CAST Warns Developers To Beware SQL Injections

Software quality analysis specialist CAST has warned that the growing number of connection points to applications has increased the risk of SQL injection exploits. As devices and platforms both proliferate, the opportunity for SQL code injections targeted at the database layer of an application increases, says the company.

"While SQL injection is not a new exploit, applications continue to be vulnerable to it. It's not because developers and architects don't know about them or don't have the skill to prevent them -- it's because they can't see them, or worse, they may think they've prevented it, but something outside their range of competence conspires against them," says the company in a press statement.

Suggesting that this issue arises in modern development shops because of the sheer size of teams, CAST likens modern apps to battleships: no one individual is able to see, much less monitor, the entire operation. The company lists three key reasons why even the most diligent developer may unwittingly let SQL injections slip through:

  1. There are multiple validation packages and the developer uses one that is either not up to date or has a flaw in it that he/she doesn't know about.

  2. The developer is told not to validate the code because the network configuration is set up to validate. This is true for a while and then a few months later someone or something changes the network configuration.

  3. There's an error message that unwittingly sends the malicious user some information about the database schema, which he or she can then use in an attack. But the developer had nothing to do with that error message.
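The three failure modes above share a root cause: the query's structure is built from user input, and the response leaks whatever the database says when that goes wrong. The following is an added illustration, not code from CAST or from the article, using Python's built-in sqlite3 module with a constructed in-memory `users` table. It places the concatenated query beside a parameterized one, and a handler that returns the raw database error beside one that logs it server-side and returns only a generic message (the third point above).

```python
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed sample data for the demonstration (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so it can change
    the WHERE clause rather than merely supply a value to compare against."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the driver binds the value separately from the query text.
    Whatever the string contains, it is compared as a value and nothing more,
    so this does not depend on any validation library or network-layer filter."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_leaky(conn, username):
    """Vulnerable query plus an error handler that echoes the database's own
    message to the caller; that message describes the SQL the server tried to run."""
    try:
        return {"ok": True, "rows": lookup_vulnerable(conn, username)}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def lookup_safe(conn, username):
    """Parameterized query plus an error handler that keeps detail server-side.
    The caller learns only that the lookup failed; the full exception is logged."""
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, username)}
    except sqlite3.Error as exc:
        log.error("database error during user lookup: %s", exc)
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    # A name containing an apostrophe is enough to break the concatenated query
    # and make the leaky handler reveal that a SQL syntax error occurred.
    print(lookup_leaky(db, "o'brien"))
    print(lookup_safe(db, "o'brien"))
    # The same string compares as an ordinary value once it is bound as a parameter.
    print(lookup_parameterized(db, "alice"))
```

The point to take from the contrast is that `lookup_parameterized` needs no knowledge of what "bad" input looks like, which is exactly the knowledge the first two reasons above say the developer may lack or lose; and `lookup_safe` shows that error-message hygiene is a property of the code path, not of whoever wrote the original message.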

According to CAST's UK managing director Colin Privett, "What team managers need is an automated system that can look for patterns in the application -- patterns of component interactions -- that can potentially compromise the application. We must apply this kind of automated procedure frequently to mission-critical applications, as developers can't be held accountable for all issues."

CAST advocates a system that will quantify threats so the team can prioritize the sequence in which it takes action to fix these threats. Privett argues that his company's products help achieve a minimum standard of security hygiene to help development shops make sure they don't leave open doors just because they are unaware or have forgotten the coding practices deemed secure by their company, or the industry overall.
