Home
Topics
Software Security Testing and Quality Assurance
Software Security Test Best Practices
Is SQL injection really the guilty party in software application vulnerabilities?

Is SQL injection really the guilty party in software application vulnerabilities?

Is SQL injection as big a problem as the vulnerability scanner vendors and other product/service companies say it is?

Requires Free Membership to View

Login

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

The vulnerability scanning vendors get raw data on the number of SQL injection flaws that are uncovered. If you just look at these numbers and not take authentication, user roles, and other contextual information into account, then yes you'd think the sky is falling. That said, I find lots of SQL injection flaws that are not exploitable given the context of the vulnerability. Many are false positives.

In over 10 years of testing Web applications using what I believe are some of the best tools available, I've only come across two situations where SQL injection was actually exploitable and truly meant something to the business. One was exploitable via an unauthenticated user and the other by trusted user who were logged in. I see many, many more issues with cross-site scripting, login mechanisms, and application logic that, in many cases, can be just as detrimental as SQL injection.

Here are some articles that might interest you while we're on the topic of SQL injection issues:

Malicious code injection: It's not just for SQL anymore
Injection attacks are ubiquitous, and SQL injection is only one version of the exploit. S.P.I. Dynamics' Bryan Sullivan describes these attacks and how to prevent them.
Blind SQL injection attacks explained
Most security professionals know what SQL injection attacks are and how to protect their Web applications against them.

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in December 2009

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Back to top

More from Related TechTarget Sites

SOA
Java
Windows Development
Oracle
Cloud computing
Business Analytics

SOA
- Architects can meet mobile user needs by altering mindset
  
  Smartphones, tablets and desktop computers don't just differ in screen size; they are different form factors.
- Tools and practices to create a meaningful SOA ALM process
  
  To create a meaningful SOA ALM process, architects have to remember modern apps are increasingly using components.
- Inside the world of Web APIs, the cloud and mobile technology
  
  Rob Daigneau offers his expert insights on the convergence of the cloud, mobile technology and Web APIs.
Java
- How skilled portlet developers make the portal strategy work
  
  Portals are providing more value than ever, and having skilled portlet developers on staff brings the technology to new levels.
- Five portlet development tips software engineers can't ignore
  
  Here are five quick portlet development tips that software engineers will find helpful as they develop applications for the portal.
- Effective portlet development means respecting the servlet API
  
  When moving to portlet development from web development, software engineers must remember that servlet and JSP development rules still apply.
Windows Development
- Native versus JavaScript/HTML5 development for Window 8 apps
  
  Learn the advantages and disadvantages in using HTML5/JavaScript for deployment.
- Technology Priorities for 2012
  
  Each year TechTarget surveys thousands of IT professionals around the world on their company’s forecasts for the coming year. As IT budgets continue through the strain of trying to align themselves with businesses trying to recover from the global recession, the direction of IT’s newest technologies may surprise you.
- Where can I find Visual Basic 6.0 DataEnvironment code samples?
  
  Get information on the best places to find Visual Basic DataEnvironment 6.0 code samples.
Oracle
- Domain-specific Oracle master data management
  
  Oracle master data management products are starting to merge various data management hubs, which is a help in particular vertical industries.
- Privileged user management a must for DBAs
  
  Trust, but verify. Ronald Reagan made it popular, and it's certainly relevant for DBAs in today's consolidated, virtualized IT world.
- John Webb: Why the new PeopleSoft applications are big news
  
  Lena Weiner-Bishop catches up with Oracle's vice president of PeopleSoft strategy, who explains the excitement around new PeopleSoft applications.
Cloud computing
- Google Compute Engine prices on par with AWS -- for now
  
  Conventional wisdom has Google and AWS locked in the Price War of the Titans with the launch of GCE, but a deeper look reveals a different truth.
- Limiting the effects of cloud computing outages
  
  After making the case for cloud based on high availability, IT pros are upset by cloud outages. With planning, there are ways to craft a strategy.
- Amazon Redshift an appealing alternative to on-premises data warehouse
  
  Amazon Redshift has intriguing pricing and features, but beware of its differences from a traditional, on-premises data warehouse.
Business Analytics
- Marketing and advertising remain sweet spots for big data technology
  
  Marketing and advertising are the sweet spots for big data, but those who serve up marketing insights and ad space will need to evolve to survive.
- Strategies for de-cluttering business intelligence dashboard designs
  
  Expert Brian Jordan shows business intelligence managers how to avoid developing dashboards that overwhelm business users with too much information.
- Making mobile BI applications a reality: Key steps to take
  
  In a podcast, BI expert William McKnight discusses best practices and action items for managing deployments of mobile business intelligence tools.

All Rights Reserved,Copyright 2006 - 2013, TechTarget