Software quality analysis specialist CAST has warned that the growing number of connection points to applications has increased the risk of SQL injection exploits. As devices and platforms both proliferate, the opportunity for SQL code injections targeted at the database layer of an application increases, says the company.
"While SQL injection is not a new exploit, applications continue to be vulnerable to it. It's not because developers and architects don't know about them or don't have the skill to prevent them -- it's because they can't see them, or worse, they may think they've prevented it, but something outside their range of competence conspires against them," says the company in a press statement.
Suggesting that this issue arises in modern development shops due to the sheer weight of team size, CAST likens modern apps to battleships: no one individual is able to see, much less monitor, the entire operation. The company lists three key reasons why even the most diligent developer may unwittingly let SQL injections slip through:
- There are multiple validation packages and the developer uses one that is either not up to date or has a flaw in it that he/she doesn't know about.
- The developer is told not to validate the code because the network configuration is set up to validate. This is true for a while and then a few months later someone or something changes the network configuration.
- There's an error message that unwittingly sends the malicious user some information about the database schema that he or she can now use to exploit. But the developer had nothing to do with that error message.
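The three failure modes above come down to one property: whether the database can tell the application's query from the data the user supplied. The following is an added illustration, not code from the article or from CAST, using Python's built-in sqlite3 module with a constructed two-row `users` table. It places a string-concatenated lookup beside its parameterized form, and adds a central error boundary so that a driver error (the third point above) reaches the caller as a generic message rather than the database's own text. Function names and sample rows are assumptions made for the example.

```python
import logging
import sqlite3

log = logging.getLogger("db")

# Constructed sample schema and rows for the demonstration (not from the article).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL);
INSERT INTO users (username, email)
    VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test');
"""


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so the
    database engine cannot distinguish the developer's query from the
    caller's data. No validation library is involved, which is exactly the
    situation when a validator is out of date, bypassed, or assumed to run
    elsewhere (the first two points in the article's list)."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email(conn, username):
    """Hardened form: the query text is fixed at development time and the
    driver binds the value separately, so quotes and keywords inside the
    input are treated as data regardless of what sits in front of the app."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def execute_guarded(query_fn, conn, username):
    """Central error boundary (hypothetical helper): run a lookup and, if the
    driver raises, keep its message in the server-side log and hand the
    caller a generic reply. Returns (rows, message); message is None on
    success. This is the control that stops a raw error from describing
    the schema to whoever sent the request (the third point in the list)."""
    try:
        return query_fn(conn, username), None
    except sqlite3.Error as exc:
        log.error("query failed: %s", exc)  # detail stays in server logs
        return None, "request could not be completed"


if __name__ == "__main__":
    db = make_db()
    # Both forms behave identically on ordinary input ...
    print(lookup_email(db, "alice"), lookup_email_unsafe(db, "alice"))
    # ... but diverge on input containing a quote: the unsafe form either
    # errors (leaking driver text if uncaught) or changes the query's logic,
    # while the parameterized form simply finds no such user.
    print(execute_guarded(lookup_email_unsafe, db, "o'brien"))
    print(execute_guarded(lookup_email, db, "o'brien"))
```

Run as a script it prints the matching result for a normal username, then shows the unsafe lookup failing behind the generic message while the parameterized lookup returns an empty result for the same quoted input. The point for a team lead is that `lookup_email` stays correct even when every control outside the function changes, which is the "range of competence" problem the article describes.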
According to CAST's UK managing director Colin Privett, "What team managers need is an automated system that can look for patterns in the application -- patterns of component interactions -- that can potentially compromise the application. We must apply this kind of automated procedure frequently to mission-critical applications, as developers can't be held accountable for all issues."
CAST advocates a system that will quantify threats so the team can prioritize the sequence in which it takes action to fix these threats. Privett argues that his company's products help achieve a minimum standard of security hygiene to help development shops make sure they don't leave open doors just because they are unaware or have forgotten the coding practices deemed secure by their company, or the industry overall.