulnerabilities affecting its enterprise resource planning and database programs. The problem was described by Eric Maurice, manager of Oracle's Global Technology Unit, in a blog post on Monday.
"In simple terms, SQL injection attacks are designed to leverage improper coding of database-powered applications that, in the absence of proper input validation, allow a malicious attacker to insert string input to an application," he wrote.
Maurice surmised that in each individual case, the attacker injects or pushes through commands that will be executed on the back-end database. The commands either muck up the front-end interface -- what the end user sees on the screen -- or make the data unusable and perhaps even crash the system.
"The consequences of successful SQL injections can be severe," he wrote.
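The "improper coding" Maurice describes and the "secure coding practices" Sisk recommends come down to one mechanism: whether user input is pasted into the SQL text or passed to the database as a separate parameter. The following example is added here and is not code from the article, from Microsoft or from Oracle. It uses Python's built-in sqlite3 module with a constructed in-memory users table (the table, the accounts and the login functions are all assumptions for illustration), and shows a login check written both ways: the vulnerable version lets the classic test string for this flaw satisfy the WHERE clause without a valid password, while the parameterized version treats the same string as a literal password value and rejects it.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with two sample accounts.
    Passwords are stored in clear text only to keep the demo short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Parameterized insert: the driver binds each value separately.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Improper coding: user input is spliced into the SQL statement text,
    so quote characters in the input change the meaning of the query."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Secure coding practice: the statement is fixed, and the input travels
    to the database as bound parameters. Whatever the input contains, it can
    only ever be compared as a value, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both versions against the same inputs and return the outcomes."""
    conn = make_db()
    # Classic test string for this flaw; with the vulnerable function it turns
    # the WHERE clause into "... AND password = '' OR '1'='1'", which is
    # always true, so the check passes with no valid password at all.
    probe = "' OR '1'='1"
    return {
        "vulnerable_valid_password": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_probe": login_vulnerable(conn, "alice", probe),
        "safe_valid_password": login_safe(conn, "alice", "s3cret"),
        "safe_probe": login_safe(conn, "alice", probe),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'login accepted' if outcome else 'login rejected'}")
```

The `?` placeholder is sqlite3's parameter marker; ADO.NET uses `@name` parameters with `SqlCommand.Parameters.AddWithValue`, and the same principle applies to stored-procedure calls and ORMs. Detecting the vulnerable pattern in a code base is a matter of searching for string concatenation or formatting that feeds an `execute` call, which is exactly what the "follow secure coding practices" advice above asks developers to eliminate.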