The US cybersecurity agency CISA, together with the Federal Bureau of Investigation (FBI), has issued new guidance for software manufacturers. As part of the “Secure by Design” campaign, the agencies remind manufacturers that SQL injection is a commonly targeted vulnerability class and give advice on how to avoid it.
In the “Secure by Design Alert,” CISA explains that the vulnerabilities in MOVEit Transfer, which affected thousands of organizations, prompted the “Resolving SQL Injection Vulnerabilities in Software” guidance. CISA also wants to draw attention to how widespread this type of vulnerability still is.
SQL Injections: Documented for two decades
Although SQL injection vulnerabilities have been widely known and documented for two decades and effective ways to avoid them are available, software manufacturers have continued to ship products with this defect, exposing many customers to unnecessary risk. The MITRE Corporation already listed SQL injection among its “unforgivable vulnerabilities” in 2007. Nevertheless, SQL injection remains a common type of security flaw.
In the PDF guidance, the agencies explain what SQL injection flaws are and how they can be avoided. MySQL introduced prepared statements in 2004, which can prevent SQL injection vulnerabilities. Developers should therefore rely on parameterized queries with prepared statements so that SQL code is kept separate from user-supplied data. Some developers have instead tried to prevent SQL injection with input sanitization, but this is finicky, hard to apply consistently at scale and can often be bypassed.
The guidance further recommends that executives at software manufacturers take responsibility for their customers' security, for example through formal code reviews. Manufacturers should also be transparent when publishing information about security flaws in their software, for instance by creating CVE entries. Ultimately, the organizational structure should be reshaped with this objective in mind.
Secure by Design is a campaign that CISA, together with international partner agencies, has been running since last year. It provides basic guidelines on how security flaws can be avoided throughout the software development process by following the “Secure by Design” principle. Alongside a PDF guide against phishing, there is also advice that default passwords are unacceptable and the root of much evil.
(dmk)