Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Wednesday 26 August 2009, 6:39 PM
SQL injection attacks point to need for more secure software
At a recent (ISC)2 Secure London seminar, the keynote speaker from IBM Internet Security, James Rendell, said that IBM's X-Force security labs had tracked a 30x increase in 'SQL injection' attacks in the last six months. He suggested that cyber criminals favour them because targets are easy to identify, the attacks are easy to carry out and they deliver a high payoff: the attacker does not need to know the underlying operating system or even the database product, because the attacks exploit the web front ends that companies are putting in front of all of their applications.
Rendell also pointed out that more than half of all software vulnerabilities are web application based. The issue here, however, is not just web application software; it is the bad software architecture and design that is endemic in much software. Too often the security holes are known vulnerability classes that simply were not tracked properly during the development process. With patching becoming an increasing burden, wouldn't the economics now warrant pushing the issues and their costs back to the software vendors?
We know that software developers have yet to build security into their profession. They are driven by tight timescales, flexible and cost-effective development methodologies and an obsessive focus on usability. Security has been an afterthought, all too often introduced only at the testing stage. But the time to change is now. Software teams need to establish sounder security standards and raise awareness among stakeholders across the software development lifecycle of the importance of addressing security concerns. While many argue that secure coding techniques have already been developed, that approach is too limited: this is not an issue for software coding alone.
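As an added illustration of the design flaw behind the attacks Rendell describes (this is example code, not part of the original post, and the user table and login check are hypothetical): the first lookup splices user input into the SQL text, so a quote character in the input changes the query the database runs, while the second fixes the query text and binds the values separately. The defect is the same whatever operating system or database sits behind the web front end.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table standing in for the
    # application's user store (toy schema, plaintext password for brevity).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Design flaw: input is concatenated into the SQL text, so the database
    # cannot distinguish the application's query from the user's data.
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def safe_lookup(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameter binding: the SQL text is fixed at design time; the driver
    # passes the values out of band, so quotes in the input stay plain data.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo() -> dict:
    # Constructed input containing a quote, to show how the two designs differ.
    conn = build_db()
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_wrong_pw": vulnerable_lookup(conn, "alice", "wrong"),
        "vulnerable_crafted": vulnerable_lookup(conn, "alice", crafted),
        "safe_crafted": safe_lookup(conn, "alice", crafted),
        "safe_correct": safe_lookup(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for check, found in demo().items():
        print(f"{check}: {found}")
```

The vulnerable version reports a match for the crafted input even though no such password exists; the bound version does not, which is the kind of defect a design review or a code-level check in the development process should catch before testing.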
John Colley, managing director for EMEA of (ISC)2
Comments on this post
This underlines the sheer stupidity in keeping copies of customers' details for any retailers. I mean, the only organizations who should have these details should be the relevant banks to which your cards belong, and that's it.
The only thing the retailers need is a link back to the banking system to authenticate the card purchase; why the retailers have been collating customers' details after transactions is beyond me.