
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) argue that SQL injections should be a thing of the past. Although developers have known for two decades how to prevent this type of attack, it continues to cause widespread exploits.

An SQL injection inserts attacker-controlled input into an SQL statement, which then accesses or modifies the database in ways the developer never intended. According to the U.S. agencies, the fundamental problem is that developers trust user input by default when they should not. The end result of an SQL injection varies, but it may enable lateral movement inside a target network or the destruction of data.

Secure by Design

The government agencies point out that a solution to SQL injections has existed since at least 2004. That year, MySQL introduced prepared statements, which pre-compile the SQL statement and bind user input as data rather than as part of the query text, preventing injections. Deploying that best practice was so obvious that, as early as 2007, the MITRE Corporation described a vulnerability that allows an SQL injection as an “unforgivable” sin in software development.

According to the FBI and CISA, since exploits of this vulnerability are still widespread, developers should be far better prepared than they are. With a “Secure by Design” approach, developers build defences against SQL injections and other common vulnerabilities in from the initial design phase, rather than bolting them on later.

Accountability and transparency

Several principles are recommended for a successful implementation of Secure by Design. First, developers should hold themselves accountable for “customer security outcomes,” in other words for any threat that arises from how users behave. Beyond this advice, legislation such as the Cyber Resilience Act will soon require this of software teams.

Read more: Cyber Resilience Act: manufacturers responsible for open-source code

In addition, the agencies argue that “radical” transparency and accountability are required. Developers must disclose vulnerabilities more quickly and provide mitigations. The exact causes of a cyber threat should be clearly articulated so that, eventually, entire classes of vulnerabilities can be eliminated.

Meeting these two demands requires a third principle: an organizational structure that builds accountability and transparency into how the software is made.

Also read: Fortinet warns vulnerability in FortiClientEMS is exploited in the wild