Enabled by the relative ease of exploiting SQL injection flaws, a ring of Russian and Ukrainian hackers allegedly cost several companies more than $300 million in losses over a seven-year period from 2005 to 2012. Five men were recently indicted on charges of compromising the networks of companies such as Nasdaq, 7-Eleven, JCP, Dow Jones and Hannaford, according to the Department of Justice. Experts noted that these attacks are emblematic of the problems brought on by lapses in software security testing during application development processes.
The DOJ alleged that the attackers gained entry to corporate networks through SQL injection attacks and planted malware enabling backdoor access, Computerworld reported. Companies were often targeted for months through persistent attacks. The hackers acquired credit card numbers and payment data and allegedly sold the information to global resellers.
Onlookers pointed out that such attacks are relatively easy to carry out, but they are also fairly easy to fix. The biggest challenge is generally locating the errors, a separate Computerworld article noted. The Payment Card Industry Security Council mandates that companies perform a complete source code analysis to catch errors or use a web application firewall.
“SQL injection attacks succeed because companies aren’t protecting themselves well enough against them,” Gartner analyst Avivah Litan told Computerworld.
Improving software security tests
One of the biggest challenges facing organizations as they try to prevent SQL injection attacks is finding the time and money to devote to catching errors, Computerworld reported. Often, companies neglect to fully scan for SQL flaws during development because of a lack of resources, explained Jeremiah Grossman, founder and CTO of WhiteHat Security.
“Your coders have to push new features to customers that will drive future revenue. If they slow down, or work on anything else, like fixing vulnerabilities in their code, there is a certain monetary sacrifice,” Grossman told Computerworld. “There simply isn’t enough time or resources to do everything.”
The techniques for preventing such attacks are well known, but SQL injection continues to be the “best and fastest way” to target companies simply due to the ubiquity of such flaws, Grossman added. The problem is likely to continue as long as organizations do not place more of an emphasis on software security. To shore up security and avoid SQL exploits, companies can use tools such as static analysis software, which automatically detects errors that can enable these attacks.
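The "well known" fix the article refers to is the parameterized query. As an added illustration that is not part of the article or of any company's code, the Python snippet below builds a constructed in-memory SQLite table (the hypothetical `customers` table and its rows are made up here) and shows a lookup that splices user input into the SQL text beside the same lookup with a bound parameter; the first can be made to return every row, the second only ever matches the literal value.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a payment-card store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Flaw: the input is pasted into the SQL text, so a quote character in it
    # changes the structure of the statement rather than being treated as data.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Fix: the statement's structure is fixed before the driver ever sees the
    # value; the value is bound separately and can only match a name literally.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A name containing a quote, as a static-analysis tool or code review would
    # flag the concatenated version for: it widens the WHERE clause to all rows.
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_vulnerable(conn, probe))
    print("parameterized:", lookup_parameterized(conn, probe))
```

The detection rule a source-code scanner applies is essentially the one visible here: a query string assembled with `%`, `+` or f-strings from request-supplied data is a finding, while a `?` placeholder with a bound tuple is not.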
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.